RSA Firstwatch shines a spotlight in the darker corners of the Internet to better understand Internet Fraud and Criminal trends online. When possible, RSA Firstwatch members will use this space to share information about some of our findings.
When it comes to current trends that FirstWatch is seeing in our research lab, we must declare that ClickFraud and Bitcoining are still the biggest recurrent threats we see. And some of this malware has formed an unholy union of these two activities to deliver a constant stream of revenue to the malware authors in the form of ad clicks while also performing some bitcoin mining using spare CPU cycles.
In fact, this activity is so constant and noisy, I had to develop several rules to filter it out of my Security Analytics collections. I am far more interested in trojan programs, DDoS bots and APT exfiltration than I am in meager click fraud. But click fraud is the literal 800 pound gorilla in my room, so this blog will be about understanding and detecting this clickfraud trojan.
For those who don't already know, clickfraud is a way for miscreants to generate money for themselves through referral services via ad banners on various websites. Step one would be to register with an ad-services provider that pays pennies or more per click. Step two would be to gain control of a botnet- followed by step three, programming the botnet to click on ads with the miscreant's referral ID coded into the clicks. The advertising agency counts the clicks and issues the check at the end of the month. The trick for the clickfraudsters is to not generate too many clicks to gain the attention of the ad agency's threshholds to automatically detect click fraud. Or the fraudster has to register scores of referral IDs and randomize his clicks via his botnet to generate his income without detection.
But not all referral money is derived from adclicks. Some software companies sponsor referrals as well. Most seen today is the referral program from Real.com. Remember those guys? They were the big media streaming company back at the turn of the century? Well now they have a high-paying affiliate program that earns miscreants revenue, and we see Realplayer referrals quite often associated with adclick fraud.
One enterprising malware author thought to combine the world of adclick fraud with bitcoin mining. While the user is active, the ad clicking takes place offscreen via an iframe. When the user is idle, the bitcoining software plays with algorithms to strike virtual paydirt. There is a decent writeup on this malware over here at ThreatExpert.
You should check your enterprise to see if anyone has this double-whammy malware installed on an endpoint. The rules are pretty simple:
For the Directdownloader and Bitcoining downloader, look for
client='nsisdl/1.2'
The download software are all hosted on Zen servers.
server='zen'
And of course any connection to
alias.host=www.directdownloader.com, www.openbitcoin.org, openbitcoin.org
should be considered a known clickfraud malware action.
Happy hunting!
