Advertising networks pay affiliates, usually website operators, for each click on an advertisement that the affiliate has displayed on their website. Click fraud is where affiliates have no intention of waiting for people to visit their website, instead they fraudulently send imitation clicks to the ad network, often using automated scripts or botnets to quickly generate a profit. We recently took a look at Drooptroop, a Trojan horse designed to intercept browser requests for search results and send an intimation ad click to an advertising network, which in turn direct the browser to a website as if the user had actually clicked on that ad.
Drooptroop modifies windows network functions loaded by the browser so that they point to Drooptroop’s own routines where it can intercept and modify the browser’s internet traffic. The malware then waits for the user to do a search using one of several popular search engines including Google, Yahoo, Bing or Altavista. When the user clicks on one of the search results, Drooptroop sends a simulated click on an advert to an advertising network and redirects the browser to a web page chosen by that advertising network.
During the time we were observing it, Drooptroop served ads from the advertising networks 7Search.com and relestar.com as well as fake Anti-Virus websites designed to scare users into downloading and eventually buying fake AV products.
On a machine infected with Drooptroop, we did a Google search for ‘Click fraud’ and got the usual results page:
An analysis of the ACH spam campaign
Massive Rise in Malicious Spam
‘Just applied for my own @facebook.com email account’ Phish Spreading
Can’t Believe A Girl Did This Because of Justin Bieber? You Shouldn’t
RapidShare.com – The Phishing Begins