29

Some days ago I got infected by a malware, probably something new and very clever, as it went in unstopped and no scanning tool was able to detect it afterwards (see this question).

It was a two-stage infection: first an obvious malware went in via Internet Explorer (fully patched, so there probably is some still unknown hole there) and started running and doing silly things like hiding all my files and flashing fake system warning popups asking me to reboot due to a "disk controller malfunction"; this was probably a way to trick me into rebooting to load the actual malware. Then, after this was removed (very easily, a simple Run Registry key), it left a rootkit behind which was absolutely undetectable... but that kept doing silly things too, like hijacking Google searches and launching background iexplore.exe processes which were clearly visible in the Task Manager (wonder what they were doing, though). At last, I was able to get rid of it by rewriting the system drive's MBR and boot sector, where some loader code had been hidden; I still don't know what that was actually loading, though.

What I'm wondering now is: people writing malware are becoming increasingly clever, using more and more advanced stealth techniques... and yet, they keep using these powerful tools to do silly things like showing advertisements, which by now almost everyone recognizes as a sure sign of malware infection (and who ever does click on them, anyway?). If it wasn't for the search hijacking and background iexplore.exe processes, I'd never have guessed a rootkit was still there after the "main" infection... and, if the "main" infection hadn't played aroud with attrib.exe to make me think all my files had disappeared, I would have just not noticed it and it would have been free to load the rootkit upon the next reboot (which, being that a home computer, would for sure have happened in at most a day).

Such a stealth rootkit could have stayed there for a long time, if it didn't make such efforts to show its presence; and it could have done real damage, like installing a keylogger or taking part in a botnet; which it maybe also did, too... but since it was so obvious the machine was infected, I started looking for a way to clean it, and found it (or otherwise I'd have just formatted, which I'm going to do anyway, just to be sure).

So, the question remains: why all of these clever infection and stealth techniques are being wasted on showing useless advertisements?

Massimo
  • 731
  • 5
  • 13

6 Answers6

26

Various reasons:

Attacker is often not the Developer - Developers of malware sell the packages to anyone - the payload will be then defined by the attacker. Some attackers want to be stealthy - some don't, in fact some delight in being obvious and notorious.

Practice - developing techniques

Apathy/Ignorance - end users are really no good at fixing problems that can't be resolved by clicking on antivirus or malware cleaners.

Money - click-thrus and clickjacking can make good money. Viagra/Cialis spam also makes money. Fake-malware removal tool downloads can make a lot of money.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
  • 6
    I like the Developer/User argument. Just like the benign economy the users of software are often not the creators. There is some good reaserch on this malware economy. TrendMicro's ["The Business of Cubercrime"](http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/wp04_cybercrime_1003017us.pdf) is a very readable overview of this complex underground economy. Some highlights: affiliate programs, pay-per-install, recruiting affiliates, and "customer service". – this.josh Jul 13 '11 at 17:03
  • 4
    The last sentence is a good one. Imagine a malware that proudly displays its name, say MisterMalware, so that the dumb user searches the internet and finds its brother, whose name is of course MisterMalwareCleaner and comes with a price tag! This is ransomware without an apparent ransom. – user21820 Mar 16 '16 at 11:40
13

The answer is simple, and it's a similar phenomenon to the the anthropic principle, called survivor bias. There are many, many stealthy viruses that stay in place a long time, because they don't do this—but you don't ever hear or think about those, for the very reason that they're stealthy. Remember, what you're really asking is, "Why do I see so many non-stealthy viruses compared to the number of stealthy viruses I see?" But of course, you don't see the stealthy ones.

forest
  • 65,613
  • 20
  • 208
  • 262
Lily Chung
  • 968
  • 1
  • 9
  • 13
1

My first guess is : Money. And my second would be : challenge. Eventually you could add : pranks. (Maybe for the first malwares that was developed :D)

But malwares are also worms and viruses. So we may add to the potential gains :

  • Have access to computer (botnet, proxies) => stealth
  • Steal high valuable data => power, reputation
  • Scare end-user and gain money => deception

Directly or indirectly, that implies money.

Maybe one of them is for world's domination though. (joke?)

M'vy
  • 13,053
  • 3
  • 48
  • 69
  • 1
    I think you misunderstood my question. It was more along the lines of "why do they make the presence of malware obvious by showing ads when they could just have it sit there and steal your credit card number unnoticed?". – Massimo Jul 13 '11 at 09:06
  • 2
    Well because most users will be deceived and think it's normal. And credit card fraud is more traceable than advertisement farming; to fraud with card you need special settings to ensure you will not be sent to jail the next day. – M'vy Jul 13 '11 at 09:16
  • 1
    Sure. But mine was just an example, there are *many* more useful things a malware could do than displaying ads... which is also the *worst* thing it can do as long as "going unnoticed" is concerned. – Massimo Jul 13 '11 at 09:32
  • @Massimo re credit cards, a single credit card number is not worth a lot of money, only in bulk. It is simply not worth the effort to steal a card number, one at a time. – AviD Jul 17 '11 at 00:25
  • @AviD♦: why not? – Totty.js Jul 29 '11 at 00:33
  • 1
    That's just the way the stolen CC economy works... it costs too much to steal *and use* a single card, compared to what you can *safely* extract from a single card. – AviD Jul 29 '11 at 07:35
0

What you are describing sound like FakeAlert or fake antivirus/pc booster/system optimizer software. The sole purpose of the software to get you to buy the "Full" edition to get ride of non existent problems, or problems it has created. They may add advertising on the side, hence Google search diversion...etc.

It's not silly malware. It's there to make money, although it won't make much on an individual system, a large deployment on maximum number of computers usuaully brings good returns. Besides the operators are just using a kit they purchased, hence it doesn't make sense at first using complex kit for such purposes.

-1

Perhaps they are even more clever than you think: they create an obvious infection with annoying popups and a rootkit which is easily removed. So you think you are clean now. However: the real infection is still there but is even more cleverly hidden. Keep a close eye on your bank-account....

Jeff
  • 3,609
  • 4
  • 19
  • 23
  • 1
    Well, of course a total system wipe and reinstall followed soon after. Which, again, it wouldn't have... if the infection was hidden instead of blatantly obvious. – Massimo May 01 '14 at 14:02
-3

One answer is that you have a few classifications of that business model. Just if you bought a franchise, you would be purchasing a proven profitable "system". Malware and botnets could be considered a digital equivalent of that.

Unfortunately it is a vicious circle but I don't forsee it stopping because human nature includes greed. Say someone in China or Ukraine writes a new malware exploit they are more than likely doing it for the cash. Next users become infected and AV companies find out about it and create a "fix" and push the sales of their suites based on "On our product we usually have fix's to most users infections in hours VS days".

So people buy that product, but then they get "infected again" then they usually take their systems to some type of retail store who may or may not know what they are doing (toss coin here) to remove the threat(s). If the store can't figure it out then some of us (competent admins/tech's) get a call to "fix" or remove the infection(s). After resolvin the issue I always install a 3rd party HOSTS file to block a lot of crap from coming through to begin with. Why do AV companies not implement some sort of hosts blocking you might ask? $MONEY$ is always the answer. Point still being the circle makes money, bad guys, companies and the good guys will all get paid at some point in time.

Rory Alsop
  • 61,474
  • 12
  • 117
  • 321
Brad
  • 849
  • 4
  • 7