Malware campaign inflated views of pro-Russia videos

The botnet behind it was also designed to fraudulently view Web ads en masse

Trustwave's researchers found a botnet that inflated views on pro-Russian videos as well as fraudulently increased views on ads placed on specially-designed web pages.

Trustwave's researchers found a botnet that inflated views on pro-Russian videos as well as fraudulently increased views on ads placed on specially-designed web pages.

A botnet designed for Web advertising fraud was also used to nudge up the number of views of some pro-Russian videos on the website DailyMotion, according to security vendor Trustwave.

An investigation into what appeared to be strictly ad fraud turned out to have a surprising political angle, wrote Rami Kogan of Trustwave's SpiderLabs, in a blog post on Thursday.

"We can't know for sure who's behind the fraudulent promotion of video clips, but it appears to be politically motivated," he wrote.

Using botnets to inflate the number of views on videos isn't new, but Kogan wrote "this is the first time we've observed the tactic used to promote video clips with a seemingly political agenda."

One of the videos promoted Russia's position on Crimea, which it forcibly annexed from Ukraine last year. Others also dealt with Russian political and military issues, although some had no Russia connection. The videos appear to have been removed from DailyMotion now.

In early April, the Guardian wrote of an office in St. Petersburg whose employees are paid to write pro-Russian messages on forums and social media sites.

All of the videos had around 320,000 views each but weren't widely shared on Twitter or even commented on, Kogan wrote.

Computers that visited the videos were infected with a trojan called Bedep. Some people were infected after they visited a tourism website that hosted Angler, a so-called exploit kit that tries to find software vulnerabilities on a computer in order to deliver malware.

The Bedep malware was programmed to create a hidden virtual desktop on a victim's computer and runs a fully-featured Internet Explorer instance, Kogan wrote. Users would be unaware of what was going on in the background.

Bedep also caused that hidden browser to navigate to custom-made websites stuffed with advertisements in order to increase ad impressions.

"The objective of ad fraud is to generate fake traffic to ads and receive compensation based on traffic volume," Kogan wrote. "Obviously, more compromised computers leads to more traffic directed to the ads which leads to more revenue for the fraudster."

Some of the infected computers then appear to have been directed to websites hosting other exploit kits such as Neutrino and Magnitude, loading yet more malware.

Those controlling Bedep "are trying to maximize their profit by selling traffic from compromised computers to other campaigners that seek to spread their own malware via Magnitude and Neutrino," Kogan wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags trustwavesecurity

More about KoganTrustwave

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place