SecureWorks Discovers New Click Fraud Trojan

While analyzing a number of malware installed by an exploit kit used to launch 'Nine-Ball' web attacks, security researchers at SecureWorks discovered a new Trojan that employed previously-hidden HTTP request pattern for spreading itself on computers.

Researcher did extensive analysis of the Trojan to know the purpose behind its appearance and found that it was a search hijacker used for click fraud. They highlighted that the Trojan used Google's "AdSense for Search" API that authorized websites to add Google search results along with its usual AdSense ads.

When a user searches anything on Google.com, the Trojan converts the search in such a way that it secretly goes to attackers' website. The Trojan compromises the victims' PC as well as browser, enabling the attacker to keep his website hidden from the user. Moreover, the hidden website sends the search results to the user without leaving any mark of suspicion and gives an impression as they have directly come from Google.com.

It is said that Yahoo search has suffered from the same problem but researchers did not find any evidence of redirection of Yahoo searches. Most of the search hijackers captured the victims' machines by redirecting their browsers to some unnamed search engine.

The technique of click fraud has been prevalent for many years and hackers use malicious software to make their attacks more successful. But victims easily predict that something is wrong when they find their searches are redirecting to unknown portals against their regular search provider.

The new Trojan horse proliferates through tens of thousands lately compromised websites hijack search results. Google.com users remain in dilemma that their search results are filtered through third-party sites.

According to security researchers, click fraud trojans have been persistently coming since the beginning of Internet advertising. They are usually of two kinds - first change the search and page of a user to redirect him to a third party search engine; second includes downloading of a number of URLs and make fake clicks on the ads in a concealed Internet Explorer browser.

However, the new Trojan is more advanced and stealth. In this case, each click on ad is generated by the user.

Related article: SecureWorks Identifies Bank and Information Stealing Trojan Coreflood

» SPAMfighter News - 7/10/2009