By definition, Adware is a program bundle which renders advertisements in order to generate revenue for its author. In a more strict sense, e.g. for security solutions, it means an application/installer whose nature lies somewhere between a potentially unwanted application and proper malware, like Trojans or Spyware. It might use more or less aggressive methods, starting with tricks and ending with fraud, to achieve its goals to benefit its distributor, while staying as innocent as possible on first sight. We blogged about an adware downloader a year ago.
Now we focus on two selected adware examples: The first is a Windows installer called Linkular and the second is a well-known application called Genieo (with a focus on its OS X version.) Being in the wild for a few months, the detection within AV products reached only partial coverage in both cases, with very similar numbers on VirusTotal (~10-20 %, see Sources below). However, the OS X adware Genieo is additionally flagged by OS X-specific security solutions. Considering maliciousness, the Windows adware is far more dangerous and invasive than the OS X one and also more than other Windows Adware examples we usually see. Here’s the comparison:
|Distribution strategy||Advertisement Network||unknown|
|Software Download site||coolestmovie.info||www.genieo.com|
|Rank on alexa.com||~4200||~3000|
|Masking||VLC Player + Addon||Flash Player (*)|
|Payload||SpeedUpMyPC; Multiplug; Bitcoinminer;OneStep/BasicServe||Codemc; Photo.it; Qtrax(**)|
|Change of browser start page||YES||YES|
|Persistance||YES (of payload)||YES|
|Obfuscation||YES (of payload)||NO|
|Digitally signed||YES (both installer & payload)||YES|
(*) masking is not connected with the official site, but some of its distribution partners
(**) related to older installers; not presented anymore
On Friday, July 12th a warning from an AVAST fan about a new polymorphic multisystem threat came to an inbox of AVAST. Moreover, an archive of malicious files discussed here were attached. Some of them have been uploaded to Virustotal and therefore they have been shared with computer security professionals on the same day. A weekend had passed by and articles full of excitement about a new Trojan for MacOs started to appear on the web. We decided to make a thorough analysis and not to quickly jump on the bandwagon. The key observation is that the final payload comes in the form of scripts needed to be interpreted by Windows Script Console resp; Python in the case of MacOs. Moreover a script generator that creates new malicious Windows file shortcuts was also included.
A chain of events that installs a malicious Visual Basic script on Windows platform looks like this:
Apple’s ‘cloak of invulnerability’ has lately been shredded by the MacDefender fake antivirus and the Pinhead and Boonana Trojans. Don’t worry, be proactive. Here are five tips to make your Mac more secure:
1. Don’t use ‘automatic login’
It’s cool to turn your computer on and instantly use it. But troubles can start when a computer is turned on by someone other than its owner… If you are concerned about your sensitive data, you can encrypt or simply disable the ‘automatic login’ function. Here’s how to do it:
1) Go to System Preferences > Security
2) Authenticate yourself by clicking Click the lock to make changes
3) Check Disable automatic login Read more…
There’s a groovy discussion in the world of Apple about the security of Mac OS. I’ve seen this kind of discussion many times and in most cases it had a quite similar scenario. We won’t go through this entire scenario (although it could be fun), we’ll just summarize the core of it with one phrase that pops up in all these debates: “There are no viruses for Mac OS.”
Let’s take a short excursion through the history of Mac infections.