A huge botnet called Stantinko was discovered by security researchers from ESET, the botnet was undetected for at least 5 years succeeded to infect about half a million devices worldwide and enables operators to “execute anything on the victim machine.
The huge botnet is essentially used to install on the infected systems browser extensions that are used to inject advertisements and perform click fraud.
According to ESET:
“To infect a system, they trick users looking for pirated software into downloading executable files sometimes disguised as torrents. FileTour, Stantinko’s initial installation vector, then loudly installs a lot of software to distract the user while it covertly installs Stantinko’s first service in the background.”“Stantinko is a modular backdoor. Its components embed a loader allowing them to execute any Windows executable sent by the C&C server directly in memory. This feature is used as a very flexible plugin system allowing the operators to execute anything on an infected system.”
The Safe Surfing and Teddy Protection extensions are installed by the Stantinko malware. Both extensions spread through the Google Chrome Web Store are used to block undesired URLs. The botnet installs its versions of both browser extensions that are able to obtain a configuration to perform click fraud and advertisement injection.
“Stantinko installs two browser extensions, The Safe Surfing and Teddy Protection, which inject advertisements or redirect the user. It allows the Stantinko operators to be paid for the traffic they provide to advertisers.”
