July 5, 2015

Ad Fraud Trojan Updates Flash, Blocks Other Malware

In a peculiar twist, malware researcher Kafeine noticed that a Trojan was blocking other malware from infecting a computer, closing the door behind itself by automatically updating the computer’s Flash Player to its latest version. Kafeine specializes in tracking ‘drive-by’ download and web attacks, which often use exploit kits to install intrusive malware.

The Kovter Trojan

Kovter isn’t as significantly damaging as other malware; it is essentially used for advertising fraud, also known as click fraud. When the malware is installed on a computer, the browser process is hijacked. A series of simulated user clicks is then generated on online banners and advertisements to inflate the numbers and generate ad revenue for its creators.

Kafeine’s research indicates that the Trojan is distributed through:

  • Web-based exploit kits.
  • Web-based attack tools targeting vulnerabilities in browsers.
  • Targeted plugins that include Flash Player, Java, Microsoft’s Silverlight and even Adobe Reader.

Such tools target pre-existing, known vulnerabilities, and the usual targets are end users who seldom update their software or keep their operating system patched.

As mentioned above, ‘drive-by’ attacks are particularly intrusive and malicious because they’re often launched from websites that are trusted and legitimate but compromised at the time. Attackers also target the same websites by uploading malicious advertisements to their ad networks, so that users who trust the websites to begin with click on the malicious adverts.

A shifting trend?

Most Trojans and other malicious programs seldom have their own means of distribution. This is because the underbelly of the economy that cyber-criminals operate in is predominantly based around services.

In other words, developers of malware such as Trojans don’t usually search for vulnerabilities that are inherent in software, nor do they go about infecting websites. Contrary to popular belief, they seldom write their own exploits; instead, they rely heavily on other cybercriminals, such as exploit kit creators, for such activity, for overall criminal gain.

The common method used to distribute exploit kits is through subscriptions. Creators make income from distributing malware through such means.

This is why the Kovter Trojan’s behavior is particularly peculiar, making it a topic of interest for security researchers to deliberate over and look into.


About the author


LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagement experience while providing a strategic and integrated array of services to minimize risk and disruption while protecting your brand.
