‘Opachki’ Trojan hijacks links for cash and deletes Zeus malware from the infected machine

By Kelly Jackson Higgins
DarkReading

First there were hijacked search results, now there are hijacked links: a newly discovered Trojan redirects victims to search engine sites in order to cash in on the clicks.

The so-called Opachki Trojan doesn’t do the usual search-result hijacking typically deployed by the bad guys to make money, but instead attempts to hijack all links on a page the infected user is viewing. When the user clicks on a link, the Trojan redirects him to an affiliate-based search engine site that lists multiple links.

“This is the first one I’ve seen that tries to replace with arbitrary links rather than hijacking search results,” says Joe Stewart, a researcher with SecureWorks’ Counter Threat Unit. “This one goes to the page and takes all the links and makes them look like searches so the [victim] sees a search result rather than the page they thought they were going to.”

Opachki basically provides the bad guys another way to make money from affiliate search engines that pay people to drive traffic to them, he says. Each time the victim clicks on one of the links at the redirected search engine site, the Opachki author gets paid a small sum of money, he says. “So to make it look somewhat legit, they have real people clicking on things so that it makes it look like that person is searching.”

And interestingly, the Trojan does one good deed: if the victim’s machine is also infected by the nasty Zeus banking malware, it kills it. “Why is it deleting Zeus? [Opachki] is hooking into the browser similarly to what Zeus does. Maybe there’s some sort of conflict where they both don’t work on the same machine,” Stewart says. “I’m not sure what they’re thinking” by knocking out Zeus, he says. Opachki infections come via drive-by browser exploits, and the Trojan can do its dirty work even if the user doesn’t have administrative privileges on the machine, according to Stewart’s report on the Trojan.

So far, Stewart hasn’t seen widespread Opachki infections, and he says it appears to be fairly new. Although it may basically be a benign infection, it may have other risks, he says. The victim’s machine could be exposed to more malicious Trojans via ads on the affiliate search engine sites, for example. The best way to eradicate the Trojan is reformat and reinstall the operating system.

—

Credit Due: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221400320

LONDON (Reuters) – Detectives have made the first arrests in Europe to tackle a “trojan” computer virus which is believed to have infected tens of thousands of computers across the world, London police said on Wednesday.

The ZeuS or Zbot trojan, a type of sophisticated malicious computer programme, has been used to collect millions of lines of data from machines allowing those responsible to obtain a mass of personal information.

The Metropolitan Police said the trojan was configured so that once installed in an affected computer, it recorded users’ bank details and passwords, credit card numbers and other information such as passwords for social networking sites.

The financial gains for the criminals and the potential losses to individuals and institutions affected were very substantial, detectives said.

Police said a man and a woman, both aged 20, had been arrested on November 3 in Manchester. They have been released on police bail pending further inquiries.

“The ZeuS trojan is a piece of malware used increasingly by criminals to obtain huge quantities of sensitive information from thousands of compromised computers around the world,” said Detective Inspector Colin Wetherill of the Met Police’s Central e-Crime Unit.

“The arrests represent a considerable breakthrough in our increasing efforts to combat online criminality.”

Detectives said the arrests were some of the first in the world and the first in Europe to combat the distribution and control of ZeuS.

(Reporting by Michael Holden; Editing by Steve Addison and Sonya Hepinstall)

—

Credit Due: http://www.reuters.com/article/internetNews/idUSTRE5AH43Y20091118