Malware uses system as a tool to reach its goal

Jul 6, 2015 14:50 GMT

When users do not patch their software, some malware authors build routines that do it for them, as is the case with Flash Player on computers infected with the Kovter click-fraud malware, which is currently delivered by multiple web-based attack tools.

Exploit kits attack systems with outdated versions of web browsers and plugins (mostly Flash Player, but Java, Silverlight, and Adobe Reader are also targeted), taking advantage of vulnerabilities that have already been patched by the developers.

Most of the time, malware patches a system post-infection to prevent other threats from grabbing a piece of the pie, which increases its chances of running on the compromised system for a longer time.

Malware makes sure Flash video can play on the host

Independent malware researcher Kafeine discovered that his Kovter-infected virtual systems connected to Adobe’s servers and downloaded and installed the latest version of Flash Player, a behavior he initially attributed to improper configuration of the test machines.

The action was in fact triggered by Kovter, which had already compromised the computers. The researcher believed that its purpose was to seal the door shut against other malware exploiting Flash vulnerabilities.

However, security company Sentrant presented him with a different theory, backed by a solid argument: cybercriminals want to make sure that the system can play Flash video loaded from any source.

The researchers "believe that the installation/update of Flash is not an attempt to 'close the door on future malware' but rather an attempt to ensure that Flash videos are loaded and playable on the host."

Multiple exploit kits distribute Kovter at the moment

"Many advertising exchanges will either not serve, or decrease the bid price of flash ads (video) to hosts who are detected using a very old version of Flash. In fact we have seen the same Flash update behaviour on almost every other ad-fraud malware families that we have analyzed," Sentrant said.

As such, patching infected systems not only keeps out other malware seeking a way in through Flash flaws, but also maximizes the ad revenue the operators collect.

According to Kafeine’s analysis, Kovter is distributed via exploit kits Angler, Nuclear Pack and Neutrino.