German Honeynet Project researchers report that adware company DollarRevenue is directly linked to a bot net attack exploiting the MS06-040 server service vulnerability reported last month. Bot net trackers estimate that one malicious hacker alone earned $430 in one day by installing malware/adware programs on infected machines. 7,700 machines were hacked in 24 hours using the vulnerability, and massively flooded with DollarRevenue files by a single command from the controlling IRC server. As reported by Ryan Nariane, Thorsten Holz, a project founder, said about this hacker:
"He's earning more than $430 in a single day with DollarRevenue, and that's not the only piece of adware he's installing. He's installing others and also renting his botnet out to spammers,"
Ugh! I've experienced some massive DollarRevenue infestations myself as blogged here. DollarRevenue is typically accompanied by other adware including the likes of Look2Me, Qoologic, TagAsauras, SurfSideKick, NewDotNet, ZenoTecnico, InternetOptimizer and so on. I've blogged about DollarRevenue previously. In June, well known spyware researcher Patrick Jordan, aka Webhelper, had his site DDoS'ed by a trojan linked to DollarRevenue.
DollarRevenue is known for its high pay outs to affiliates on a pay per install basis, which undoubtedly creates the motivation for these massive installs. DollarRevenue pays 30 cents per install in the USA, 20 cents per install in Canada, 10 cents in the UK, 1 cent in China and .02 cents in other countries. DollarRevenue.com describes their affiliate program here and here. Ryan Naraine describes the bot net operation involving DollarRevenue in more detail.
Some anti-malware vendors describe DollarRevenue software as trojans, see McAfee's description here, Symantec's description here, CA's description here. I've been infected with DollarRevenue software numerous times and have yet to see anything remotely resembling a EULA. In my experience, DollarRevenue is always installed through an exploit with other malware, and DollarRevenue files initiate the installation of other malware/adware. I've seen spam bots and password stealing trojans installed along side DollarRevenue also.
Who is responsible for DollarRevenue? Good question. I wish I had an answer. The current dollarrevenue.com domain registration whois information shows private registration through Network Solutions. The DollarRevenue domain is hosted at IP 188.8.131.52 located in the Netherlands, but research shows their software is installed from multiple IPs and subdomains.