Bing ads lead to more malware; new Mac Trojan in the wild

Summary: Malware authors will do just about anything to fool you into installing their software. A popular target is search engine advertising, which one gang is using on Microsoft's search results. In a separate attack, Mac users are being targeted by a Trojan that mimics a Flash installer.


Yesterday, I showed you details of an ad on Microsoft’s Bing search engine that led unwary visitors to a site serving up malware.

Several hours after I reported that ad to Microsoft, it was removed, and a spokesperson told me that Bing’s ad network will “continue to directly work with our agency media partners to verify and confirm any suspicious orders.”

Looks like there’s more work to do.

This morning, I’ve found multiple ads on Bing that go through seemingly innocent intermediary sites to the same malicious server in Russia.

Here, for example, is a pair of ads that appeared at the top of the Bing search results for firefox download:

Clicking the second ad in that block leads to a site called ipcfiles.info. The landing page is just as convincing as the fake Google Chrome downloads I identified yesterday:

Likewise, a Bing search for flash player displays this block of ads above the search results.

Clicking the second ad in this group, which is served from a site called oeachot.info, leads to this landing page:

Again, this is convincing social engineering.

Both intermediary sites use scripts that redirect an unwary user to the same Russian server I flagged yesterday.

I found similar ads, all leading to the same server, when I searched Bing for adobe reader, utorrent, and google earth.

This sort of attack has a higher than average probability of success, because casual Internet users have become accustomed to using search engines as a jumping-off point, and both Bing and Google place ads in prominent positions above search results, where they’re more likely to be clicked.

And because this gang uses a polymorphic engine, the files it delivers are not detected by conventional antivirus scanners. When I submitted both of these samples to VirusTotal today, only 3 of 43 scanning engines detected them as suspicious.

Currently, these ads lead only to Windows malware, but it’s possible that Mac users will be targeted by similar types of attacks. Last week, F-Secure identified a fake Flash Player installer delivered as a Mac package that is actually a DNS-changing Trojan.

Over the weekend, a customer on Apple’s support forums reported finding this on his Mac, and this morning I confirmed that Apple has updated its XProtect signatures to include a definition that flags and removes this threat, which it calls OSX.QHost.WB.A. This is the first definition update for OS X since the takedown of the Mac Defender gang on June 23.

Topics: Apple, Hardware, Malware


Talkback

118 comments
  • RE: Bing ads lead to more malware; new Mac Trojan in the wild

    Well..., have to admit, this made me chuckle a little.
    ZackCDLVI
  • Facebook and Google's track record is far worse

    Why is it that 1 in 5 Facebook pages contain [links to] a Java exploit? I am CONSTANTLY fixing customer machines where they pick up some kind of new Java exploit from Facebook links and/or ads. I can literally track their history back to wall posts and ads running on Facebook pages. Last week I cleaned a machine that had 18 exploits on it (some were variations of others, but they were uniquely identified). This is why I advocate against Java use for the masses.
    Joe_Raby
    • Hate to point the finger

      ...well, not really...

      but anyway, CBS doesn't exactly have a pristine record either. I can recount no less than 6 in the past 24 months where they had poisoned ads - and each time was when I opened ZDnet at the start of the day.

      And they were all Flash ads.

      This is the reason why I advocate against Flash ads. You can easily filter HTML, but I haven't seen any automatic systems that can search through Flash (and Java) ads for malicious content.
      Joe_Raby
      • I Too Have Seen Poisoned Flash Ads at Legitimate Sites

        @Joe_Raby
        I also have seen poisoned Flash ads at legitimate sites. They get taken care of quickly when reported, but it's too late for a machine that they've infected. This gives a lot of credence to using Adblock and Flashblock plugins/add-ons for your browser (especially in Windows, which is usually targeted by these ads). I would think that the sandbox in new versions of IE would help with this kind of attack (as well as having the latest version of Flash, though I wouldn't count on that being enough), but I haven't seen one of these ads on a sandboxed system yet.
        CFWhitman
      • That's what I'm talking about

        @Joe_Raby

        "CBS" = CBS Interactive, which owns CNet and ZDnet.

