Danger! FFSearcher Click Fraud Trojan!
Sunday, July 5, 2009

While analyzing a slew of malware downloaded by the exploit kit used in the "Nine-Ball" web attacks, the SecureWorks Counter Threat Unit came across an interesting trojan that used a previously-unseen HTTP request pattern. Intrigued, we performed additional analysis to discover its purpose. After some time we came to the conclusion that the trojan was a search hijacker used for click fraud.
Click fraud trojans are as old as Internet advertising itself, and usually we see one of two types: browser hijackers that change one's start page and redirect searches to a third-party search engine, or trojans that silently pull down a list of ad URLs and generate fake clicks on the ads in a hidden Internet Explorer window. This trojan, however, was much more subtle and creative: in this case, every click on an ad is user-generated, and the user never notices any change in their web-surfing experience.
We call this trojan search hijacker "FFSearcher", named after one of the websites used in this scheme. Detection of the dropper executable by anti-virus engines is poor at this time, with only 4 of 39 scanners detecting it at all.
Size: 76800 bytes
PE timestamp: Wed Jun 10 14:17:03 2009
MD5 sum: 09dbd01791f310b9d97378cac6efa185
SHA1 sum: ec04a28a8ee0d38bc3590cc2301c0e9d30077938
FFSearcher installs itself by attaching to an existing system file as an NTFS alternate data stream. Such streams do not appear in Explorer windows or in a plain command-line directory listing, and the size shown for the host file does not change. In this case, the host file was C:\WINDOWS\system32\netcfgx.dll, and the alternate data stream was named "Zone.Identifier", so the stream can only be reached by requesting the full path, C:\WINDOWS\system32\netcfgx.dll:Zone.Identifier. The name is well chosen: Zone.Identifier is the stream Internet Explorer itself writes to downloaded files to record their security zone (the "mark of the web"), so a stream with that name draws little suspicion from anyone who does notice it.
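The hiding trick above suggests a simple triage check: a genuine Zone.Identifier stream is a tiny INI fragment of the form "[ZoneTransfer] / ZoneId=3", so any Zone.Identifier stream that is large, that is not parseable as such an INI record, or that starts with a PE header is worth a closer look. The following is an added example written for this page, not code from SecureWorks or from the original post. The stream inventory it runs over is constructed inline (the system32 sample reuses the dropper's 76800-byte size with a synthetic PE header), and the 1024-byte size ceiling is an assumption, chosen generously above any real mark-of-the-web record.

```python
"""Triage NTFS alternate data streams named Zone.Identifier.

A legitimate Zone.Identifier stream is the mark-of-the-web written by
Internet Explorer and other downloaders: a short INI fragment such as
"[ZoneTransfer]\r\nZoneId=3". A Zone.Identifier stream that carries a PE
image, or that is far larger than any plausible record, matches the
hiding technique described in the post.
"""
import configparser
import struct

# Assumption: no real mark-of-the-web record comes anywhere near this size.
MAX_MOTW_BYTES = 1024


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def parse_motw(data: bytes):
    """Return the ZoneId as an int if data is a well-formed mark-of-the-web record, else None."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return None
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    zone = cp.get("ZoneTransfer", "ZoneId").strip()
    return int(zone) if zone.isdigit() else None


def classify_stream(path: str, stream: str, data: bytes) -> str:
    """Classify one (file, stream name, stream contents) triple."""
    if stream != "Zone.Identifier":
        return "other-stream"
    if looks_like_pe(data):
        return "suspicious: PE image in Zone.Identifier"
    if len(data) > MAX_MOTW_BYTES:
        return "suspicious: oversized Zone.Identifier"
    if parse_motw(data) is None:
        return "suspicious: malformed Zone.Identifier"
    return "benign: mark-of-the-web"


def build_fake_pe(size: int) -> bytes:
    """Constructed stand-in for a PE image: valid MZ header, e_lfanew, and PE signature."""
    hdr = bytearray(b"MZ" + b"\x90" * 0x3A)   # 0x3C bytes of DOS header
    hdr += struct.pack("<I", 0x80)             # e_lfanew -> offset 0x80
    hdr += b"\x00" * (0x80 - len(hdr))
    hdr += b"PE\x00\x00"
    return bytes(hdr).ljust(size, b"\x00")


# Constructed sample inventory; on a live host you would collect this with
# PowerShell (Get-Item <path> -Stream *) or "dir /R" and read each stream via path:stream.
SAMPLE_STREAMS = [
    (r"C:\Users\alice\Downloads\setup.exe", "Zone.Identifier",
     b"[ZoneTransfer]\r\nZoneId=3\r\n"),
    (r"C:\Users\alice\Downloads\report.docx", "Zone.Identifier",
     b"[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.com/\r\n"),
    (r"C:\WINDOWS\system32\netcfgx.dll", "Zone.Identifier", build_fake_pe(76800)),
    (r"C:\temp\notes.txt", "Zone.Identifier", b"not an ini record"),
]


def triage(streams):
    """Return (path, stream, verdict) for every stream in the inventory."""
    return [(p, s, classify_stream(p, s, d)) for p, s, d in streams]


if __name__ == "__main__":
    for path, stream, verdict in triage(SAMPLE_STREAMS):
        print(f"{verdict:45s} {path}:{stream}")
```

The PE check is deliberately placed before the size check so that a small loader stub hidden in the stream is still flagged; the size ceiling then catches large non-PE payloads, and the INI parse catches anything that is neither. A benign-looking record on a file under system32 would still be odd, since system files are not downloads, but that judgement is left to the analyst rather than encoded here.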
Read complete post at :