Ad fraud Trojan updates Flash Player so that other malware can't get in
The new and somewhat surprising behavior was recently observed by a malware researcher known online as Kafeine, who specializes in tracking drive-by download attacks that use exploit kits.
Kovter is used for so-called click or advertising fraud. Once installed on a computer, it hijacks the browser process and uses it to simulate user clicks on online advertisements in order to generate revenue for its creators.
According to Kafeine's research, the Trojan is being distributed through multiple exploit kits, Web-based attack tools that target vulnerabilities in browsers and their plug-ins -- Flash Player, Adobe Reader, Java and Silverlight.
These tools typically exploit known vulnerabilities, so their creators are primarily targeting users who don't keep the software installed on their computers up to date.
Drive-by download attacks are particularly nasty because they're usually launched from trusted, legitimate websites that have either been compromised or are loading malicious advertisements uploaded by attackers to ad networks.
This is not the first time a malware program patched the flaws it used to get in. However, such cases are rare today because the cybercriminal underground economy is heavily service-based.
Many malicious programs like Trojans don't have their own distribution mechanisms. Their creators don't search for vulnerabilities in software, don't write their own exploits and don't go around infecting websites. Instead, they rely on other cybercriminals who specialize in those activities, like the exploit kit creators.
Access to most exploit kits is sold on a subscription-based model. They generate income for their creators by distributing malware created by others.
That's why Kovter patching Flash Player is unusual. It's akin to paying for a cab and shooting its tires at the destination so that no one else can use it. You'd suppose the cab driver would be angry.