Notes on click fraud: American story

Thursday 25 September 09:30 - 10:00, Green room.

Peter Kalnai AVAST Software
Jaromir Horejsi AVAST Software

The estimated beginning of this story is in the middle of 2013. The infection chain runs through a malvertising campaign with Java exploitation and ends up dropping a payload with the filename 'notepad.exe'. The main goal of almost all instances of this particular threat is gaining revenue from simulated clicking on online advertisements. Only computers in the United States are targeted. The families of trojans dropped as the final payload share many characteristics, such as possessing both 32-bit and 64-bit variants and using sophisticated stealth techniques for persistence. These are variants of the well-known Win32/64:Alureon rootkit and Win32/64:Blackbeard downloader that was rediscovered at the turn of the year. With this level of complexity, the trojans continue the trend set by one of the most sophisticated threats performing click fraud, namely Win32/64:ZeroAccess/Sirefef.

In this session we focus on the in-depth analysis of these Windows executables and their interesting structural and behavioural aspects. This involves explaining methods that fulfil the need for elevated privileges, the 32-bit to 64-bit code execution switch if executed in a 64-bit environment, and a description of the communication protocol. Moreover, we will provide an overall comparison of clickbot modules of all mentioned threats and discuss the similarities and the differences in the code they use.

Peter Kalnai

Peter Kalnai is a malware researcher and analyst in the AVAST Software virus lab. His main responsibilities are the reverse engineering of Windows, Linux and OS X executables, especially connected with mainstream cyber threats. He has experience with developing weak automated anti-malware heuristics for Windows PEs and Android packages. As a speaker, he has attended international conferences including Virus Bulletin, RSA Conference and CARO Workshop. Currently, he is a Ph.D. student in mathematics at Charles University in Prague. In his free time he enjoys playing table football and watching stand-up comedians.


Jaromir Horejsi

Jaromir Horejsi is a malware researcher and analyst at anti-virus company AVAST Software. His main specialization is reverse engineering and analysis of malicious PE files on the Windows platform. He is interested in malware internals - how it is packed/crypted, how it is installed on a computer, how it protects itself from being analysed, etc. With the growth of mobile malware, his interest also focuses on the reverse engineering of mobile applications. He is a prolific blogger and in the past he has presented his research at several IT security conferences, including RSAC, Virus Bulletin and AVAR.