Threat Management, Incident Response, Malware, TDR

Click-fraud trojan targeting Yahoo, Google: Symantec

Security researchers at Symantec have uncovered a click-fraud trojan targeted to the online advertising networks of Google, Yahoo and, China's largest independent internet search engine.

This trojan, Trojan.Trafbrush, artificially inflates the number of page views a variety of ads are receiving, Zulfikar Ramzan, a senior principal researcher at Symantec Security Response, told This is the second such trojan -- the first was Trojan.Farfli -- Symantec has discovered recently.

Ramzan suspects the authors of this trojan operate webpages that display ads from the three search engines. These are the so-called affiliates in the internet advertising environment; the search engines act as agencies for companies who want their ads placed on content-appropriate websites.

The search engines and the affiliates share in the revenue from placing ads, so the affiliates "would get a commission for having hosted an ad on their page," Ramzan said. "The person who's writing trojan is probably in cahoots [with] the affiliates."

The click-trojan artificially increases the number of "hits," or click-throughs, the ads receive by generating the clicks automatically from infected PCs.

"It looks like a legitimate person is clicking the ad, even though no one really is and no one views the advertiser's website," Ramzan explained, adding that he is surprised that Yahoo and Google, in particular, are targets.

"The bigger players in the space have a lot of back-end forensics and detection systems to determine when a click is fraudulent whereas some of smaller players have less-sophisticated ways to do so," he said.

These methods could deploy at a variety of metrics to determine whether a click-through was human- or trojan-generated, he said. These include time spent viewing the ad, the frequency of hits on specific ads, and the IP address where the click-through originated.

There are several notable characteristics of this trojan, Ramzan added. First, click-fraud trojans have been rare so far. In addition, the authors are updating the Trafbrush trojan at least daily, and often multiple times a day.

According to Ramzan, a couple of factors may be driving this rapid evolution.

The authors might well be looking for more popular targets, thus increasing their "hit" rate and the amount of money they're earning, he said.

"They could also be fine-tuning how they're generating hits to keep them under the radar of the back-end mechanisms at Yahoo and Google to detect fraudulent clicks," he said.

This type of trojan, which infects a user's PC but in reality causes no harm to the computer itself while generating fraudulent click-throughs, also is rather new, Ramzan added. Unlike a trojan that downloads a keylogger to steal the user's personal information, "the real victims are the people paying for the ads," he said.

Neither Yahoo nor Google responded to's request for comment.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.