New Click-Fraud Attack Is Stealthiest Yet

An anonymous reader sends news from The Washington Post's Security Fix blog of a new Trojan horse program that takes click fraud to the next level. The Trojan, dubbed FFsearcher by SecureWorks, was among the pieces of malware installed by sites hacked with the Nine-Ball mass compromise, which attacked some 40,000 Web sites this month. The Trojan takes advantage of Google's "AdSense for Search" API, which allows Web sites to embed Google search results alongside the usual Google AdSense ads. (SecureWorks' writeup indicates that Yahoo search is targeted too, but the researchers saw no evidence if the malware redirecting Yahoo searches.) While most search hijackers give themselves away on the victim's machine by redirecting the browser through some no-name search engine, FFsearcher "...converts every search a victim makes through Google.com, so that each query is invisibly redirected through the attackers' own Web sites, via Google's Custom Search API. Meanwhile, the Trojan manipulates the victim's PC and browser so that the victim never actually sees the attacker-controlled Web site that is hijacking the search, but instead sees the search results as though they were returned directly from Google.com (and with Google.com in the victim browser's address bar, not the address of the attacker controlled site). Adding to the stealth is the fact that search results themselves aren't altered by the attackers, who are merely going after the referral payments should victims click on any of the displayed ads. What's more, the attackers aren't diverting clicks or ad revenue away from advertisers or publishers, as in traditional click fraud: They are simply forcing Google to pay commissions that it wouldn't otherwise have to pay." If FFSearcher were the only piece of malware on the machine, it would have a better chance of staying under the radar.

Read The Fine Summary

[nacturation]

Why would they waste their time? Surely there are easier ways to steal from adsense that don't involve putting people at risk...

Were you just trying for first post, or did you have a point to make? "Why would they [the FFSearcher developers] waste their time?" Because it makes them money and, thus, is not a waste of time at all but rather quite the profitable use of their time. And from the summary, it sounds like FFSearcher does nothing malicious except for redirecting traffic such that it gets referral payments. How is that putting people at risk? And what are these easier-to-steal-from-adsense methods you're referring to?

Re:Read The Fine Summary

[calmofthestorm]

Well, it's not directly harmful, but any malware on a machine is going to open up security vulnerabilities because it will usually:

1) Act as a rootkit to hide itself
2) Provide backdoor access

Either of these can be exploited by a third party. Remember Sony's DRM rootkit? China's Green Dam Youth Escort?

Re:

[larry bagina]

there's plenty of malware that disables vulnerabilities to prevent other malware from being installed.

Re:

[cool_story_bro]

this is true (conficker, for example, patched the very vulnerability that it exploited to gain access). However, that doesn't mean that this particular chunk of malware should be assumed to be safe. Personally, I would err on the side of not trusting anything that changes the behavior of my computer without my knowledge of permission.

Re:

[chaim79]

The scheme is very interesting, I'd say that if they ever got caught and put in front of a jury this would be close enough to legal that they'd have no problem walking... very interesting...

Re:

[calmofthestorm]

They installed software via illegal hacking into users computers, not to mention they hacked into servers and did stuff.

There are a lot of laws that could bone them here, and I doubt juries would take kindly to having their computers modified without their consent unless it was by big media or Microsoft.

Re:

[chaim79]

True, the hacking bit they wouldn't get away with, but the 'click fraud' is close enough to be difficult to call.

Re:

[myxiplx]

Difficult to call? They fraudulently redirected traffic through their servers to generate themselves money, making google pay for transactions they didn't need to. It's practically the definition of wire fraud.

Re:

[Anonymous Coward]

The thing is, creator of this most likely is not a single person / group. What most articles fail to mention is that these eastern european/russian money-making schemes are usually affiliate programs itself. Affiliates get paid their percent from revenue from computers they're installed the software to. The affiliate program itself creates the software and handles everything else other than generating installs.

Even if you happened to catch them, who would you sue? Even the catching part is a major headache,

Re:

[blackest_k]

no heavy duty prison time you mean?

