Social engineering in action: how web ads can lead to malware

Summary: One of the great myths of security is that if you're infected with malware it's your own fault, because you were visiting dangerous web sites. But these days, even a completely innocent link can lead to unwanted, potentially malicious software. Here's what to watch out for.

One of the great myths of security in 2011 is that if you’re infected with malware it’s your own fault. You shouldn’t have been searching for porn, downloading pirated software, or snagging bootleg DVDs from BitTorrent.

As I found out firsthand this week, even a completely innocent link can lead to unwanted, potentially malicious software. In this case, the delivery mechanism was this ad, which I found when I visited a lightly trafficked but legitimate blog (I’ll leave them unnamed, because they’re innocent victims in all this).

The ad appeared at the bottom of a post, with an animated graphic and a yellow bar designed to mimic the appearance of similar “missing plugin” messages from browsers. The ad was served by a third-tier ad network, AdBrite.

For more screens showing exactly how this scam works, see the companion photo gallery, "How ads on legitimate web sites can lead to malware and unwanted software."

Clicking the ad takes you to a page that uses similar social engineering to simulate the experience of a missing codec. The spinning wheel next to the word “Buffering” suggests that the page is trying to download a video but is being stopped somehow.

Although this screen was captured in Google Chrome, the experience is identical in other browsers, including Internet Explorer.

The social engineering is decent. Xvid is a legitimate video codec, and the logo in the top left corner of the page is the same one used by the group that officially maintains the codec. Clicking anywhere on the page results in an executable file called XvidSetup.exe being downloaded.

What happens if you run that file? More social engineering.

  • The installer certainly looks legitimate, and it even offers a choice of Express or Custom installations.
  • The setup file does not have a digital signature.
  • It does appear to install a version of the Xvid codec, but the installer omits the GNU General Public license that is required by the Xvid team.

Regardless of which option you choose, you also get a few extras you didn’t count on:

  • It installs Real Player, using an affiliate code that no doubt nets the distributors a commission on the installation. On at least one occasion, it performed a reinstallation even after I clicked Cancel.
  • It downloads additional software and silently installs add-ons for all browsers it detects on your system, including Internet Explorer, Firefox, and Chrome.

This status dialog box goes by very quickly, but you can clearly see what it downloads and installs.

If you look in Firefox, Chrome, Safari, or Internet Explorer, you'll find that several add-ons have been silently installed as well.

At no point during this installation process was I offered a license agreement or given any option to consent to the extras being installed. And even clicking the link on the initial setup screen provides no information about what the offered programs are, who they’re from, or what they do.

After installation, are there any additional clues about what just happened? Not really. The software is listed in Control Panel, but there's no publisher name for the “enhancements,” nor are there help and support links.

If you’re looking for the real Xvid codec, by the way, you can find it here. The Windows installer file contains the most recent version of the codec, is digitally signed, and presents a proper GPL license during installation. It also identifies itself properly in Control Panel.
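The two checks above (is the setup file signed, and what does VirusTotal say about it) can be done without running the installer. The following is an added example, not code from the article or from the Xvid project: it hashes the file for a VirusTotal lookup and reads the PE header's security data directory to see whether an Authenticode signature is embedded at all. The two sample PE headers it builds are constructed for the example and contain no real code or certificate.

```python
import hashlib
import struct

# Added example, not code from the original article. A Windows executable
# stores its Authenticode signature in data directory entry 4
# (IMAGE_DIRECTORY_ENTRY_SECURITY) of the optional header; a zero-size entry
# means there is no embedded signature, which is what the article observed
# for XvidSetup.exe. A non-zero entry only says a blob is present: the chain
# still has to be verified (signtool verify /pa, Get-AuthenticodeSignature).

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def authenticode_directory(pe):
    """Return (file_offset, size) of the embedded signature blob, (0, 0) if none.

    Raises ValueError for anything that is not a well-formed PE header, which is
    itself a finding for a file that claims to be a Windows installer.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file (missing MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    opt = coff + 20
    if size_of_optional == 0 or opt + size_of_optional > len(pe):
        raise ValueError("missing or truncated optional header")
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == PE32_MAGIC:
        num_rva_off, dirs_off = 92, 96      # 32-bit layout
    elif magic == PE32PLUS_MAGIC:
        num_rva_off, dirs_off = 108, 112    # 64-bit layout
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (num_dirs,) = struct.unpack_from("<I", pe, opt + num_rva_off)
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt + size_of_optional:
        return (0, 0)
    return struct.unpack_from("<II", pe, entry)


def triage_installer(pe):
    """What a reviewer wants to know before double-clicking a downloaded setup file."""
    offset, size = authenticode_directory(pe)
    return {
        "sha256": hashlib.sha256(pe).hexdigest(),  # the value to look up on VirusTotal
        "has_embedded_signature": size != 0,
        "signature_offset": offset,
        "signature_size": size,
    }


def build_sample_pe(signed):
    """Constructed minimal PE32 header for the example (no real code or certificate)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, PE32 opt header size
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    sig_blob = b""
    if signed:
        sig_offset = 0x40 + 4 + 20 + 224
        sig_blob = b"\x00" * 64                                    # stands in for a WIN_CERTIFICATE blob
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sig_offset, len(sig_blob))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sig_blob


if __name__ == "__main__":
    for label, sample in (("unsigned", build_sample_pe(False)), ("signed", build_sample_pe(True))):
        print(label, triage_installer(sample))
```

Presence is not validity. A file that passes this check still needs its chain and signer verified, and a signer name that matches the project you think you are installing. Some operating-system components are signed only through a catalog and show no embedded signature, but a third-party installer downloaded from the web should carry one, as the real Xvid installer does.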

Page 2: What’s the threat?

So what do these mystery programs do? Are they malicious? Do they steal personal information? Do they display pop-ups?

A couple of months ago, Jerome Segura of ParetoLogic analyzed a nearly identical scam (same graphics, similar domain name) and found plenty to be suspicious of:

After installing the “codec” you can return time and time again to the site but you won’t see any video… And that’s where the trick is…

In the meantime, unwanted components have been installed on your computer, such as this Browser Helper Object (BHO) …

What I installed here is different from that package, even if the delivery mechanism is nearly identical. Initially, at least, these browser add-ons appear to do nothing at all. I suspect they’re time-bombed, waiting a few days (or even a month) before triggering their payload.

I did find one giant clue, though, when I clicked the “Installing and Uninstalling” link at the bottom of the page that’s serving up this software. That led to a plain-text page, a portion of which is shown here:

ClickPotato? If that name sounds familiar, it might be because you read this post a couple of weeks ago: Trojans, viruses, worms: How does malware get on PCs and Macs? Among the top 10 threats to consumer PCs identified by Microsoft in 2010 was this one:

ClickPotato is a relatively new family of “multi-component adware” that displays pop-ups and ads. It often tags along with Hotbar.

The fact that the distributors of this software bundle are using a template that includes ClickPotato should be a big red flag. I found a few other red flags by inspecting the source code of the landing page, which includes a link to a site called myroitracking.com. According to the Google Safe Browsing service, this domain is a well-known intermediary in the distribution of malware:

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, myroitracking.com appeared to function as an intermediary for the infection of 106 site(s).
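The source inspection described above can be automated so it is repeatable on the next lookalike page. The following is an added example, not code from the article or from any product it names: it lists every third-party host a landing page pulls content from, flags any that match a watchlist of known intermediaries, and notes the lure phrases the article describes (“missing plugin,” “Buffering”). The sample page, its hostname codec-download.example, the host cdn.example.net and the watchlist are all constructed for the example; the only real name among them is myroitracking.com, which the article reports Google Safe Browsing listing as a malware intermediary.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Added example, not code from the original article. It automates the check
# the article made by hand on the landing page source. Sample page, hostnames
# and watchlist are constructed; only myroitracking.com comes from the article.

# tag -> attributes whose value is a URL the browser will fetch or follow
URL_ATTRS = {
    "script": ("src",), "iframe": ("src",), "img": ("src",), "embed": ("src",),
    "a": ("href",), "link": ("href",), "form": ("action",), "object": ("data",),
}
# phrases the article identifies as the social-engineering hook
LURE_PHRASES = ("missing plugin", "buffering", "codec required")


class LandingPageScanner(HTMLParser):
    """Collect referenced URLs (resolved against the page URL) and visible text."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            if attrs.get(name):
                self.urls.append(urljoin(self.page_url, attrs[name].strip()))
        # <meta http-equiv="refresh" content="0;url=..."> is a common way such
        # pages hand the visitor to a separate download host
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            marker = content.lower().find("url=")
            if marker != -1:
                target = content[marker + 4:].strip().strip("'\"")
                self.urls.append(urljoin(self.page_url, target))

    def handle_data(self, data):
        self.text.append(data)


def on_watchlist(host, watchlist):
    """Exact or subdomain match: track.myroitracking.com matches myroitracking.com."""
    return any(host == w or host.endswith("." + w) for w in watchlist)


def audit_landing_page(html, page_url, watchlist):
    scanner = LandingPageScanner(page_url)
    scanner.feed(html)
    page_host = urlparse(page_url).hostname.lower()
    hosts = set()
    for url in scanner.urls:
        parsed = urlparse(url)
        if parsed.scheme in ("http", "https") and parsed.hostname:
            hosts.add(parsed.hostname.lower())
    third_party = sorted(h for h in hosts if h != page_host)
    text = " ".join(scanner.text).lower()
    return {
        "third_party_hosts": third_party,
        "flagged": [h for h in third_party if on_watchlist(h, watchlist)],
        "lure_phrases": [p for p in LURE_PHRASES if p in text],
    }


# Constructed sample: a lookalike landing page of the kind the article shows.
SAMPLE_URL = "http://codec-download.example/xvid/"
SAMPLE_PAGE = """<html><head><title>Xvid codec required</title>
<script src="http://track.myroitracking.com/t.js"></script>
<link rel="stylesheet" href="/static/style.css">
</head><body>
<div class="bar">Missing plugin: click to install the Xvid codec</div>
<img src="http://cdn.example.net/spinner.gif"> <span>Buffering...</span>
<a href="XvidSetup.exe">Download</a>
<a href="https://www.xvid.org/">Xvid home page</a>
</body></html>"""
WATCHLIST = {"myroitracking.com"}  # constructed; in practice feed it your own intel

if __name__ == "__main__":
    print(audit_landing_page(SAMPLE_PAGE, SAMPLE_URL, WATCHLIST))
```

Fetch the page with a plain HTTP client rather than a browser so nothing executes, and keep the saved source: as the article goes on to show, the operators rewrote the page within half an hour of being reported, so the copy you captured is the evidence.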

I observed the behavior of this ad and the landing page over a period of several days. During that time I exchanged several e-mails with the AdBrite Trust & Security team, which initially denied that there was anything wrong with the ad. They finally agreed to investigate after I sent them a report from VirusTotal showing 9 separate detections as malware along with screenshots showing both Norton Internet Security and Microsoft’s SmartScreen blocking the file.

Within 30 minutes, the code at the landing page had been scrubbed, removing the deceptive “missing plugin” references, deleting the link to ClickPotato, and providing a link to an alternate download site with a recompiled file of the same name. It will take the antivirus companies a few days to catch up, at which point a new version will probably appear.

The gang behind this scam appears to have tried to cover its tracks—but you can bet they’re not out of business. I hope this story makes it possible for you to recognize them if they cross your path.

Topics: Browser, Malware, Security, Social Enterprise

Talkback

110 comments
  • RE: Social engineering in action: how web ads can lead to malware

    Pretty horrible trick. What we need is a Software Center approach to things like this. What I mean is, if you got all your software via a tool built into the OS, you wouldn't run the risk of downloading and installing malware disguised as a legitimate application. Perhaps though, such a software center could be more for simple stuff, like in this case, codecs. It's a tough one.
    Imrhien
    • RE: Social engineering in action: how web ads can lead to malware

      @Imrhien

      Windows 8 is going to have a software store, but I think it was because of the DOJ oversight that MS didn't launch the app store till now. Meanwhile Apple has one and there are Linux repos, but anywho, MS is getting a store in Windows 8.
      Viper589
      • RE: Social engineering in action: how web ads can lead to malware

        @Knix96

        Too bad IE9 is unavailable for our 10,000 work PCs running XP; at least they just updated from IE6 to IE7.
        bannedagain
      • RE: Social engineering in action: how web ads can lead to malware

        @Bannedagain
        Well, XP still can get IE8, so I think that should help you a little.
        Viper589
      • RE: Social engineering in action: how web ads can lead to malware

        bannedagain, if you are a HOME USER, there is no reason why you should STILL be using Windows XP. Upgrade to Windows 7.... you will thank yourself for doing so.

        I'm running two tester PCs without any form of virus-control. I get all the software for them off Download.com, I do the same surfing as I do on my virus-control 'protected' PCs, and they haven't gotten any bad stuff on them yet after 3 months (according to MalwareBytes and Kaspersky).

        Windows XP is an insecure PoC (compared to Windows 7), old as the hills, and it's time that old dog gave up the ghost and died.
        Lerianis10
      • RE: Social engineering in action: how web ads can lead to malware

        @Knix96 I never knew web ads are not malware; I thought they are always malware. Whenever you browse a video streaming site, you always get a malware attack.
        lorisinclair
    • RE: Social engineering in action: how web ads can lead to malware

      @Imrhien That approach, while it may work, cannot be the exclusive approach for getting software. The reason for that is the freedom to develop. If your software must all be approved by microsoft, there could be an incentive not to approve competing products... In fact Apple refuses to approve many competing products in the iOS and the desktop app stores.
      snoop0x7b
      • RE: Social engineering in action: how web ads can lead to malware

        @snoop0x7b Thanks for sharing this information with us. I am a big fan of reading, thanks for sharing this wonderful information.
        lorisinclair
    • This is the App Store concept. Apple can get away with that ...

      @Imrhien ... but regulators will never allow Microsoft to do so and as soon as you broaden the model to include a variety of App Stores from different vendors, you invite some of them to include CRAPWARE in their downloads - just as hardware vendors include CRAPWARE.

      No, CRAPWARE is not MALWARE, but for many of us there is a fine line between them.
      M Wagner
    • RE: Social engineering in action: how web ads can lead to malware

      @Imrhien ... Not so though; simply learn how to check a site's reputation and activities over the last 6 - 12 months. Otherwise go to a site YOU know is safe!
      tom@...
      • RE: Social engineering in action: how web ads can lead to malware

        @tom@... And you do this for every site you visit? Knowing that a regular IT pro visits around hundreds of sites (blogs, forums, ...) a day?
        belli_bettens@...
    • RE: What we need is a Software Center

      @Imrhien

      Do you mean like the one that can be found in Ubuntu??

      You can use Synaptic Package Manager to install new software packages, or update existing ones.

      The newer Ubuntu Software Center along with Update Manager is a more n00b-friendly way of accomplishing the same task. Ubuntu (and many other Linux distributions) have had package managers for years.

      It's a pity that you Windows users have not yet caught up.
      fatman65535
      • RE: Social engineering in action: how web ads can lead to malware

        @fatman65535
        The reason Windows hasn't caught up is simple: they would have had antitrust regulators all over them!!!!
        Viper589
      • RE: Social engineering in action: how web ads can lead to malware

        @fatman65535
        What about legitimate software that isn't in the repository?
        Firefox 5?
        That program doesn't appear in my Ubuntu 10.04 repository (apparently it's in the Ubuntu 11.04 repository).

        I keep getting updates offering FF 3.6.18 (I've manually installed FF 5).
        lehnerus2000
    • TO : Imrhein & Software Center. . .

      What's up with you ? Next you'll be preaching about only getting and giving software "according to one's needs". Somewhere along the line you either missed High School Government class or have decided that the internet is the ideal frontier for Marxism. Also, I seem to recall that a small company from Redmond Wa. recently spent a considerable amount of time and money in an extended, losing court battle over a very similar proposition. Get your ducks in line before your next comment in an adult forum.
      materva
      • RE: Social engineering in action: how web ads can lead to malware

        @materva Really? so Apple is a Marxist company is it? Read the last line in your comment, to yourself, whilst standing in front of a mirror.
        spin498
      • RE: Social engineering in action: how web ads can lead to malware

        @materva
        Your paranoia is showing, Ms. Palin (I know that's you...) I'm not worried.... Yuns' gun-toters will never let the Marx brothers back in office! You're aware, I'm sure, that standardized electrical voltages are a Communist plot too.... shouldn't you be at CPAC convention with the other flamethrowers?
        tooltym
    • RE: Social engineering in action: how web ads can lead to malware

      @Imrhien

      try download.com If I need a codec package etc, I go there first. Often it has updates of programs as well. They run scans on the software to make sure it's legit, and has software for both PC and Mac. They also link to the homepage of the software, so I sometimes use that to make sure I have the right source.
      Drakaran
  • really?

    @Cylon Centurion

    Eliminates? So even after all the YEARS of people attempting to protect software with more software, only to see the situation get worse, you are STILL of the opinion that throwing more software at the problem will fix it?

    gary
    gdstark13
    • Really.

      @gdstark13 It works - No cost, easy to apply, and actually enhances your surfing experience. Where's the downside? Much more realistic as a solution than waiting for the situation to magically correct itself. As long as there are plenty of sheeple that scoff like you do, it'll remain effective. Once folks start to get smart and defend against it, THEN the bad guys will move on to something else.
      ejhonda