For the past couple of weeks, owners of Web sites have been hit with a wave of attacks that surreptitiously infect unsuspecting visitors with a wide variety of malware types. The first wave inflicted rogue antivirus on unlucky victims, but late last week victims who visited infectious sites were redirected into a drive-by download site that pushes clickers onto a vulnerable visitor’s computer.
I’m going to name (domain) names in this post, so please, for your own sake, use this information only to block the domains at your gateway or in your Hosts file — don’t go visiting them just to see what happens. I guarantee you won’t like what happens.
In the earlier attacks that began the week of April 5th, the malicious script directed victims to a page hosting the Eleonor exploit kit; The kit uses several well-worn methods to try to push executable malware (typically the Tacticlol downloader, which malware distributors have been using of late to push down rogue antivirus programs) at susceptible browsers, or computers running vulnerable versions of Adobe Acrobat or the Java Runtime Engine.
Those attacks originated from several domains, including corpadsinc.com, mainnetsoll.com, and networkads.net — all of which are hosted on the same IP address in Turkey, and are still live and hosting the exploit page.
But last week the script began directing users into a page on the domain name yahoo-statistic.com, a site which, despite its name, has nothing at all to do with the giant portal. That page, which loads in an iframe, opens other malicious sites which push the infection.
The list of affected sites is global, including a newspaper in Florida; the English-language page of a government’s Ministry of Women’s Affairs Web site; the Web site of a Spanish lawyer’s association; and a car dealership Web site in Indonesia. And as of today, visitors to this growing list of Web sites are still getting hit with Trojans.
I’m sure a lawyer for Yahoo would love to have some words with anyone connected to this latest attack, which has been going strong for at least six days now. Unfortunately, the site is hosted in Russia, and it appears to have been put together by the same people who use the name “Hilary Kneber“ to register the Web domains they use for malicious purposes. In February, we and others noticed that the same cadre of goons had been actively spreading the Trojan-Backdoor-Zbot password stealer from Web sites supposedly registered to this same pseudonym.
Each of the sites attempt to exploit various security vulnerabilities (one Adobe PDF, two separate Java vulnerabilities, and a hackneyed attack against older versions of Internet Explorer called the MDAC exploit) in order to push malware (shown above as a file called setup.exe) at a visitor. When the infection is complete, the iframe then redirects the page to Google‘s “404″ (page not found) page, as shown below.
If one or more exploits are successful, the victim’s machine pulls down the clicker executables and then contacts one of at least three different Web domains: itotolo.com, totoship.com, and iprototo.com, which serve as command-and-control for the clickers. I don’t know why the malware distributor seems to have an obsession with a scruffy mutt from a famous movie, but I don’t need to understand the machinations of an unhinged mind to be able to deal with the consequences of its actions.
Clickers are an odd sort of adware in that they don’t actually display the ads they load on the infected computer. Selling you junk you don’t need is not in the business plan. Instead, a clicker simply loads dozens to hundreds of Web pages per minute silently, in the background, in an attempt to manufacture fraudulent “clicks” on online ads. Criminals can make money for themselves by signing up as advertising affiliates, then using the clickers to drive infected machines to load their pay-per-click ads. Unscrupulous companies also can use clickers to load the ads from a competitor company, which can prematurely expend the victim company’s pay-per-click ad budget.
Initially, the site pushes down a dropper we classify to the definition Trojan-Backdoor-failst0rm (aka Win32.Decay by other vendors), and that dropper delivers the clicker payload, which we call Trojan-Clicker-Dawg. Because the dropper portion of the infection won’t run in a virtual environment, we play with this stuff on real hardware.
There’s good reason to get rid of clickers quickly: They have a nasty habit of “casually” visiting Web sites hosting other drive-by download exploits, which can force even more malware onto an already infected computer. They also consume a tremendous amount of bandwidth in the furtherance of their activities, which can slow to a crawl an infected PC’s ability to surf the Web.
Author profile: Andrew Brandt
Andrew Brandt researches malware for Webroot Software, and contributes to the Webroot Threat Blog. As a member of the Threat Research team, he and his colleagues help identify malicious software trends and improve the Webroot Antivirus with Antispyware product. Andrew joined the team in 2006. Prior to coming to Webroot, he worked for PC World magazine as a Senior Associate Editor, covering computer security and privacy issues for nearly a decade. In that role, he also wrote the Privacy Watch column. He lives in Boulder, Colorado.