Today we’re going to describe one of the ways cybercriminals earn easy money. Many marketing companies promote web traffic to different web pages, software installations, etc. They run what they call 'affiliate programs', paying money for every software installation or for the traffic generated. This web traffic is very varied: ActiveX, rogue antispyware, bundles, banners, fake codecs, iframes, etc.
They usually pay depending on the country the download comes from. Normally the USA and Europe are the best-paid countries, and other countries such as China or Russia are the worst paid.
Here we can see some examples obtained from these pages:
We will pay you for installs coming from 16 countries as exposed here:
$0.40 for USA, Canada
$0.20 for United Kingdom, France, Germany, Italy, Spain, Belgium, Luxembourg, Monaco
$0.05 for Austria, Denmark, Finland, Sweden, Norway, The Netherlands
$0.01 for China, Korea, Japan
Although some of these marketing enterprises may be well-intentioned, others have been created specifically by and for cybercriminals to earn money. Here we can see a GIF file that one of these companies was using to advertise itself in an underground malware forum:
A short time ago, while analyzing a Trj/Sinowal variant (a banking Trojan) to discover where it was sending its information, we found one of these websites. We found that the same server hosting the page also held 4 different kits for installing malware through exploits:
There was an IcePack, a Traffic Pro, a Prime Exploit System, and a very basic kit that only used two exploits and had no name. These kits were downloading two Trojans: Trj/Galapoper and Trj/Sinowal. This is not the first time we have seen something similar.
The websites where they promote themselves tend to be very eye-catching. Here you can see some examples: