4 October 2007 09:58 GMT
Affiliate scheme (ab)use?
The shift towards financially motivated malware is old news. All readers will know the bulk of current threats are primarily focussed on making the bad guys money. The mechanism to do this can vary hugely, but the two main methods are compromising the victim machine (so it can be ‘leased’ out for various nefarious purposes) and stealing data (authentication credentials, product keys and the like) from the machine. Several articles and papers have explored the mechanisms malware uses to make money. A presentation at the recent Virus Bulletin conference in Vienna provided good insight into some of the recent techniques.
One of the money-making techniques that is less often described is web marketing, or, to put it another way, the use (abuse?) of affiliate schemes. You may be aware of ‘clicker’ Trojans. These are items of malware that open links to various web sites in order to increase the traffic at those sites, thereby increasing advertising revenue. More recently, we are seeing more subtle techniques used in web attacks to achieve exactly the same goal (in addition to installing some malware, of course!). The business of injecting malicious scripts and iframes into web pages to load further malicious content has been well described recently (1,2). The same techniques are increasingly being used to abuse pay-per-click affiliate schemes.
The flowchart below provides an illustration of a recent web attack that demonstrates the parallel use of malware and affiliate scheme abuse in order to make money. As described before, each node is a web page, and green arrows represent iframe links between pages.
A larger version of the image, complete with partial URLs and host countries, is linked from the small image below.
The main characteristics of this attack are described below:
- it starts at the top, where a malicious script redirects the user to another site.
- this page loads exploits from a remote site to infect the victim (red arrow) with a data stealing Trojan detected as Mal/Behav-112. It also links to three other pages on the same domain (dotted arrows).
- one of these pages appears to be some sort of hit counter (stat.php).
- the other two pages spawn the loading of a whole batch of web pages via a horde of rather incestuous iframes. These serve no purpose other than requesting a mass of other pages, passing in various affiliate IDs.
- at the bottom left-hand side of the flowchart you will notice that the pages linked to are search portals. A variety of rather predictable search terms are used (from soccer and online dating to musical instruments and porn). Of course, an affiliate number is passed in as well (to enable payment).
So, how does this look from the victim’s point of view? Well, since the pages are loaded via iframes with tiny (or zero) width and height parameters, the victim sees nothing. Of course, anyone looking at the HTTP requests sent from the victim machine would certainly see something - perhaps best described as a ‘HTTP explosion’!
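As an added illustration (not code from the original post), the following scanner flags the kind of iframes described above: zero or tiny width/height, or hidden via CSS, and lists which hosts are reached with query parameters attached, the signature of the affiliate calls. The sample page, its hostnames and the affiliate IDs are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

TINY = 2  # an iframe at or below this many pixels in either dimension is effectively invisible

def _px(value):
    """Parse a width/height attribute such as '0' or '1px'; percentages are not judged."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value)
    return int(m.group(1)) if m else None

class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags a user would never see, with the host and query keys of their src."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        width, height = _px(a.get("width")), _px(a.get("height"))
        style = a.get("style", "").replace(" ", "").lower()
        hidden_css = "display:none" in style or "visibility:hidden" in style
        tiny = (width is not None and width <= TINY) or (height is not None and height <= TINY)
        if tiny or hidden_css:
            url = urlparse(a.get("src", ""))
            self.findings.append({
                "host": url.hostname or "",
                "reason": "css-hidden" if hidden_css else "tiny",
                "params": sorted(parse_qs(url.query).keys()),  # e.g. affiliate ID parameter names
            })

def find_hidden_iframes(html):
    p = HiddenIframeFinder()
    p.feed(html)
    return p.findings

def affiliate_hosts(findings):
    """Hosts reached through hidden iframes whose URL carries query parameters (candidate affiliate calls)."""
    return sorted({f["host"] for f in findings if f["params"]})

# Constructed sample page modelled on the pattern in the flowchart (hosts and IDs are made up)
SAMPLE = """<html><body>
<iframe src="http://stats.example.test/stat.php" width="0" height="0"></iframe>
<iframe src="http://portal-a.example.test/search.php?q=soccer&aff=12345" width="1" height="1"></iframe>
<iframe src="http://portal-b.example.test/?q=online+dating&id=12345" style="display: none"></iframe>
<iframe src="http://video.example.test/embed/42" width="640" height="360"></iframe>
</body></html>"""
```

Running `find_hidden_iframes(SAMPLE)` reports the first three iframes and leaves the visible video embed alone; `affiliate_hosts` then narrows that to the two search portals that were passed an ID.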
Fraser Howard, SophosLabs UK

![Flowchart of the web attack (click to enlarge)](/images/sophoslabs-blog/2007/10/ptc_sm.gif)