Re:

[Florian Weimer]

And what are these easier-to-steal-from-adsense methods you're referring to?

Adsense for Domains plus some typo-squatting registrations, perhaps. See slashdot.info for an example.

Does this affect all browsers?

[BitterOak]

The article mentions that both IE and Firefox are vulnerable, but doesn't talk about other browsers. It also doesn't say if it affects current versions, or unpatched browsers only. Will security patches for IE and Firefox be coming soon?

Re:

[zarzu]

the article specifically shows the 'augmented reality' in IE and firefox, it even goes on to specifically point out in the end, that the features include:

Working code to hijack both Firefox and IE

so my best guess is that only those two browsers are actually affected and as they are the common browsers there probably isn't much motivation to work on hijacking other browsers (same thing as with mac - windows).

Re:Does this affect all browsers?

[zarzu]

the washington post article doesn't give you any more information than the summary, you should be reading the trojan analysis [secureworks.com] which is linked in both the summary and the article.

Re:

[Zerth]

Lynx [wikipedia.org] is presumably immune...

Re:Does this affect all browsers?

[jesser]

Firefox and IE are the targets of the trojan once it already has control over your computer. That doesn't mean they are "vulnerable" or are in need of patches.

Only the last link in the Slashdot article discusses how these attackers gained control over your computer:

After redirection, the exploit payload site returns highly obfuscated malicious code. The malicious code attempts to exploit MS06-014 [microsoft.com] (targeting MDAC) and CVE-2006-5820 [mitre.org] (targeting AOL SuperBuddy), as well as employing exploits targeting Acrobat Reader and QuickTime. The MS06-014 exploit code will download a Trojan dropper with low AV detection rate [virustotal.com]. This dropper drops a dll with the name SOCKET2.DLL to Windows' system folder. This file is used to steal user information. The malicious PDF file, served by the exploit site, also has very low AV detection rate [virustotal.com].

So, basically an IE hole that was fixed in 2006, plus a handful of plugin vulnerabilities. They didn't even bother looking for an old Firefox vulnerability to exploit, perhaps because too many Firefox users are up-to-date.

Re:

[jesser]

Or because Firefox has a small market share.

Perhaps. But I can only assume the same is true of "AOL SuperBuddy", because I've never even heard of it, and they targeted it.

Also, big corporates use IE, and they tend to have more powerful machines.

The power of a machine doesn't matter for affiliate-program fraud.

Re:Does this affect all browsers?

[Jahava]

The virus itself is a complicated one. As per the article, it was installed on the system during a mass exploit dubbed Nine-Ball [websense.com], which was loaded onto 40,000 legitimate websites. Visiting those sites caused the Nine-Ball script to execute, which redirected an iframe to a page containing malicious code which mounts a series of attacks. Those mentioned by the site are:

• Exploit MS06-014 [microsoft.com], which targets the MDAC ActiveX control
• Exploit CVE-2006-5820 [mitre.org], which targets the AOL SuperBuddy ActiveX control
• [Some] targeting Acrobat Reader"
• [Some targeting] QuickTime

So basically, an application (browser) visits this malicious page. If that application runs the ActiveX controls mentioned (and presumably Acrobat Reader and/or QuickTime), it was vulnerable to the initial Nine-Ball exploit. IE qualifies for all 4 of those; Firefox can use ActiveX (I believe, with a plugin), but not out of the box... however, it does have plugins for Acrobat Reader and QuickTime.

If any of those vulnerabilities were present with the applicaton visited the iframe, it runs malicious code that installs a crapton of viruses on the host computer, among them the FFSearcher virus.

Once FFSearcher is on your computer, it causes itself to get run all of the time, probably as Administrator. It then proceeds to:

1. Executes a Windows root-kit to hide its presence
2. Injects code into browser application processes; for IE, it will inject an IE-specific payload, and for Firefox, it will inject a Firefox-specific payload. Each payload causes the infected browser to do all the malicious redirecting that is described in lower-level detail in the article.

