Increasingly, spyware is making its way onto users' systems through so-called drive-by-download sites using nefarious methods that circumvent disclosure.
One example is iFrameDollars.biz, which claims to be a Web site affiliate company just for drive-by sites, using a model similar to aboveboard affiliate networks such as Commission Junction and LinkShare.
The Web domain, which is registered to an individual named “Vasiliy Pupkin” at an apparently fictional address, has been active since December 2004 and makes no secret of its owners' desire to leverage browser exploits (in this case, the popular iFrame browser exploit) to make money.
The Web site's Terms page says that iFrameDollars.biz pays 55 cents per install or $55 for 1,000 unique installs of a 3KB program that “changes the homepage and installs toolbar and dialer.”
Web site operators interested in joining the iFrameDollars.biz network must submit a URL for their Web sites, an estimate of their daily traffic and the account number for an online payment service such as E-gold.
In exchange, they are sent a small piece of HTML code containing the iFrame exploit, which the site owners are expected to attach to their pages. Web surfers who visit those pages using vulnerable versions of Windows or Microsoft Corp.'s Internet Explorer Web browser have iFrameDollars.biz's programs silently installed.
An administrator at the site, who uses the name “Alex Zemlickas” and claims to be from Lithuania, forwarded a copy of the iFrame exploit distributed by the iFrameDollars.biz affiliates to eWEEK.
An analysis by iDefense Inc. of that exploit revealed a hostile link that triggers a second exploit and installs X.chm, a Trojan-Downloader program, according to Ken Dunham, director of malicious code at iDefense, a computer security intelligence company in Reston, Va.
The downloader, in turn, pulls 111 applications onto the client computer, including other downloaders and Trojan back-door programs, not to mention MediaTickets, an adware program owned by Clickspring LLC, of Brookline, Mass., Dunham said.
In addition to distributing malicious code and adware through its affiliates, iFrameDollars.biz mines click-through traffic from systems compromised by the group's exploit and uses pop-up messages to tempt users into buying nonexistent software programs, taking a cut of any sales.
The iFrameDollars.biz crew isn't above using its network of compromised machines to distribute spam or to steal personal information from users, either, Dunham said.