Incident Response, Malware, TDR

Surge in ‘Viknok’ infections bolsters click fraud campaign

A trojan called “Viknok,” which targets Windows users' online banking credentials, is currently being used to further click fraud scams, researchers found.

First detected in April 2013, Viknok has now been attributed to over 16,500 infections that occurred in the first week of May, alone. On Thursday, Andrea Lelli, a researcher at Symantec, revealed in a blog post that scammers had increasingly leveraged the trojan over the past six months, though an actual “spike” in infections was detected last month when 22,000 infections occurred.

Lelli added that the majority of victims struck in early May were in the U.S.

According to Lelli, the trojan targets DLL [dynamic link library] files with a malicious payload and has "evolved into a sophisticated threat capable of obtaining elevated operating system privileges," in order to infect files on multiple Windows platforms, including the 32 and 64-bit versions of Windows XP, Vista and 7.

Once the trojan infects users, attackers use the malware to bolster click fraud campaigns where users are unknowingly redirected to ads. Symantec noted that some victims heard “random audio playback through their compromised computers,” due to various ads that played in the background.  

Of note, Viknok uses a number of tricks to silently infect core system files, Lelli wrote, but the “most powerful” technique entails exploitation of a Windows privilege escalation vulnerability (CVE-2013-3600). This exploit allows Viknok to run code in kernel mode, she explained.

“The threat's purpose is to infect the file rpcss.dll, so that the malicious code is executed every time Windows starts,” Lelli wrote. “The infection of this file merely provides a loader for the core of the malware itself, which is usually stored in an encrypted file in the %System% folder.”

Infected rpcss.dll system files go on to download “Vikadclick,” another Windows trojan that performs malicious activities allowing click fraud.

On Thursday, Satnam Narang, a security response manager at Symantec, told in an interview that researchers are still investigating how saboteurs delivered Viknok to users' computers.

In his expert opinion, however, scammers often deliver such threats via exploit kits which take advantage of users running vulnerable software.

“I think it's probably an exploit kit delivering [Viknok] through a downloader,” Narang said. “Typically we see that, but we are still investigating.”

As Viknok targets multiple Windows platforms, Satnam advised users to keep their systems updated with the latest patches to avoid infection. He also recommended that users implement security software that can protect and repair targeted files.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.