Windows File Explorer process used for ad fraud calls

Jan 22, 2015 12:40 GMT  ·  By

Analysis of the payload delivered through the recently discovered zero-day vulnerability in Adobe Flash Player shows that the malware is called Bedep and that it is used to run ad fraud.

On Wednesday, French security researcher Kafeine noticed that a version of web-based attack toolkit Angler contained an exploit for an unpatched flaw in Flash Player 16.0.0.257.

Not all Windows versions are targeted

According to his tests, the affected systems are Windows XP with Internet Explorer 6 through 8, Windows 7 with IE 8, and Windows 8 running IE 10. He also tested with Google Chrome and found that the exploit was not delivered. A fully updated Windows 8.1 also appears not to be targeted.

At the moment, Adobe is investigating the claims but has yet to provide official confirmation of the vulnerability.

Some anti-exploit tools detect and block the exploit attempt, but not all of them protect against this attack.

Malwarebytes analyzed the payload delivered by this particular instance of Angler and determined that it installs Bedep, a piece of malware that builds a network of infected computers which cybercriminals use for financial gain.

Click-stealing payload

Once installed on a machine, Bedep downloads additional malware as instructed by its operator. In this case, security researcher Jerome Segura found that the end game is ad fraud.

“Upon infection, explorer.exe (not to be confused with iexplore.exe) is injected and performs the ad fraud calls,” reads a blog post from Segura.

The researcher captured evidence of the bogus clicks and said that advertisers end up paying for impressions and clicks that no human generated, so the campaign never reaches its intended audience.
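The practical detection signal in Segura's observation is the process doing the talking: explorer.exe normally reaches file shares (SMB, WebDAV) on the local network, not arbitrary web servers on the Internet. The script below, an added example that is not from the article or from Malwarebytes, runs that check over a few constructed Sysmon-style network-connection records (the pipe-separated key=value format and the field names are an assumption modelled on Sysmon Event ID 3) and flags explorer.exe making outbound HTTP(S) connections to non-internal addresses, while ignoring iexplore.exe and intranet traffic.

```python
"""Flag explorer.exe making outbound web connections in Sysmon-style logs.

Added example (not the article's or Malwarebytes' code). The article notes
that Bedep injects explorer.exe and issues its ad-fraud requests from there;
explorer.exe has little reason to talk HTTP(S) to Internet hosts, so that
combination is a usable hunting rule. Log format and field names below are
an assumption loosely modelled on Sysmon Event ID 3 (NetworkConnect).
"""
import ipaddress

# Constructed sample records (not real telemetry). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for public addresses.
SAMPLE_LOG = """\
UtcTime=2015-01-22 12:40:01|Image=C:\\Windows\\explorer.exe|Protocol=tcp|DestinationIp=10.0.0.5|DestinationPort=445
UtcTime=2015-01-22 12:40:03|Image=C:\\Windows\\explorer.exe|Protocol=tcp|DestinationIp=203.0.113.10|DestinationPort=80
UtcTime=2015-01-22 12:40:03|Image=C:\\Windows\\explorer.exe|Protocol=tcp|DestinationIp=203.0.113.11|DestinationPort=80
UtcTime=2015-01-22 12:40:04|Image=C:\\Windows\\explorer.exe|Protocol=tcp|DestinationIp=198.51.100.7|DestinationPort=443
UtcTime=2015-01-22 12:40:05|Image=C:\\Program Files\\Internet Explorer\\iexplore.exe|Protocol=tcp|DestinationIp=198.51.100.9|DestinationPort=443
UtcTime=2015-01-22 12:40:06|Image=C:\\Windows\\explorer.exe|Protocol=tcp|DestinationIp=192.168.1.20|DestinationPort=80
this line is malformed and must not crash the parser
"""

# Address space where explorer.exe traffic is expected (SMB/WebDAV to file
# servers). Checked explicitly rather than via ipaddress.is_private, which
# also treats the documentation ranges used above as private.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]
WEB_PORTS = {80, 443, 8080}


def parse_line(line):
    """Split 'k=v|k=v' into a dict; unknown text becomes a harmless key."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def image_basename(image_path):
    return image_path.rsplit("\\", 1)[-1].lower()


def find_suspicious(log_text):
    """Return (time, dest_ip, port) for explorer.exe web connections to
    non-internal hosts. Records that lack fields are skipped, not raised."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if image_basename(rec.get("Image", "")) != "explorer.exe":
            continue
        if rec.get("Protocol", "").lower() != "tcp":
            continue
        try:
            port = int(rec.get("DestinationPort", ""))
            dest = rec["DestinationIp"]
            internal = is_internal(dest)
        except (ValueError, KeyError):
            continue
        if port not in WEB_PORTS or internal:
            continue
        alerts.append((rec.get("UtcTime", "?"), dest, port))
    return alerts


def distinct_destinations(alerts):
    """Number of distinct external hosts hit; a burst from explorer.exe is
    more telling than a single connection (e.g. a proxy auto-config fetch)."""
    return len({dest for _, dest, _ in alerts})


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for when, dest, port in hits:
        print(f"{when}  explorer.exe -> {dest}:{port}")
    print(f"{distinct_destinations(hits)} distinct external web destinations")
```

Treat the rule as a hunting query rather than a hard block: explorer.exe can legitimately fetch a proxy auto-config file or open a WebDAV share over HTTP, so the count of distinct Internet hosts per host and per minute is what separates a single benign request from an injected process cycling through ad URLs.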

In pay-per-click advertising, a website owner (the publisher) is paid each time a visitor clicks on an advertisement. The fraud occurs when those clicks are automated rather than made by genuine visitors.

Oftentimes, the ad network and the website owners recording the fraudulent clicks work together to defraud the advertiser, who pays for traffic that never existed.