A click fraud Trojan called Magala is hijacking Internet Explorer browsers and opening virtual desktops on infected machines in order to artificially inflate various web pages’ click counts. The Trojan, which Kaspersky Lab researchers discovered and classified as potentially unwanted adware, does not cause any significant harm to infected users. It does, however, cheat companies that pay for legitimate online ad services and instead have their click stats boosted fraudulently by unscrupulous advertisers.

Magala determines which version of Internet Explorer is running on an infected machine. If the version is higher than IE 8, the Trojan will initialize a virtual desktop in order to execute its operations, including setting up autorun, sending a report to a hardcoded URL and installing the primary payload. The Trojan then loads the toolbar for the MapsGalaxy browser hijacker program and alters the system registry so that MapsGalaxy becomes the default home page.

Magala then contacts the remote server and requests a list of search queries for the click counts that need to be boosted. Using this list, the program begins to send the requested search queries and click on each of the first 10 links in the search results, with an interval of 10 seconds between each click.
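The fixed click cadence described above (10 links, 10 seconds apart) is something a defender can look for in web proxy logs. The following is an added example, not code from Kaspersky Lab or CERT-MU; the log format, host names, URLs and the one-second tolerance are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERVAL = 10.0   # seconds between clicks, per the description above
CLICKS = 10       # the first 10 search results are clicked
TOLERANCE = 1.0   # assumed jitter allowance; tune to your proxy's timestamps

def parse(line):
    """Constructed log format: '<ISO timestamp> <client host> <url>'."""
    ts, host, url = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), host, url

def longest_cadence_run(times, interval=INTERVAL, tol=TOLERANCE):
    """Largest count of consecutive requests spaced interval +/- tol apart."""
    best = run = 1 if times else 0
    for prev, cur in zip(times, times[1:]):
        gap = (cur - prev).total_seconds()
        # Extend the run on a matching gap, otherwise start a new run here.
        run = run + 1 if abs(gap - interval) <= tol else 1
        best = max(best, run)
    return best

def flag_hosts(lines, clicks=CLICKS):
    """Return hosts showing at least `clicks` requests at the fixed cadence."""
    per_host = defaultdict(list)
    for line in lines:
        ts, host, _ = parse(line)
        per_host[host].append(ts)
    # Limitation: unrelated traffic interleaved from the same host breaks a
    # run, so pre-filter to outbound page loads before applying this check.
    return sorted(h for h, t in per_host.items()
                  if longest_cadence_run(sorted(t)) >= clicks)

def sample_log():
    """Constructed sample: ws-17 clicks every 10 s, ws-22 browses irregularly."""
    base = datetime(2017, 7, 13, 10, 0, 0)
    bot = [f"{(base + timedelta(seconds=10 * i)).isoformat()} ws-17 "
           f"http://result{i}.example/" for i in range(10)]
    offsets = [0, 4, 31, 33, 90, 97, 140, 200, 203, 260]
    human = [f"{(base + timedelta(seconds=s)).isoformat()} ws-22 "
             f"http://site{i}.example/" for i, s in enumerate(offsets)]
    return bot + human

if __name__ == "__main__":
    print(flag_hosts(sample_log()))
```

A flagged host is a lead for triage, not proof of infection: legitimate monitoring or auto-refresh tools can produce the same regular spacing.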
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street