Welcome back to this blog series on misleading applications. This is the concluding article, so if you need a refresher on what we’ve covered to get to this point, have a look at the first two parts (part 1 and part 2). Today I’m going to explain how malicious users gain access to Trojans, fake codec URLs, and fake scanner URLs in order to distribute misleading applications. It is also worth discussing why those with malicious intent do this (easy money, perhaps?), so I’ll break some of the reasons down for you. Finally, I’ll provide some tips to protect your computer from these threats and to keep your eye out for the telltale signs of misleading apps.
Pay-per-install: The Source
Our research has shown that this is an affiliate-based model, where malicious users can obtain access to these URLs and Trojans by registering on certain distribution websites. The malicious user (registered as an affiliate) is then solely responsible for spreading these links and executables. The affiliate is then paid for every successful installation. This distribution method has been termed “pay-per-install.” A unique affiliate ID is tagged to the end of the URL in order to determine the payouts.
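Because the affiliate ID is appended to the landing-page URL, every affiliate's copy of the same fake codec or fake scan page looks like a different URL. The following script is an added example (not Symantec's code or tooling) showing how a defender can strip the affiliate tag before matching a blocklist and then pivot on the ID to see which affiliates are driving traffic. The host names, parameter names and log lines are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed blocklist of landing-page hosts (placeholders, not real indicators).
BLOCKED_HOSTS = {"fake-codec.example", "free-scan.example"}

# Constructed affiliate-parameter names; real pay-per-install sites vary, so treat
# this as a tunable list rather than a known set.
AFFILIATE_KEYS = {"aid", "affid", "affiliate", "id"}

def normalize(url):
    """Return (canonical_url, affiliate_id). The affiliate tag is removed so that
    every affiliate's variant of one landing page matches a single blocklist entry."""
    parts = urlsplit(url)
    aff = None
    kept = []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        if k.lower() in AFFILIATE_KEYS:
            aff = v
        else:
            kept.append((k, v))
    canon = urlunsplit((parts.scheme, parts.netloc.lower(), parts.path, urlencode(kept), ""))
    return canon, aff

def triage(log_lines):
    """Group requests to blocked hosts by affiliate ID: {affiliate_id: set(client_ips)}."""
    hits = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[1], fields[2]
        canon, aff = normalize(url)
        if urlsplit(canon).hostname in BLOCKED_HOSTS:
            hits[aff or "<untagged>"].add(client)
    return dict(hits)

# Constructed proxy log lines in the form "<time> <client-ip> <url>".
SAMPLE_LOG = [
    "12:00:01 10.0.0.5 http://fake-codec.example/codec.php?id=1234",
    "12:00:09 10.0.0.7 http://fake-codec.example/codec.php?id=1234",
    "12:01:22 10.0.0.9 http://free-scan.example/scan/?affid=77&lang=en",
    "12:02:03 10.0.0.5 http://www.example.org/index.html?id=1234",
]

if __name__ == "__main__":
    for aff, clients in triage(SAMPLE_LOG).items():
        print(aff, sorted(clients))
```

Grouping by affiliate ID lets an analyst tell one large campaign from many small ones even when the landing pages are identical.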
These pay-per-install sites mainly distribute the following:
Fake codec links – These are links to fake codec Web pages, similar to what has been described previously. These pages lure or even force the user to download Trojans, masked as missing codecs.
Fake scanner links – These are links to fake scan Web pages. These Web pages are usually crafted to simulate system scans and lead to misleading applications directly.
Malicious binaries – Some of the affiliate sites offer the affiliate direct access to malicious executables (Trojan.Zlob, Trojan.Vundo, Trojan.FakeAVAlert, and others).
Here is a graphical representation of this food chain:
Shown below is a screenshot of fake codec links distributed by one of these pay-per-install sites. The URL links are sorted by categories, and are updated frequently.
The affiliate sites then pay the affiliate a fixed rate per installation. For example, one of the affiliate sites offers to pay anything from $0.55 to $0.01, depending on the country in which the malicious program is installed. Payments are often made through online payment vendors. Some of the affiliate sites that peddle misleading application binaries offer up to $30 per installation. One can just add up the numbers to see how profitable this business is. One can also speculate that pay-per-install schemes are probably more attractive than distributing email spam because of the higher payouts. Also, most of these pay-per-install sites have free memberships.
We can see some payout rates, sorted by country, in the snapshot below:
There may be other means of distributing these misleading applications; however, the pay-per-install schemes seem to form a big chunk of the distribution chain. Also, not all products from pay-per-install affiliates are malicious, and there are a lot of legitimate applications distributed using this methodology.
There are online forums that help malicious users and “script kiddies” with their pay-per-install endeavors. These forums usually have free membership. On these forums, we have seen users exchanging tools, discussing new techniques to avoid detection, discussing payout rates, exchanging how-to tutorials on distribution techniques, posting reviews of tools that help with pay-per-install distribution, etc. “Crypter” programs, which obfuscate malicious executables in order to evade antivirus detection, are regularly traded on these forums.
Shown below is a post asking for “downloader” programs. Downloaders are malicious programs that can download one or more Trojans once the downloader has been installed on the target machine.
Here is another post asking for reviews for .exe crypters—tools that pack or encrypt executables in order to set them as undetectable by antivirus solutions.
According to our research, affiliates earn anything from $50 to $1,000 a day. Part of this profit is then reinvested in tools like crypters, seed servers, etc. to evade detection and improve infrastructure, which in turn yields a higher install ratio and thus a higher payout.
Over the past few months we have detected and cleaned up tens of millions of instances of misleading applications or Trojans related to misleading applications. We have blocked a huge number of requests to fake scan and fake codec sites using our intrusion prevention engine. These signatures proactively protect the user from the initial vectors, thereby preventing any further infections.
One important thing to note here is that in most cases the misleading application itself is the last part of the chain. The appearance of the misleading app is usually preceded by a chain of events such as Trojans, fake scan pages, fake codec applications, pop-ups, and taskbar notification icons (which ultimately lead the user to the misleading application).
Symantec continues to provide world-class defenses in order to protect users from this new trend. We follow a comprehensive prevention, detection, and removal strategy using our intrusion prevention, browser protection, antivirus and behavioral engines.
Here are a few more steps to keep your machine from becoming infected:
1) Keep your antivirus definitions up-to-date.
2) Install the latest security updates for your operating system.
3) Install the latest updates for all third party applications on the system, especially for vulnerable applications (for example, Adobe Reader and Flash Player).
4) Be wary of clicking on any suspicious links.