ESET: malware is constantly disguised & has infected 500.000 users

ESET has detected and is investigating a complex threat, which comes from a new strain of malware and has affected half a million users so far.

The malware, Stantinko, is broken down in a recent ESET white paper. There it is reported that the malware deceives victims into downloading pirated software from fake torrent sites, while managing to constantly transform itself over five years, which has made it difficult to detect.

Targeting primarily Russian-speaking users, Stantinko is a botnet that earns revenue by installing browser extensions which display fake advertisements while browsing. Once installed on a machine, it can anonymously perform mass Google searches and create fake Facebook accounts that can add friends and 'like' images and pages.

A "Modular Backdoor"

Stantinko uses powerful techniques to escape detection and can be hidden in simple code which seems legitimate. Using advanced methods, the malicious code can be hidden or encrypted either in a file or in the Windows registry. It is then decrypted using a key created during the initial compromise. The malicious behavior cannot be detected until the malware receives new instructions from its Command-and-Control server, which makes it difficult to uncover.

On infected machines, two Windows services with harmful content are installed, and they start automatically when the system boots. "If you get infected, it is difficult to get rid of it, since each of the services can reinstall the other if it is deleted from the system. To completely eliminate the problem, the user must simultaneously delete both services from his machine," explains Frédéric Vachon, Malware Researcher at ESET.
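A defender-side illustration of the removal step Vachon describes, added here and not part of the ESET research or the original article: the script stops both services before deleting either one, so that neither service is running to reinstall the other, and then verifies that nothing came back. The service names are placeholders, since the page does not give the real ones; substitute the names identified during your own investigation.

```powershell
# Added example (not from ESET or iGuRu.gr): remove two mutually reinstalling
# Windows services in one pass. Service names below are placeholders.
$SuspectServices = @('PLACEHOLDER_SERVICE_A', 'PLACEHOLDER_SERVICE_B')

# 1. Stop both services first, so neither is running to re-create the other
#    while the other is being removed.
foreach ($name in $SuspectServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $svc -and $svc.Status -ne 'Stopped') {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    }
}

# 2. Disable automatic start so a reboot cannot bring them back before deletion.
foreach ($name in $SuspectServices) {
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
        Set-Service -Name $name -StartupType Disabled
    }
}

# 3. Record the binary each service points at before deleting the definition,
#    so the payload files can be quarantined afterwards.
$binaries = foreach ($name in $SuspectServices) {
    Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" |
        Select-Object Name, PathName, StartMode, State
}
$binaries | Format-Table -AutoSize

# 4. Delete both service definitions back to back (sc.exe is used rather than
#    Remove-Service so the script also works on Windows PowerShell 5.1).
foreach ($name in $SuspectServices) {
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
        sc.exe delete $name | Out-Null
    }
}

# 5. Verify that neither service was reinstalled.
$remaining = Get-Service -Name $SuspectServices -ErrorAction SilentlyContinue
if ($remaining) {
    Write-Warning "Services still present: $($remaining.Name -join ', ')"
} else {
    Write-Output "Both services removed; quarantine the binaries listed above."
}
```

Run it from an elevated PowerShell session; the recorded PathName values are the files to quarantine and the lookup points to check when confirming the infection is gone.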

As soon as it finds itself inside a device, Stantinko installs two browser plug-ins, both of which are available in the Google Chrome Web Store: "The Safe Surfing" and "Teddy Protection". "Both plugins were still available online during our analysis," says Marc-Etienne Léveillé, Senior Malware Researcher at ESET. "At first sight, they look like legitimate browser extensions and even have a site. However, when installed by Stantinko, the extensions get new settings that contain rules for causing illegal click fraud and ads."

Once Stantinko infiltrates a computer, its operators can use flexible plugins to do whatever they want with the compromised system, such as performing anonymous bulk searches to find websites (including WordPress sites), attacking them, finding and stealing data, and creating fake Facebook accounts.

How the hackers behind Stantinko make money

Stantinko has great potential for profit, since click fraud is a major source of revenue for hackers. According to a survey by White Ops and the Association of National Advertisers in the US, click fraud alone is estimated to have cost businesses 6.5 billion US dollars this year.

Data from sites compromised by Stantinko can also be sold on the black market, since the malware can guess passwords by trying thousands of different combinations. Although ESET researchers have been unable to monitor malicious activity on the social network, Stantinko's creators have a tool that lets them abuse Facebook, illegally selling "likes" to attract the attention of unsuspecting consumers.

The Safe Surfing and Teddy Protection plugins can show ads or redirect the user. "They allow Stantinko's creators to get paid for the traffic of these ads. We even found that users were getting access to the advertiser's site directly through ads owned by Stantinko," concludes Matthieu Faou, Malware Researcher at ESET.

For more information on Stantinko visit the welivesecurity.com page.


Written by Dimitris
