Bing ads lead to more malware; new Mac Trojan in the wild
Summary: Malware authors will do just about anything to fool you into installing their software. A popular target is search engine advertising, which one gang is using on Microsoft's search results. In a separate attack, Mac users are being targeted by a Trojan that mimics a Flash installer.
Yesterday, I showed you details of an ad on Microsoft’s Bing search engine that led unwary visitors to a site serving up malware.
Several hours after I reported that ad to Microsoft, it was removed, and a spokesperson told me that Bing’s ad network will “continue to directly work with our agency media partners to verify and confirm any suspicious orders.”
Looks like there’s more work to do.
This morning, I’ve found multiple ads on Bing that go through seemingly innocent intermediary sites to the same malicious server in Russia.
Here, for example, is a pair of ads that appeared at the top of the Bing search results for “firefox download”:
Clicking the second ad in that block leads to a site called ipcfiles.info. The landing page is just as convincing as the fake Google Chrome downloads I identified yesterday:
Likewise, a Bing search for “flash player” displays this block of ads above the search results.
Clicking the second ad in this group, which is served from a site called oeachot.info, leads to this landing page:
Again, this is convincing social engineering.
Both intermediary sites use scripts that redirect an unwary user to the same Russian server I flagged yesterday.
I found similar ads, all leading to the same server, when I searched Bing for “adobe reader”, “utorrent”, and “google earth”.
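The pattern described above (several search ads, different intermediary sites, one final server) can be hunted for in web proxy logs. The following is an added example, not part of the original article: the log layout, the `SEARCH_HOSTS` list and the `payload.example` host are assumptions, and it presumes the log is in time order and that each hop carries a Referer header.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log: (client, requested URL, Referer header).
# ipcfiles.info and oeachot.info are the intermediary sites named in the
# article; payload.example and weather.example are placeholders.
SAMPLE_LOG = [
    ("10.0.0.5", "http://www.bing.com/search?q=firefox+download", ""),
    ("10.0.0.5", "http://ipcfiles.info/", "http://www.bing.com/search?q=firefox+download"),
    ("10.0.0.5", "http://payload.example/get.php", "http://ipcfiles.info/"),
    ("10.0.0.9", "http://www.bing.com/search?q=flash+player", ""),
    ("10.0.0.9", "http://oeachot.info/", "http://www.bing.com/search?q=flash+player"),
    ("10.0.0.9", "http://payload.example/get.php", "http://oeachot.info/"),
    ("10.0.0.7", "http://www.bing.com/search?q=weather", ""),
    ("10.0.0.7", "http://weather.example/", "http://www.bing.com/search?q=weather"),
]
SEARCH_HOSTS = {"www.bing.com", "www.google.com"}  # assumed list of search front ends


def host(url):
    """Lower-cased hostname of a URL, or '' if there is none."""
    return (urlsplit(url).hostname or "").lower()


def shared_destinations(log, min_sources=2):
    """Return {final_host: sorted intermediary hosts} for every host that was
    reached, by a cross-site hop, from at least min_sources distinct sites
    that were themselves entered from a search results page."""
    from_search = set()         # (client, host) pairs entered from a search page
    feeders = defaultdict(set)  # destination host -> intermediary hosts seen
    for client, url, referer in log:
        dst, src = host(url), host(referer)
        if not src or src == dst:
            continue            # direct visit or same-site navigation
        if src in SEARCH_HOSTS:
            from_search.add((client, dst))
        elif (client, src) in from_search:
            feeders[dst].add(src)
    return {d: sorted(s) for d, s in feeders.items() if len(s) >= min_sources}
```

On real traffic, shared CDN and analytics hosts will also appear in the result and need an allowlist before the output is useful for triage.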
This sort of attack has a higher than average probability of success, because casual Internet users have become accustomed to using search engines as a jumping-off point, and both Bing and Google place ads in prominent positions above search results, where they’re more likely to be clicked.
And because this gang uses a polymorphic engine, the files it delivers are not detected by conventional antivirus scanners. When I submitted both of these samples to VirusTotal today, only 3 of 43 scanning engines detected them as suspicious.
Currently, these ads lead only to Windows malware, but it’s possible that Mac users will be targeted by similar types of attacks. Last week, F-Secure identified a fake Flash Player installer delivered as a Mac package that is actually a DNS-changing Trojan.
Over the weekend, a customer on Apple’s support forums reported finding this on his Mac, and this morning I confirmed that Apple has updated its XProtect signatures to include a definition that flags and removes this threat, which it calls OSX.QHost.WB.A. This is the first definition update for OS X since the takedown of the Mac Defender gang on June 23.
Talkback
RE: Bing ads lead to more malware; new Mac Trojan in the wild
Facebook and Google's track record is far worse
Hate to point the finger
but anyway, CBS doesn't exactly have a pristine record either. I can recount no less than 6 in the past 24 months where they had poisoned ads - and each time was when I opened ZDnet at the start of the day.
And they were all Flash ads.
This is the reason why I advocate against Flash ads. You can easily filter HTML, but I haven't seen any automatic systems that can search through Flash (and Java) ads for malicious content.
I Too Have Seen Poisoned Flash Ads at Legitimate Sites
That's what I'm talking about
"CBS" = CBS Interactive, which owns CNet and ZDnet.
...unless you were calling CBS Interactive "illegitimate".... ;)
Yes, I Know
I knew you meant legitimate sites. That's why I said "I also have seen poisoned Flash ads at legitimate sites." I can change the title as well to make it more clear that I was just chiming in.
My bad
Sandboxing doesn't always work. Most of the fake AV software just installs in the user folder, which can f* up Windows as soon as you log in (just like on a Mac). Sure, it may not be running in other user accounts, but if you only have one user account in Windows, you're going to be the admin. If you can't use Windows properly once you log in, then you don't have any option to create additional user accounts, etc. Usually you have to use some kind of offline servicing tool to remove the malware. I use Standalone System Sweeper in DaRT for this reason. I read about the new standalone beta for SSS, which I think is great news for end users, but it's still too complicated. Microsoft should just implement some kind of offline scanning ability in the default WinRE setup in every Win7 install though. DaRT can be deployed to a WinRE partition but it requires IT knowledge and costs extra. It's too bad that MSE can't just integrate itself into WinRE automatically so that the tools will also be there. I'm gonna suggest this feature to Microsoft for future Windows versions. A lot of the suggestions I made were actually implemented. They've made the feedback process much more difficult in recent years though.
RE: Bing ads lead to more malware; new Mac Trojan in the wild
The entire internet is poison. These "corporations" profit from ads...they don't care who or what's being pitched they just pitch it and make a buck in the process which leads to people spending money on new computers, new security software and more wasted money. It's a cycle to create more money!
RE: Bing ads lead to more malware; new Mac Trojan in the wild
Using Windows, I can ask - What's Java? I'm afraid if you install this slow, buggy VM, you reap what you sow. Best MS decision ever, dumping Java.
RE: Bing ads lead to more malware; new Mac Trojan in the wild
Totally agree. I will never miss playing the 10 games that require it.
RE: Bing ads lead to more malware; new Mac Trojan in the wild
Yes, exactly. Now if I could just talk friends/family out of it.
Frankly it is not irrelevant
That's not everything. But it is something.
RE: Bing ads lead to more malware; new Mac Trojan in the wild
Good point. Windows will even warn you of opening of Microsoft's own software.
RE: Bing ads lead to more malware; new Mac Trojan in the wild
"Windows will even warn you of opening of Microsoft's own software."
Oh yeah? Not unless said software is set to execute with administrative privileges. Which is exactly when it should warn you.
Because you are not claiming that Word, Excel, Visio, Expression, Visual Studio 2010, Access, Internet Explorer or Outlook are throwing up UAC prompts, are you?
Are you at all familiar with Windows?
RE: Bing ads lead to more malware; new Mac Trojan in the wild
No
Google was hammered by these gangs in April and May. It's Bing's turn this month.