So a nice, clean, and secure IE / Firefox get started up, but Windows, itself infected, loads the virus into them! No vulnerabilities are exploited, here. Since FFSearcher runs as Administrator, everything it does is straightforward and allowed by the system; it can do basically anything. What it chooses to do is target IE and Firefox. Since it's running as Administrator, it doesn't have to exploit any vulnerabilities in either; it just barges in and rewrites parts of them to do its bidding. Administrator can do things like that.

In conclusion, there isn't any vulnerability in IE or Firefox that's involved in FFSearcher, and the only reason FFSearcher doesn't pwn other browsers is because the author didn't bother to write a payload for them, too. FFSearcher, itself, was installed due to some browser vulnerability that happened sometime, and now, permanently present on the system, takes advantage of its Administrator privileges to do some pretty wicked stuff.

Re:Does this affect all browsers? Chrome?

[xyzzypoofs]

I guess I should finally download Chrome - isn't that a Google product?

How the server gets infected?

[Krneki]

I can't find how the server gets infected. Is it Windows, Linux, Apache, IIS, ... ?

What part is to blame?

Re:

[mrbene]

The server in the Nine-Ball distribution could be any with an active exploit against it - an "infected" server is just one serving up pages with an iframe to the exploit site, so that site visitors would end up being attacked. Since any web server on any OS can serve up HTML...

Re:

[Krneki]

But how this exploit gets on the server web page?

Re:

[nacturation]

The goal is to get some website to distribute your payload, which consists of specially crafted HTML code. This can be done by simply posting a comment on any webpage which accepts and retransmits arbitrary HTML. Or it could be done by exploiting a bug in IIS, Apache, or other webserver software so that the original site serves up your payload. Or you could hack Windows or Linux to get the webserver to use your payload. The payload then exploits any number of browser bugs, whether Firefox, IE, or anothe

Re:

[Krneki]

Thanks for the info, but I'd like to understand how the Windows, Linux, IIS, Apache gets hacked.

I understand that once you got access you can do whatever you want, but I'd like to know what was the first step to compromise the server.

Re:

[nacturation]

Could be any number of ways:

http://www.dmoz.org/Computers/Hacking/Exploits/ [dmoz.org]

Re:

[sexconker]

Ads.
Sites host ads.
People buy ads through ad placement companies like Google.
Bad people engineer ads to contain the exploit and payload.
Site serves up bad ad.
Users of site get fucked.

It's always the fucking ads.

Re:

[Krneki]

Or it comes in a form of an ADD pointing from an infected server?

Re:

[emlyncorrin]

What has Attention Deficit Disorder got to do with this?

Re:How the server gets infected?

[Seth Kriticos]

Reading the article helps - there is only one server: my-web-way.com , which is supposedly controlled by the attackers. The whois entry reveals, that it is registered in Moskow, Russia.. probably with a fake name.

Now to what gets infected: Windows machines. It plays with DLL's and the Registry (described in the article).

Interesting is: this peace of mallware does not directly (perceivably) damage the user of the infected machine, but it generates revenue through (semi fake) Google ad clicks. I wonder how they (Google) will react.. would guess that big corporations get quite pissed by this kind of stuff. Let's wait and see..

Re:How the server gets infected?

[stephanruby]

Interesting is: this peace of mallware does not directly (perceivably) damage the user of the infected machine, but it generates revenue through (semi fake) Google ad clicks. I wonder how they (Google) will react.. would guess that big corporations get quite pissed by this kind of stuff. Let's wait and see..

Finally, a piece of malware I'm not super-annoyed by.

Re:

[wordsnyc]

Yeah. This really isn't "click fraud" in the sense of defrauding Google through spurious clicks. The ads are real, the clicks are from real potential customers, it's just that Google is having to cough up a minuscule fraction of its revenue to the page owner -- the same commission it would pay if the search were run under a legitimate instance of the Adsense for Search api, which is to say .005% of SQUAT.

