Posted on July 14, 2017 at 7:43 PM
Internet Explorer browsers have lately been under attack by a Trojan called Magala. The click-fraud adware operates by opening virtual desktops on infected computers and artificially increasing the click counts of several web pages.
Kaspersky Lab operators have discovered the Trojan and classified it as possibly unwanted adware. The reason for this classification is that it does not cause much harm to users; the damage falls mostly on companies that pay online ad services real money only to have their click stats artificially raised by shady advertisers.
Sergey Yunakovsky, a malware analyst working at Kaspersky Lab, explains the way Magala works in a blog post. The Trojan first determines which version of Internet Explorer is installed on the infected computer. Any version higher than IE 8 is suitable for the Trojan, which starts a virtual desktop on which it carries out its operations, such as setting up autorun, sending a report to a hardcoded URL and installing the primary payload.
Magala’s next step is to load the toolbar for the MapsGalaxy browser hijacker program, altering the system registry in order to set MapsGalaxy as the default home page.
Kaspersky explained that the Trojan proceeds by contacting the remote server and requesting a list of search queries for the click counts that need to be boosted. With this list, the program begins to send the requested search queries and clicks on each of the first 10 links in the search results, with a period of 10 seconds between each click.
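The fixed pacing described above (10 result links, 10 seconds apart) is a pattern defenders can look for in web-proxy logs. The following is an added example, not code from Kaspersky or from the original article; the log layout (`timestamp host url`), the host names and the thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse(line):
    """Split 'ISO-timestamp host url' (assumed log layout) into typed fields."""
    ts, host, url = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), host, url

def longest_regular_run(times, interval, tolerance):
    """Longest streak of consecutive requests spaced interval +/- tolerance seconds."""
    best = run = 1
    for prev, cur in zip(times, times[1:]):
        gap = (cur - prev).total_seconds()
        # Extend the streak on a near-exact gap, otherwise start over.
        run = run + 1 if abs(gap - interval) <= tolerance else 1
        best = max(best, run)
    return best

def flag_hosts(lines, interval=10.0, tolerance=1.0, min_clicks=10):
    """Return hosts showing at least min_clicks requests in a metronomic streak."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, _url = parse(line)
        by_host[host].append(ts)
    return sorted(
        host for host, times in by_host.items()
        if longest_regular_run(sorted(times), interval, tolerance) >= min_clicks
    )

def build_sample():
    """Constructed log: pc-17 clicks every 10 s, pc-22 browses irregularly."""
    start = datetime(2017, 7, 14, 10, 0, 0)
    lines = []
    for i in range(11):  # one search request followed by 10 paced clicks
        url = "http://search.example/?q=constructed" if i == 0 else f"http://result{i}.example/"
        lines.append(f"{(start + timedelta(seconds=10 * i)).isoformat()} pc-17 {url}")
    for off in [0, 4, 37, 95, 102, 180, 260, 275, 390, 410, 600]:
        lines.append(f"{(start + timedelta(seconds=off)).isoformat()} pc-22 http://news.example/{off}")
    return lines

if __name__ == "__main__":
    print(flag_hosts(build_sample()))
```

Timing alone also matches legitimate software that polls on a fixed schedule, so a hit is a lead for endpoint inspection rather than a verdict.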
The infections have been found by Kaspersky mostly in Germany and the U.S. The usual cost per click in this type of campaign is $0.07, and $2.20 per thousand clicks. Things can easily get out of control if advertisers employ large botnets.
What makes the adware difficult to deal with is that it cannot be determined whether a specific program is part of a secure and legal advertising campaign or is illegal software performing similar tasks. Another problem is the quantity of the advertising, which requires a different approach than before.
Yunakovsky stated that Kaspersky has been observing Magala for a while, but only in March of this year did they start fully researching it.
The pathway by which the malware spreads is unknown, but Yunakovsky warns that Trojans of this type are usually hidden in programs like speed boosters and cleaners. It is unlikely to spread via spam or phishing.