Advanced File-Contaminator Enables Malicious Campaign of Click-Fraud
According to security investigators, a new botnet is running an enormous click-fraud scam in which cyber-criminals have hijacked 87m online searches for various websites, CRN reported on August 26, 2011.
Named W32.Xpaj.B, the detected file-infector is a highly complex and sophisticated piece of malware, and it has drawn malware analysts' attention particularly for its elaborate detection-evasion tactics. According to Piotr Krysiuk, a staff member at Symantec, the malware is one "upper crust contaminator." Symantec.com published this on August 26, 2011.
W32.Xpaj.B looks like any ordinary installer; nevertheless it has been used solely in the click-fraud scam mentioned above, which hijacks legitimate search engine requests in order to generate advertising revenue.
Kevin Haley, Director of Symantec Security Response, stated that what makes this particular click-fraud botnet unusual is its deceptive code, which stays hidden inside an infected file so that it can evade detection. CRN published this.
Moreover, W32.Xpaj.B also avoided infecting particular domains such as .int, .gov and .mail, along with domains hosted in many Eastern European countries, possibly to stay off the radar of law enforcement and the American government, the director stated.
The analysis uncovered Internet Protocol addresses belonging to the central C&C (command-and-control) servers. Executable files infected with W32.Xpaj.B contacted these servers to request permission to download additional components. Furthermore, studying the central C&C infrastructure revealed that it handled far more than just the data it sent to infected PCs.
Encrypted binary data, encryption keys, Web applications and databases were all stored on the servers, forming the components that apparently powered a single scam operation against many PCs across several countries.
As soon as the above-mentioned encrypted binary was executed, W32.Xpaj.B monitored the end-user's online activity and the resulting Web traffic so that it could hijack the clicks and searches he made. It then transmitted the captured content to the C&C server.
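The behaviour described above (a search on a legitimate engine followed almost immediately by the infected host posting captured data to a command-and-control server) is something a defender can look for in Web proxy logs. The following is an added example, not code from the article or from Symantec's analysis: it parses a few constructed proxy log lines and flags clients that issue a search-engine query and then, within a short window, POST to a host addressed by a bare IP rather than a hostname. The log format, the 30-second window, the hit threshold and the 203.0.113.10 address are all assumptions made for the example; the real C&C addresses from the analysis are not given on the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from urllib.parse import urlparse

# Hosts whose /search path marks a legitimate search-engine query (assumed list).
SEARCH_ENGINE_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

# Constructed sample proxy log: "<ISO timestamp> <client IP> <method> <URL>".
# 203.0.113.10 is a documentation-range address standing in for a C&C server.
SAMPLE_LOG = """\
2011-08-26T10:00:01 10.0.0.5 GET https://www.google.com/search?q=flowers
2011-08-26T10:00:03 10.0.0.5 POST http://203.0.113.10/gate.php
2011-08-26T10:00:04 10.0.0.5 GET http://www.example.com/flowers
2011-08-26T10:00:20 10.0.0.5 POST http://203.0.113.10/gate.php
2011-08-26T10:00:02 10.0.0.7 GET https://www.bing.com/search?q=shoes
2011-08-26T10:00:05 10.0.0.7 GET http://www.example.org/shoes
2011-08-26T10:05:00 10.0.0.7 POST http://203.0.113.10/gate.php
""".splitlines()


@dataclass
class ProxyEvent:
    ts: datetime
    client: str
    method: str
    url: str


def parse_line(line: str) -> ProxyEvent:
    """Parse one space-separated proxy log line (assumed format)."""
    ts, client, method, url = line.split(" ", 3)
    return ProxyEvent(datetime.fromisoformat(ts), client, method, url)


def host_is_bare_ip(host: str) -> bool:
    """True when the URL host is a literal IPv4/IPv6 address, not a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_clients(lines, window=timedelta(seconds=30), min_hits=2):
    """Return {client: [(timestamp, host), ...]} for clients that POST to a
    bare-IP host within `window` of a search-engine query at least `min_hits`
    times. A single hit is tolerated to keep false positives down."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: (e.client, e.ts))
    by_client = {}
    for e in events:
        by_client.setdefault(e.client, []).append(e)

    results = {}
    for client, evs in by_client.items():
        hits = []
        last_search = None
        for e in evs:
            parsed = urlparse(e.url)
            host = parsed.hostname or ""
            if host in SEARCH_ENGINE_HOSTS and parsed.path.startswith("/search"):
                last_search = e.ts  # remember the most recent legitimate search
            elif (e.method == "POST" and host_is_bare_ip(host)
                  and last_search is not None and e.ts - last_search <= window):
                hits.append((e.ts.isoformat(), host))
        if len(hits) >= min_hits:
            results[client] = hits
    return results


if __name__ == "__main__":
    for client, hits in find_suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: search followed by POST to bare IP at {hits}")
```

On the constructed sample, only 10.0.0.5 is reported: it posts to 203.0.113.10 twice within 30 seconds of its Google query, while 10.0.0.7's single POST falls five minutes after its search and is ignored. The bare-IP heuristic is deliberately narrow; a production rule would also correlate against a threat-intelligence list of known C&C addresses and the DNS-less destinations seen across the whole fleet.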
Security investigators estimated that the click-fraud scam earned the cyber-criminals around $46,000, peaking at $62,000 a year.
A similar recent scam prompted Google to display malware alerts to people searching via its website. The results returned for those search requests, which were routed through various proxies, were accompanied by malicious ads.
SPAMfighter News - 08-09-2011