Nontraditional Trojan Distribution

Wednesday, July 13, 2011 @ 10:07 AM gHale

Cyber criminals pushing click fraud Trojans use distribution techniques commonly seen in scareware schemes, said GFI security researchers.

This is one of the first browser-aware schemes used to distribute this type of malware and right now appears to target Chrome and Firefox users, the researchers said.


The Trojan, part of the 2GCash family, comes from a domain registered through a free dynamic DNS provider.

Internet Explorer users are redirected to a legitimate website, while people using other browsers are served malicious files for download. Google Chrome users get a prompt to download and install a Flash Player update called v11_flash_AV.exe, even though the browser ships with a bundled Flash plug-in that updates regularly.

Meanwhile, Firefox users see a fake “what’s new” page that similarly claims the installed Flash Player is outdated. This mimics the page that normally appears after Firefox upgrades to a new version, which genuinely checks whether the installed plug-ins are up to date.

However, despite warning about an old version of Flash Player, the file served for download is ff-update.exe. Both files install the same 2GCash variant, a Trojan used to perform click fraud and hijack people’s search results.

This allows the cyber criminals to monetize their creation. However, the malware can also act as a downloader for additional threats, including PDF exploits and scareware.
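The browser-aware serving described above (a redirect for Internet Explorer, a different executable for each of Chrome and Firefox from the same URL) is itself a detectable pattern. The following is an added example, not code from GFI or from this article: it scans constructed proxy-log lines for URLs that hand different browser families different outcomes, and for executables named like Flash or Firefox updates served from outside the vendors' own domains. The log format, host names and vendor allowlist are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample proxy log (not from the article), one request per line:
# client | user-agent | host | path | status | outcome
# "outcome" is the Location header for a 30x response or the served filename for a 200.
SAMPLE_LOG = """\
10.0.0.5|Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)|evil-host.example-dyndns.test|/update|302|http://legit.example/
10.0.0.6|Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 Chrome/13.0.782.24|evil-host.example-dyndns.test|/update|200|v11_flash_AV.exe
10.0.0.7|Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0|evil-host.example-dyndns.test|/update|200|ff-update.exe
10.0.0.8|Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 Chrome/13.0.782.24|get.adobe.com|/flashplayer|200|install_flash_player.exe
10.0.0.9|Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0|www.mozilla.org|/firefox/5.0/whatsnew|200|index.html
"""

def browser_family(ua):
    """Coarse user-agent classification; Chrome is tested before the generic Mozilla token."""
    if "MSIE" in ua:
        return "ie"
    if "Chrome/" in ua:
        return "chrome"
    if "Firefox/" in ua:
        return "firefox"
    return "other"

def parse_log(text):
    records = []
    for line in text.splitlines():
        client, ua, host, path, status, outcome = line.split("|", 5)
        records.append({"client": client, "family": browser_family(ua), "host": host,
                        "path": path, "status": int(status), "outcome": outcome})
    return records

def find_browser_cloaking(records):
    """URLs that answer different browser families with different outcomes (redirect vs. executable)."""
    by_url = defaultdict(dict)
    for r in records:
        by_url[(r["host"], r["path"])][r["family"]] = r["outcome"]
    return {url: fams for url, fams in by_url.items() if len(set(fams.values())) > 1}

# Heuristic: filenames styled as Flash/Firefox updates; vendor domains are an assumed allowlist.
FAKE_UPDATE_NAME = re.compile(r"(flash|ff[-_]?update|update).*\.exe$", re.I)
VENDOR_DOMAINS = ("adobe.com", "mozilla.org")

def find_fake_updates(records):
    """Update-named executables served from anywhere but the vendor's own domains."""
    def vendor(host):
        return any(host == d or host.endswith("." + d) for d in VENDOR_DOMAINS)
    return [r for r in records
            if r["status"] == 200 and FAKE_UPDATE_NAME.search(r["outcome"]) and not vendor(r["host"])]
```

Both checks are heuristics: a site that legitimately varies by browser will also appear in the cloaking output, so the two signals are best combined with the hosting domain (here a dynamic-DNS host) before raising an alert.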
