Malware Affiliation Programs

By posted 23 May 2008 at 05:28AM

General

0

If you are a frequent reader of this blog, it is not news to you that malware authors are moving away from a quest for fame toward profit driven operations. Malware authors and controllers are moving to a free market organization where each group has a very precise area of expertise and "outsource" other tasks to other groups.

An example of this business structure are the malware affiliation programs that seem to gainin popularity. Some malware gangs have removed infections from their malicious operations and now rely on other groups to install their creations on victim computers. A typical scenario goes as follow:

  • A number of websites get defaced using various types of attack vector to include an iFrame. This iFrame then injects malicious code in visitors Internet browser.
  • The malicious code installs a basic trojan on the victim system. The only functionality of this trojan is to download and execute additional components, usually from affiliated gangs.
  • The controllers of the malware that gets installed on the victims’ computer pay the attackers that defaced the websites in compensation for the installations.

We came across such a site with tens of different malicious samples this week. In this case, the malicious code tries to exploit five different vulnerabilities present in Internet Explorer or its ActiveX components. The first stage downloader sits on the infected computer for a couple of seconds before downloading and installing nine different malware including adware, worms, and viruses. This attack is far from being subtle; an infected computer becomes almost unusable within minutes after infection since the malicious programs eats up all the system’s resources. The malicious server is presently hosted in Russia and is still serving malware. The following malware have been detected on the server:

  • Win32/BHO.NCI trojan
  • Win32/TrojanProxy.Agent.NDW
  • Win32/Nulprot trojan
  • Win32/Statik application
  • a variant of Win32/TrojanDownloader.Small.IAW trojan
  • Win32/Adware.Virtumonde application
  • Win32/TrojanClicker.Agent.NDEtrojan
  • probably a variant of Win32/Nuwar worm
  • Win32/TrojanDownloader.Small.AWA trojan

As usual, our recommendations to users are to update any installed software, including ActiveX components. For webmasters, we strongly recommend monitoring web pages to quickly identify malicious content for removal and thus protect your visitors.

 

Pierre-Marc Bureau

Researcher

Related Articles

Internet Service Providers “failing to protect” against cyber attacks, says EU agency
Supermarket security breach puts 2.4 million credit cards at risk
Nine out of ten employees knowingly ignore cyber safety policies
Oregon farm company sues its bank over $223,500 cyber-heist
Obama increases spending to defend U.S. computer networks from cyber attacks

Follow Us

FacebookYoutubeTwitterLinkedInGoogle+RSS

Automatically receive new posts via email:

Delivered by FeedBurner

11 articles related to:
Hot Topic

Linux malware

07 May 2013
11
Linux/Cdorked.A malware: Lighttpd and nginx web servers also affected
06 May 2013
10
Linux Apache malware: Why it matters to you and your business
02 May 2013
9
The stealthiness of Linux/Cdorked: a clarification
26 Apr 2013
8
Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole
24 Jan 2013
7
Linux/SSHDoor.A Backdoored SSH daemon that steals passwords
View more
Popular articles Tags
.ASIA domain name scams still going strong
Close call with a Caribbean cruise line scam
DNSChanger temporary’ DNS servers go dark soon: is your computer really fixed?
Java zero day = time to disable Java, in your browser at least
AMMYY Warning against Tech Support Scams
ESET Virus Radar

Archives

Select month
Copyright © 2013 ESET, All Rights Reserved.