Earlier this month, TrendLabs security experts discovered that around 40,000 websites have been hacked and seeded with code that bombarded visitors’ PCs with countless browser exploits to install a Trojan, which we already detected as TROJ_FFSEARCH.A. This Trojan has been found to be among the malware installed by another threat. It is known as FFSearcher, named after one of the websites used in the scam, ffsearcher.com.
Click fraud has become a rapidly growing problem for legitimate companies and advertising networks as it inflates online advertising costs. In the past few years, cybercriminals have been using malicious software to perpetrate click fraud. They hijack search results displayed by engines whenever a user tries to find something online. Unfortunately, these scams can be unwieldy, as victims often quickly figure out that something is wrong when their searches are redirected to unfamiliar portals.
Click fraud Trojans are as old as Internet advertising itself. These usually come in one of the following two types:
- Browser hijackers that change a user’s start page and searches to redirect to a third-party search engine
- Trojans that silently pull down a list of advertising URLs and generate fake clicks on the ads in a hidden Internet Explorer window
The new Trojan, however, differed, as every click on an advertisement is user generated. The user does not even notice any change in his or her Web-browsing activities.
This Trojan may also be unknowingly downloaded by a user while visiting malicious websites. It executes and attaches an NTFS Alternate Data Stream (ADS) to a legitimate system file. It then deletes the .EXE file after execution to prevent detection and consequent removal, leaving the ADS in place. Afterward, it connects to a remote URL to download its configuration file. Once done, it monitors the user’s Web-browsing activities and redirects searches in Google to the website found in the downloaded configuration file.