
    Earlier this month, TrendLabs security experts discovered that around 40,000 websites had been hacked and seeded with code that bombarded visitors’ PCs with countless browser exploits in order to install a Trojan, which we already detect as TROJ_FFSEARCH.A. This Trojan has been found to be among the malware installed by another threat. It is known as FFSearcher, named after one of the websites used in the scam, ffsearcher.com.


    Click fraud has become a rapidly growing problem for legitimate companies and advertising networks as it inflates online advertising costs. In the past few years, cybercriminals have been using malicious software to perpetrate click fraud. They hijack the results displayed by search engines whenever a user tries to find something online. These scams can be unwieldy, however, as victims often quickly figure out that something is wrong when their searches are redirected to unfamiliar portals.

    Click fraud Trojans are as old as Internet advertising itself. These usually come in one of the following two types:

    • Browser hijackers that change a user’s start page and searches to redirect to a third-party search engine
    • Trojans that silently pull down a list of advertising URLs and generate fake clicks on the ads in a hidden Internet Explorer window

    The new Trojan, however, differs in that every click on an advertisement is user generated. The user does not even notice any change in his or her Web-browsing activities.

    This Trojan may also be unknowingly downloaded by a user while visiting malicious websites. It executes and attaches an NTFS Alternate Data Stream (ADS) to a legitimate system file. It then deletes the .EXE file after execution to prevent detection and consequent removal, leaving the ADS in place. Afterward, it connects to a remote URL to download its configuration file. Once done, it monitors the user’s Web-browsing activities and redirects searches in Google to the website found in the downloaded configuration file.
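
The behavior described above leaves a named stream on an otherwise legitimate file, which defenders can hunt for. The script below is an added example, not code from the original post or from Trend Micro: it lists named streams on the files in a directory and flags those that start with the `MZ` executable header. The default directory, the list of expected streams and the `MZ` heuristic are assumptions made for illustration.

```powershell
# Added example (not from the original post): list named NTFS streams on
# files in a directory and flag those that begin with a PE "MZ" header.
# Assumptions: Windows with PowerShell 3.0 or later; $Root, $expected and
# the MZ check are illustrative choices, not details from the post.
param([string]$Root = (Join-Path $env:SystemRoot 'System32'))

# ':$DATA' is every file's main content; Zone.Identifier is the
# mark-of-the-web stream written to downloaded files.
$expected = @(':$DATA', 'Zone.Identifier')

# Byte reads use -Encoding Byte on Windows PowerShell and
# -AsByteStream on PowerShell 6 and later.
$byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) {
    @{ AsByteStream = $true }
} else {
    @{ Encoding = 'Byte' }
}

Get-ChildItem -LiteralPath $Root -File -Force -ErrorAction SilentlyContinue |
ForEach-Object {
    $path = $_.FullName
    # Enumerate every stream on the file, then drop the expected ones.
    Get-Item -LiteralPath $path -Stream * -ErrorAction SilentlyContinue |
    Where-Object { $expected -notcontains $_.Stream } |
    ForEach-Object {
        # Read only the first two bytes of the named stream.
        $read = @{
            LiteralPath = $path
            Stream      = $_.Stream
            TotalCount  = 2
            ErrorAction = 'SilentlyContinue'
        }
        $head = @(Get-Content @read @byteArgs)
        $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
        [pscustomobject]@{
            File        = $path
            Stream      = $_.Stream
            Length      = $_.Length
            LooksLikePE = $isPe
        }
    }
} | Sort-Object LooksLikePE -Descending | Format-Table -AutoSize
```

Add `-Recurse` to `Get-ChildItem` to cover subdirectories. Some legitimate software also writes named streams, so treat each hit as a lead to review.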


    Trend Micro product users need not fret, though, as Smart Protection Network already protects their systems from this threat.











     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice