August 7, 2014

Modern cybercriminals employ any and all means possible to make money via the Internet. They resort to committing ordinary fraud, spreading Trojans and stealing confidential information to subsequently use it in all sorts of criminal schemes. In a way, click fraud stands apart from other types of cybercrime. Here cybercriminals also make use of special malware such as Trojan.Click3.9243.

Click fraud involves imitating a legitimate user visiting a site or clicking on an ad without having an actual interest in the site or advertised links. Click fraud helps criminals generate pay-per-click income. Site owners also often resort to the fraud to generate clicks for their competitors’ ads to increase their advertising expenses. Click fraud is facilitated by special software that is covertly installed onto target computers. One such program discovered by Doctor Web's security researchers was dubbed Trojan.Click3.9243.

This Trojan is distributed under the notorious referral program Installmonster (a.k.a. Zipmonster) which is known to security experts for its ties with virus makers. The Trojan poses as a browser called Ad Expert Browser; however, users are given no explanation as to what its advantages are or why they should want it at all. The Ad Expert Browser license agreement indicates that it can sometimes display advertisements while the user is surfing the web, but, in fact, this is extremely unlikely since Trojan.Click3.9243‘s true purpose is entirely different. When launched on an infected computer, the Trojan creates a hidden Windows desktop and starts several processes that are used by Trojan.Click3.9243 to load various web pages and begin clicking on advertisements. It is worth mentioning that the Trojan attempts to mimic the behaviour of a living person: it scrolls through web pages, emulates mouse pointer movement, and views videos using its built-in codecs, after first disabling the audio in its application so that it doesn't interfere with the actual user experience. During its operation, the malware sends criminals the list of running processes on the infected PC and an assessment of the system's CPU load. After analysing this Trojan’s digital signature, virus analysts have concluded that the developers of Trojan.Zadved.1, described in detail in a Doctor Web review published in December 2013, may be behind the click fraud program.

To maintain security, Doctor Web recommends that users refrain from installing software from dubious sites and use modern anti-viruses.