Stop the presses! Google's been robbed! Not really. Obviously, the taking over PCs bit is bad behav

Re:

[Repossessed]

Um... depending on the search terms 20 dollars a click isn't unreasonable (or wasn't two years ago), and while Google puts a cap on payouts for high click value terms, they still pay about 75% of their click revenue to adsense publishers.

Hijack a hundred thousand machines this way, and you could pull a pretty good income, at least till you get shut down.

Re:

[Repossessed]

Note: my figures are from 2004, and may not reflect 2009 numbers.

Re:

[Repossessed]

Second note: Those payout figures are for large affiliate programs (like with AOL), they probably don't reflect smaller sites.

Re:

[wordsnyc]

I've gotten $3 per click on my sites on a good day. Of course, we all just take Google's word for the economics of Adsense -- they don't "do" auditing.

Re:

[gnick]

I wonder how they (Google) will react.. would guess that big corporations get quite pissed by this kind of stuff. Let's wait and see..

They've got the talent, the resources, and the legal team. This seems like an excellent time for Google to "be evil" and take the law into their own hands.

We could only hope.

Re:

[causality]

They've got the talent, the resources, and the legal team. This seems like an excellent time for Google to "be evil" and take the law into their own hands.

Yeah. Take the law into their own hands! With ... a team of lawyers.

Re:

[mqduck]

What do you think lawyers are for?

Re:

[causality]

What do you think lawyers are for?

Hypothetically speaking, if someone "took the law into his own hands," the lawyers would probably be the first to go...

Re:

[corbettw]

Nah, they'll just track which clicks are coming from that domain and then turn off the AdSense account(s) associated with it. That shouldn't be too hard to do.

Re:

[rattaroaz]

Reading the article helps - there is only one server: my-web-way.com , which is supposedly controlled by the attackers. The whois entry reveals, that it is registered in Moskow, Russia.. .

In America, server gets infected, but in Soviet Russia, infections get served!

Re:

[ioshhdflwuegfh]

Reading the article helps - there is only one server: my-web-way.com , which is supposedly controlled by the attackers. The whois entry reveals, that it is registered in Moskow, Russia.. .

In America, server gets infected, but in Soviet Russia, infections get served!

In America you serve the infection while in Soviet Russia the infection serves you.

Re:

[weicco]

Reading the article helps - there is only one server: my-web-way.com , which is supposedly controlled by the attackers.

echo 0.0.0.0 my-web-way.com >> C:\WINDOWS\system32\drivers\etc\hosts

There. I ended up their revenue stream :)

Re:

[Krneki]

I'm more interested in the server side of the story, how a fake Google ad finds a way on the server?

Re:

[notrandom]

tell you how. this is what happened to my machines (webserver and users). users got infected by some trojan. code was downloaded. executed with admin privileges. my webmastr was infected. ftp passwords were sniffed. all index*.(php)|(html) files were added the injections code. some others as well as phpbb logins etc etc. from there more users were browser-infected. some of those had ftps or such on other sites. rinse. repeat. i cleaned the servers fast as i was in standby at infection time luckily. since t

Re:

[ragethehotey]

no it didnt generate ANY revenue. thats the whole point, that they wont pay for fake clicks. why do you think that it FINALLY happened when in reality nothing really had changed?

Re:

[Runaway1956]

"and it's not fair (nor should it be legal!) to penalize that person for clicks outside their control"

If you own a dog, you're responsible for it. If you own a car, you're responsible for it. If you own a computer, you're not responsible?

Cry us a river - - -

Re:

[pjt33]

Did you actually read the portion you quoted in context? The "clicks outside their control" he's talking about aren't made on his computer but by some random person/bot visiting his website, which he was trying to monetise via Adsense.

Re:

[selven]

If someone injects a drug into your dog that makes him bite everyone in sight then the person who injected the drug is responsible.

