Cyber Criminals Using New Malware to Make Money with Click Fraud
Before ransomware took over, click fraud was one of the most popular and efficient ways for cybercriminals to make money, and with the explosive growth of online threats it is still very much present on the Internet.

"Click fraud" is the practice of deceptively clicking on search ads with the intention of either increasing a third-party website's revenue or exhausting an advertiser's budget. Besides the search results, we have all seen advertisements placed on the search engine's results page. If a visitor clicks the ad, the advertiser has to pay a fee to the search engine.

The problem that has arisen with pay-per-click advertising is click fraud. The term "fraud" is used because in either case the advertiser is paying for a click without receiving any true value. Of course, the number of clicks has to be large enough to bring in a considerable amount of money, and to achieve that an attacker can use an automated script or malicious program to simulate many browser clicks on an ad.
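As an added example (not from the article or from Symantec's research), this is the kind of check an ad network runs on its own side to catch the automated clicking described above: a per-source rate limit over a constructed click log, with the flagged source's clicks removed from what the advertiser is billed. The log format, the addresses and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of an ad network's click log (not real data), one click
# per line: "<ISO timestamp> <client IP> <ad id> <publisher site>".
SAMPLE_LOG = """\
2014-05-02T10:00:00 198.51.100.7 ad-4412 travel.example
2014-05-02T10:00:03 198.51.100.7 ad-4412 travel.example
2014-05-02T10:00:05 198.51.100.7 ad-4412 travel.example
2014-05-02T10:00:09 198.51.100.7 ad-4412 travel.example
2014-05-02T10:00:12 198.51.100.7 ad-4412 travel.example
2014-05-02T10:00:14 198.51.100.7 ad-4412 travel.example
2014-05-02T10:01:30 203.0.113.9 ad-4412 travel.example
2014-05-02T10:04:10 203.0.113.44 ad-9001 insurance.example
2014-05-02T10:52:00 198.51.100.7 ad-9001 insurance.example
"""

def parse_clicks(text):
    """Parse log lines into (timestamp, ip, ad_id, publisher) tuples."""
    clicks = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, ad, pub = line.split()
            clicks.append((datetime.fromisoformat(ts), ip, ad, pub))
    return clicks

def flag_burst_clickers(clicks, max_clicks=5, window=timedelta(minutes=1)):
    """Sliding-window rate check per (ip, ad_id): a person rarely clicks the
    same ad more than a few times a minute, an automated clicker does.
    Returns {(ip, ad_id): timestamp of the click that breached the limit}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, ad, _ in sorted(clicks):
        q = recent[(ip, ad)]
        q.append(ts)
        while ts - q[0] > window:      # forget clicks older than the window
            q.popleft()
        if len(q) > max_clicks and (ip, ad) not in flagged:
            flagged[(ip, ad)] = ts
    return flagged

def billable_clicks(clicks, flagged):
    """Clicks per ad after discarding every click from a flagged source, so
    the advertiser is not charged for the whole burst."""
    counts = defaultdict(int)
    for _, ip, ad, _ in clicks:
        if (ip, ad) not in flagged:
            counts[ad] += 1
    return dict(counts)
```

Real networks add further signals (dwell time on the landing page, conversion rate, shared user agents across many addresses), but a per-source burst check alone already strips the bulk of a scripted run from the bill.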

One such piece of malware used by cybercriminals to carry out click fraud operations has been spotted by researchers at Symantec. Last month, the researchers noticed a surge of infections by a threat they have dubbed Trojan.Viknok.

Trojan.Viknok was first observed by security researchers in April 2013. The researchers consider the malware a sophisticated threat because it can turn victims' computers into a botnet. To do this, the malware is capable of gaining elevated operating system privileges in order to infect system files on multiple Windows operating systems, including the 32- and 64-bit versions of Windows XP, Vista and 7.

These Viknok-infected computers, now botnet zombies, are allegedly used by cybercriminals to carry out ad-click fraud, and to pull in more money the scammers are trying to add more victims' computers to their botnet.

"The scammers behind the current Viknok campaign have gone to a lot of effort to add more victims to their Adclick botnet, helping them make more money in the process," states the blog post.

In the last six months there has been an increase in the use of this threat by cyber criminals, and in many cases the victims infected with the Trojan report hearing audio clips through their computers' speakers.

Viknok infects victims' computers by injecting its payload into DLL files, but modifying DLL files on the latest operating systems is not an easy task. In this case, the cyber criminals make use of a number of methods to infect files such as rpcss.dll, a library that is loaded every time Windows starts. So, if an attacker is able to infect the rpcss.dll file, the malicious code is executed every time Windows starts.

There are a number of methods to infect the rpcss.dll file, including:
  • Using SeTakeOwnershipPrivilege to take ownership of system files.
  • Taking advantage of Windows' "Dynamic-Link Library Search Order" to run a malicious DLL inside the System Preparation Tool process.
  • Using the Run a legacy CPL elevated tool to run a DLL with elevated privileges.
  • The most powerful technique is exploiting the Microsoft Windows kernel 'Win32k.sys' local privilege escalation vulnerability, CVE-2013-3660, which allows the malicious code to run in kernel mode.
Once installed on the computer, Viknok uses one or more of the above techniques to infect the rpcss.dll file on the victim's computer so that the malicious code executes every time the operating system starts. Once the rpcss.dll file is infected, it loads the core of the malware, which is usually stored in the %System% folder in an encrypted file.

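Because the infected rpcss.dll runs at boot with no process or load point of its own, the practical host-side check is file integrity. The following is an added example (not Symantec's code): it compares the on-disk rpcss.dll copies against hashes recorded from a known-clean machine at the same patch level. The paths are the standard Windows locations; the files and hashes in the demo are constructed so it runs offline.

```python
import hashlib
import os
import tempfile

# Where rpcss.dll lives on the Windows versions the article names. 64-bit Windows
# also carries a 32-bit copy under SysWOW64, so both paths need a baseline.
RPCSS_PATHS = [r"C:\Windows\System32\rpcss.dll", r"C:\Windows\SysWOW64\rpcss.dll"]

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 instead of reading it whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def record_baseline(paths):
    """Run on a known-clean machine at the same patch level: {path: sha256}."""
    return {p: sha256_file(p) for p in paths if os.path.exists(p)}

def check_against_baseline(baseline):
    """Returns {path: 'ok' | 'MODIFIED' | 'missing'}.  A changed rpcss.dll
    outside a Windows update is the signal to pull the machine for analysis,
    since code injected there runs at every boot without its own process."""
    results = {}
    for path, expected in baseline.items():
        if not os.path.exists(path):
            results[path] = "missing"
        elif sha256_file(path) == expected.lower():
            results[path] = "ok"
        else:
            results[path] = "MODIFIED"
    return results

def demo():
    """Offline demonstration: constructed files stand in for the real DLLs."""
    with tempfile.TemporaryDirectory() as tmp:
        dll = os.path.join(tmp, "rpcss.dll")
        with open(dll, "wb") as fh:
            fh.write(b"MZ constructed clean library bytes")
        baseline = record_baseline([dll])            # taken while still clean
        with open(dll, "ab") as fh:                   # file altered afterwards
            fh.write(b"constructed extra bytes")
        baseline[os.path.join(tmp, "gone.dll")] = "00" * 32
        return check_against_baseline(baseline)
```

On a live Windows host, `sfc /scannow` and PowerShell's `Get-AuthenticodeSignature` reach the same verdict from Microsoft's signature instead of a self-recorded baseline.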
"In many cases, the infection process is completely stealthy; the threat does not show any warning to the user. The malware is also difficult to detect since it does not show any suspicious running process, nor does it infect any of the standard load points," Symantec researchers note in their blog post.

The malware shows a User Account Control (UAC) prompt to the victim in order to gain elevated privileges, and if the user doesn't grant permission the infection fails. But the UAC prompt masquerades as part of normal system activity, so users might give the Trojan permission without giving it much thought.

Once the permission is granted, the attacker can remotely send the infected systems commands to load various websites. The websites offer car insurance, travel tickets, domain name registration, and many other services.

The count of Viknok infections has increased over the past few months. From January to April, the number of unique infections has increased from over 10,000 to 22,000 and over 16,500 unique Viknok infections have been noticed in the first week of May alone. The majority of the victims are located in the United States.

Stopping click fraud is proving as difficult as stopping e-mail spam, and click-fraud artists may be more highly motivated. It is a good idea for users to practice safe email habits, such as deleting any suspicious mail without opening or viewing it, and refraining from opening suspicious attachments or links.
