Abstract

Thursday 25 September, 09:30 - 10:00, Green room.
Peter Kalnai, AVAST Software
Jaromir Horejsi, AVAST Software

This story is estimated to have begun in the middle of 2013. The infection chain runs through a malvertising campaign with Java exploitation and ends up dropping a payload with the filename 'notepad.exe'. The main goal of almost all instances of this particular threat is gaining revenue from simulated clicking on online advertisements. Only computers in the United States are targeted. The trojan families dropped as the final payload share many characteristics, such as possessing both 32-bit and 64-bit variants and using sophisticated stealth techniques for persistence. These are variants of the well-known Win32/64:Alureon rootkit and of the Win32/64:Blackbeard downloader, which was rediscovered at the turn of the year. With this level of complexity, the trojans continue the trend set by one of the most sophisticated click-fraud threats, Win32/64:ZeroAccess/Sirefef. In this session we focus on an in-depth analysis of these Windows executables and their interesting structural and behavioural aspects. This involves explaining the methods used to obtain elevated privileges, the 32-bit to 64-bit code execution switch performed when running in a 64-bit environment, and the communication protocol. Moreover, we will provide an overall comparison of the clickbot modules of all the threats mentioned and discuss the similarities and differences in the code they use.