The flaw in their foolproof plan

[Dachannien]

So, let me get this straight:

The trojaneers' moneymaking is predicated upon people actually clicking on ads.

Uh... good luck with that!

Re:

[zappepcs]

That comment makes more sense than any others I've read in this thread.... sigh

Re:The flaw in their foolproof plan

[michaelhood]

Yeah, good thing no one clicks [google.com] on Google's ads.

Google reported $21,128,514,000.00 in ad revenues for FY2008.

Re:

[Dachannien]

Does Google charge their customers per clickthrough or per impression?

Re:

[Anonymous Coward]

I would not in a million years click on adds in most sites (those that get past addblock et al, that is), as they're usually about as helpful and legit looking as the used car salesman guy advertising the steak knife cheese juicer on late-night TV.

But... google adds are small, typically unintrusive and sometimes (*shock* *horror*) relevant and even helpful. So yeah, I will click on one or two every now and then.

Re:

[mail2345]

Called people who do not understand the concept of ads on their computer. Like the people who fall for typosquatters. Not as dumb as the people who believe that the fellow from nigeria can make him rich, and enlargen his penis.

Next step, bank accounts

[mlts]

This reminds me of the concern about bank fraud that IBM made the ZTIC device to help mitigate.

First, the attack is click fraud, but its not that large a jump to target bank transactions. The malware can target a Web browser where a person thinks they transferred some cash to their savings from their checking, when in reality, their entire balance was just moved to an attacker's offshore account. The malware would be doing a man in the middle dance making the victim think that everything is fine, when in reality their account is empty.

This type of attack would get around a lot of security measures used by banks today. The only real defense would be to have a separate device that shows transactions on it and one confirms or denies on that device as opposed to a potentially compromised computer.

Re:

[zarzu]

i thought there have already been trojans like this (or it was just a thought experiment told to me in a slightly too threatening way), the general solution to it is - as you point out - the inclusion of a second device, like a cell phone, to confirm the transaction. makes it more of a hassle to complete a transaction but adds a rather strong way of detecting fraud, as long as people take the time to read the text message and don't just dismiss it as another 'yes really'-button. i think these trojans are a

Re:

[Renraku]

Let us say that your bank account were drained by said trojan. You look it up on an uninfected machine and see that all your money was just transferred to say, Zaire. You call your bank, bitch, moan, and you have your money back. Said account in Zaire is banned from all transfers by that bank.

That's standard practice for fraud transfers.

Now, lets say instead, that your bank account was only short a dollar.

One single dollar.

Would you notice?

Alright, if you noticed, do you think the people you work with wo

Re:

[sabt-pestnu]

Bank statements do have transaction records on them. While many people (myself included) do not examine them regularly or carefully, there are still many who would.

Shut Down the Adsense Account?

[basementman]

What's keeping Google from shutting down the account that are getting the illegitimate clicks? I doubt they could produce a hundreds of different account just because it would make receiving payment extremely difficult.

Re:

[zarzu]

i don't think anything is keeping them from it, it's probably the first thing they did or are going to do. the problem is that they need to track the configuration of the trojan (which can be updated remotely) and keep shutting down accounts of the new search sites. it would be far more convenient if they had a possibility to determine click fraud by analyzing their stats, which is very difficult this way, as the fraud essentially looks the same as normal behavior. not having that option increases their wor

Nine-ball?

[Suzuran]

Does this mean Cirno is the strongest?

Re:

[KDingo]

Apparently she's not as dumb as we've perceived her to be.

Re:

[Kushieda Minorin]

One thing is for sure: even at Google you can't take it easy.

Interesting Point

[Demonantis]

Who would be liable for the bug? Since its dlls that are affected Microsoft would have to fix it. The thing is why should they? Their customers are not affected terribly. It is not technically fraud because it is not really misrepresenting what it presents. Google still benefits because of the adsense charges. It would be interesting to see who wants to fix this.

