Tag Archives: adware

Some Clarification…

Posted on by

By Nathan Collier

Recently Webroot posted a blog about an app called “London Olympics Widget” which was found in a third party market that may need further clarification.  This app is what we consider a Potentially Unwanted Application (PUA).  PUAs are apps are not considered to be good, nor are they considered malware either.  They are apps that walk a thin line and thus are in a grey area.  The app in question was classified as a PUA because the of the advertisement SDK add-ons it contains.  There are a lot of free apps out there that contain these advertisement SDK add-ons in order to create revenue, and that’s okay.  It’s when these advertisement SDK add-ons are overly aggressive and display behaviors such as creating ad related home screen icons and bookmarks, accessing the contact list, and displaying ads in your notification bar that we call these PUAs.  We detect these annoying apps in order to inform the user of its presence.  Google has recently taken the same stance against these aggressive advertisements and has updated their Ad Policies to warn developers that this type of aggressive advertising will no longer be allowed in the market: Google Play Developer Program Policies

In the case of “London Olympics Widget”, it is a simple app that displays what events are going on in the Olympics on which days.  Nothing wrong with that at all.  The reason we have classified this as a Potentially Unwanted Application is because it is using the Olympics to draw people into installing their apps so they can make money on multiple aggressive advertisement SDK add-ons.  It is the aggressive advertisement SDK add-ons that are requesting permissions to read contacts, look up device ids, and read SMS messages. Why do they want to read your SMS, collect your contacts and blast you with ads?  Probably not to make your mobile experience better.  Permissions are a scary thing, but just because an app has a permission to do something doesn’t necessarily mean it’s malicious.  It’s the code within the app that uses these permissions that makes the determination of good or bad.  Can “London Olympics Widget” read your contacts and read your SMS?  Yes, but that doesn’t mean they are using the data collected in a malicious way.  They are using the data to for advertisement reasons which isn’t considered blatantly malicious, but is considered something you may not want on your device which is why we detect it as a PUA.

As always, make sure you install apps from safe markets, and if it has more permissions than what you think it should, be cautious.  Scanning with Webroot SecureAnywhere Mobile will detect PUAs and malware to make sure users stay ad annoyance free, and safe while using a mobile device.

London Olympic Widget with shortcuts added by aggressive advertisement SDK

Screen shot of app showing Olympic event on August 11th

Ads that popped up in notification bar

Spamvertised bogus online casino themed emails serving W32/Casonline

Posted on by

By Dancho Danchev

Cybercriminals are currently spamvertising hundreds of thousands of emails enticing end and corporate users into clicking on links leading to bogus online casinos requiring the installation of an executable file.

This is the second bogus casino themed campaign I’ve intercepted in recent months, and the third time when I profile the distribution and infection vectors of W32/Casonline.

More details:

Continue reading

‘Create a Cartoon of You” ads serving MyWebSearch toolbar

Posted on by

By Dancho Danchev

On their way to attract new users, adware providers and online marketers often come up with new and creative ideas tailored to average Internet users. These often include free screensavers, browser plugins, toolbars, and that’s just for starters.

In this post, we’ll profile the market proposition of one of these online advertisers, previously known as a vendor of adware toolbars, and discuss what has changed over the years.

More details:

Continue reading

Seen Ad Pop-up’s in Your Mobile Browser Lately?

Posted on by

by Armando Orozco

Today, one of our Webroot SecureAnywhere for Android users reported seeing ad redirections while browsing on his Android device. As we began investigating, we noticed that there were a lot of other mobile users seeing the same thing – yes, on their iPhones as well! We were also able to reproduce the behavior on our devices.

This appears to be a clever Ad redirection using JavaScript. The pop-ups are survey offers for free electronics like iPads and iPhones. The users are asked to complete a survey, at the end of which their email address and phone number is also recorded. I know we’ve all seen these pop-ups before, but we’re not used to seeing them in our mobile world.

These pop-ups are not related to any apps you may have installed – they are a result of how the web page was written. Web developers use “alert()” function in JavaScript, which displays a message box requesting response from a user. The advertisers utilize this method to display their ads.

We are still investigating this issue and hope to track down the advertisers responsible. There does not appear to be anything malicious about these pop-ups for the time being, but we are sure malware authors will employ this tactic soon. With the rash of Rogue Applications and the recent discovery of a Rogue AV app (blog coming soon), we can see how this method could be exploited with malicious intent. Again, these are not platform or application-specific behaviors.

To remedy these pop-ups, you can disable JavaScript in your browser settings.

Thanks to JohnDeth of our Webroot Community for bringing this to our attention.

Pop-ups at popular torrent trackers serving W32/Casonline adware

Posted on by

By Dancho Danchev

Everyone knows that there’s no such thing as free lunch. The same goes for freely distributed pirated content online.

