Attacks to make Ask.com Toolbar a conduit for malware are nipped in the bud
- 19 November, 2016 07:09
Attackers who were trying to turn the Ask.com Toolbar into a malware dispensary got caught early on when their scheme was picked up by security services that were looking for anomalies.
The malicious actors are unknown but they managed to get the legitimate Ask.com toolbar update feature to place a dropper/uploader into the browsers of several customers of security firm Red Canary.
Once installed, the dropper would bring in secondary malware including banking Trojans and other online-fraud code, says Keith McCammon, CSO of Red Canary. The secondary payloads varied, and some of the dozen or so compromised machines his team found had downloaded more than one kind, he says.
That makes McCammon think the perpetrators were experimenting with various types of malware to zero in on which one would be most effective for their purposes. He detected no attempt to mass-distribute any one form of malware that could have become widespread. The CSO described these secondary applications as off-the-shelf.
When Red Canary contacted Ask.com, the Q&A/search service provider responded quickly and issued updates that blocked the attacks. McCammon says he hasn’t found evidence of attacks since. Ask.com’s parent company IAC, which Red Canary dealt with, has not responded to Network World’s request for information. This story will be updated when it does.
McCammon says the behavior of the browser after it had been contaminated raised a red flag. It was executing files with a .png extension, which is unusual, as was the fact that the first-stage dropper/downloader was signed just hours before they were discovered.
In the normal course of things, a legitimate update would be signed, then run through quality assurance before being pushed, a process that takes days or weeks. Somehow the attackers got their malware signed by Ask.com and sent out quickly, he says.
These observations by Red Canary’s security platform flagged the activity for the company’s human analysts to check out. McCammon says he doubts the attack would have been discovered by a completely automated system that was analyzing anomalies on its own.