Hello,
W32.Xpaj.B is one of the most complex and sophisticated file infectors Symantec has encountered. Given this level of complexity, it was decided to conduct a deep analysis of this threat. The analysis revealed IP addresses for the command and control (C&C) servers. These servers are used to deliver encrypted binary large objects or ’blobs’ to the infected client. Without obtaining one of these blobs it was not possible to determine the purpose of the threat. An investigation of the server revealed not only copies of these blobs, but details of a clickfraud operation spread over multiple computers hosted in several countries. The server contained logs and databases of the criminal’s activities, including a record of earnings from late September of 2010 up to June 28th of this year. The maximum earnings in a single day were US$450, with an average of US$170 a day. Overall, the scheme grossed approximately US$46,000. This paper gives a detailed analysis of the infrastructure of the threat, the malware involved, a breakdown of earnings, and information about the criminals behind the scam.