Surge in 'Viknok' infections bolsters click fraud campaign

Researchers detected over 16,500 Viknok infections in the first week of May alone.

A trojan called “Viknok,” which targets Windows users' online banking credentials, is currently being used to further click fraud scams, researchers found.

First detected in April 2013, Viknok has now been attributed to over 16,500 infections that occurred in the first week of May alone. On Thursday, Andrea Lelli, a researcher at Symantec, revealed in a blog post that scammers had increasingly leveraged the trojan over the past six months, though an actual “spike” in infections was detected last month, when 22,000 infections occurred.

Lelli added that the majority of victims struck in early May were in the U.S.

According to Lelli, the trojan targets DLL [dynamic link library] files with a malicious payload and has "evolved into a sophisticated threat capable of obtaining elevated operating system privileges" in order to infect files on multiple Windows platforms, including the 32- and 64-bit versions of Windows XP, Vista and 7.

Once the trojan infects users, attackers use the malware to bolster click fraud campaigns in which users are unknowingly redirected to ads. Symantec noted that some victims heard “random audio playback through their compromised computers,” due to various ads that played in the background.

Of note, Viknok uses a number of tricks to silently infect core system files, Lelli wrote, but the “most powerful” technique entails exploitation of a Windows privilege escalation vulnerability (CVE-2013-3600). This exploit allows Viknok to run code in kernel mode, she explained.

“The threat's purpose is to infect the file rpcss.dll, so that the malicious code is executed every time Windows starts,” Lelli wrote. “The infection of this file merely provides a loader for the core of the malware itself, which is usually stored in an encrypted file in the %System% folder.”

Infected rpcss.dll system files go on to download “Vikadclick,” another Windows trojan that performs malicious activities allowing click fraud.
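The infection pattern Lelli describes (a legitimate system DLL rewritten so that a small loader runs at every boot) leaves traces in the PE headers that a responder can check without executing the file. The following is an added example, not Symantec's or the article's code: a dependency-free Python script that parses a PE's section table and flags the classic appended-loader signs (entry point moved into the last section or outside `.text`, a section that is both writable and executable). The two sample images are constructed inline for the demonstration; `scan` them or point `parse_pe` at a copy of `rpcss.dll` taken from a suspect host.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Return (entry_point_rva, [(name, va, vsize, characteristics), ...]) from the headers only."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # optional header start
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    table = opt + opt_size                                # section table start
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                              # each section header is 40 bytes
        name, vsize, va = struct.unpack_from("<8sII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name.rstrip(b"\0").decode(), va, vsize, chars))
    return entry, sections


def suspicious_findings(data):
    """Heuristics typical of an appended-loader file infector; an empty list means nothing flagged."""
    entry, sections = parse_pe(data)
    findings = []
    for idx, (name, va, vsize, chars) in enumerate(sections):
        if va <= entry < va + vsize:
            if idx == len(sections) - 1 and len(sections) > 1:
                findings.append(f"entry point 0x{entry:x} is in the last section {name!r}")
            if name != ".text":
                findings.append(f"entry point 0x{entry:x} is outside .text (in {name!r})")
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name!r} is writable and executable")
    return findings


def build_pe(sections, entry):
    """Constructed minimal PE32 image (headers only) used as sample input; not a real DLL."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(96, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x2102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, 0, 0, 0, 0, 0, 0, c)
                     for n, va, vs, c in sections)
    return dos + b"PE\0\0" + coff + opt + table


# constructed samples: a normal layout, and one with an RWX section appended and the entry point moved into it
CLEAN = build_pe([(b".text", 0x1000, 0x3000, 0x60000020), (b".data", 0x4000, 0x1000, 0xC0000040)], 0x1400)
INFECTED = build_pe([(b".text", 0x1000, 0x3000, 0x60000020), (b".data", 0x4000, 0x1000, 0xC0000040),
                     (b"added", 0x5000, 0x800, 0xE0000020)], 0x5010)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, suspicious_findings(sample) or "no findings")
```

These are triage heuristics, not proof of infection: confirm a hit by comparing the file's hash and Authenticode/catalog signature against a known-clean copy of the same Windows build.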

On Thursday, Satnam Narang, a security response manager at Symantec, said in an interview that researchers are still investigating how saboteurs delivered Viknok to users' computers.

In his expert opinion, however, scammers often deliver such threats via exploit kits which take advantage of users running vulnerable software.

“I think it's probably an exploit kit delivering [Viknok] through a downloader,” Narang said. “Typically we see that, but we are still investigating.”

As Viknok targets multiple Windows platforms, Narang advised users to keep their systems updated with the latest patches to avoid infection. He also recommended that users implement security software that can protect and repair targeted files.
