Drive-By Download Sites Chauffeur Spyware

By Paul F. Roberts  |  Posted 2005-06-20

Spyware often makes its way onto users' systems through so-called drive-by download sites that circumvent disclosure through nefarious methods.

Increasingly, spyware is making its way onto users' systems through so-called drive-by-download sites using nefarious methods that circumvent disclosure.

One example is iFrameDollars.biz, which claims to be a Web site affiliate company just for drive-by sites, using a model similar to aboveboard affiliate networks such as Commission Junction and LinkShare.

The Web domain, which is registered to an individual named "Vasiliy Pupkin" at an apparently fictional address, has been active since December 2004 and makes no secret of its owners' desire to leverage browser exploits (in this case, the popular iFrame browser exploit) to make money.

The Web site's Terms page says that iFrameDollars.biz pays 55 cents per install or $55 for 1,000 unique installs of a 3KB program that "changes the homepage and installs toolbar and dialer."

Web site operators interested in joining the network must submit a URL for their Web sites, an estimate of their daily traffic and the account number for an online payment service such as E-gold.

In exchange, they are sent a small piece of HTML code containing the iFrame exploit, which the site owners are expected to attach to their pages. Web surfers who visit those pages using vulnerable versions of Windows or Microsoft Corp.'s Internet Explorer Web browser have iFrameDollars.biz's programs silently installed.
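The distribution model above depends on affiliates pasting a third-party iframe into otherwise ordinary pages. The following is an added example, not code from the article or from any party it describes: a small audit that a site operator can run over their own HTML to flag iframes that point off-site, are sized to zero or one pixel, or are hidden with CSS, the traits such injected snippets typically share. The sample page, host name and the affiliate domain are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeAuditor(HTMLParser):
    """Collect iframes whose source or presentation looks like an injected drive-by frame."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host      # host the page legitimately belongs to
        self.findings = []              # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}   # valueless attributes become ""
        src = a.get("src", "")
        # Relative src (no host) is treated as same-origin as the page itself.
        host = urlparse(src).hostname or self.page_host
        reasons = []
        if host.lower() != self.page_host.lower():
            reasons.append("third-party src")
        sizes = [a.get("width", ""), a.get("height", "")]
        if any(s.strip().lower().rstrip("px") in ("0", "1") for s in sizes):
            reasons.append("zero/one-pixel size")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if reasons:
            self.findings.append((src, reasons))


def audit_page(html, page_host):
    """Return [(src, reasons)] for every suspicious iframe in the given HTML."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    return auditor.findings


# Constructed sample: one legitimate same-site frame, one injected hidden frame.
SAMPLE_PAGE = """<html><body>
<iframe src="/news/widget.html" width="300" height="200"></iframe>
<iframe src="http://affiliate.example/in.html" width=0 height=0 style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in audit_page(SAMPLE_PAGE, "news.example"):
        print(f"suspicious iframe {src!r}: {', '.join(reasons)}")
```

Run against the constructed page, only the off-site zero-size hidden frame is reported; the same-site 300x200 widget is not.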

An administrator at the site, who uses the name "Alex Zemlickas" and claims to be from Lithuania, forwarded a copy of the iFrame exploit distributed by the affiliates to eWEEK.

An analysis by iDefense Inc. of that exploit revealed a hostile link that triggers a second exploit and installs X.chm, a Trojan-Downloader program, according to Ken Dunham, director of malicious code at iDefense, a computer security intelligence company in Reston, Va.

The downloader, in turn, pulls 111 applications onto the client computer, including other downloaders and Trojan back-door programs, not to mention MediaTickets, an adware program owned by Clickspring LLC, of Brookline, Mass., Dunham said.

In addition to distributing malicious code and adware through its affiliates, iFrameDollars.biz mines click-through traffic from systems compromised by the group's exploit and uses pop-up messages to tempt users into buying nonexistent software programs, taking a cut of any sales.

The crew isn't above using its network of compromised machines to distribute spam or to steal personal information from users, either, Dunham said.
