Click-fraud malware drives millions of views to YouTube videos

Pierluigi Paganini January 25, 2015

Scammers are earning advertising revenue by spreading click-fraud malware Tubrosa, which sends compromised computers to their YouTube videos.

A new Click-fraud malware campaign aimed at earning money by using the victim’s machine to view YouTube videos and benefits from ads embedded in them.
The malicious campaign, discovered by experts at Symantec, has targeted users around the world for months by serving a malware dubbed Tubrosa. The click-fraud threat Trojan Tubrosa is composed by two modules, one that is delivered via spear-phishing emails and a second one that is downloaded and run by the first component.
“A few weeks ago, we noticed a two-component click-fraud malware (detected as Trojan.Tubrosa) taking advantage of the YouTube Partner Program. The attackers compromise victims’ computers with the malware and use them to artificially inflate their YouTube video views. This allows the scammers to take advantage of the YouTube Partner Program validation process and monetize their fraudulent activity.” states a blog post published by Symantec.
The Tubrosa Click-fraud malware receives a list of nearly a thousand YouTube links from the C&C server and opens them in the background of the infected machine. The malicious code uses some tricks to avoid arousing suspicion, in fact, it turns down the volume of the speakers while it opens the video in the background, even if there isn’t installed the Adobe Flash player the infected machine, the malware downloads it and installs it to allow viewing of the videos.
Click-fraud malware campaign tubrosa

Symantec experts estimated that the scammers have so far earned several thousand dollars via this particular campaign. It’s impossible to know, but it’s likely they are running other similar ones at the same time.

A possible indicator of infection is a significant performance degradation of the victim’s machine.
“The YouTube Partner Program uses a validation process in order to verify that the user’s account is in good standing. In order to bypass Google security checks, the malware dynamically changes the referrer (REFS.txt) and the useragent (UA.txt) using two PHP scripts. This allows the malware to pretend to be a new connection to Google servers, appearing like a different user is connecting to the same videos,” reports Symantec.
According to Symantec, the scammers started distributing the malware in August 2014, and the campaign is still ongoing. The Tubrosa Click-fraud malware mainly infected systems in South Korea, India and Mexico and US.
Tubrosa Click-fraud malware
Symantec researchers estimated that the scammers have so far earned several thousand dollars via this Click-fraud malware campaign and they haven’t excluded that bad actors are running other similar ones campaigns.

To prevent computers from being compromised with click-fraud malware such as Trojan.Tubrosa, Symantec suggested the respect of the following best practices:

  • Exercise caution when receiving unsolicited, unexpected, or suspicious emails
  • Avoid clicking on links in unsolicited, unexpected, or suspicious emails
  • Avoid opening attachments in unsolicited, unexpected, or suspicious emails
  • Use comprehensive security software

Pierluigi Paganini

(Security Affairs – Click-fraud malware, YouTube)



you might also like

leave a comment