Everyone knows that there’s no such thing as free lunch. The same goes for freely distributed pirated content online.
Recently, Webroot decided to sample malicious activity within some of the most popular Eastern European torrent trackers, based in Bulgaria, Ukraine, and Romania for starters. The results? Countless backdoored key generators and cracks for popular games and software, and most interestingly, monetization of the huge traffic by delivering pop-ups promoting the ubiquitous W32/Casonline adware, which in case you remember was recently spamvertised to millions of end and corporate users.
More details:
Upon visiting the torrent trackers, or clicking on any of the torrents links, on the majority of occasions the tracker’s users will be exposed to pop ups enticing them into downloading third-party online gambling software which in reality is the W32/Casonline adware. The owners of the torrent tracker earn revenue every time a user downloads and installs the application.
Screenshot of a pop-up enticing users into downloading W32/Casonline adware:
Second screenshot of a pop-up enticing users into downloading W32/Casonline adware:
Third screenshot of a pop-up enticing users into downloading W32/Casonline adware:
Fourth screenshot of a pop-up enticing users into downloading W32/Casonline adware:
Fifth screenshot of a pop-up enticing users into downloading W32/Casonline adware:
Sixth screenshot of a pop-up enticing users into downloading W32/Casonline adware:
Screenshot of the GUI of one of the installers:
Pop up URls: hxxp://www.888poker.com/?utm_medium=mb&utm_source=3038; hxxp://static.eurogrand.com/en/; hxxp://dutch.eucasino.com/; hxxp://ieurodicehit.net; hxxp://goldencherrylp.com/cherryslots220free-20free-1162146; hxxp://www.888casino.com/affiliates/city-life.htm
Detection rate for a sampled W32/Casonline.F binary, MD5: 43a6828eb346f954c53b843f3e9da6b3 – detected by 4 out of 42 antivirus scanners.
Detection rate for a sampled GAME/Casino.Gen binary, MD5: 52f62dfe393a7722d639ddb3cd41350b – detected by 4 out of 42 antivirus scanners.
Detection rate for a sampled GAME/Casino.Gen binary, MD5: b07e5e7de2d2d4e960542c349cb1ebee – detected by 1 out of 42 antivirus scanners.
Detection rate for a sampled Trojan.Win32.Casino.428888, MD5: 881e3d78c9ce1fd9a2a6372219b6cc8b – detected by 3 out of 42 antivirus scanners.
Detection rate for a sampled W32/Casonline binary, MD5: bf05408f113688e1353fa8a0cfc13b9d – detected by 0 out of 42 antivirus scanners.
Detection rate for a sampled CasinoOnline binary, MD5: 5960085c6618f5fc30198645d38bff8a – detected by 1 out of 42 antivirus scanners.
Webroot SecureAnywhere customers are proactively protected from these threats.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.