German Honeynet Project researchers report that adware company DollarRevenue is directly linked to a botnet attack exploiting the MS06-040 Server service vulnerability reported last month. Botnet trackers estimate that one malicious hacker alone earned $430 in one day by installing malware/adware programs on infected machines. In 24 hours, 7,700 machines were hacked using the vulnerability and massively flooded with DollarRevenue files by a single command from the controlling IRC server. As reported by Ryan Naraine, Thorsten Holz, a project founder, said about this hacker:
“He’s earning more than $430 in a single day with DollarRevenue, and that’s not the only piece of adware he’s installing. He’s installing others and also renting his botnet out to spammers.”
Ugh! I’ve experienced some massive DollarRevenue infestations myself as blogged here. DollarRevenue is typically accompanied by other adware including the likes of Look2Me, Qoologic, TagAsauras, SurfSideKick, NewDotNet, ZenoTecnico, InternetOptimizer and so on. I’ve blogged about DollarRevenue previously. In June, well-known spyware researcher Patrick Jordan, aka Webhelper, had his site DDoS’ed by a trojan linked to DollarRevenue.
DollarRevenue is known for its high payouts to affiliates on a pay-per-install basis, which undoubtedly creates the motivation for these massive installs. DollarRevenue pays 30 cents per install in the USA, 20 cents per install in Canada, 10 cents in the UK, 1 cent in China and .02 cents in other countries. DollarRevenue.com describes their affiliate program here and here. Ryan Naraine describes the botnet operation involving DollarRevenue in more detail.
Some anti-malware vendors describe DollarRevenue software as trojans; see McAfee’s description here, Symantec’s description here, CA’s description here. I’ve been infected with DollarRevenue software numerous times and have yet to see anything remotely resembling a EULA. In my experience, DollarRevenue is always installed through an exploit with other malware, and DollarRevenue files initiate the installation of other malware/adware. I’ve seen spam bots and password-stealing trojans installed alongside DollarRevenue also.
Who is responsible for DollarRevenue? Good question. I wish I had an answer. The current WHOIS information for the dollarrevenue.com domain registration shows private registration through Network Solutions. The DollarRevenue domain is hosted at IP 194.187.45.56 located in the Netherlands, but research shows their software is installed from multiple IPs and subdomains.
Suzi Turner is webmaster and owner of SpywareWarrior.com, a comprehensive site that includes a spyware help forum, spyware blog and reviews of anti-spyware software by noted spyware expert Eric L. Howes. Suzi became angry about spyware in 2002 after being infected by a drive-by download of a browser hijacker and unwanted adware/spyware and decided to help others in the same predicament. In April 2005, Microsoft awarded Suzi its MVP (Most Valued Professional) Award in recognition of her work to help internet users protect their privacy by removing and preventing spyware. Suzi is also a nurse for a national disability management company.

View the original article at ZDNet