The so-called Opachki Trojan doesn't do the usual search-result hijacking typically deployed by the bad guys to make money, but instead attempts to hijack all links on a page the infected user is viewing. When the user clicks on a link, the Trojan redirects him to an affiliate-based search engine site that lists multiple links.
"This is the first one I've seen that tries to replace with arbitrary links rather than hijacking search results," says Joe Stewart, a researcher with SecureWorks' Counter Threat Unit. "This one goes to the page and takes all the links and makes them look like searches so the [victim] sees a search result rather than the page they thought they were going to."
Opachki basically provides the bad guys another way to make money from affiliate search engines that pay people to drive traffic to them, he says. Each time the victim clicks on one of the links at the redirected search engine site, the Opachki author gets paid a small sum of money, he says. "So to make it look somewhat legit, they have real people clicking on things so that it makes it look like that person is searching."
And interestingly, the Trojan does one good deed: if the victim's machine is also infected by the nasty Zeus banking malware, it kills it. "Why is it deleting Zeus? [Opachki] is hooking into the browser similarly to what Zeus does. Maybe there's some sort of conflict where they both don't work on the same machine," Stewart says. "I'm not sure what they're thinking" by knocking out Zeus, he says. Opachki infections come via drive-by browser exploits, and the Trojan can do its dirty work even if the user doesn't have administrative privileges on the machine, according to Stewart's report on the Trojan.
So far, Stewart hasn't seen widespread Opachki infections, and he says it appears to be fairly new. Although it may basically be a benign infection, it may have other risks, he says. The victim's machine could be exposed to more malicious Trojans via ads on the affiliate search engine sites, for example. The best way to eradicate the Trojan is reformat and reinstall the operating system.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.