July 5, 2015 by

Ad Fraud Trojan Updates Flash, Blocks Other Malware

In a peculiar twist, malware researcher Kafeine noticed that a Trojan was blocking other malware from infecting a computer, closing the door behind itself by automatically updating the computer’s Flash player to its latest version. Kafeine specializes in tracking ‘drive-by’ download and web attacks, which often use exploit kits to deliver intrusive malware.

The Kovter Trojan

Kovter isn’t as damaging as other malware; it is essentially used for advertising fraud, also known as click fraud. When the malware is installed on a computer, it hijacks the browser process. It then simulates a series of user clicks on online banners and advertisements to rack up the numbers and generate ad revenue for its creators.

Kafeine’s research indicates that the Trojan is distributed through:

  • Web-based exploit kits.
  • Web-based attack tools targeting vulnerabilities in browsers.
  • Targeted plugins that include Flash Player, Java, Microsoft’s Silverlight and even Adobe Reader.

Such tools target known vulnerabilities, and the usual targets are end users who seldom update their software or keep their software and operating system patched.

As mentioned above, ‘drive-by’ attacks are particularly intrusive and malicious because they’re often launched from websites that are trusted and legitimate but compromised at the time. Attackers also target the same websites by uploading malicious advertisements to their ad networks, thereby getting users who already trust the websites to click on the malicious adverts.

A shifting trend?

Most Trojans and other malicious programs seldom have their own means of distribution. This is because the underbelly of the economy that cyber-criminals operate in is predominantly based around services.

In other words, developers of malware such as Trojans don’t usually search for vulnerabilities inherent in software, nor do they go about infecting websites. Contrary to popular belief, they seldom write their own exploits; instead, they rely heavily on other cybercriminals, such as exploit kit creators, for that activity.

The common method used to distribute exploit kits is through subscriptions. Creators make income from distributing malware through such means.

This is why the Kovter Trojan’s behavior is particularly peculiar, making it a topic of interest for security researchers to deliberate over and look into.


About the author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
