CyberInsecure.com

Google AdSense Abused Through Click Fraud Malware Applications

Miscreants have developed one of most sophisticated click fraud malware applications to date. The Trojan code – dubbed FFsearcher by security firm SecureWorks – plugs into a Google API that allows webmasters to add a Google-powered search widget (called “Google Custom Search”) to their website. In normal use, search results made via the widget are displayed alongside Google AdSense ads, with webmasters receiving a small fee every time a surfer follows an ad.

The malware hijacks this feature so that every search an infected user makes is performed through a search widget under their control, so that they get paid by Google every time a surfer clicks on a sponsored ad. Hackers have also worked out a means to pull off this sleight of hand without giving any indication to surfers that anything might be amiss. Google might find it hard to unravel instances of fraud.

FFSearcher installs itself by attaching to an existing system file as an NTFS alternate data stream. These files are hidden from Explorer windows and command-line directory listings. In this case, the name of the system file was C:WINDOWSsystem32netcfgx.dll, and the alternate data stream was named “Zone.Identifier”, making the stream accessible only by requesting the entire path, C:WINDOWSsystem32netcfgx.dll:Zone.Identifier.

The name “Zone.Identifier” is used by Windows post-XP Service Pack 2 as a way to mark an executable that has been downloaded from the Internet, so it would not be unexpected to find such an alternate data stream attached to a file. FFSearcher modifies the existing registry entry that loads the netcfgx.dll to point to netcfgx.dll:Zone.Identifier instead. This way the trojan can load itself into the system without creating any new and suspicious registry keys that might be noticed by startup registry analysis tools. When the trojan DLL finished loading, execution continues on with the original system DLL as if nothing had happened.

The registry key modified is HKLMsoftwareClassesCLSID {5B035261-40F9-11D1-AAEC-00805FC1270E}InProcServer32, which controls the location of the DLL for the network configuration component object of Windows.

The final payload is designed to use a kind of “augmented reality” to redirect searches in Google to a third-party website, my-web-way.com, while maintaining the appearance in the browser that the user is still viewing the Google website and search results the entire time.

The motivating factor behind this scheme is a system Google created called “AdSense for Search”. Google provides an API to webmasters to add a Google-powered search widget (called “Google Custom Search”) to their website. AdSense ads are displayed in the search results, and if a user clicks on one of the ads, Google will pay the webmaster a small sum of money. Many websites and blogs use this service legitimately.

This is one of the more clever click-fraud trojans with an impressive feature set:

1. Working code to hijack both Firefox and IE
2. Difficult to spot by the average user
3. Minimally impacting to the infected machine
4. Probably difficult for fraud detection systems at the search engine sites to detect, since every ad-click that comes through ]is generated on purpose by a user in the course of normal web-surfing activity.

As such, the attack is more sophisticated than previous click fraud approaches, which relied on tricks such as changing a surfer’s start page and searches to point to a third-party search engine, types of behavior that might more easily be detected. FFsearcher works on both IE and Firefox.

“Every click on an ad is user-generated, and the user never notices any change in their web-surfing experience,” writes Joe Stewart, director of malware analysis at SecureWorks. FFsearcher is part of the exploit bundle spread by the recent Nine-ball mass compromise, SecureWorks adds.

Credit: The Register
Credit: SecureWorks

Posted in Cybercrime, Google, Malware, Trojans & Worms |  Print This Post