Thanks to James Wyke of SophosLabs for his excellent-as-ever work on this article.
After a quiet period where you might have thought that cybercrooks had given up on Flash, Adobe’s browser plugin is back in the news.
First, Adobe shipped an emergency update to deal with what it called “limited, targeted attacks“.
Usually, those words imply that a few attackers are using a new exploit with proprietorial care in order to keep a low profile.
Then, cybercrooks packaged the exploit into a widely-known exploit kit called Magnitude and hired out access to other crooks.
That broadened the attack, with a wave of ransomware pushed out by the updated exploit kit.
Then the kit chooses one or more exploits that seem likely to work, and uses them to deliver malware on a “pay-per-install” basis.
The ransomware crooks pay the exploit kit crew to push the malware out; if it subsequently works, then the victim pays the ransomware crooks.
Malware with a twist
Now, there’s Flash-delivered malware with a new twist: it locks the door behind itself.
This particular sample, first reported by independent researcher Kafeine, is a variant of the Kovter malware, and he’s seen it delivered via numerous exploit kits.
→ These exploit kits are known by the innocent-sounding names Fiesta, Angler, Nuclear Pack and Neutrino, but they are anything but innocent.
According to SophosLabs, many variants of Kovter are known, and they comprise one of the most prevalent click fraud malware families.
Click fraud involves racking up bogus traffic via pay-per-click ads, and pocketing the revenue that the hapless advertiser pays out for website visits from malware.
Loosely speaking, the criminals behind click-fraud malware do deals with crooked pay-per-click ad affiliates, who are supposed to generate revenue by placing ads on their websites.
But crooked ad network affiliates don’t rely only on legitimate visitors: by paying other criminals behind a malware operation like Kovter, they can “order up” clicks from infected zombie computers.
The advertisers pay the ad-click company in good faith; the ad-click company pays its click-generating affiliates in good faith; the crooked affiliates pay the Kovter crew for illicit clicks; and the Kovter crew pay the exploit kit operators for distributing the malware.
Maximising fraudulent clicks
Of course, a click fraud zombie needs the latest browser plugins if it wants to be able to “see” and “click” on the latest ads.
If your browser displays a blank space where an ad is supposed to be, you may not notice, and even if you do, you probably won’t care.
But if zombie malware on your computer fires up a browser page and finds a blank space where it’s been programmed to click, it’s just lost an opportunity to generate illicit ad-affilate revenue.
So, this version of Kovter (detected and blocked by Sophos products as Troj/Kovter-Z), having sailed in through the latest Flash exploit, promptly calls home to Adobe and grabs the latest, patched version of Flash.
In the past, malware that performed “free” security updates typically did so as a sort of raison d’être – an excuse that was supposed to legitimise the malware by giving it a veneer of decency.
In this case, by grabbing the latest version of Flash, Kovter-Z is looking out entirely for itself.
The Flash update not only ensures that Kovter can work with the very latest Flash-based ads, but also protects the malware from other crooks who might later buy time from the same exploit kit operators and try to take over Kovter’s turf.
What to look for
Sophos products detect and block the various malware components from this story under numerous names, including:
- Kovter malware: Troj/Kovter-* (Kovter-Z for this sample)
- Flash exploits from the above exploit kits: ExpFL-*
Note that exploit kits rarely rely on a single bug or a single potentially-buggy browser plug-in, and the crooks running the operation may deploy different exploits for different “customers.”
So the exploit kits above also variously try exploits based on PDF files (ExpPDF-*), Java (ExpJV-*), and Silverlight (Exp-SL-*).
An exploit kit can string together exploits against multiple plugins in the hope that one attack will succeed, and that is why we urge you not to install browser addons unless you know you need them.
Omitting components you don’t require is known by the apposite metaphor of reducing your attack surface area.
Just like a hedgehog when it curls into a ball.
Clean up with the free Sophos Virus Removal Tool
This is a simple and straightforward tool for Windows users. It works alongside your existing anti-virus to find and get rid of any threats lurking on your computer.
It does its job without requiring you to uninstall your incumbent product first. (Removing your main anti-virus just when you are concerned about infection is risky in its own right.)
Download and run it, wait for it to grab the very latest updates from Sophos, and then let it scan through memory and your hard disk. If it finds any threats, you can click a button to clean them up.
Other free tools to protect you from exploits kits and zombies
All the features of our commercial UTM for use on a spare computer or in a virtual machine. You get web filtering, email filtering, virus scanning, intrusion prevention, a web application firewall and a full-on Virtual Private Network (VPN) solution for up to 50 computers or mobile devices at home.
You also get 12 free licences for Sophos Anti-Virus for Windows to keep your family PCs clean.
A standalone version of our business grade anti-virus for OS X. You get real-time (on access) malware prevention, web filtering, scheduled scans, malware cleanup and more, plus it keeps itself up-to-date automatically.