Ya!Bucks spreads malicious executable files

Executable files on the Ya!Bucks pay per install program are spreading a range of malware including the Rustock and Pushdo spam bots and fake anti-virus.

Writing on the Marshal8e6 TRACElabs blog, Gavin Neale claimed that affiliate or pay per install programs such as Ya!Bucks reward people for installing malware on a victim's PC or by redirecting browsers to landing pages where users may be asked to download software or be exposed to exploits.

Once a user is registered with Ya!Bucks, members can download an executable file that they will then spread to victims' PCs via their own methods. Ya!Bucks members get paid if the victim purchases the software that was installed (often illegally) on their PC.

Neale claimed that affiliate programs such as this are one reason why there is a constant stream of malicious web pages being created to install software on people's computers.

“There is also a section of available landing pages where members can redirect traffic from their own web pages to. This is often seen in search engine optimisation schemes where web pages are made to appear in search engine results to attract visitors who are then redirected to an affiliate program-landing page. The landing page used by Ya!Bucks is a typical fake anti-virus page designed to trick users into installing the fake AV software,” said Neale.

He claimed that the lab signed up to the site and received an email every few days to let them know that there was a new, apparently undetectable, executable file available for them to use. At first the file was only detected by a couple of anti-virus engines, but several days later most of the major anti-virus programs had added signatures for it.

Neale claimed that on the test system, the executable downloaded a range of malware including the Rustock and Pushdo spam bots and the fake anti-virus software ‘Protection System'. It also caused the system to slow down to an almost unusable speed and generated a flood of various Windows error messages.

Affiliate programs pay their affiliates in different ways, for example, Ya!Bucks states that they give affiliates 70 per cent of the revenue that they generate from purchases of the fake anti-virus software. Others pay for each PC their software is installed on. The payment per install varies between countries.

US installs fetch the most, usually around US10-15c per install, while installs in Asia are around one cent. The payments can increase once the affiliate has reached a certain number of installs.

Neale said: “Presumably the affiliate will get paid if the victim purchases the fake AV. Whether or not they purchase ‘Protection System' they will have two spam bots and a host of other malicious software on their computer.

“Most affiliate programs require affiliates to have earned a certain amount of money before they are able to have the cash transferred to a web-money account. We have seen several affiliate programs apparently disappearing, leaving their affiliates lamenting their losses on underground forums.”

See original article on scmagazineuk.com