Friday, February 27, 2015

62% of the Top 50 Download.com applications bundle toolbars and other PUPs

CNET’s Download.com is considered to be one of, if not the, most popular download portals, hosting a wide range of software (free and paid). We recently discussed the top ten ways toolbars, adware, homepage hijackers and other potentially unwanted programs (PUPs) can sneak onto your computer. Potentially unwanted programs are becoming a new epidemic that users must learn to face on a regular basis. In fact, a recent Panda Security study shows that potentially unwanted programs are on the rise, now comprising 24.77% of total malware infections.


A lot of potentially unwanted programs are delivered by installers hosted on download portals such as Download.com. But what kind of programs are frequently bundled and should you look out for? And how many of Download.com’s apps actually contain PUPs?


We researched both. First, here is a list of the most commonly bundled PUPs we see through Download.com:


Example 1: MyPC Backup – free trial with pop-ups


MyPC Backup is a commonly distributed potentially unwanted program that can often be found bundled with a wide variety of freeware applications. Once installed, MyPC Backup will nag the user to try and coax them into signing up for a “free account”. Afterwards, it will urge the user to back up their files and folders.


[Image: MyPC Backup PUP]


The con then comes into play stating that you need to purchase the full version in order to perform the backup. Please, never let appearances fool you: if it seems too good to be true, it most likely is. Also, expect to be inundated with pop-ups during your free trial period.


Example 2: IObit Products – are IObit products “useful” or “useless”?


Most users have more than likely used one or more of IObit’s free software offerings. Some may wonder how IObit products can be considered potentially unwanted. The answer lies in IObit’s tactic of bundling one or more of its free products inside other, similar freeware, and it is that bundling which is potentially unwanted. For example, Advanced System Care will install IObit Uninstaller, while IObit Driver Booster may offer to install IObit Malware Fighter.


[Image: Advanced System Care on CNET Download.com]


Plus, is IObit’s privacy policy one you actually want to agree to? IObit has been accused in the past of using shady software development methods. Please be cautious when installing related IObit applications. Consider this: if an application you may never use is unknowingly installed alongside another application, why do you need it on your PC? IObit is also notorious for pushing its paid products through in-program ads (“Activate Now”) and questionable promotional and marketing tactics.


Example 3: Pro PC Cleaner – finds fake issues that you need to pay for to fix


Pro PC Cleaner has made its presence known, and its fake results tag along with it. Pro PC Cleaner uses cleverly deceitful tactics and a colorful user interface to give the user a false sense of confidence and security.


[Image: Pro PC Cleaner PUP]


Once installed, this “professional” application will pester the user with a barrage of bogus errors and misleading results. Pro PC Cleaner will then “claim” that you need to pay to register the application in order to repair the “issues” it found. This software is a definitely unwanted program. If you find yourself facing this rogue-like application, removal is highly recommended, or you will continue to be plagued by its annoying presence.


Example 4: Skype – frequently bundled with freeware applications


Skype is a very popular application, so one might ask how Skype could be considered potentially unwanted. Skype as an independent application is not potentially unwanted at all. However, the situation with Skype is similar to the one described above with IObit products.


[Image: Skype PUP]


Skype is bundled with a multitude of freeware installers. If a user happens to overlook the “I do not accept” option or the check box to opt out of installing Skype, it can be considered just as unwanted as Pro PC Cleaner.


Example 5: YTD Video Downloader – more browser modifications than you’d want


Last, but not least, Spigot can be considered the most common potentially unwanted offer bundled with the vast majority of Download.com freeware. Spigot is rather nasty because it makes a plethora of browser modifications.


[Image: YTD Video Downloader PUP]


Spigot modifies a user’s browser homepage, startup page, search engine and tab settings. As shown in the image above, Spigot also installs various browser add-ons. If a user does not install cautiously, a massive amount of junkware and unwanted changes could befall their browser(s). An offer such as this is definitely unwanted; however, avoiding it is as easy as clicking to decline. Please use definite caution when facing an installer such as this.


Download.com’s Top 50 downloads: what comes with them?


We looked into the top 50 most downloaded applications on Download.com and the various potentially unwanted programs installed with each. Shown below is the list of 50 applications with the bundled PUPs listed next to them. As of February 2015, the bundles were as follows:


1. Avast Free Antivirus - Dropbox
2. KMPlayer - Spigot browser extensions (shopping aid, new tab aid, slick savings, eBay shopping assistant, search protect), offers to change homepage and search engine to Yahoo during installation, Pro PC Cleaner, and Wajam
3. AVG Free Antivirus - AVG SafeGuard (changes homepage and search engine to AVG Secure Search), Web TuneUp
4. YAC (Yet Another Cleaner) - considered to be a PUP itself
5. CCleaner - Chrome
6. Advanced System Care - Driver Booster, IObit Uninstaller
7. Free Youtube Download - Skype, PC Reviver
8. YTD Video Downloader - Spigot browser extensions (slick savings, browser error assistant, eBay shopping assistant, search protect), offers to change home and startup pages to Yahoo during installation, and GeniusBox
9. IObit Uninstaller - Advanced System Care
10. Download App - Spigot browser extensions (shopping new tab aid, slick savings, eBay shopping assistant, search protect), offers to change homepage and search engine to Yahoo during installation, and Pro PC Cleaner
11. 3DP Chip - nProtect, SpeedUpMyPC 2015
12. GOM Media Player - Skype, Clean Water
13. Virtual DJ 8 - NO PUPs
14. Malwarebytes Anti-Malware - NO PUPs
15. PhotoScape - Google Drive, PC Mechanic
16. Start Menu 8 - NO PUPs
17. Driver Booster - IObit Malware Fighter
18. VLC Media Player - NO PUPs
19. Ad Aware Free Antivirus - Ad Aware Web Companion (changes home page and search engine to Secure Search)
20. Minitool Partition Wizard - NO PUPs
21. IrfanView - NO PUPs
22. mHotspot - TuneUp Utilities, PC Mechanic, Safer Browser, Clean Water, DriverMax
23. Panda Free Antivirus - Panda Security Toolbar (changes default homepage and search engine to Yahoo)
24. Hotspot Shield - changes default homepage and search engine to Hotspot Web Search, installs the Hotspot Shield toolbar during installation
25. Mozilla Firefox - NO PUPs
26. SlimDrivers - MyPC Backup
27. uTorrent - OWSLA Bundle, Skype
28. Virtual DJ 7 - NO PUPs
29. Any Video Converter - offers to change homepage and search engine to Yahoo during installation, Spigot browser extensions (shopping aid, new tab aid, slick savings, eBay shopping assistant, search protect), and Pro PC Cleaner
30. AdwCleaner - NO PUPs
31. PrimoPDF - OpenCandy
32. DriverMax - OpenCandy, Safer Browser, TuneUp Utilities
33. Daemon Tools Lite - Spigot browser extensions (shopping aid, new tab aid, slick savings, eBay shopping assistant, search protect), offers to change homepage and search engine to Yahoo during installation, Pro PC Cleaner, iCinema, and Bo Browser
34. UMPlayer - NO PUPs
35. Screencast-O-Matic - NO PUPs
36. IObit Malware Fighter - MyPC Backup, Advanced System Care Ultimate
37. Spybot Search and Destroy - NO PUPs
38. FastStone Image Viewer - NO PUPs
39. Google Chrome - NO PUPs
40. VLC Media Player (64 Bit) - NO PUPs
41. 7-Zip - NO PUPs
42. Kingo Android Root - Spigot browser extensions (shopping aid, new tab, slick savings, eBay shopping assistant, search protect), offers to change homepage and search engine to Yahoo during installation, and Pro PC Cleaner
43. Format Factory - Spigot browser extensions (shopping aid, new tab, slick savings, eBay shopping assistant, search protect), and Pro PC Cleaner
44. Media Player Codec Pack - NO PUPs
45. Macrium Reflect Free - NO PUPs
46. AOMEI Partition Assistant Standard Edition - NO PUPs
47. Youtube Music Downloader - Spigot browser extensions (shopping aid, new tab, slick savings, eBay shopping assistant, search protect), offers to change homepage and search engine to Yahoo during installation, and Pro PC Cleaner
48. JetAudio Basic - offers to change homepage and search engine to Yahoo during installation, Spigot browser extensions (shopping aid, new tab, slick savings, eBay shopping assistant, search protect), Pro PC Cleaner, and AVG Toolbar (offers to change homepage and tabs to AVG Secure Search)
49. Pandora Recovery - offers to change homepage and search engine to Yahoo during installation, Spigot browser extensions (shopping aid, new tab, slick savings, eBay shopping assistant, search protect), and Pro PC Cleaner
50. Grand Theft Auto: Vice City Ultimate Vice City Mod - offers to change homepage and search engine to Yahoo, Spigot browser extensions (shopping aid, new tab, slick savings, eBay shopping assistant, search protect), and Pro PC Cleaner


To share and download the above research easily, we created a PDF file with our findings. Get it here. Feel free to share!


Conclusion: 31 out of 50 tested Download.com applications bundle PUPs


In conclusion: of the top 50 freeware applications on Download.com, 31 are bundled with potentially unwanted programs. This means that 62% of the freeware applications on Download.com contain potentially unwanted software. Be sure to use this download portal with extreme caution, or you may risk facing a potentially unwanted outbreak.


Here are several reminders on how to stay PUP free:


  • Instead of using download portals, go directly to the vendor’s website and download the desired software from there. Use caution here as well, because vendors can bundle PUPs themselves, but at least it reduces the risk a little.

  • Read over the terms of agreement carefully.

  • Moreover, read the privacy policy of each bundled program carefully: what do they do with your data?

  • Avoid seemingly suspicious software (free and paid).

  • Uncheck boxes during installation since most PUPs use an opt-out approach.

  • Use an antivirus program that comes with PUP detection, such as Emsisoft Anti-Malware.

  • Do periodic scans for malware and PUPs with the free Emsisoft Emergency Kit, which scans and cleans your computer.

Download and share a summary of the findings here. Have a great (PUP-free) day!




Wednesday, February 25, 2015

PrivDog, a Comodo add-on also bypasses SSL security

Superfish, the adware that was being distributed by Lenovo, sounded bad enough, right? Well, here’s worse: PrivDog, a tool that tampers with SSL certificates, is being promoted by Comodo, a security company. PrivDog has a massive vulnerability that basically allows the same man-in-the-middle attack as the adware Superfish. However, it is important to note that the version of PrivDog with the problem was never directly distributed by Comodo. It seems the vulnerable version was avoided and the previous version of the software was bundled with Comodo Internet Security. In any case, association with such an incident is bound to be questionable.


Analyzing the Problem


In order to replace ads on HTTPS-protected websites, PrivDog installs a self-generated root certificate on the system. Whenever a user accesses a secure HTTPS website, PrivDog replaces the website’s SSL certificate with a local certificate signed by its own, locally installed root certificate; in other words, it acts as a man-in-the-middle proxy. This means PrivDog can decrypt and manipulate otherwise secure traffic.


According to the US Computer Emergency Readiness Team (CERT):


Adtrustmedia PrivDog is a Windows application that advertises “… safer, faster and more private web browsing.” Privdog installs a Man-in-the-Middle (MITM) proxy as well as a new trusted root CA certificate. The MITM capabilities are provided by NetFilterSDK.com. Although the root CA certificate is generated at install time, resulting in a different certificate for each installation, Privdog does not use the SSL certificate validation capabilities that the NetFilter SDK provides. This means that web browsers will not display any warnings when a spoofed or MITM-proxied HTTPS website is visited. We have confirmed that PrivDog version 3.0.96.0 is affected.


Adtrustmedia PrivDog is promoted by the Comodo Group, which is an organization that offers SSL certificates and authentication solutions.



Since it turns out that PrivDog does not properly validate the original website’s certificate, it could easily be exploited by an attacker and could lead to phishing. This makes the problem even more serious than the one in Superfish.


As stated by PC World:


“Superfish’s mistake was using the same root certificate across all deployments. PrivDog’s mistake is not validating certificates at all.”





Mark James, an ESET security specialist also mentioned:


“The standalone version of PrivDog, when installed, creates [a root SSL] certificate, and it will intercept every certificate it finds and then replace it with one signed by its root key. This enables it to replace adverts in web pages with its own ads from ‘trusted sources’.”


“The implications are massive. One of the biggest problems here is the fact that it will replace certificates with a valid certificate even if the original cert was not valid for any reason. This means it essentially makes your browser accept every HTTPS certificate regardless if it’s been signed by a certificate authority or not.”



This major issue is present in PrivDog versions 3.0.96.0 and 3.0.97.0 and anyone using one of these versions should remove the application immediately.


Making Amends


The Adtrustmedia-PrivDog team have released a security advisory warning people of the vulnerability, but surprisingly have assigned it a threat level of “low”. A newer version is also available for download at the company’s site.


The PrivDog team have reported:


A maximum of 6,294 users in the USA and 57,568 users globally are potentially affected by the issue and they will be updated automatically to a patched version.



It seems the problem has been patched fairly fast but fixing the reputation of the company will take much longer, especially since PrivDog’s sole purpose is ensuring user privacy and blocking unwanted ads.


Comodo on the other hand responded by saying that the affected version of PrivDog was never distributed by them. The version bundled with Comodo Internet Security was version 2 which was not affected by the vulnerability. Although this is a fair point, it is baffling that an SSL certificate company is supporting and closely related to such software. You would expect a security company to know better.


An Unpleasant Surprise


The most surprising thing in this case is the parties involved: PrivDog (an application that promises safer, faster and more trusted web browsing) and Comodo (a security company that specializes in SSL certificates). Both companies will have an uphill battle when it comes to regaining the trust of their users. It is definitely shocking that applications which claim to improve security actually end up making their users more vulnerable and prone to attacks.


Have a nice (vulnerability-free) day!




Monday, February 23, 2015

Beware of Babar: the spyware created by the French Secret Service

The NSA has made the news headlines a lot lately with frequent attempts to infringe on people’s privacy, but the US is not the only player in the game. The French service DGSE is responsible for creating a spyware called Babar, which was recently leaked by Edward Snowden. More details on the leak can be found here. This so-called monitoring program was used against Iranian nuclear research institutes and universities, European financial institutions, former French colonies and a media organization in Canada.


An Elephant Problem


The malware Babar is named after Babar the elephant, the hero of a French children’s book series. However, its actions are far from heroic. The spyware Babar is capable of logging keystrokes, taking screenshots and even logging audio conversations through Skype and Yahoo, which is very disturbing. It also uses the Tor network to communicate secretly. Such features clearly indicate that the malware is pretty advanced and stealthy.


Babar was initially discovered by the Canadian intelligence agency CSEC and later brought into the spotlight when Snowden leaked the NSA documents. Reports suggest that this spyware may be a complete espionage tool and could have been used for various political reasons.


This clearly tells us that the internet is no child’s playground. It could easily turn into a cyber war zone with all these weapons around, and with so many possibilities there are definitely a lot of things that could go terribly wrong. Babar is another example of government agencies actively using malware and hacking tools to spy. Here is a list of other cute characters that now represent security problems.


Government Spying



Snowden once reported that the NSA was using iPhones to spy on users. Babar is very similar to the Regin malware family associated with GCHQ, the British intelligence agency. Although it is almost impossible to prove who is behind Babar, one thing is for certain: the NSA and GCHQ are definitely not alone. Intelligence agencies all around the world are actively using malware and cyber tools to sniff around corners. This kind of behavior is hard to justify under any circumstances. It is a shame that users are being spied upon by the very agencies who should, on moral grounds, be responsible for defending their privacy.


Have a nice (spyware-free) day!




Friday, February 20, 2015

Warning! Lenovo pre-loads “Superfish” adware that bypasses SSL security on new laptops

It’s a known fact that most consumer desktop and laptop manufacturers like to add bloatware to their machines. Most new laptops come with plenty of unwanted software, including lots of trials and add-ons. Computer manufacturer Lenovo seems to have taken it to a new level by pre-loading active adware on new consumer laptops. Adware is usually just advertising software, but there is a thin line between being merely opportunistic and actually shady and malicious. Superfish, the adware pre-installed in this case, comes dangerously close to that boundary and also has some major security holes.






Super F(Ph)ishing?


Superfish has been reported to be pre-installed on several Lenovo laptops. The adware is known to inject third-party ads into Google searches and websites without the user’s permission. Superfish affects the Internet Explorer and Chrome browsers and has proven to be a major annoyance for most users. It is even flagged by most major antivirus or anti-malware companies, including Emsisoft Anti-Malware. Superfish’s file certificate is on Emsisoft’s blacklist, and the behavior blocker raises alerts when someone tries to execute the adware.


Users report that the adware installs its own self-signed certificate authority, which effectively allows it to spy on secure connections, like the ones used by banking websites. This malicious technique is known as a man-in-the-middle attack, similar to those used in Heartbleed. Superfish bypasses SSL security, and it has been reported that users who have Superfish installed are now vulnerable to hacking and spying attacks due to its cracked certificate. It is surprising and disturbing that a major computer manufacturer like Lenovo is distributing such shady software.


Lenovo claims Superfish is useful software, but temporarily removed it after criticism


Lenovo defended their decision to include Superfish in their computers with a statement:


“Superfish helps users find and discover products visually and instantly analyzes images on the web and presents identical and similar product offers that may have lower prices.”



However, due to a lot of complaints from users and pressure from the industry, Lenovo has temporarily removed Superfish from its bloatware list.


“We have temporarily removed Superfish from our consumer systems until such time as Superfish is able to provide a software build that addresses these issues. As for units already on the market, we have requested that Superfish auto-updates a fix that addresses these issues.”



How to scan for and remove Superfish from your computer


If you suspect you have the adware Superfish on your computer, perform a scan with the free Emsisoft Emergency Kit which flags the adware on your computer. To remove Superfish, perform the following steps:


  • Press the Windows key + “R” to open the run window.

  • Type “certmgr.msc” and hit Enter to open the Windows Certificate Manager.

  • Navigate to “Trusted Root Certification Authorities” and its sub-element “Certificates” in the folder tree to the left.

  • Check for the certificate entry “Superfish, Inc” on the right side of the window.

  • Select it and press the Delete key or right-click and select “Delete”.

Now your browser no longer trusts the made-up SSL certificates of that adware, and you’re on the safe side.
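A scripted version of the same check, as an added example that is not part of the original post: it searches the current-user and local-machine Trusted Root stores for any certificate whose subject or issuer mentions Superfish, lists what it finds, and deletes the entries only when run with -Remove. Matching on the string “Superfish” is an assumption based on the entry name given in the steps above.

```powershell
# Added example, not from the original post: find (and optionally remove) the
# Superfish root certificate from the Windows Trusted Root stores.
# Assumption: the Subject or Issuer of the rogue certificate contains "Superfish".
param(
    [switch]$Remove   # pass -Remove to actually delete the matching certificates
)

# certmgr.msc shows the CurrentUser store; a pre-load may also sit in LocalMachine.
$stores = @('Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root')

function Find-SuperfishCert {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like '*Superfish*' -or $_.Issuer -like '*Superfish*' } |
            ForEach-Object {
                [PSCustomObject]@{
                    Store      = $path
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    PSPath     = $_.PSPath
                }
            }
    }
}

$found = @(Find-SuperfishCert -Paths $stores)
if ($found.Count -eq 0) {
    Write-Output 'No Superfish root certificate found in the trusted root stores.'
    return
}

$found | Format-Table Store, Subject, Thumbprint, NotAfter -AutoSize

if ($Remove) {
    foreach ($cert in $found) {
        # Deleting from LocalMachine\Root requires an elevated (Administrator) shell.
        Remove-Item -Path $cert.PSPath -Verbose
    }
    Write-Output 'Removed. Restart your browsers so they re-read the root store.'
} else {
    Write-Output 'Re-run with -Remove to delete the certificate(s) listed above.'
}
```

Removing the root certificate stops the adware’s forged certificates from being trusted; the Superfish program itself still has to be uninstalled or cleaned up by a scan as described above.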


Outlook for quick cash makes vendors blind to security issues


The fact that Lenovo has taken some action and contacted the developers is reassuring, but the bigger picture is that adware is becoming more and more “acceptable” in the industry, and manufacturers shamelessly add such software pre-loaded to their devices. The greater concern is that software like Superfish could turn rogue at any time and do some serious damage to the thousands of users who have unknowingly fallen into its grasp. Vendors blindly trust their advertising partners and don’t question what these partners actually install on a system. Apparently, the outlook for quick cash makes them completely blind to the security issues they may be buying.


Have a great (adware-free) day!




Sunday, February 15, 2015

Hackers steal up to $1 billion from banks through malware “Carbanak”

Imagine standing in front of an ATM that suddenly starts to dispense money. That’s apparently what sparked a large investigation at the end of 2013. It has now been discovered that this was part of what may be the largest bank theft ever.


“In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment.” reported the New York Times.



Kaspersky Lab revealed on Saturday that a multinational gang of cyber criminals has stolen up to $1 billion from as many as 100 financial institutions around the world in a few years’ time. Attacks on ATMs or individual bank accounts are quite common nowadays. This time the criminals took the unusual approach of stealing directly from banks by targeting bank employees’ computers. The hackers sent emails to hundreds of bank employees that included a malicious link. Once it was clicked, a malware program called Carbanak would install, which allowed the hackers to get onto the bank’s internal network and spy on the staff’s activities. The malware recorded keystrokes and took screenshots of the bank’s computers, so that the hackers could learn bank procedures and gain access to the bank’s administrative systems.


Controlling ATMs remotely was one of the methods


The hackers then stole money from the bank in a few different methods that are known so far:


  • Directing ATM machines to dispense money at set times and locations, where a gang member would wait to collect.

  • Transferring money into the hackers’ fraudulent bank accounts

  • Using online payment systems to send money to fraudulent accounts worldwide

  • Inflating account balances of individual accounts before pocketing the extra money, so that the account holder would not suspect a problem.

No bank has come forward yet to acknowledge the theft


The majority of the targets were in Russia, but there were also many in the US, Japan and Europe. According to the New York Times, no bank has come forward acknowledging the theft, a common problem that US President Obama addressed recently. The full report will be published by the New York Times this Monday. Kaspersky Lab says that the scope of this attack on more than 100 banks and other financial institutions in 30 nations could make it one of the largest bank thefts ever. The affected banks are aware of what’s going on, but Kaspersky says it can’t name them because of non-disclosure agreements.


Kaspersky said it’s working with Interpol, Europol and authorities from different countries to try to uncover more details on what is being called an unprecedented robbery. While it’s always a good idea to keep an eye out for suspicious bank account activity, you now have an even better reason to be cautious. More details will most likely be revealed this week, after the full report has been published.


Have a great (malware-free) day!




Friday, February 13, 2015

Facebook launches new network ThreatExchange to share internet threats

Facebook has recently launched a new, dedicated social platform called ThreatExchange. It aims to allow security experts to come together, collaborate and benefit from each other’s information. With cybercrime on the rise, this is a welcome step and could help prevent several large-scale attacks in the future.


What is ThreatExchange?


ThreatExchange is a social network for companies that allows them to share important information about all kinds of online threats. This includes information about bad URLs, malware, phishing, large scale cyber attacks and more. Many major attempts to breach security in the past have remained unnoticed until it was too late. ThreatExchange hopes to change that. Initial partners to ThreatExchange include the companies Bitly, Dropbox, Facebook, Pinterest, Tumblr, Twitter, and Yahoo.


According to the information on the official website:


ThreatExchange is a platform created by Facebook that enables security professionals anywhere to share threat information more easily, learn from each other’s discoveries, and make their own systems safer. We included a set of privacy controls so that participants can help protect any sensitive data by specifying who can see the threat information they contribute.


That’s the beauty of working together on security. When one company gets stronger, so do the rest of us.



Why is it necessary?


In the past few months the internet has been plagued with several attacks from different hacker groups and cybercriminals, with the attack on Sony as the most prominent example. Apart from disrupting services, such attacks also lead to privacy leaks and data breaches. Recent cyber attacks on large internet-based companies are probably what caught Facebook’s attention.


As useful as it may seem, the effectiveness of any network depends on those who use it. Now it is up to security professionals and companies to make use of this mutually beneficial system to reduce response time to threats and discover vulnerabilities before they are widely exploited.


Have a nice (malware-free) day!




Saturday, February 7, 2015

Internet Explorer vulnerability puts user credentials at risk

The latest version of Internet Explorer seems to have a serious security flaw that makes it possible for hackers to inject malicious code into a user’s browsing session and steal their login credentials. The bug is present in IE 11 and affects users on both Windows 7 and Windows 8.1.


This bug allows hackers and phishers to easily steal authentication cookies which could be used to access several accounts linked to the victim. Most email service providers, banks and social networking websites use such cookies to grant users access to their data.




Once in the hands of a cybercriminal, this information could be used to gain access to the victim’s credit card information and more, possibly resulting in identity theft.


When the internet explores you…


An experiment that demonstrates the vulnerability that could be used to exploit IE can be found here. Normally, the same-origin policy (an important concept in the Web application security model) prevents one site from accessing or modifying browser cookies or other content set by any other site. However, this vulnerability allows attackers to bypass the policy by injecting client-side script into web pages viewed by users. This is known as universal cross-site scripting (XSS).


Microsoft, in its defence, pointed out that in order to do any harm a hacker would first have to lure the victim to a malicious website, which may be blocked by the SmartScreen Filter. This was the statement issued:


“We are not aware of this vulnerability being actively exploited and are working on a security update. To exploit this, an adversary would first need to lure the user to a malicious website, often through phishing. SmartScreen, which is on by default in newer versions of Internet Explorer, helps protect against phishing websites. We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information.”



At the moment it is best to stay away from Internet Explorer until a patch is released in the form of a security update. After all, there are tons of malicious websites that the SmartScreen Filter does not protect you against. Emsisoft Anti-Malware, though, comes with surf protection, which can protect you against all kinds of malicious and phishing websites regardless of which browser you use.


Have a nice (exploit-free) day!




Wednesday, February 4, 2015

Another Flash vulnerability



Adobe Flash may have been a great multimedia platform in the past, but it has not been holding up well recently. Multiple vulnerabilities have made it a prime target for hackers. According to an official announcement on Monday, a new critical vulnerability has been discovered which is being exploited by cybercriminals using drive-by download attacks. This vulnerability affects Windows, OS X and even Linux.


A patch is expected later this week.


This was the Adobe advisory:


“A critical vulnerability (CVE-2015-0313) exists in Adobe Flash Player 16.0.0.296 and earlier versions for Windows and Macintosh.  Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.  We are aware of reports that this vulnerability is being actively exploited in the wild via drive-by-download attacks against systems running Internet Explorer and Firefox on Windows 8.1 and below”



It looks like Adobe is well aware of the issue and is working on developing a patch. In the meantime though, all users need to be cautious.


Exploited in a flash


Over the past few weeks several major security flaws have been discovered in Flash, making it one of the most exploited platforms alongside Java. Some of the specifics of these attacks can be found in this previous article. This is not helping Adobe. YouTube recently moved away from the Flash platform and is now entirely using HTML5. Users who have security concerns should also consider removing Flash from their computers to avoid being exploited. If you continue to use Flash, however, you should have a solid security program that protects you from exploits and drive-by downloads. Luckily, Emsisoft Anti-Malware is well equipped to protect you against such zero-day threats.


Have a nice (exploit-free) day!


