The Magala trojan makes its money dishonestly by clicking on ads in your browser

Another potentially unwanted program at your service…

David bisson
David Bisson

The Magala trojan makes its money dishonestly by clicking on ads in your browser

A piece of malware known as the Magala Trojan Clicker generates money by boosting advertisement click counts.

The threat, detected by Kaspersky Lab as Trojan-Clicker.Win32.Magala, fits in with the unloved Ask Toolbar and other such utilities as a type of potentially unwanted program (PUP).

Skirting the line between adware and malware, Magala doesn’t affect a user beyond co-opting some of their machine’s computing resources. But it does generate advertising revenue dishonestly and to the detriment of small businesses who pay for those advertisements.

Sign up to our free newsletter.
Security news, advice, and tips.

Kaspersky Lab’s Sergey Yunakovsky has taken a close look at how the malware works, and shared his findings, including his observations covering the stages of a Magala infection, in a blog post:

“The first stage of infection involves the Trojan checking which version of Internet Explorer is installed and locating it in the system. If it’s version 8 or earlier, the Trojan won’t run. So, if you still have this version on your computer, there’s nothing to worry about.”

170629 sl trojan clicker 1
Checking the version of Internet Explorer, virtual desktop initialization. (Source: Securelist)

Assuming a later version of Internet Explorer is running on the infected machine, Magala creates a virtual desktop in the background. It then leverages IHTMLDocument2 to load the MapsGalaxy Toolbar, a program widely regarded as adware.

Magala Trojan Clicker generates revenue by boosting advertising clicks

Once it’s confirmed the toolbar successfully installed, the malware contacts its remote server and retrieves a list of search queries that unscrupulous advertisers have slated for boosting. It then sends these queries and clicks on each of the first 10 links that appear in the search results at 10-second intervals.

170629 sl trojan clicker 5
List of search queries. (Source: Securelist)

A campaign such as this typically generates about 7 cents per click, or about US $2.20 per thousand clicks. Such an amount is pittance when compared to what a botnet composed of thousands of enslaved devices could make. But it’s enough for unscrupulous advertisers to get up the next day and do it all again.

To protect themselves against Magala, users need to be think twice before they download a piece of free software somewhere on the web. Software developers don’t just build their programs for free. SOMEONE’s making money… the HOW just might not be obvious.

Users should also install an anti-virus solution onto their computers.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.