Advertising banner clickfraud is probably the most common type of crimeware seen in RSA FirstWatch's sandboxes on a daily basis. The way that clickfraud works is a piece of malware gets installed that contains hardcoded referrer IDs. We call this clickware. This clickware will install a toolbar or other browser helper objects and will click on ad banners automatically. Those ad banners, and the companies that sponsor them, will then pay pennies per click to the owner of those referrer IDs. An owner and distributor of the clickware trojans can scrape hundreds or thousands of dollars per day depending on the success of his or her malware distribution.
The most popular clickware detected today is the Okaysearch and BuscaID browser hijacking trojan. This clickware will often automatically install on a victim's computer, changing the homepage and default search engines to either Okaysearch.com or BuscaID.com, which are mirrors of the same site. BuscaID has been around since June of 2012. Okaysearch.com was registered by BuscaID at the end of March 2013 after that domain name was allowed to expire by the previous domain holder. Visiting either page will display advertisements that, if clicked, will install the BuscaID toolbar pack, which according to online resources, can be a bit of a bear to manually uninstall. See this page here:
An easy way to detect whether any of your enterprise hosts has been compromised by this clickware is to create a rule looking for referers from these sites. On your decoders, create a rule that reads:
Name: OkaySearch and BuscaID Clickware
Condition: referer contains 'okaysearch','buscaid'
Set to: Alert in Alert field
Finally, to show how rampant these clickware trojans are in the FirstWatch Sandbox, you can check out our 45-Day timeline screenshot below. You will also note by looking at the Alerts field that identifies known intelligence types, that some of these sites containing the BuscaID and Okaysearch referers are also responsible for downloading other trojans, malware, and participate in Bitcoining.
Good luck hunting for Clickware!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.