Monetizer Trojans

Date: 16/07/2014

Browser Start Page Modifiers (Trojan.StartPage Family)

One of the best-known and most aggressive members of this family is, undoubtedly, Adware.Webalta.2 (by Dr.Web's classification). This piece of work exists to virally advertise webalta.ru, a Russian search engine (we are happy to report that the resource has since fallen into decay and no longer finds anything at all :)).

this is Webalta.ru

The Trojan itself is a simple executable file called 'WebaltaService.exe'. It spreads by masquerading as all sorts of useful programs.

Installing WebaltaService along with a torrent client downloaded from one of many sites (the option

Once started, it creates the folder 'WebaltaService' under %AppData%, copies itself into the newly created folder and registers itself as a Windows service by writing the following registry key:

[HKLM\System\CurrentControlSet\Services\WebaltaService]
Description = "Search Service"
DisplayName = "WebaltaService"
ImagePath = "%AppData%\WebaltaService\WebaltaService.exe -start"

All this program does is change the start page to 'webalta.ru' in every browser installed on the system. It does so by editing the registry, browser configuration files and the properties of shortcuts on the desktop. Meanwhile, the running 'webaltaservice.exe' closely monitors any change to the start page and, if necessary, sets it back to 'webalta.ru'. Note that creating a service under HKLM requires administrative rights, so the "useful program" the Trojan rides along with has to be run elevated for this persistence to take hold.

The junior relatives of Adware.Webalta.2 (for example, Trojan.StartPage.55558 or Trojan.StartPage.58232) are not so intrusive. When started, they simply modify the start page once, without installing anything persistent on the system. Trojan.StartPage.55558 sets a fake search engine such as 'ultimate-search.net' as the start page, while Trojan.StartPage.58232 points your start page at 'duba.com', a Chinese news and entertainment portal.

Decompiled fragment of Trojan.StartPage.55558 (the highlighted section sets 'ultimate-search.net' as the start page)

Replacing the IE start page with 'duba.com' via the registry (performed by Trojan.StartPage.58232)

Chinese domain 'duba.com' also features a decent search engine

The purpose of these programs is clear: to drive traffic to, and promote, particular Internet resources.

Traffic Monetizers (Trojan.LoadMoney family)

In most cases, members of this family originate from an affiliate program that monetizes software-installation traffic.

loadmoney.ru, an affiliate program to monetize the traffic

In essence, these programs pay for bundling additional software with the content a visitor downloads. It works like this: the owner of a site with downloadable content replaces the direct links to his files with links supplied by the affiliate program, which lead to a downloader. A visitor who clicks the link to the desired content receives this downloader instead (antivirus products identify it as unwanted software). When run, the downloader installs additional software alongside the requested content, usually a browser toolbar or the browser of some well-known Internet portal.

General diagram of the affiliate program aimed at monetizing the traffic

Downloaders from various affiliate programs

Usually, the downloader is digitally signed so as not to raise "unnecessary" questions among visitors.

Downloader Security Certificate

If you look at the data exchanged between the downloader and the affiliate program's server, you can see the partner's identifier within the affiliate program, the name of the affiliate program, the name of the downloaded file and the additional software that will be installed along with the downloaded content.

A piece of data exchange between the downloader and the server in the form of XML traffic
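When examining a capture like the one above, the useful output for an analyst is a short summary: who the partner is, what the visitor asked for, what will be installed without being asked, and whether the link even delivers the requested file. The code below is an added example, not code from the article or from any affiliate program. The XML samples are constructed: the element and attribute names are an assumption standing in for the fields the text says are visible in the traffic, not LoadMoney's real schema. The second sample models the case described further down, where a link never delivers the requested file but still installs the bundled software.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed server reply modelled on the fields the text says are visible in
# the traffic: partner id, affiliate program name, requested file and bundled
# software. Element and attribute names are an assumption, not the real schema.
SAMPLE_RESPONSE = """\
<response>
  <partner id="12345" program="loadmoney"/>
  <file name="movie.torrent" url="http://cdn.example.net/files/movie.torrent"/>
  <offers>
    <offer name="Some Toolbar" url="http://offers.example.net/toolbar_setup.exe" preselected="1"/>
    <offer name="Portal Browser" url="http://offers.example.net/browser_setup.exe" preselected="1"/>
    <offer name="Optional Widget" url="http://offers.example.net/widget.exe" preselected="0"/>
  </offers>
</response>
"""

# Constructed reply for the case the text describes: the requested file is
# never delivered, only the bundled installers are.
BAD_RESPONSE = """\
<response>
  <partner id="12345" program="loadmoney"/>
  <file name="photoshop_keygen.rar" url="http://cdn.example.net/files/loader.exe"/>
  <offers>
    <offer name="Some Toolbar" url="http://offers.example.net/toolbar_setup.exe" preselected="1"/>
  </offers>
</response>
"""


def parse_affiliate_response(xml_text: str) -> Dict:
    """Pull the analyst-relevant fields out of one downloader/server exchange.

    For captures from an untrusted server prefer defusedxml over the stdlib
    parser; ElementTree is used here to keep the example dependency-free.
    """
    root = ET.fromstring(xml_text)
    partner = root.find("partner")
    file_el = root.find("file")
    offers = [
        {
            "name": o.get("name", ""),
            "url": o.get("url", ""),
            "preselected": o.get("preselected") == "1",
        }
        for o in root.iterfind("offers/offer")
    ]
    return {
        "partner_id": partner.get("id", "") if partner is not None else "",
        "program": partner.get("program", "") if partner is not None else "",
        "file_name": file_el.get("name", "") if file_el is not None else "",
        "file_url": file_el.get("url", "") if file_el is not None else "",
        "offers": offers,
    }


def preselected_installs(parsed: Dict) -> List[str]:
    """Names of the bundled programs installed unless the user actively opts out."""
    return [o["name"] for o in parsed["offers"] if o["preselected"]]


def delivered_matches_request(parsed: Dict) -> bool:
    """True when the file URL actually serves the file named in the reply.

    A mismatch (e.g. 'photoshop_keygen.rar' named, 'loader.exe' served) is the
    behaviour the text warns about: the toolbar and browser get installed, the
    promised content never arrives.
    """
    delivered = urlsplit(parsed["file_url"]).path.rsplit("/", 1)[-1]
    return delivered.lower() == parsed["file_name"].lower()


def offer_hosts(parsed: Dict) -> Set[str]:
    """Hosts serving the bundled installers, handy for proxy or DNS blocking."""
    return {urlsplit(o["url"]).hostname for o in parsed["offers"] if o["url"]}


if __name__ == "__main__":
    for text in (SAMPLE_RESPONSE, BAD_RESPONSE):
        parsed = parse_affiliate_response(text)
        print(parsed["program"], parsed["partner_id"], parsed["file_name"],
              "delivered" if delivered_matches_request(parsed) else "NOT delivered",
              "bundles:", ", ".join(preselected_installs(parsed)))
```

The filename comparison is a cheap heuristic, not proof: a server can name the served file anything it likes. In practice it is combined with the content check described next (an "archive" that turns out to be an executable).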

Clearly, the owners of affiliate programs are responsible only for their downloader, while the quality of the content remains on the conscience of its owner. Although the terms of the affiliate program provide for checking all content that passes through its server and blocking anything suspicious, the speed of that process leaves much to be desired. For example, I have seen several links that did not lead to the requested file at all, yet diligently installed both the toolbar and the browser. In other cases, the links led to a paid archive that allegedly would "reset the trial period of an antivirus". In other words, a downloader's valid digital signature may serve as cover for easily bringing something bad onto your computer.

Paid archives (Trojan.SMSSend family)

Surely, at least once in your life, you have run into this situation: an archive containing some extremely desirable program or other useful item, which you spent so much effort tracking down in the vast expanse of the web, suddenly asks you, right at the end of unpacking, to enter your phone number or send a text message in order to continue extracting.

Free gifts for users of Odnoklassniki and VKontakte, for which they would eventually have to pay

That means you have seen in action the affiliate programs that make money on paid archives. They are represented, for example, by services such as 'zipmonster.ru' or 'wizardpacker.com'.

Affiliate program from 'zipmonster.ru'

In essence, these affiliate programs let you make money by packing the content you distribute with an archiver supplied by the program. The result is a paid archive: to unlock it, the user must enter a code that is delivered by text message, and requesting that message debits a certain amount from his mobile phone account.
Antivirus vendors generally take a dim view of paid archives because, very often, such archives hide dubious content.
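A paid "archive" that can demand a code before it unpacks cannot be a plain .zip or .rar: it has to run, so it ships as an executable that merely looks like an archive. That is the assumption behind the check below, which is an added example and not code from the article or from any of the services named. Given a file name and its first bytes, it tells a genuine archive apart from a PE executable posing as one (including double-extension names such as 'setup.rar.exe') and locates any real archive payload appended to the stub, which a legitimate self-extractor would carry. The sample bytes are constructed: a minimal MZ/PE header chain, not a real program.

```python
import struct
from typing import Optional

ARCHIVE_EXTS = {"zip", "rar", "7z"}
# Magic bytes of the archive formats a "paid archive" usually imitates.
ARCHIVE_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
}


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points to 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def archive_format(data: bytes) -> Optional[str]:
    """Archive format by leading magic bytes, or None."""
    for magic, fmt in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def claims_to_be_archive(filename: str) -> bool:
    """True for 'photos.zip' and also for 'photos.zip.exe' style double extensions."""
    parts = filename.lower().split(".")
    return any(p in ARCHIVE_EXTS for p in parts[1:])


def classify_download(filename: str, data: bytes) -> str:
    """Label a download as archive:<fmt>, fake-archive:pe, executable or unknown."""
    fmt = archive_format(data)
    if fmt:
        return f"archive:{fmt}"
    if is_pe(data):
        return "fake-archive:pe" if claims_to_be_archive(filename) else "executable"
    return "unknown"


def embedded_archive_offset(data: bytes) -> int:
    """Offset of the first archive signature after the PE stub, or -1 if none.

    A legitimate self-extracting archive carries a recognizable payload after
    its stub; an executable that merely nags for an SMS code need not.
    """
    best = -1
    for magic in ARCHIVE_MAGIC:
        pos = data.find(magic, 0x40)
        if pos != -1 and (best == -1 or pos < best):
            best = pos
    return best


def build_fake_pe_stub() -> bytes:
    """Constructed minimal byte string with a valid MZ/PE header chain (not a real program)."""
    header = bytearray(0x44)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew -> 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header)


if __name__ == "__main__":
    stub = build_fake_pe_stub()
    for name, blob in (
        ("Photoshop_crack.rar.exe", stub),
        ("photos.zip", b"PK\x03\x04" + b"\x00" * 30),
        ("sfx_archive.exe", stub + b"Rar!\x1a\x07\x00"),
    ):
        print(name, classify_download(name, blob), "payload@", embedded_archive_offset(blob))
```

Absence of an embedded payload is a reason for suspicion, not proof of a paid archive, since a packer may encrypt or compress the payload beyond the reach of a magic-byte scan; presence of a PE where an archive was promised is the stronger signal.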

One of paid archives at virustotal.com

Besides promising to extend the trial period of Kaspersky Anti-Virus, this archive asks you for money and changes your browser start page to 'yamdex.net'

Conclusion

The programs described here do not destroy files, steal credit cards or format your hard drive. Most antivirus products classify them as 'unwanted software' or 'adware', and some see nothing wrong with them at all. However, as the old joke goes, "we found what we were looking for, but I still have a bad feeling..."
