ESET: Stantinko malware keeps disguising itself and has infected 500,000 users

ESET has detected and is investigating a complex threat from a new malware family that has so far affected half a million users.

The malware, Stantinko, is dissected in a recent ESET white paper. The paper reports that the malware tricks victims into downloading pirated software from fake torrent sites, and that it has kept reshaping itself for five years, which has made it hard to detect.

Targeting mostly Russian-speaking users, Stantinko is a botnet that earns revenue by installing browser extensions which display fake ads while the victim browses the web. Once installed on a machine, it can anonymously perform mass Google searches and create fake Facebook accounts that are able to add friends and "like" pictures and pages.

A "Modular Backdoor"

Stantinko uses powerful techniques to evade detection and can hide inside code that looks legitimate. Its malicious code is stored hidden or encrypted, either in a file or in the Windows registry, and is decrypted with a key generated during the initial compromise. The malicious behaviour cannot be observed until the bot receives new instructions from its command-and-control server, which makes it hard to uncover.

On infected machines, two Windows services carrying the malicious payload are installed and start automatically at boot. "If you get infected, it is difficult to get rid of it, since each of the services can reinstall the other if it is deleted from the system. To completely eliminate the problem, the user must delete both services from the machine simultaneously," explains Frédéric Vachon, Malware Researcher at ESET.
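The removal caveat above (two services that recreate each other) is easy to get wrong if the services are handled one at a time. The following PowerShell script is an added example, not code from the ESET report or from this article, of the order of operations a responder would use: disable both services first so neither can be restarted, then stop both, then delete both, then verify. The service names are placeholders supplied as a parameter; the page does not name Stantinko's services, so substitute the names identified during analysis. Run it from an elevated session, ideally after taking a forensic image.

```powershell
# Added example (not from the ESET report or the article): removing a pair of
# mutually-reinstalling Windows services. The service names are hypothetical
# placeholders passed in by the responder.
param(
    [Parameter(Mandatory = $true)][string[]]$ServiceNames  # e.g. 'SvcA','SvcB' (hypothetical)
)

# Service deletion needs administrator rights; fail early otherwise.
$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this script from an elevated PowerShell session.' }

# 1. Record each service's binary path before touching anything, so the
#    files can be quarantined afterwards and nothing is lost for analysis.
$svcInfo = foreach ($name in $ServiceNames) {
    Get-CimInstance Win32_Service -Filter "Name='$name'" |
        Select-Object Name, State, StartMode, PathName
}
$svcInfo | Format-Table -AutoSize

# 2. Disable BOTH services before stopping either. A disabled service cannot
#    be started by its sibling, which is what defeats the reinstall trick.
foreach ($name in $ServiceNames) {
    Set-Service -Name $name -StartupType Disabled -ErrorAction SilentlyContinue
}

# 3. Only now stop them. Stopping first and disabling later would give the
#    surviving service a window in which to re-register the other.
foreach ($name in $ServiceNames) {
    Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
}

# 4. Delete the service registrations back to back. sc.exe marks a service
#    that still has open handles for deletion, so step 3 matters.
foreach ($name in $ServiceNames) {
    & sc.exe delete $name | Out-Null
}

# 5. Verify that neither service came back. If one did, something other than
#    the two services (a scheduled task, another loader) is recreating it.
Start-Sleep -Seconds 5
$survivors = Get-Service -Name $ServiceNames -ErrorAction SilentlyContinue
if ($survivors) {
    Write-Warning "Still present: $($survivors.Name -join ', ') - look for a third persistence mechanism."
} else {
    Write-Host 'Both services removed.'
}

# 6. List the on-disk binaries to quarantine. PathName may be quoted and may
#    carry arguments; keep only the executable path.
foreach ($s in $svcInfo) {
    $exe = ($s.PathName -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    if (Test-Path $exe) { Write-Host "Binary to quarantine: $exe" }
}
```

Disabling before stopping is the whole point: a service that is merely stopped can be started again by its partner in the gap between the two deletions, whereas a disabled one cannot. Deleting the binaries afterwards, rather than first, keeps the evidence intact and avoids a service entry that points at a missing file.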

Once inside a device, Stantinko installs two browser extensions, both available in the Google Chrome Web Store: "Safe Surfing" and "Teddy Protection". "Both plugins were still available online during our analysis," says Marc-Etienne Léveillé, Senior Malware Researcher at ESET. "At first sight, they look like legitimate browser extensions and even have a website. However, when installed by Stantinko, the extensions receive new settings that contain rules for committing click fraud and showing ads."

Once Stantinko has a foothold on a computer, its operators can load flexible plugins to do whatever they want with the compromised system: performing anonymous mass searches to find Joomla and WordPress sites, attacking those sites by guessing their login credentials, locating and exfiltrating data, and creating fake Facebook accounts.

How Stantinko's operators make money

Stantinko has great profit potential, since click fraud is a major source of revenue for criminals. According to a study by White Ops and the Association of National Advertisers (ANA), click fraud is estimated to cost businesses US$6.5 billion this year alone.

Data from the sites Stantinko compromises can also be sold on the black market; the malware breaks into them by guessing passwords, trying thousands of combinations. Although ESET researchers were unable to observe the malicious activity on social networks directly, Stantinko's creators have a tool that lets them commit fraud on Facebook, selling illegitimate "likes" to attract unsuspecting consumers.

The Safe Surfing and Teddy Protection extensions can display ads or redirect the user. "They allow Stantinko's creators to get paid for the traffic to these ads. We even found users reaching the advertiser's site directly through ads owned by Stantinko," concludes Matthieu Faou, Malware Researcher at ESET.

For more information on Stantinko, see the full analysis on welivesecurity.com.

iGuRu.gr - The Best Technology Site in Greece


Written by Dimitris

Dimitris hates Mondays.
