Adware is easy money for cyber-criminals who install malware in advertisements. Researchers have discovered a new piece of malware dubbed Zacinlo that specializes in advertising fraud. According to Bitdefender, Zacinlo uses several platforms to pull advertising from, including Google AdSense.
Adware has long been used to augment the earnings of software developers who deliver free applications to consumers. It’s been a winning strategy for app developers whose products have landed in the hands of users around the globe, but the unspoken contract of "no financial strings attached" has been governed by the third-party advertisers. Advertisers absorbing the product’s cost in exchange for customer data is what gave rise to adware.
In a white paper released today, Bitdefender wrote that “adware has witnessed constant improvements over the years in both data collection and resilience to removal. The line between adware and spyware has become increasingly fuzzy during recent years as modern adware combines aggressive opt-outs with confusing legal and marketing terms as well as extremely sophisticated persistence mechanisms aimed at taking control away from the user.”
Zacinlo, spyware that has been running since early 2012, infects a user's PC and performs one of two tasks: it either opens invisible browser instances to load advertising banners and then simulates clicks from the user, or it changes ads loaded naturally inside the browser with the attacker’s ads in order to collect advertising revenue.
An interesting feature on this adware is that it includes a rootkit driver that protects itself, as well as its other components. Extremely rare and difficult to remove, rootkit-based malware is usually found in less than 1% of threats.
"Threats like Zacinlo clearly demonstrate that crime does pay. Advertising abuse has been known to happen for years, but Zacinlo takes this to a whole new level. The complexity and longevity, as well as the multitude of samples, shows that the team that operates it manages to defraud significant amounts of money from publishers and advertisers," said Bogdan "Bob" Botezatu, senior e-threat analyst from Bitdefender.
“Since the rootkit component attempts to subvert both the operating system and the security solutions running on top of it, I would highly recommend that – from time to time – users run a full security sweep," Botezatu said.