Kovter is a Trojan specifically designed to exploit advertising campaigns. Often referred to as click or advertising fraud, the Trojan is used to hijack Web browser sessions in order to simulate a victim’s machine clicking on advertisements to generate advertising revenue for the hackers behind the malware campaign. A well-known malware security researcher who calls himself Kafeine first discovered the latest version of this threat. Kafeine specializes in tracking and studying drive-by download attacks that rely on exploit kits to find vulnerabilities in popular Web browser plug-ins including Adobe Flash Player, Adobe Reader, Microsoft Silverlight, and Java. According to Kafeine, the latest version of Kovter is being distributed using multiple exploit kits that are designed to capitalize on zero day vulnerabilities found within the browser plug-ins mentioned above.
Since these exploit kits rely on known vulnerabilities in these plug-ins, the creators of the exploits kits being used are targeting PC users who do not take the time to ensure all third-party applications are regularly updated. For a PC to become infected with Kovter via one of these exploit kits, the hackers must first compromise legitimate websites that can then be used to serve the malicious content in the background. This technique is known as a drive-by download attack. If compromising an entire website is out of the question, the hackers behind the campaign can instead load malicious advertisements that have been uploaded to legitimate ad networks. In both cases, once a user visits one of these websites, the exploit kit works silently in the background to find known vulnerabilities.
Once a vulnerability is discovered, the exploit is run to download the malicious payload (in this Kovter) onto the target PC. In most cases, the victim never knows the machine has been infected – especially when the malware installed is designed only to commit advertising fraud.
Often, there is no noticeable difference in the PCs performance but hackers are making money nonetheless. Furthermore, the hackers controlling Kovter could always decide to send new instructions to all infected PCs that could present a serious threat to users who’s PCs have been infected with this malware variant. Kovter was originally discovered a couple of years ago but what makes this new variant so interesting is that once the Trojan has successfully installed itself onto a PC, it automatically attempts to update Flash Player so that the very same exploits used to infect the PC cannot be used by other malware to infect the PC alongside Kovter.
Although this technique may seem strange to some readers, it actually makes a lot of sense. Kovter is designed to avoid detection and have a minimal impact on system performance with the hope being that the user never realizes an infection has occurred. This allows the hackers behind Kovter to continue collecting ad revenue without the knowledge or consent of the infected PC’s owner. If another strain of malware were to also infect the PC, chances are high that the user might notice something wrong and attempt to remove the new malware or antivirus detection software may alert the user to a potential threat. In most cases, this will prompt the user to run malware scans in an attempt to isolate and remove the source of infection – potentially removing Kovter at the same time. Another theory as to why Kovter attempts to update Flash Player is that video advertisements pay a lot more than standard impression ads.
The hackers behind the latest Kovter campaign may be attempting to ensure that video ads are playable using the latest version of Flash to maximize their financial returns as a result of successfully infecting a PC. In either scenario, however, Flash Player gets updated and effectively closes the door on any future infections (until new vulnerabilities are discovered and hackers learn how to exploit them using standard drive-by download attacks that rely on readily-available exploit kits such as the Black Hole exploit kit and the Fiesta exploit kit (both of which are leveraged in this most recent malware campaign).
Interestingly enough, the new version of Kovter also attempts to update Internet Explorer as many drive-by download attacks rely on vulnerabilities within the standard Windows OS Web browser to exploit the PC and drop a malicious payload. Kafeine first discovered this threat after noticing that many of the virtual machines he uses to test various malware threats began trying to update both Flash Player and Internet Explorer. Since these virtual machines are designed to be exploited by malware, the auto-update feature is intentionally turned off. After investigating, Kafeine was able to determine that the virtual Windows machines were, in fact, infected with a new version of Kovter that was trying to update these applications.
Although the technique of applying a patch after infection isn’t necessarily new, it is an interesting technique that comes at a time when Flash vulnerabilities are being discovered nearly every week. To avoid infection by Kovter and other malware distributed via drive-by download, ensure that Windows and all third-party applications are updated regularly. Enable the auto-update option whenever possible to make the update process as easy and painless as possible. Also ensure that antivirus software is installed and up-to-date. Although Kovter is difficult to detect using standard antivirus software, many of the exploit kits used by Kovter are easily detected by Internet security suites.
Remember that drive-by download attacks are only successful if an unpatched vulnerability is present in the system or in a application plug-in. As long as these patches are applied as soon as they are released, it is nearly impossible for your PC to become infected with Kovter.
There is likely to be more malware with similar intent appearing in the near future considering that online advertising has become a multi-billion dollar per year industry and malicious advertising, or malvertising, makes up an increasingly large part of the industry’s overall revenue.