ESET: constantly disguised malware has infected 500,000 users

ESET has detected and is investigating a complex threat from a newly documented malware family that has so far affected half a million users.

The way the malware, named Stantinko, operates is analyzed in a recent ESET white paper. According to the paper, the malware tricks victims into downloading pirated software from fake websites, and for five years it has managed to keep changing its form, making it hard to detect.

Mainly targeting Russian-speaking users, Stantinko is a botnet that earns revenue by installing browser extensions that inject fake ads while the victim browses the web. Once installed on a machine, it can anonymously perform bulk Google searches and create fake Facebook accounts, which can add friends and like images and pages.

A "Modular Backdoor"

Stantinko uses powerful techniques to evade detection and hides inside code that looks legitimate. The malicious code is stored encrypted, either in a file or in the Windows Registry, and is decrypted with a key generated during the initial compromise. Because the malicious behavior only appears once the component receives new instructions from the command-and-control (C&C) server, it is hard to uncover.

On infected machines, two malicious Windows services are installed that start automatically with the system. "If you get infected, it is difficult to get rid of it, since each of the services can reinstall the other if it is deleted from the system. To completely eliminate the problem, the user must simultaneously delete both services from his machine," explains Frédéric Vachon, Malware Researcher at ESET.
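The removal procedure the researcher describes, as an added example (not ESET's tooling and not code from the article): disable both services, terminate both host processes in a single pass so neither survives to reinstall the other, then delete both definitions. The default service names are placeholders, since the article does not give them; substitute the names from your own triage, and run it from an elevated PowerShell.

```powershell
# Added example, not ESET's tooling. Removes two Windows services that act as
# each other's watchdog, the persistence the article describes: disable both,
# kill both host processes in one pass so neither is left alive to reinstall
# the other, then delete both definitions. Run from an elevated PowerShell.
# The default names are PLACEHOLDERS; substitute the names from your own
# triage (the article does not give them).
param(
    [string[]] $ServiceNames = @('PlaceholderServiceA', 'PlaceholderServiceB')
)

# Resolve every service before touching any of them: removing only one half
# of the pair is exactly what the watchdog is built to survive.
$svcs = foreach ($n in $ServiceNames) {
    $s = Get-CimInstance Win32_Service -Filter "Name='$n'"
    if (-not $s) { throw "Service '$n' not found; refusing to remove a partial set." }
    $s
}

# Refuse to kill a shared svchost.exe: that would take down unrelated services.
foreach ($s in $svcs) {
    if ($s.PathName -match 'svchost\.exe') {
        throw "$($s.Name) runs inside svchost.exe; stop it by service, not by PID."
    }
}

# 1. Remove boot-time persistence first, so a reboot does not bring them back.
foreach ($s in $svcs) { Set-Service -Name $s.Name -StartupType Disabled }

# 2. Terminate both host processes back to back. A graceful Stop-Service on
#    one service leaves the other running and able to reinstall it.
$pids = @($svcs | Where-Object { $_.ProcessId -gt 0 } |
              Select-Object -ExpandProperty ProcessId -Unique)
if ($pids.Count -gt 0) { Stop-Process -Id $pids -Force }

# 3. Delete both service definitions; report the binaries for quarantine
#    rather than deleting them blindly from a script.
foreach ($s in $svcs) {
    & sc.exe delete $s.Name | Out-Null
    $exe = if ($s.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($s.PathName -split ' ')[0] }
    "Deleted service $($s.Name); quarantine its binary: $exe"
}

# 4. Verify nothing came back (repeat the check after a reboot as well).
foreach ($n in $ServiceNames) {
    if (Get-Service -Name $n -ErrorAction SilentlyContinue) {
        Write-Warning "$n is still registered: look for another persistence mechanism."
    }
}
```

The order matters: a polite `Stop-Service` on one service gives the other a window to reinstall it, which is why both PIDs are killed in one `Stop-Process` call after both startup types have already been disabled. If either service is still registered after a reboot, the pair had a third persistence mechanism that this script does not cover.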

Once inside a device, Stantinko installs two browser extensions, both available in the Chrome Web Store: "The Safe Surfing" and "Teddy Protection". "Both plugins were still available online at the time of our analysis," said Marc-Etienne Léveillé, Senior Malware Researcher at ESET. "At first sight, they look like legitimate browser extensions and even have a website. However, when installed by Stantinko, the extensions receive a new configuration that contains rules for carrying out illegal click fraud and ad injection."

Once Stantinko has penetrated a computer, its operators can use its flexible plugin system to do whatever they want with the compromised system, such as running anonymous mass searches to find Joomla and WordPress sites, attacking them, finding and exfiltrating data, and creating fake Facebook accounts.

How the operators behind Stantinko make money

Stantinko has great profit potential, since click fraud is a major source of revenue for cybercriminals. A study by White Ops and the Association of National Advertisers (ANA) estimates that click fraud will cost businesses US$6.5 billion this year alone.

Data from the sites hacked by Stantinko can also be sold on the black market, and the malware can brute-force passwords by trying thousands of different combinations. Although ESET researchers were unable to observe malicious activity on the social network, Stantinko's creators have a tool that lets them run Facebook scams, illegally selling "likes" to attract unsuspecting consumers.
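A defender-side check for the Joomla/WordPress password guessing described above, as an added example (not code from the article or from ESET): it counts POST requests to the usual login endpoints per source IP in a combined-format access log and flags sources above a threshold. The `Find-LoginBruteForce` function, the endpoint list, the threshold of 20 and the log lines are all constructed here for illustration.

```powershell
# Added example, not code from the article or from ESET. A defender-side
# check for the password-guessing the article describes: count POSTs to
# WordPress/Joomla login endpoints per source IP and flag sources that
# exceed a threshold. Function name, threshold and log lines are constructed.
function Find-LoginBruteForce {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [int] $Threshold = 20                  # assumed tuning value; adjust per site
    )
    # Endpoints a credential-guessing bot typically hits on these two CMSs.
    $loginPaths = '/wp-login.php', '/xmlrpc.php', '/administrator/index.php'
    # Combined-log-format prefix: ip ident user [ts] "METHOD path proto" status size
    $re = '^(?<ip>\S+) \S+ \S+ \[[^\]]+\] "POST (?<path>\S+)[^"]*" (?<status>\d{3})'

    $Lines |
        ForEach-Object {
            if ($_ -match $re -and $loginPaths -contains $Matches.path) {
                [pscustomobject]@{ Ip = $Matches.ip; Path = $Matches.path; Status = [int]$Matches.status }
            }
        } |
        Group-Object Ip |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                Ip       = $_.Name
                Attempts = $_.Count
                Paths    = ($_.Group.Path | Sort-Object -Unique) -join ','
                # WordPress re-serves the form with 200 on a failed login and
                # redirects with 302 on success, so a lone 302 among many 200s
                # from one source is the guess that worked.
                Statuses = ($_.Group.Status | Sort-Object -Unique) -join ','
            }
        }
}

# Constructed sample: one source hammering wp-login.php, one normal visitor.
$sampleLog = @(
    1..25 | ForEach-Object { "198.51.100.23 - - [20/Jul/2017:10:15:$('{0:d2}' -f ($_ % 60)) +0000] `"POST /wp-login.php HTTP/1.1`" 200 2431" }
    "192.0.2.9 - - [20/Jul/2017:10:16:02 +0000] `"GET /index.php HTTP/1.1`" 200 9876"
    "192.0.2.9 - - [20/Jul/2017:10:16:40 +0000] `"POST /wp-login.php HTTP/1.1`" 302 0"
)

Find-LoginBruteForce -Lines $sampleLog -Threshold 20 | Format-Table
```

On the sample above only `198.51.100.23` is reported (25 attempts, all status 200); the single legitimate login from `192.0.2.9` stays below the threshold. Against a real log, pipe `Get-Content access.log` into `-Lines` and treat a flagged source that shows both 200 and 302 as a probable successful guess rather than just noise to block.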

The Safe Surfing and Teddy Protection extensions can show ads or redirect the user. "They allow Stantinko's creators to get paid for the traffic of these ads. We even found that users were reaching the advertiser's site directly through ads owned by Stantinko," concludes Matthieu Faou, Malware Researcher at ESET.

For more information on Stantinko visit the welivesecurity.com page.

iGuRu.gr, The Best Technology Site in Greece


Written by Dimitris
