July 5, 2015 by

Ad Fraud Trojan Updates Flash, Blocks Other Malware

In a peculiar twist, malware researcher Kafeine noticed a Trojan that closes the door behind itself: after infecting a computer, it automatically updates the computer’s Flash Player to its latest version, which blocks other malware from infecting the machine. Kafeine specializes in tracking ‘drive-by’ download and web attacks, which often use exploit kits to deliver intrusive malware.

The Kovter Trojan

Kovter isn’t as damaging as other malware; it is essentially used for advertising fraud, also known as click fraud. When the malware is installed on a computer, the browser process is hijacked. A series of simulated user clicks is then generated on online banners and advertisements to rack up ad revenue for its creators.

Kafeine’s research indicates that the Trojan is distributed through:

  • Web-based exploit kits.
  • Web-based attack tools targeting vulnerabilities in browsers.
  • Targeted plugins that include Flash Player, Java, Microsoft’s Silverlight and even Adobe Reader.

Such tools target pre-existing, known vulnerabilities, and the usual victims are end-users who seldom update their software or keep their operating system patched.

‘Drive-by’ attacks, mentioned above, are particularly intrusive and malicious because they’re often launched from websites that are trusted and legitimate but compromised at the time. Attackers also target the same websites by uploading malicious advertisements to their ad networks, getting users who already trust the websites to click on the malicious adverts.

A shifting trend?

Most Trojans and other malicious programs seldom have their own means of distribution. This is because the underbelly of the economy that cyber-criminals operate in is predominantly based around services.

In other words, developers of malware such as Trojans don’t usually search for vulnerabilities inherent in software, nor do they go about infecting websites. Contrary to popular belief, they seldom write their own exploits; they rely heavily on other cybercriminals, such as exploit kit creators, for that activity, to their overall criminal gain.

Exploit kits are commonly distributed through subscriptions. Their creators make income from distributing malware through such means.

This is why the Kovter Trojan’s behavior is particularly peculiar, making it a topic of interest for security researchers to deliberate over and look into.


About the author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
