This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

OkaySearch and BuscaID Clickware and Browser Hijacking Detection

RSAAdmin
Beginner
Beginner
‎2013-05-11 09:39 PM

Advertising banner clickfraud is probably the most common type of crimeware seen in RSA FirstWatch's sandboxes on a daily basis.  The way that clickfraud works is a piece of malware gets installed that contains hardcoded referrer IDs.  We call this clickware.  This clickware will install a toolbar or other browser helper objects and will click on ad banners automatically.  Those ad banners, and the companies that sponsor them, will then pay pennies per click to the owner of those referrer IDs.  An owner and distributor of the clickware trojans can scrape hundreds or thousands of dollars per day depending on the success of his or her malware distribution.

 

buscaidcom-search.png

 

The most popular clickware detected today is the Okaysearch and BuscaID browser hijacking trojan.  This clickware will often automatically install on a victim's computer, changing the homepage and default search engines to either Okaysearch.com or BuscaID.com, which are mirrors of the same site.  BuscaID has been around since June of 2012.  Okaysearch.com was registered by BuscaID at the end of March 2013 after that domain name was allowed to expire by the previous domain holder.  Visiting either page will display advertisements that, if clicked, will install the BuscaID toolbar pack, which according to online resources, can be a bit of a bear to manually uninstall.  See this page here:

 

 

An easy way to detect whether any of your enterprise hosts has been compromised by this clickware is to create a rule looking for referers from these sites.  On your decoders, create a rule that reads:

Name:  OkaySearch and BuscaID Clickware

Condition:  referer contains 'okaysearch','buscaid'

Set to:  Alert in Alert field

 

buscaid.JPG.jpg

Finally, to show how rampant these clickware trojans are in the FirstWatch Sandbox, you can check out our 45-Day timeline screenshot below.  You will also note by looking at the Alerts field that identifies known intelligence types, that some of these sites containing the BuscaID and Okaysearch referers are also responsible for downloading other trojans, malware, and participate in Bitcoining.

 

buscaidtrend.JPG.jpg

 

Good luck hunting for Clickware!

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.