Symantec Connect: Security Response blog
Trojan.Trafbrush: Providing Click Fraud Services to Affiliates

Chen Yu
March 11th, 2008
Tags: Endpoint Protection (AntiVirus), Online Fraud, Security, Security Response

My colleague, Takashi Katsuki, posted a blog that describes how Trojan.Farfli provides a service to affiliates, allowing them to inflate the number of hits on an affiliate's tracker. Recently I came across another Trojan that provides the same kind of service: Trojan.Trafbrush.

When Trojan.Trafbrush is executed, it drops several components and registers a browser helper object (BHO). It then downloads two configuration files from 1.mailhunt.cn. One of the files, config.ini, contains display options for the Web browser and a list of URLs; most of the URLs point at search engines and carry affiliate IDs. The other file, list.dic, is a dictionary of search keywords. The BHO periodically opens the URLs or performs searches using a keyword picked at random from list.dic. In this way the compromised computer helps the affiliate increase the number of hits on their tracker. The Trojan also contacts another site, luckycn.cn, to check for updates to itself.
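The behaviour just described leaves a recognisable trace in a web proxy log: a fetch of config.ini and list.dic from 1.mailhunt.cn, a check against luckycn.cn, and then search-engine queries fired at a fixed interval rather than at the irregular pace of a person browsing. The following Python script, an added example that is not part of the original post or any Symantec tool, flags clients that show this pattern. The log format, the sample log lines and the query-parameter names for each search engine are assumptions made for the demo; the host names and file names come from the post.

```python
"""Flag proxy-log clients showing the Trojan.Trafbrush click-fraud pattern:
config download from 1.mailhunt.cn, update check against luckycn.cn, and
search-engine queries issued at a near-constant interval."""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Indicators named in the post: distribution/update hosts and config file names.
TRAFBRUSH_HOSTS = {"1.mailhunt.cn", "luckycn.cn"}
TRAFBRUSH_FILES = {"config.ini", "list.dic"}

# Search engines named in the post; the query parameter per engine is an assumption.
SEARCH_ENGINES = {"baidu.com": "wd", "google.com": "q", "yahoo.com": "p"}

# Constructed sample proxy log (not real traffic). Assumed line format:
# "<ISO timestamp> <client IP> <method> <URL> <status>"
# The luckycn.cn update path is not given in the post, so the site root is used here.
SAMPLE_LOG = """\
2008-03-10T09:00:01 10.0.0.5 GET http://1.mailhunt.cn/config.ini 200
2008-03-10T09:00:02 10.0.0.5 GET http://1.mailhunt.cn/list.dic 200
2008-03-10T09:05:00 10.0.0.5 GET http://www.baidu.com/s?wd=keyword1 200
2008-03-10T09:10:00 10.0.0.5 GET http://www.google.com/search?q=keyword2 200
2008-03-10T09:15:01 10.0.0.5 GET http://www.baidu.com/s?wd=keyword3 200
2008-03-10T09:20:00 10.0.0.5 GET http://search.yahoo.com/search?p=keyword4 200
2008-03-10T09:25:00 10.0.0.5 GET http://www.google.com/search?q=keyword5 200
2008-03-10T09:30:00 10.0.0.5 GET http://luckycn.cn/ 200
2008-03-10T09:03:17 10.0.0.9 GET http://www.google.com/search?q=lunch 200
2008-03-10T09:41:52 10.0.0.9 GET http://www.google.com/search?q=weather 200
2008-03-10T11:02:05 10.0.0.9 GET http://example.com/news 200
"""


def parse_line(line):
    """Split one log line into fields; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    u = urlsplit(url)
    return {
        "time": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "host": (u.hostname or "").lower(),
        "path": u.path,
        "query": parse_qs(u.query),
        "status": int(status),
    }


def search_param_for(host):
    """Return the query parameter name if host belongs to a listed search engine."""
    for domain, param in SEARCH_ENGINES.items():
        if host == domain or host.endswith("." + domain):
            return param
    return None


def analyze(log_text, min_searches=5, max_cv=0.1):
    """Return {client: [reasons]} for clients matching the Trafbrush pattern.

    A client is reported if it contacts a Trafbrush host, or if it issues at least
    min_searches search queries whose inter-request gaps have a coefficient of
    variation (stdev / mean) at or below max_cv, i.e. a machine-like cadence.
    """
    findings = defaultdict(list)
    search_times = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["host"] in TRAFBRUSH_HOSTS:
            name = rec["path"].rsplit("/", 1)[-1]
            what = "config file" if name in TRAFBRUSH_FILES else "host"
            findings[rec["client"]].append(
                f"fetched Trafbrush {what} {rec['host']}{rec['path']}")
        param = search_param_for(rec["host"])
        if param and param in rec["query"]:
            search_times[rec["client"]].append(rec["time"])
    for client, times in search_times.items():
        if len(times) < min_searches:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            findings[client].append(
                f"{len(times)} search queries at a near-constant {mean:.0f}s interval")
    return dict(findings)


if __name__ == "__main__":
    for client, reasons in analyze(SAMPLE_LOG).items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

The cadence check is what separates a scripted BHO from a person: in the constructed log, 10.0.0.5 queries every 300 seconds and is reported, while 10.0.0.9 makes two ordinary searches and is not. On a real proxy log, tune `min_searches` and `max_cv` to the volume you see, and treat the host-name indicators as the stronger signal, since the Trojan's configuration (and thus its targets) changes almost daily.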

Interestingly, 1.mailhunt.cn also hosts older configuration files alongside the ones the Trojan downloads. The files are well organized: each is named by date, and they are separated into folders by Trojan version. From these files it is possible to determine which URLs are targeted and which affiliates have attempted to earn revenue through fraudulent clicks generated by the Trojan. Baidu and Google were among the search engines listed in the files, along with more than ten distinct affiliate IDs.

The other server, luckycn.cn, hosts many versions of the Trojan's binaries along with a large number of text files. One text file in particular is a log that records all of the Trojan's development activity in detail, including times, actions, the reason for each change, and even the developers' names:

[Image: Trafbrush_small.jpg, a screenshot of the developers' log file]

How kind of them to provide a detailed record of the authors. It is now possible to tell that this operation commenced in January 2008. The configuration files also reveal that the Trojan has targeted Baidu, Google, and Yahoo. The authors are very hard working, releasing new binaries or new configuration files almost every day. On busy days they may release more than one updated file, which may be due to the product becoming better known and attracting more customers. It is clear that the authors of Trojan.Trafbrush are a well-managed team. For their hard work they must be paid well by their affiliates, and the affiliates must deem it worthwhile.

Click fraud is not a new concept; it has been happening since the introduction of the pay-per-click (PPC) pricing model. Because the online advertising business keeps growing and PPC income is a critical source of revenue for small content providers and owners of small sites, we can be certain that this trend will continue.
