Trojan Focuses on Click Fraud

Tuesday, May 13, 2014 @ 04:05 PM gHale

While there are quite a few ways for bad guys to steal your money, click fraud still represents an efficient way for them to make off with more bounty.

Along those lines, researchers have been analyzing the activities of cybercriminals that rely on the Viknok Trojan for click fraud operations.

New Ransomware Hits Market
Android Ransomware For Sale
Security App Minus the Security
Multiple Attacks for Android Trojan

Trojan.Viknok has been around since at least April 2013. According to Symantec, the threat is capable of turning infected computers into botnet zombies by obtaining elevated privileges on the operating system, including on the 32- and 64-bit versions of Windows 7.

Last month, researchers noticed a considerable increase in the number of infections. In many cases, victims report hearing audio clips through their speakers when their systems end up infected with the Trojan.

So far 16,500 unique victims ended up recorded in May alone, most of them being located in the United States.

Viknok infects computers by injecting its payload into DLL files. However, on the latest operating systems, this is not an easy task. This is why cybercriminals are using a number of methods to inject files, such as rpcss.dll, a library that lets software run each time the operating system starts.

The threat uses the SeTakeOwnerhipPrivilege function to take ownership of system files. It also leverages the Dynamic-Link Library Search Order to run a malicious DLL inside the System Preparation Tool process. The RunLegacyCPLElevated.exe (Run a legacy CPL elevated) tool ends up utilized to execute DLLs with elevated privileges.

Another technique, which Symantec experts say is the most powerful, involves the exploitation of CVE-2013-3660, a Windows Kernel “Win32k.sys” local privilege escalation vulnerability.

When it first lands on a computer, Viknok uses one or more of these techniques to inject the rpcss.dll file. This allows the malware to execute every time the operating system starts. Once this file ends up infected, it loads the core of the malware, which is in the System folder in an encrypted file.

“In many cases, the infection process is completely stealthy; the threat does not show any warning to the user. The malware is also difficult to detect since it does not show any suspicious running process, nor does it infect any of the standard load points,” Symantec researchers said.

In some instances, a User Account Control (UAC) prompt is displayed, and the victim needs to grant permission in order for the infection to be successful. However, the UAC prompt might not look suspicious, so users might give the Trojan permission without giving it too much thought.

As far as click fraud goes, once the threat infects a computer, its masters send it commands to load various websites. Researchers believe victims might be hearing audio clips in their speakers because the content plays on the websites visited by Viknok. The websites offer car insurance, travel tickets, domain name registration, and many other services.

The number of infections has increased over the past months. If in December almost no infections were spotted, in January, the number increased to over 10,000. In February it dropped to around 2,500, but in March it increased to 7,500. In April, the total number of unique infections was 22,000.

Leave a Reply

You must be logged in to post a comment.