Ad Fraud Trojan Updates Flash, Blocks Other Malware

In a peculiar twist, malware researcher Kafeine noticed a Trojan that blocks other malware from infecting a computer, having first closed the door behind itself by automatically updating the machine’s Flash Player to its latest version. Kafeine specializes in tracking ‘drive-by’ download and web attacks, which often rely on exploit kits to deliver intrusive malware.

The Kovter Trojan

Although Kovter is not as destructive as some other malware, it is essentially used for advertising fraud, also known as click fraud. When the malware is installed on a computer, it hijacks the browser process. It then generates a stream of simulated user clicks on online banners and advertisements to inflate the counts that generate ad revenue for its creators.
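As an added illustration (not from Kafeine’s research or the original article), a defensive heuristic for the click-fraud behavior described above: a hijacked browser replaying scripted clicks tends to hit ad networks at a machine-regular cadence, which stands out in proxy logs. The log format, hostnames and thresholds below are assumptions, and the log lines are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real traffic): timestamp, client IP, URL.
SAMPLE_LOG = """\
2014-09-01T10:00:00 10.0.0.5 http://ads.example-network.test/click?id=1
2014-09-01T10:00:12 10.0.0.5 http://ads.example-network.test/click?id=2
2014-09-01T10:00:24 10.0.0.5 http://ads.example-network.test/click?id=3
2014-09-01T10:00:36 10.0.0.5 http://ads.example-network.test/click?id=4
2014-09-01T10:00:48 10.0.0.5 http://ads.example-network.test/click?id=5
2014-09-01T10:01:00 10.0.0.5 http://ads.example-network.test/click?id=6
2014-09-01T10:00:03 10.0.0.7 http://news.example.test/article/1
2014-09-01T10:04:41 10.0.0.7 http://ads.example-network.test/click?id=9
2014-09-01T10:17:02 10.0.0.7 http://news.example.test/article/2
"""

# Assumed pattern for an ad-network click URL; adjust to your environment.
AD_CLICK_RE = re.compile(r"^https?://ads\.[^/]+/click")


def ad_click_times(log_text):
    """Return {client_ip: sorted ad-click timestamps} parsed from the log."""
    clicks = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, url = line.split(maxsplit=2)
        if AD_CLICK_RE.match(url):
            clicks[ip].append(datetime.fromisoformat(ts))
    return {ip: sorted(times) for ip, times in clicks.items()}


def click_fraud_suspects(log_text, min_clicks=5, max_cv=0.25):
    """Flag hosts with many ad clicks spaced at near-constant intervals.

    The coefficient of variation (stdev/mean) of the gaps between clicks is
    close to zero for scripted clicking and much larger for a person browsing.
    Returns {ip: (click_count, cv)} for hosts over both thresholds.
    """
    suspects = {}
    for ip, times in ad_click_times(log_text).items():
        if len(times) < min_clicks:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if cv <= max_cv:
            suspects[ip] = (len(times), round(cv, 3))
    return suspects
```

Hosts flagged this way still warrant a look at the endpoint (unexpected browser child processes, persistence entries) before concluding anything, since regular polling by legitimate software can also look periodic.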

Kafeine’s research indicates that the Trojan is distributed through:

  • Web-based exploit kits.
  • Web-based attack tools targeting vulnerabilities in browsers.
  • Attacks on browser plugins including Flash Player, Java, Microsoft’s Silverlight and even Adobe Reader.

Such tools target known, pre-existing vulnerabilities, and the usual victims are end-users who seldom update their software or keep their operating system patched.

As mentioned above, ‘drive-by’ attacks are especially intrusive and dangerous because they are often launched from trusted, legitimate websites that have been compromised. Attackers also target the same websites’ ad networks, uploading malicious advertisements so that users who already trust the site are led to click on them.

A shifting trend?

Most Trojans and other malicious programs seldom have their own means of distribution. This is because the underbelly of the economy that cyber-criminals operate in is predominantly based around services.

In other words, developers of malware such as Trojans don’t usually search for vulnerabilities inherent in software, nor do they go about infecting websites. Contrary to popular belief, they seldom write their own exploits; instead they rely heavily on other cybercriminals, such as exploit kit creators, to handle that part of the operation.

Exploit kits are commonly distributed on a subscription basis, and their creators earn their income this way.

This is why Kovter’s behavior is particularly peculiar, and why it is a topic of interest for security researchers to investigate.