Cyber-criminals likely based in Russia and the Ukraine have compromised computers at thousands of companies with a malware program known as Mevade, hijacking search traffic and conducting click fraud to turn the compromised systems into cash, security firm Websense stated in an analysis posted online on Oct. 23.
The attack has hit companies in the United States, the United Kingdom, Canada and India, among others, and has targeted the business services, manufacturing and transportation industries, as well as government agencies. The list of targeted industries is interesting because—while the Mevade malware is focused on generating cash for the operators of the botnet—it could easily be turned into a data-stealing espionage network, Alex Watson, director of research for Websense Labs, told eWEEK.
“If you look at malware and its capabilities, this group is really going after whatever money they can get,” Watson said. “But if you look at the targets, it’s definitely concerning. It would only take a change in business model to sell access to a number of critical industries.”
Mevade is not a new malware program. First detected by Microsoft on July 2, 2013, the program is likely a variant of malware called Sefnit, used by a cyber-criminal group since 2011. In late July, the number of computers infected by the program, and the industries infiltrated by the botnet, rose quickly, peaking in late August and early September, according to data from Websense. Since late September, the pace of compromise has gradually slowed, suggesting that the campaign has ended, Watson said.
The lull is not unusual for criminal activity, he said. In many cases, cyber-criminal groups will stop using a particular binary executable when antivirus firms broadly detect the program and its variants. Infections will slow or stop while the cyber-criminal groups work on creating a version of the program that antivirus software fails to detect, he said.
The program conducts click fraud, falsifying users’ clicks on Website advertisements to generate fraudulent affiliate fees for the criminal group behind the program.
Mevade gained notoriety in early September when it was connected to a massive spike in user traffic on the Tor anonymizing network. The number of simultaneous user connections jumped at least sixfold to 3 million, from 5o0,000, because a botnet began routing traffic through the network to anonymize the origin and destination of the communications. Security experts connected Mevade to the spike in traffic and estimated that between 1.5 million and 5 million computers were responsible for the traffic.
“Using an anonymizing service like Tor, it is nearly impossible to attribute the infected machines back to the servers they came from,” Websense’s Watson said.
Other industries infected by the Mevade malware include health care, mining, agriculture, communications, education and retail/trade industries, according to Websense. The extensive infrastructure likely means that the attackers are well-financed, the company stated in its analysis.