        ...unless you were calling CBS Interactive "illegitimate".... ;)
        Joe_Raby
      • Yes, I Know

        @Joe_Raby
        I knew you meant legitimate sites. That's why I said "I *also* have seen poisoned Flash ads at legitimate sites." I can change the title as well to make it more clear that I was just chiming in.
        CFWhitman
      • My bad

        @CFWhitman

        Sandboxing doesn't always work. Most of the fake AV software just installs in the user folder, which can f* up Windows as soon as you log in (just like on a Mac). Sure, it may not be running in other user accounts, but if you only have one user account in Windows, you're going to be the admin. If you can't use Windows properly once you log in, then you don't have any option to create additional user accounts, etc. Usually you have to use some kind of offline servicing tool to remove the malware. I use Standalone System Sweeper in DaRT for this reason. I read about the new standalone beta for SSS, which I think is great news for end users, but it's still too complicated. Microsoft should just implement some kind of offline scanning ability in the default WinRE setup in every Win7 install, though. DaRT can be deployed to a WinRE partition, but it requires IT knowledge and costs extra. It's too bad that MSE can't just integrate itself into WinRE automatically so that the tools will also be there. I'm gonna suggest this feature to Microsoft for future Windows versions. A lot of the suggestions I made were actually implemented. They've made the feedback process much more difficult in recent years, though.
        Joe_Raby
      • RE: Bing ads lead to more malware; new Mac Trojan in the wild

        @Joe_Raby

        The entire internet is poison. These "corporations" profit from ads...they don't care who or what's being pitched they just pitch it and make a buck in the process which leads to people spending money on new computers, new security software and more wasted money. It's a cycle to create more money!
        Rob.sharp
    • RE: Bing ads lead to more malware; new Mac Trojan in the wild

      @Joe_Raby

      Using Windows, I can ask - What's Java? I'm afraid if you install this slow, buggy VM, you reap what you sow. Best MS decision ever, dumping Java.
      tonymcs@...
      • RE: Bing ads lead to more malware; new Mac Trojan in the wild

        @tonymcs@...
        Totally agree. I will never miss playing the 10 games that require it.
        TechNickle
      • RE: Bing ads lead to more malware; new Mac Trojan in the wild

        @tonymcs@...
        Yes, exactly. Now if I could just talk friends/family out of it.
        TechNickle
  • Frankly it is not irrelevant

    @Ed Bott Yes, it is good for you to point out these social engineering attacks, as they are particularly insidious. But it also isn't wrong to point out that the Mac is not (yet) known to be vulnerable to involuntary payloads in the wild, such as buffer overruns, etc.

    That's not everything. But it is something.
    Mac_PC_FenceSitter
  • RE: Bing ads lead to more malware; new Mac Trojan in the wild

    @LoverockDavidson One problem with that analysis is so much legitimate software throws the same warnings. This isn't a dig at Windows (or Mac OS X), just shows how difficult this problem is to fully address.
    Jeremy-UK
    • RE: Bing ads lead to more malware; new Mac Trojan in the wild

      @Jeremy-UK
      Good point. Windows will even warn you about opening Microsoft's own software.
      ZackCDLVI
    • RE: Bing ads lead to more malware; new Mac Trojan in the wild

      @Zc456

      "Windows will even warn you about opening Microsoft's own software."

      Oh yeah? Not unless said software is set to execute with administrative privileges. Which is exactly when it should warn you.

      Because you are not claiming that Word, Excel, Visio, Expression, Visual Studio 2010, Access, Internet Explorer or Outlook are throwing up UAC prompts, are you?

      Are you at all familiar with Windows?
      honeymonster
    • RE: Bing ads lead to more malware; new Mac Trojan in the wild

      @honeymonster, I'm pretty sure he was talking about IE9's download filter, which works on a reputation basis. Not even Microsoft software gets away from that.
      The one and only, Cylon Centurion
    • RE: Bing ads lead to more malware; new Mac Trojan in the wild

      @honeymonster
      Gee, what bone did I pick with you? I've been using Windows since 98 SE, but that's not the point. Yes, UAC will prompt for MS' own software. Not saying it's a bad thing, more of a double-edged sword.
      ZackCDLVI
    • RE: Bing ads lead to more malware; new Mac Trojan in the wild

      @honeymonster Dude, take your medication and realize that he was talking about IE9
      ItsTheBottomLine
  • RE: Bing ads lead to more malware; new Mac Trojan in the wild

    So is the point of this article that Google has better malware checking than Bing?
    rfoto
    • No

      @rfoto

      Google was hammered by these gangs in April and May. It's Bing's turn this month.
      Ed Bott