ESET: constantly disguised malware has infected 500,000 users

ESET has detected and is investigating a complex threat, the work of a newly identified malware author, which has so far affected half a million users.

The malware, Stantinko, is analysed in a recent ESET white paper. It reports that the malware tricks victims into downloading pirated software from fake torrent sites, and that it has managed to keep transforming itself for five years, making it hard to detect.

Targeting primarily Russian-speaking users, Stantinko is a botnet that earns revenue by installing browser extensions which display fake advertisements while the victim browses the web. Once installed on a machine, it can anonymously perform mass Google searches and create fake Facebook accounts, which are able to add friends and "like" pictures and pages.

A "Modular Backdoor"

Stantinko uses powerful techniques to evade detection and can hide in plain sight inside code that looks legitimate. Using advanced methods, the malicious code can be hidden or encrypted in a file or in the Windows registry. It is then decrypted with a key generated during the initial compromise. The malicious behaviour cannot be observed until the bot receives new instructions from its command-and-control server, which makes it hard to uncover.
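One practical check that follows from the description above is to hunt for large, high-entropy binary values in the registry hives a service or autorun entry would use, since an encrypted payload stored there looks very different from ordinary configuration data. The script below is an added example, not code from ESET's report; the hive list, the 4 KiB size floor and the 7.2 bits/byte entropy threshold are assumptions to tune for your own environment.

```powershell
# Added example (not from ESET's report): flag registry values that look like
# encrypted blobs. Run from an elevated PowerShell on the machine being triaged.

function Get-ShannonEntropy {
    param([byte[]]$Bytes)
    # Shannon entropy in bits per byte: ~8.0 for random/encrypted data,
    # noticeably lower for text, XML, paths and most plain binary structures.
    if (-not $Bytes -or $Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object 'int[]' 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $entropy = 0.0
    $n = [double]$Bytes.Length
    foreach ($c in $counts) {
        if ($c -gt 0) {
            $p = $c / $n
            $entropy -= $p * [Math]::Log($p, 2)
        }
    }
    return $entropy
}

function Find-SuspiciousRegistryBlobs {
    param(
        # Assumed starting points: service definitions and per-user/machine autorun areas.
        [string[]]$Roots = @(
            'HKLM:\SYSTEM\CurrentControlSet\Services',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
            'HKCU:\SOFTWARE'
        ),
        [int]$MinBytes = 4096,        # assumption: ignore small binary values
        [double]$MinEntropy = 7.2     # assumption: threshold for "looks encrypted"
    )
    foreach ($root in $Roots) {
        # Access-denied keys are skipped rather than aborting the scan.
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                if ($key.GetValueKind($name) -ne 'Binary') { continue }
                $data = [byte[]]$key.GetValue($name)
                if ($data.Length -lt $MinBytes) { continue }
                $h = Get-ShannonEntropy -Bytes $data
                if ($h -ge $MinEntropy) {
                    [pscustomobject]@{
                        Key     = $key.Name
                        Value   = $name
                        Bytes   = $data.Length
                        Entropy = [Math]::Round($h, 3)
                    }
                }
            }
        }
    }
}

Find-SuspiciousRegistryBlobs | Sort-Object Entropy -Descending | Format-Table -AutoSize
```

Expect some benign hits (compressed caches, certificate stores, licensing data); the value of the scan is the short list it produces for manual review, and a hit under a service key that also has an unusual ImagePath is the one to look at first. Recursing all of HKLM:\SOFTWARE is possible but slow, which is why the default roots are narrower.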

On infected machines, two Windows services with malicious content are installed, both starting automatically at boot. "If you get infected, it is difficult to get rid of it, since each of the services can reinstall the other if it is deleted from the system. To completely eliminate the problem, the user must delete both services from his machine simultaneously," explains Frédéric Vachon, Malware Researcher at ESET.
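A cleanup that follows that advice, as an added example rather than anything from ESET's report: disable both services before touching either, stop both, then delete both registrations back to back and verify neither returned. The service names below are placeholders to replace with the two names found during triage; the ten-second wait before verification is an assumption.

```powershell
# Added example (not from ESET's report): remove two services that restore each
# other. Run from an elevated PowerShell; $Names are placeholders.

function Remove-PairedServices {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Names)

    # 1. Disable both first, so a watchdog restart request is refused by the
    #    Service Control Manager even if one service outlives the other briefly.
    foreach ($n in $Names) {
        Set-Service -Name $n -StartupType Disabled -ErrorAction Stop
    }

    # 2. Stop both; if a service ignores the stop request, kill its host process.
    foreach ($n in $Names) {
        Stop-Service -Name $n -Force -ErrorAction SilentlyContinue
        $svc = Get-CimInstance Win32_Service -Filter "Name='$n'"
        if ($svc -and $svc.ProcessId -ne 0) {
            Stop-Process -Id $svc.ProcessId -Force -ErrorAction SilentlyContinue
        }
    }

    # 3. Record the image paths before the registrations disappear, so the
    #    binaries can be quarantined afterwards instead of being left on disk.
    $images = foreach ($n in $Names) {
        (Get-CimInstance Win32_Service -Filter "Name='$n'").PathName
    }

    # 4. Delete both registrations back to back (sc.exe works on any PowerShell
    #    version; Remove-Service only exists from PowerShell 6 onward).
    foreach ($n in $Names) { sc.exe delete $n | Out-Null }

    # 5. Verify that neither service has been re-created.
    Start-Sleep -Seconds 10   # assumption: long enough for a watchdog to react
    $survivors = @(Get-Service -Name $Names -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Requested = $Names
        Images    = $images
        Survivors = $survivors.Name
    }
}

# Placeholder names: substitute the two service names identified on the machine.
Remove-PairedServices -Names 'ServiceA', 'ServiceB'
```

If Survivors is not empty, something other than the two services (a scheduled task, a third service, or the running payload itself) re-registered them, and the Images list tells you which binaries to pull and examine before trying again.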

Once inside a device, Stantinko installs two browser extensions, both of which were available in the Chrome Web Store: "The Safe Surfing" and "Teddy Protection". "Both plugins were still available online at the time of our analysis," said Marc-Etienne Léveillé, Senior Malware Researcher at ESET. "At first sight, they look like legitimate browser extensions and even have a website. However, when installed by Stantinko, the extensions receive a new configuration that contains rules for performing click fraud and injecting ads."

Once Stantinko penetrates a computer, its operators can use flexible plugins to do whatever they want with the compromised system, such as performing anonymous mass searches to find Joomla and WordPress sites, attacking them, finding and exfiltrating data, and creating fake Facebook accounts.

How the hackers behind Stantinko make money

Stantinko has great profit potential, since click fraud is a major source of revenue for cybercriminals. According to a survey by White Ops and the Association of National Advertisers in the US, click fraud is estimated to cost businesses 6.5 billion US dollars this year alone.

Data from the sites hacked by Stantinko can also be sold on the black market, since the malware can guess passwords by brute force, trying thousands of different combinations. Even though the ESET researchers were unable to track malicious activity on the social network, Stantinko's creators have a tool that allows them to run Facebook scams, illegally selling "likes" to attract the attention of unsuspecting consumers.

The Safe Surfing and Teddy Protection extensions can show ads or redirect the user. "They allow Stantinko's creators to get paid for the traffic to these ads. We even found that users were reaching the advertiser's site directly through ads owned by Stantinko," concludes Matthieu Faou, Malware Researcher at ESET.

For more information on Stantinko, visit welivesecurity.com.

iGuRu.gr


Written by Dimitris
