Aug 29, 2011 13:24 GMT

Security researchers from Symantec have uncovered a click fraud scam instrumented with the help of a sophisticated file infector.

It was actually the infector, called W32.Xpaj.B, that attracted the attention of malware analysts with its complex detection-evading techniques.

W32.Xpaj.B infects executable files on local computers and network drives; each time an infected file is run, it queries the command and control servers.

"W32.Xpaj.B is one of the most complex and sophisticated file infectors Symantec has encountered," the company's analysts say in their research paper. [pdf]

"The techniques W32.Xpaj.B uses to conceal itself within an executable are far beyond the norm," Symantec's Gavin O'Gorman notes.

Despite resembling a general-purpose downloader, W32.Xpaj.B has only been used as part of this click fraud scheme, which hijacks legitimate search engine queries and returns ad-laden results.

The infrastructure supporting this operation spans several countries, but unlike the file infector, the server-side code is unsophisticated. This has led researchers to believe that the dropper might have been bought from a third party.

The scam itself is similar to the one that recently led to Google displaying malware warnings on its search site. The search queries are passed through a series of proxies, and when the results are returned, they are accompanied by rogue ads.

Symantec's researchers managed to reverse-engineer the encrypted code and gain access to the "accounting" back-end, which held logs going back as far as September 2010. The extracted data shows that the fraudsters intercepted an average of 241,000 searches per day until June this year, which resulted in profits of $170 per day.

Taking into consideration the strong evidence that this is a three-man operation from Ukraine, that means each fraudster made over $1,000 per month. Given that the average gross monthly salary in Ukraine was $290 in 2010 and that the people behind this operation made three times that, it's not hard to understand why cybercriminals are so determined.