Recently, Webroot decided to sample malicious activity within some of the most popular Eastern European torrent trackers, based in Bulgaria, Ukraine, and Romania for starters. The results? Countless backdoored key generators and cracks for popular games and software, and most interestingly, monetization of the huge traffic by delivering pop-ups promoting the ubiquitous W32/Casonline adware, which in case you remember was recently spamvertised to millions of end and corporate users.

More details:

Continue reading

Spamvertised bogus online casino themed emails serving adware

Posted on by

By Dancho Danchev

Cybercriminals are currently spamvertising online casino themed emails, which ultimately redirect users to a bogus casino site offering an executable download. Upon deeper examination, it appears that the download is actually adware.

More details:

Continue reading

AutoCAD Adware Trojans Target Techies

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20090630-autocad-propertiesEvery once in a while, you hear whispers or rumors about specially-crafted, targeted malware designed to steal a specific piece of data from a particular victim. The data thieves, in these limited cases, tend to be clever, thoughtful, and methodical in both the creation and deployment of their creations.

Rarely do malware researchers encounter these files. But it does happen occasionally, and I thought I had stumbled upon one of these kinds of spies a few weeks ago. It’s a peculiar Trojan horse which has been written not as a standard Windows application, but as an ObjectARX application — an application which can only run if you have AutoCAD, the engineering and design program from AutoDesk, installed on your PC.

Now, why do you suppose a malware author would write a Trojan that can only run on computers with AutoCAD; a Trojan that is so well designed that it prevents antivirus applications from running, and downloads specific, tailored updates for itself, depending on which version of AutoCAD the victim has on his or her PC?

Sounds a lot like a slick tool for corporate espionage, right? Well, not quite. Fark: It’s just another stupid adware client. We’re calling this dumb gimmick Trojan-Pigrig.

Continue reading

Adware client tags you as its pitchman

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

20090520_btb_promoimgOver the past week, someone has been spamming the file sharing site ThePirateBay.org with comments advertising a new “product” called BittorrentBooster. According to the site’s administrators, the spammer used a large number of fraudulently registered accounts to post the messages as feedback, attached to hundreds, possibly thousands, of downloadable .torrent files, which file-sharers use to initiate a peer-to-peer download session.

I decided to take a closer look, because the product’s claims — to be able to give file-sharers a massive speed boost during the “leeching” (or, downloading) phase of their torrent session — sounded pretty implausible. Impossible is more like it: The spammed ads for the product state, in characteristically broken English, it can help users “get your torrents download in 10 times faster!!”

The simple fact is, the amount of bandwidth available to you, network congestion, the number of people sharing a file, their bandwidth capabilities, and many other factors out of any individual PC’s control determine the download speed for a given torrent. No program can deliver a download performance increase of the scale promised by this product.

So, assuming the claims were snake oil, I took a closer look at what else the program was capable of. As it turns out, it’s a very capable delivery mechanism for advertising—in places I didn’t expect.
Continue reading

Adware Purveyors Panning for Search Gold

Posted on by

SnappyAdz money nooseBy Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

We know most adware companies are shameless in their pursuit of revenue, but it’s been a while since we’ve seen anything as bizarre (or hilariously bold) as the sales pitch from a relative neophyte to the world of adware, which calls itself SnappyAds. On its homepage, SnappyAds posits the hypothetical glee of two business-suited online ad men counting the thousands of dollars they’ve allegedly earned from their allegedly lucrative venture.

Behind the SnappyAds facade, however, is an adware client we (and a few other AV companies) call SearchPan. The installer for the adware client application is hosted on SnappyAds’ webserver, and it modifies both the IE and Firefox browsers to add code which redirects searches through a number of search engines of dubious distinction.

There really isn’t a whole lot to discuss technically about SnappyAds. It really only came to our attention because the Threat Research group as a whole just couldn’t stop laughing when we all saw the pictures of the guy leaning back in his cushy leather chair counting out his Benjamins. They do arrive, as SnappyAds claims, by the ton. So make sure you invest in a forklift before you sign up as a SnappyAds affiliate. You’ll need one to move your palette-loads of cash.

Continue reading

New Malware Ruins Firefox

Posted on by

By Andrew Brandt

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to FurlAdd to Newsvine

Late last year, we read all the buzz about ChromeInject, a malicious DLL that was being billed as the first malware specifically targeting Firefox. It was interesting to see Installashunthat someone built a phishing Trojan for a different browser platform, but ChromeInject was also clearly an early phase in Firefox malware development: It was fairly obvious, and it was easy to eliminate, because it generated an entry in the Plugins menu called “Basic Example Plugin for Mozilla” which you could simply disable with a single mouse click.

Well now it looks like the bar’s been raised. In the past few weeks, we’ve seen malware writers up the ante in their bets against Firefox. Two new spies came across the transom in the past week, and easily managed to load themselves into a freshly installed copy of Firefox 3.0.7. I should note that this isn’t due to any problem or negligence on Mozilla’s part; once you execute malicious code on your PC, any application is vulnerable. Firefox just happens to be a big target.

Continue reading