Dec 27, 2010 13:58 GMT

Security researchers from Kaspersky Lab warn of a click fraud trojan distributed via spam emails that advertise links to exe files hosted at RapidShare.

The malware is a variant from the Trojan-Dropper.Win32.Drooptroop family and has been in circulation since the beginning of December. The spammed links are of the form http://rapidshare.com/files/[removed]/gift.exe.

Kaspersky Lab expert Vicente Diaz points out that even though the rogue emails take a rather direct approach in spreading the malicious URLs, many spam filters fail to detect them.

That's because they don't contain any malicious attachments and because rapidshare.com is not a bad domain by itself. Neither are .exe files hosted there.
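A filter can close this gap by inspecting where links point rather than looking only at attachments and domain reputation. The following is an added example, not code from Kaspersky Lab or the original article; the host and extension lists, the function name and the sample message (including its placeholder file id) are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from posixpath import splitext
from urllib.parse import urlsplit, unquote

# Assumed lists for illustration; extend them for your own mail flow.
FILE_HOSTS = {"rapidshare.com"}
EXEC_EXTS = {".exe", ".scr", ".pif", ".com", ".bat"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def executable_links(raw_email):
    """Return (host, filename) pairs for links to executables on file hosts."""
    hits = []
    for part in message_from_string(raw_email).walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary attachments
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload is None:
            continue
        body = payload.decode(part.get_content_charset() or "utf-8", "replace")
        for url in URL_RE.findall(body):
            parts = urlsplit(url.rstrip(".,);"))  # drop trailing punctuation
            host = (parts.hostname or "").lower()
            if host.startswith("www."):
                host = host[4:]
            # Decode %xx escapes so "gift%2Eexe" is still seen as "gift.exe".
            name = unquote(parts.path).rsplit("/", 1)[-1].lower()
            if host in FILE_HOSTS and splitext(name)[1] in EXEC_EXTS:
                hits.append((host, name))
    return hits

# Constructed sample message; the file id in the URL is a placeholder.
SAMPLE = (
    "From: sender@example.com\n"
    "Subject: A gift for you\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Download your gift: http://rapidshare.com/files/000000000/gift.exe\n"
)

if __name__ == "__main__":
    for host, name in executable_links(SAMPLE):
        print(f"flag: executable '{name}' hosted on {host}")
```

A hit is a reason to quarantine or rewrite the link for scanning, not proof of malice, since legitimate executables are also hosted on such services.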

We have seen the same technique used two weeks ago in a wave of spam emails distributing a piece of scareware known as Security Shield. In that case, the RapidShare links pointed to a file called surprise.exe.

This Drooptroop variant is also used to promote scareware by displaying fake antivirus scans inside the browser window. This is done by hooking the spoolsv.exe process and intercepting network traffic to and from the browser.

The method is also used to perform the trojan's main function - click fraud. Requests to click tracking scripts are intercepted and rewritten to appear as if they come from a specific referrer.

Overall, given the cost-effective attack vector, which relies on a free hosting solution, and the two monetizing methods employed by the trojan, its creators are probably getting a very good return on their investment.

Users are advised to exercise caution when dealing with links in emails, especially those leading to executables. Online multi-engine scan services like Virus Total can be used to check if files are malicious, but running an up-to-date and capable antivirus program at all times is also a must.