Spyware - From Russia Without Love
Published: Saturday, July 02, 2005 Online-Casinos.com
FROM RUSSIA WITHOUT LOVE
An online business based in Russia will pay Web sites 6 cents for each machine
they infect with adware and spyware, security researchers say, calling the practice
"awful."
The depths to which some scumware dispensers will go to infect consumers' PCs
with adware and spyware was examined recently in an article from TechWeb News,
which reported that an online business based in Russia will pay websites 6 cents
for each machine they infect with adware and spyware.
iframeDOLLARS.biz, which according to a WHOIS lookup, is registered to a Nick
Fedorov in Nizhny Novgorod, a Russian city on the Volga about 240 miles east
of Moscow, will pay Webmasters to place a one-line exploit on their sites to
snare unwary surfers.
The code exploits a number of patched Windows and Internet Explorer vulnerabilities,
including some that go back as far as 2002. Systems that haven't been updated,
however, would still be vulnerable to the exploit.
According to analysis done by the SANS Institute's Internet Storm Center, the
exploit drops at least nine pieces of malicious code, including backdoors, other
Trojans, spyware, and adware, on any PC whose user surfs to a site hosting the
exploit code.
iframeDOLLARS says it pays $61 per thousand unique installs, or 6.1 cents per
compromised machine, to any site that signs up as an affiliate. The Russian
firm boasts that its exploit works "without any ActiveX console or any
pop-upsIt means that you will not lose your unique visitors." Nor, apparently,
give away the fact that the code is dropping malware onto machines whenever
a vulnerable user simply visits an affiliate site.
On its own site, iframeDOLLARS claimed that it handed out $11,890 in payments
last week, which if true, would translate into nearly 195,000 infected PCs.
But the business is picky. "We won't buy Russian and Asian (Japanese, Korean,
Chinese) traffic," it tells prospective partners on its Web site.
Richard Stiennon, the director of threat research at anti-spyware software vendor
Webroot says the practice is ".....new in that they're taking an existing
business model - an affiliate-style program - to exploit a [Windows] vulnerability
to plant their code."
What's not new is exploiting Windows to install adware and spyware, Stiennon
added. CoolWebSearch, the most pervasive and pernicious piece of adware on the
planet by the Boulder, Colorado-based company's calculations, is typically installed
using some of the same vulnerabilities.
Stiennon estimated that iframeDOLLARS could collect as much as $75,000 annually
from the adware it placed on the infected machines during the past week (and
which cost it approximately $12,000 in payments to place). "They could
be making a lot of money," said Stiennon.
Dan Hubbard, the head of security at Websense, a San Diego-based Web security
and filtering vendor, said that iframeDOLLARS.biz has been around for some time,
known to his team, and included in Websense's database as a malicious site.
"They've tried other things in the past [to install adware], including
malicious Java applets and PHP exploits," said Hubbard.
Nor are they alone in taking this model and maliciously running with it, Hubbard
added. Other sites, since shut down, have tried a similar approach, paying for
other sites to infect PCs, then reaping the revenue rewards.
"I'm surprised that [iframeDOLLARS] hasn't been shut down, too," said
Hubbard.
According to the Internet Storm Center, organisations can prevent the downloading
of adware and spyware from iframesDOLLARS' servers by blocking the IP address
81.222.131.59.
