Archived Blog

An Evolution of Profit Driven Malware

03.09.2010 - 7:24 AM

Malware is a gremlin of cyberspace. Digitally disguised and undeterred by borders or passports, it can be found anywhere in the world and China is no exception. China has now formed a malware industry chain from malware programming to malware spreading. Usually, after malware writers write malware, commercial agents on the Internet will sell access to it, sharing incredible profits with these malware writers.

How indeed does this malware make a profit? There are lots of ways. For example, some Trojans in China are designed to steal passwords from players of popular online games; virtual currencies and other virtual goods associated with online games can be sold for real money. Also, some adware creates annoying pop-up windows, sometimes appearing faster than the user can click to close them; advertisers pay for that service because of the traffic it generates.

Here too, China offers an interesting and distinct case study. Trojan.Cinmus/Cinmeng, also known as Adware.Cinmus, is a Trojan downloader designed to compromise system security and integrity. This malware is installed mainly by exploiting security flaws, without the user's knowledge or permission. One version of this malware, for example, modifies the registry values shown in Figure 1.

Figure 1. Dynamic URL Parameter "pid"

Taobao.com is an online consumer e-commerce platform in China, the "eBay of China". The SearchScopes subkeys are UniqueID values that IE7 creates as random GUIDs. These registry entries change the search settings of Microsoft Internet Explorer, and the registry path "\SearchScopes\" exists only in IE7 and later.

The "URL" value plays a key role because it sets the search provider, so malware often modifies this setting. When a user clicks the Search button in an IE browser, the browser redirects to undesirable Web sites (as shown in Figure 2). This is known as browser hijacking: a browser hijacker is a type of malware that alters the user's browser settings so that the browser is redirected to Web sites the user had no intention of visiting.

Figure 2. URL Redirecting

However, the case here is different. Let's focus on the former 'URL' value data:

URL = hxxp://[removed].taobao.com/browse/search_auction.htm?q={searchTerms}&pid=mm_XXXXX&...
The "URL" value contains tokens defined by the OpenSearch description syntax, which both IE7 and Firefox support. These tokens are therefore the recommended format for use on the Web, and the most important one is {searchTerms}: it is replaced with the keyword or keywords requested by the search client.

"q" and "pid" are taobao.com Web search parameters:
- "q" is the search query
- "pid" is the search request submitted via the site alliance member

When an IE browser opens the URL, the parameter "pid=mm_XXXXX" tells the taobao.com Web site which clients are browsing its Web pages via the alliance member with ID 'mm_XXXXX'.

Leaving aside the moral issues, does the registry modification have any economic benefit? As in any other affiliate program, if a referrer can be identified from a search query, the browser still shows taobao.com search results; however, clicks and purchases then made on taobao.com directly reward the alliance member for facilitating the visit and the purchase.
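As an added illustration (not part of the original post), the following check parses a text export of the SearchScopes key and flags any search template that carries an alliance-style parameter such as "pid", or that points at a host outside an expected set. The registry dump, GUIDs, hosts and "pid" value below are constructed placeholders, not indicators from this case.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample of a `reg export` of the IE7 SearchScopes key (placeholders only).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{00000000-0000-0000-0000-000000000001}]
"DisplayName"="Default Search"
"URL"="http://search.example.com/results?q={searchTerms}&src=IE-SearchBox"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{00000000-0000-0000-0000-000000000002}]
"DisplayName"="Taobao"
"URL"="http://example-subdomain.taobao.com/browse/search_auction.htm?q={searchTerms}&pid=mm_PLACEHOLDER"
'''

SCOPES_KEY = "\\Software\\Microsoft\\Internet Explorer\\SearchScopes\\"
# Query parameters commonly used to credit an affiliate / alliance member.
AFFILIATE_PARAMS = {"pid", "aff", "affid", "ref", "tag"}

def _unescape_reg(value: str) -> str:
    """Undo .reg string escaping of backslashes and double quotes."""
    return value.replace('\\"', '"').replace("\\\\", "\\")

def parse_search_scopes(reg_text: str) -> dict:
    """Return {scope_guid: {value_name: value}} for every SearchScopes subkey."""
    scopes, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):          # key header
            key = line[1:-1]
            idx = key.lower().find(SCOPES_KEY.lower())
            current = key[idx + len(SCOPES_KEY):] if idx != -1 else None
            if current:
                scopes[current] = {}
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)                # "name"="string"
        if m and current:
            scopes[current][m.group(1)] = _unescape_reg(m.group(2))
    return scopes

def find_hijacked_scopes(reg_text: str, trusted_hosts=()) -> list:
    """List (guid, url, reason) for scopes with affiliate IDs or unexpected hosts."""
    findings = []
    for guid, values in parse_search_scopes(reg_text).items():
        url = values.get("URL", "")
        parsed = urlparse(url)
        params = parse_qs(parsed.query, keep_blank_values=True)
        reasons = [f"affiliate parameter {n}={v[0]}" for n, v in params.items()
                   if n.lower() in AFFILIATE_PARAMS]
        host = parsed.hostname or ""
        if trusted_hosts and not any(host == h or host.endswith("." + h) for h in trusted_hosts):
            reasons.append(f"unexpected search host {host}")
        if reasons:
            findings.append((guid, url, "; ".join(reasons)))
    return findings
```

Run it against a real export with `find_hijacked_scopes(open("scopes.reg", encoding="utf-16").read(), trusted_hosts=(...))`; `reg export` writes UTF-16 by default.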

Taobao.com is not the only site targeted by malware for profit. In fact, many Web sites offer rewards to encourage their alliance members to promote them, Amazon.cn for example. By staying well under the radar, unlike obviously annoying adware, malware writers can now build a residual income stream from our everyday surfing and online shopping without our ever noticing.

Security Researcher: Matthew Zhao