Re:

[maxume]

It is in Google's interest to fix it. If the perception that adsense isn't fair becomes widespread, it hurts their pricing power.

Detection Should be Trivial

[phantomcircuit]

Alright and then google almost immediately bans that person for adsense.

Wow brilliant plan guys.

I had code like that on 3 sites

[bobjr94]

We have 3 web sites hosted by gate.com, all different domain names, different passwords, etc.. We have the same code/virus/whatever on all 3 sites, all used a hidden iframe linking to a site in Russia.

Re:Blocking the .ru domain

[Technician]

Does anyone know if the users browser times out if the router blocks the .ru domain? It may be worth monitoring your router logs for sudden excessive .ru domain requests.

this isn't click fraud!

[ILuvRamen]

They're not inducing clicks so it's not by definition click fraud. Who titled that? They're relying on a normal amount of clicks and just taking a commission off them that Google themselves offer freely. So basically they're just violating Google's terms of service for their search API. Actually it might not even say anything specifically related to showing a search API as a full page but still collecting the commission or whatever they're doing. Sounds like it's 99% Google's fault if you ask me.

Re:

[account_deleted]

Comment removed based on user account deletion

Russia is full of unemployed people

[3.5 stripes]

Many of them are computer scientists, mathematicians, and hackers.

Those people are actively recruited by the russian mob, because they have seen the amounts of money available in these sorts of scams.

Re:

[Moodie-1]

This may be off-topic, but WTH. Re your sig: Take a look at this YouTube video:
http://www.youtube.com/watch?v=-QRCKNoUgko [youtube.com] It's a hoot!
(If the link doesn't work then just search for "Stapelfahrer Klaus (subtitled)".)

If its evil, it can't be Google.....

[Bob_Who]

....the impersonators prefer "Don't Be Elvis"

dll with the name SOCKET2.DLL

[viralMeme]

"This dropper drops a dll with the name SOCKET2.DLL to Windows' system folder"

Having thus read, I need go no farther. How does the exploit actually get on to the web servers i nthe first place?

Unaltered altered noclick click fraud

[ioshhdflwuegfh]

With all this modern technology and stuff, things get complicated. Add a bit of English to it and it goes like this:

[...] the Trojan manipulates the victim's PC and browser so that the victim never actually sees the attacker-controlled Web site that is hijacking the search, but instead sees the search results as though they were returned directly from Google.com [italics added].

This as-though content that victim does not see is just like the content that the victim sees, the only difference being that there is no difference between the two:

Adding to the stealth is the fact that search results themselves aren't altered by the attackers, who are merely going after the referral payments should victims click on any of the displayed ads.

What's more, in this click fraud even clicks aren't changed:

What's more, the attackers aren't diverting clicks[...]

Welcome to the world of your invisible, untouchable overlords!

Cat - mouse

[fulldecent]

One solution to the AdSense cat-and-mouse game is conversion-based ad fees.

This is how the "complete 10 offers and get a free iPod" sites work. Clicking on the link doesn't work, you need to sign up for the offer and/or spend money.

If you are using AdWords fully, Google knows your conversions and knows what value those conversions provide to you. Your payment for ads could be changed so that you don't pay for CPM, you don't pay for clicks, you pay for conversions, which are money in your bank.

There is a pos

I'm impressed..

[Hobyx]

That's like the kind of sneakiness that would end up in Ocean's 11 or The Unusual Suspects. Whoever made this should do something productive with their time.

Old Fashioned Detective Work

[manoftin]

Surely Google should just follow the money?

Stealthiest?

[AP31R0N]

Why would they make one that was LESS stealthy? Does the Air Force work on making bombs less accurate? Does Porsche try to make their cars more sluggish? Is intel working on a chip that gets hotter?

This is like those stupid info bites where they pretend a change in any statistic is meaningful. "Unemployment is the highest it's been all month!" So what? You can always find some point in the past to say it's breaking some record. "This is the purplest purple since, um, 20 years ago. Wow!" That it bea