Jul8
8:16 pm (UTC-7)   |   by Det Caraig (Technical Communications)

Earlier this month, TrendLabs security experts discovered that around 40,000 websites have been hacked and seeded with code that bombarded visitors’ PCs with countless browser exploits to install a Trojan, which we already detected as TROJ_FFSEARCH.A. This Trojan has been found to be among the malware installed by another threat. It is known as FFSearcher, named after one of the websites used in the scam, ffsearcher.com.

Click for larger view

Click fraud has become a rapidly growing problem for legitimate companies and advertising networks as it inflates online advertising costs. In the past few years, cybercriminals have been using malicious software to perpetrate click fraud. They hijack search results displayed by engines whenever a user tries to find something online. Unfortunately, these scams can be unwieldy, as victims often quickly figure out that something is wrong when their searches are redirected to unfamiliar portals.

Click fraud Trojans are as old as Internet advertising itself. These usually come in one of the following two types:

  • Browser hijackers that change a user’s start page and searches to redirect to a third-party search engine
  • Trojans that silently pull down a list of advertising URLs and generate fake clicks on the ads in a hidden Internet Explorer window

The new Trojan, however, differed, as every click on an advertisement is user generated. The user does not even notice any change in his or her Web-browsing activities.

This Trojan may also be unknowingly downloaded by a user while visiting malicious websites. It executes and attaches an NTFS Alternate Data Stream (ADS) to a legitimate system file. It then deletes the .EXE file after execution to prevent detection and consequent removal, leaving the ADS in place. Afterward, it connects to a remote URL to download its configuration file. Once done, it monitors the user’s Web-browsing activities and redirects searches in Google to the website found in the downloaded configuration file.

Click for larger view

Trend Micro product users need not fret though as Smart Protection Network already protects their systems from this threat.

If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!



This entry was posted on Wednesday, July 8th, 2009 at 8:16 pm and is filed under Hacked Sites, Malware, Security . You can leave a response, or trackback from your own site.



4 Responses to “Click Fraud Takes a Step Forward with TROJ_FFSEARCH”

Trackbacks

  1. TrendMicro (TrendMicro)
  2. tonys3kur3 (Tony Bradley)
  3. iia_security (Terry Walls)
  4. sunsarav (Saravana Kumar)

Leave a Reply


ColdFusion Spurs Another Mass Compromise
Zero-day MPEG2TuneRequest Exploit Leads to KILLAV


 
TrendWatch Hijack This Web Protection Add-On
Free Online Virus Scan Rootkit Buster Submit Suspicious Files
Global Malware Map RUBotted? Trend Micro
 



    		 
© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice