
Adware Is Malicious, and It Uses Advanced Techniques to Infect - koin0r
https://sensorstechforum.com/adware-malicious-advanced-techniques/
======
jstarfish
One of the more frustrating things about infosec is that more and more
practices that were once considered bad or malicious later become mainstream.

Used to be, don't publish information about yourself that could be used to
impersonate you. Then we got Facebook.

Installing random binaries used to be a bad thing, now it's outright
encouraged. "Thanks for using our toilet. Download our app to unlock the
door!"

Telemetry/analytics/arbitrary callbacks used to be shady/questionable and
require user consent, now it's standard practice to exfiltrate whatever you
want from user devices. You've got root/elevated privilege, encryption is easy
and your traffic can easily blend into the haystack, so why not.

Opt-in billing used to be the domain of sleazy porn sites, but now you can't
buy anything from Amazon without them trying to surreptitiously slip a Prime
subscription into your cart during checkout.

Seeing traffic from anonymous VPNs logging into financial accounts used to be
an obvious giveaway of something suspicious going on. Devices are now shipping
with easy-to-enable "anonymous mode" apps that average users have no
legitimate need for and route all of your device's traffic through god knows
where, which has the effect of making your traffic indistinguishable from a
fraudster's.

Popular email clients, budget analysis and social media platforms will solicit
and cache third-party credentials for your employer, your bank, or your life
if you provide them. This despite a decade of trying to beat "never give your
password to anyone!" into the popular mindset.

Same with algorithmically-generated domains/subdomains, etc.

~~~
dontbenebby
>Installing random binaries used to be a bad thing, now it's outright
encouraged. "Thanks for using our toilet. Download our app to unlock the
door!"

It's surprising to me how rarely even reputable companies provide
hashes/signatures.

I just downloaded a Windows virtual machine that MS offers for free[1].

No sha256 sum, no PGP signature. I ended up deciding that since it is served
over HTTPS from an MS-controlled domain I'd accept the risk, but I wish
more vendors would allow advanced users to verify downloads.

(MS is not alone in this; many, many open source projects offer up
pre-compiled binaries with zero checksum info, which especially sucks since so
often they rely on an assortment of mirrors for the binaries rather than a
central location.)

I understand that _telling_ users to fire up the CLI may be a pain point, but
offering the information as an optional step for the experienced user should
be a best practice IMHO.

[1] For the interested, it seems to last "only" 30 days but you can roll back to a
snapshot if you're just testing compatibility of sites with Edge:
[https://developer.microsoft.com/en-us/microsoft-edge/tools/v...](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/)

~~~
dylan604
It would be amazing if the desktop OS had a right-click option to validate
checksums for you. Just something simple that when clicked allows the user to
choose which type of hash to generate, then you still have to compare to the
website. In 2019 with the amount of data downloaded, this is something the OS
vendors need to do more for their users.

~~~
Digit-Al
What you are looking for is HashTab[1]. It adds a tab to your file properties
page that shows a variety of different hashes for the file, including MD5,
SHA-1, and SHA-256. You can configure it to show a large number of different
hashes. Also, if you have copied a hash from a website into your clipboard it
will automatically compare it to the configured hashes and show you if there
is a match.

[1]
[https://download.cnet.com/HashTab/3000-2094_4-84837.html](https://download.cnet.com/HashTab/3000-2094_4-84837.html)

[edit: typo]
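The check the posters above are asking for (compute the file's digest, compare it with whatever was copied from the vendor's page, and, HashTab-style, guess the algorithm from the length of the pasted value) is small enough to script. The following is an added example, not code from any poster, from HashTab, or from Microsoft; it assumes only the Python standard library, and the sample file it writes is constructed (the standard `"abc"` SHA-256 test vector) so it runs offline.

```python
"""Verify a downloaded file against a checksum copied from a vendor page.

Added example (not from the thread or any vendor). Reads the file in chunks
so multi-GB VM images don't fill memory, tolerates the usual formats a
checksum is published in, and guesses the algorithm from the hex length the
way HashTab's clipboard matching does.
"""
import hashlib
import hmac
import os
import tempfile

# Hex-digest length -> algorithms that produce it. MD5/SHA-1 are listed only
# because vendors still publish them; when several algorithms share a length
# every candidate is tried. (Assumption: these are the ones worth guessing.)
CANDIDATES_BY_HEX_LEN = {
    32: ("md5",),
    40: ("sha1",),
    64: ("sha256", "sha3_256"),
    128: ("sha512", "sha3_512"),
}

CHUNK = 1 << 20  # 1 MiB per read


def file_digest(path, algorithm):
    """Return the lowercase hex digest of the file at `path`."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_published(value):
    """Reduce a copied checksum to bare lowercase hex, or None if none is found.

    Handles `sha256sum` output ("<hex>  filename"), labelled values
    ("SHA256: <hex>" or "sha256:<hex>"), upper-case hex and stray whitespace.
    """
    for token in value.lower().split():
        token = token.split(":")[-1]  # "sha256:<hex>" -> "<hex>", "sha256:" -> ""
        if (token and len(token) in CANDIDATES_BY_HEX_LEN
                and all(c in "0123456789abcdef" for c in token)):
            return token
    return None


def verify_download(path, published, algorithm=None):
    """Return (matched, algorithm_used) for the file against `published`.

    With `algorithm=None` the algorithm is inferred from the checksum length
    and each candidate is tried. The comparison is constant-time, which is
    harmless here and a good habit for any digest comparison.
    """
    expected = normalize_published(published)
    if expected is None:
        return False, None
    candidates = (algorithm,) if algorithm else CANDIDATES_BY_HEX_LEN[len(expected)]
    for alg in candidates:
        if hmac.compare_digest(file_digest(path, alg), expected):
            return True, alg
    return False, None


def demo():
    """Constructed sample: the file contents are b"abc", whose SHA-256 is a
    well-known test vector. Returns the results for a good and a tampered value."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"abc")
        path = f.name
    try:
        good = verify_download(
            path,
            "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD  sample.bin",
        )
        # Last hex digit changed: simulates a mirror serving a modified file.
        bad = verify_download(
            path, "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ae"
        )
        return good, bad
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

A matching digest only shows the file is the one the vendor posted the checksum for; if the checksum sits on the same page as the download, a compromised server can change both, which is why the signature dontbenebby asks for is the stronger check.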

~~~
dylan604
That sounds cool. However, that's just another piece of software that needs to
be downloaded and verified before installing. I want this to be part of the
OS. It's a dangerous world out there, and the OS shouldn't make it so hard to
stay safe.

~~~
dontbenebby
Yeah, for example a right-click option to show the hash of a file in macOS
would be nice. Technically I can do it on the CLI, but most users are CLI-shy.

------
arboghast
I reverse malware from time to time for fun and for work, and I can guarantee
you that much adware is malware in disguise. They often have the same
functionalities and persistence mechanisms. We're far from the AskToolbar that
was showing up in your Internet Explorer over a decade ago.

Two variants in particular, known as DealPly and DealAlpha, use advanced
persistence mechanisms that you'd find in APTs to make themselves nearly
impossible to catch and remove.

The other risk is the advertising network itself that delivers the
advertisement. Exploit kits have been using compromised advertising servers to
deliver the exploit and compromise hosts for as long as adware has existed. These servers
rarely have good security and the companies owning them generally don't care
much. I even suspect that some willingly participate in the distribution for
financial gain.

While doing forensics for a client a few weeks ago, I found what appeared to
be a state-sponsored APT being delivered by a program bundled with adware.

I'm really upset with open source projects like FileZilla willingly serving
bundled crap to their users downloading from the official website, to finance
themselves. They're putting millions of computers at risk.

~~~
SCHiM
There is a malware family out there that managed to outwit a couple of
security researchers. Multiple layers of VM/debugger detection were
present in a malware sample. If a debugger or VM was detected it would drop a
generic adware sample to disguise the true intent. Additionally, telemetry
designed to look adware-ish would be sent to the CnC servers, blacklisting your IP
so that you'd only ever receive the adware from that point on, even if you
managed to bypass the additional layers of protection that were previously
missed.

[https://foxitsecurity.files.wordpress.com/2015/12/foxit-whit...](https://foxitsecurity.files.wordpress.com/2015/12/foxit-whitepaper_ponmocup_1_1.pdf)

------
ducttape12
Remember back when everyone's computers were infected with this crap because
everyone installed p2p crap like Kazaa?

Do non-tech savvy people still have a reason to install software? Don't most
people just need a web browser?

~~~
MagicPropmaker
I still see non-tech savvy friends have computers with "adware" installed in
their browser. It's usually because they tried to "fix" something themselves,
googled, and installed something that was purported to fix the problem.

There are a bunch of well SEO'd sites that will come up if you google nearly
any computer issue that will appear to have a solution, but step 3 is usually
to try installing some software.

(For example, if you google "can't delete file windows" this site will come
up. I don't recommend installing the software:
[https://www.easeus.com/partition-manager-software/delete-fil...](https://www.easeus.com/partition-manager-software/delete-files-that-cannot-be-deleted.html))
Here's a discussion on the MalwareBytes forum about it:
[https://forums.malwarebytes.com/topic/166526-easeus-partitio...](https://forums.malwarebytes.com/topic/166526-easeus-partition-master/)

No matter how many times I yell and scream at friends not to just blindly
google for "Device Drivers" and install them, they do. Even sites that look a
lot like a legit Epson or Canon site (for scanner or printer drivers, etc.) are
fake. (And they're searching for device drivers because they have a printer
problem, and they don't realize that the need to install a custom driver for a
name-brand current printer on Windows or macOS is very, very rare.)

~~~
gowld
It's fascinating that someone knows what a device driver is but doesn't know
what a malware site is. Is this someone whose computer knowledge is frozen in
1996?

~~~
jolmg
Actually, it's news to me that Windows no longer requires looking for and
installing device drivers for common printer brands. Also, what's a malware
site? Is that an anti-virus official website or a forum where people just talk
about their experiences with malware? I guess my Windows knowledge is stuck in
the 90s/00s. Never really needed either on Linux.

------
Animats
So why no prosecutions under the Computer Fraud and Abuse Act for "exceeding
authorized access"? Adware doesn't have consent. There's no contract of
adhesion. Has anyone filed a criminal complaint?

------
herodotus
Paper here: [https://madiba.encs.concordia.ca/~x_decarn/papers/vdm-tifs20...](https://madiba.encs.concordia.ca/~x_decarn/papers/vdm-tifs2019.pdf)

~~~
Dotnaught
Wrong paper linked. See:
[https://www.theregister.co.uk/2019/05/20/wajam_malware_claim...](https://www.theregister.co.uk/2019/05/20/wajam_malware_claims/)
and
[https://arxiv.org/pdf/1905.05224.pdf](https://arxiv.org/pdf/1905.05224.pdf)

