Pop-ups at popular torrent trackers serving W32/Casonline adware

by Dancho Danchev

Everyone knows that there is no such thing as a free lunch. The same goes for freely distributed pirated content online.

Recently, Webroot sampled malicious activity at some of the most popular Eastern European torrent trackers, starting with trackers based in Bulgaria, Ukraine, and Romania. The results? Countless backdoored key generators and cracks for popular games and software, and, most interestingly, monetization of the trackers' huge traffic through pop-ups promoting the ubiquitous W32/Casonline adware, which, in case you remember, was recently spamvertised to millions of end and corporate users.

More details:

Upon visiting the torrent trackers, or clicking on any of the torrent links, users of the tracker will on the majority of occasions be exposed to pop-ups enticing them into downloading third-party online gambling software, which in reality is the W32/Casonline adware. The owners of the torrent tracker earn revenue every time a user downloads and installs the application, a pay-per-install arrangement that gives them a direct incentive to keep the pop-ups in place.

[Screenshots: six pop-ups enticing users into downloading W32/Casonline adware, followed by the GUI of one of the installers]

Pop-up URLs (defanged):

hxxp://www.888poker.com/?utm_medium=mb&utm_source=3038
hxxp://static.eurogrand.com/en/
hxxp://dutch.eucasino.com/
hxxp://ieurodicehit.net
hxxp://goldencherrylp.com/cherryslots220free-20free-1162146
hxxp://www.888casino.com/affiliates/city-life.htm

Detection rates for the sampled binaries (out of 42 antivirus scanners at the time of sampling):

W32/Casonline.F – MD5: 43a6828eb346f954c53b843f3e9da6b3 – detected by 4 out of 42

GAME/Casino.Gen – MD5: 52f62dfe393a7722d639ddb3cd41350b – detected by 4 out of 42

GAME/Casino.Gen – MD5: b07e5e7de2d2d4e960542c349cb1ebee – detected by 1 out of 42

Trojan.Win32.Casino.428888 – MD5: 881e3d78c9ce1fd9a2a6372219b6cc8b – detected by 3 out of 42

W32/Casonline – MD5: bf05408f113688e1353fa8a0cfc13b9d – detected by 0 out of 42

CasinoOnline – MD5: 5960085c6618f5fc30198645d38bff8a – detected by 1 out of 42
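The pop-up URLs and sample hashes above are the only indicators the post gives, and with detection rates this low a hash and hostname check is often the quickest way to find out whether a tracker visitor already installed one of these builds. The following is an added triage helper, not code from the post or from Webroot: it refangs the hxxp:// URLs into hostnames for a proxy or DNS blocklist and walks a directory looking for files whose MD5 matches one of the six listed hashes. The hashes and URLs are copied from the post; the function names, the directory layout, and the labels attached to each hash are my own.

```python
"""Triage helper for the W32/Casonline indicators listed in the post (added example)."""
import hashlib
import os
import re
from urllib.parse import urlparse

# MD5 hashes taken from the post, mapped to the detection name and count
# reported there (N out of 42 scanners). Labels are my own shorthand.
CASONLINE_MD5 = {
    "43a6828eb346f954c53b843f3e9da6b3": "W32/Casonline.F (4/42)",
    "52f62dfe393a7722d639ddb3cd41350b": "GAME/Casino.Gen (4/42)",
    "b07e5e7de2d2d4e960542c349cb1ebee": "GAME/Casino.Gen (1/42)",
    "881e3d78c9ce1fd9a2a6372219b6cc8b": "Trojan.Win32.Casino.428888 (3/42)",
    "bf05408f113688e1353fa8a0cfc13b9d": "W32/Casonline (0/42)",
    "5960085c6618f5fc30198645d38bff8a": "CasinoOnline (1/42)",
}

# Defanged pop-up URLs exactly as the post lists them.
POPUP_URLS_DEFANGED = [
    "hxxp://www.888poker.com/?utm_medium=mb&utm_source=3038",
    "hxxp://static.eurogrand.com/en/",
    "hxxp://dutch.eucasino.com/",
    "hxxp://ieurodicehit.net",
    "hxxp://goldencherrylp.com/cherryslots220free-20free-1162146",
    "hxxp://www.888casino.com/affiliates/city-life.htm",
]


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def popup_hosts(urls=POPUP_URLS_DEFANGED):
    """Sorted, de-duplicated hostnames from the pop-up URLs, for a blocklist."""
    hosts = set()
    for url in urls:
        host = urlparse(refang(url)).hostname
        if host:
            hosts.add(host.lower())
    return sorted(hosts)


def md5_of_file(path, chunk_size=1 << 20):
    """Stream a file through MD5 so large installers do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def classify_digest(digest):
    """Return the post's label for a known hash, or None if it is not listed."""
    return CASONLINE_MD5.get(digest.lower())


def scan_directory(root):
    """Walk root and return {path: label} for every file matching a listed hash."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                label = classify_digest(md5_of_file(path))
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            if label:
                hits[path] = label
    return hits


if __name__ == "__main__":
    print("blocklist hosts:", ", ".join(popup_hosts()))
    # Example sweep of the current user's Downloads directory (assumed location).
    for path, label in scan_directory(os.path.expanduser("~/Downloads")).items():
        print(f"{label}: {path}")
```

Two caveats before relying on this. A hash match only identifies the exact builds that were sampled, and MD5 collisions are cheap to construct, so a clean sweep says nothing about repacked installers; treat it as a triage aid, not proof of absence. The hostnames are affiliate landing pages, as the utm_source and /affiliates/ paths suggest, so whether to block them outright is a policy decision rather than a purely technical one.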

Webroot SecureAnywhere customers are proactively protected from these threats.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.


Trackbacks

  1. [...] my research into adware serving pop-ups at popular Eastern European torrent trackers, what I also came across while researching them, was heavy advertisement on behalf of [...]

  2. [...] This is the second bogus casino themed campaign I’ve intercepted in recent months, and the third time when I profile the distribution and infection vectors of W32/Casonline. [...]

  3. [...] In this post, I’ll profile several prolific spam campaigns attempting to trick users into visiting a bogus web site, and downloading a copy of the potentially unwanted application (PUA) most commonly known as W32/Casonline. [...]