Training Your Family to Spot Malware

January 22, 2014 - By Chris Larsen

Security guys are always on call. Last night, as I'm spending a moment away from hunting for Bad Guys, my daughter says "Hey Dad, come take a look at this -- my browser just opened a new tab, with something about a software upgrade."

(Alarm bells go off in head... Looks like the anti-malware crusader is back on the job...)

So I look at her browser: she's got a tab open to grooveshark.com (she was listening to music as she did her homework), and not one, but two tabs are open to a site called getsoftfree.com.

Just looking at the domain name, I said, "Yep, that's an evil site."

See what you think:

[Screenshot: the getsoftfree.com "software upgrade" page]

Sure enough, when I downloaded the setup.exe file, and ran it through VirusTotal for a quick check, here's what I got:

[Screenshot: VirusTotal results for the downloaded setup.exe]

So it's a confirmed case of PUS (Potentially Unwanted Software). Actually, in my case, a better acronym would be DUST (Definitely Unwanted Software Trash)...


One notable development in this PUS gang is that when I uploaded the setup.exe file to VT, it was scanned as a new file -- that is, VT hadn't seen a copy previously. This made me suspect that the Bad Guys were morphing the program: changing some encryption, obfuscation, or packing, with each download. Sure enough, when I downloaded another copy a few minutes later, this version of setup.exe was also seen as a first-time submission. (But with an identical detection rate of 9 hits.)

In the past, the PUS networks tended to stick with a particular version of their junk files for relatively long periods of time, and it was just the "real malware" that used tricks like polymorphic downloads. They're clearly learning some new tricks from the pros -- and showing their evil nature in the process.
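As an added example (not from the original post), here is a small Python heuristic that encodes the observation above: repeated fetches of one URL that each hash differently, are each new to VirusTotal, yet score about the same, are the signature of per-download morphing. The sample records, the engine count of 48 and the "wrapper" bytes are constructed for the demo.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Download:
    """One fetch of a file plus what VirusTotal reported for it."""
    url: str
    content: bytes
    vt_seen_before: bool   # did VT already know this exact file?
    vt_detections: int     # engines that flagged it
    vt_engines: int        # engines that scanned it


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def per_download_morphing(downloads, max_rate_spread=0.10):
    """True when repeated fetches of one URL look like a per-download
    morphing campaign: every copy hashes differently, every copy is new
    to VT, yet the detection rate barely moves (same junk, fresh wrapper)."""
    if len(downloads) < 2 or len({d.url for d in downloads}) != 1:
        return False
    hashes = [sha256_hex(d.content) for d in downloads]
    all_distinct = len(set(hashes)) == len(hashes)
    all_unseen = all(not d.vt_seen_before for d in downloads)
    rates = [d.vt_detections / d.vt_engines for d in downloads]
    stable_rate = (max(rates) - min(rates)) <= max_rate_spread
    return all_distinct and all_unseen and stable_rate


# Constructed sample: two fetches of the same setup.exe a few minutes
# apart; the bytes differ only in a trailing re-packed "wrapper" blob.
# 9 hits matches the post; 48 engines is an assumed total.
MORPHING = [
    Download("http://getsoftfree.com/setup.exe", b"MZ..core.." + b"wrapper-A", False, 9, 48),
    Download("http://getsoftfree.com/setup.exe", b"MZ..core.." + b"wrapper-B", False, 9, 48),
]

# Constructed control: a legitimate installer served byte-identical
# both times and already known to VT.
STABLE = [
    Download("http://vendor.example/setup.exe", b"MZ..legit..", True, 0, 48),
    Download("http://vendor.example/setup.exe", b"MZ..legit..", True, 0, 48),
]

if __name__ == "__main__":
    print("morphing:", per_download_morphing(MORPHING))  # True
    print("control:", per_download_morphing(STABLE))     # False
```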


Anyway, back to the story...

So then my daughter wanted to know where those new browser tabs had come from.

"That's easy," I said. "Grooveshark is selling you out.* They're running ads that include an unscrupulous ad provider somewhere in the chain. And that's what is popping open the new tabs."

(And right about then, as I was mousing over the ads on the page, to illustrate my point that it could be coming from any of them, right on cue another browser tab popped open to the evil site. I should also note that Grooveshark showed up in the initial blog post on the big malvertising network we busted last fall, so this wouldn't be their first brush with malvertising.)


This is why I've tried to train my family to never trust a browser window telling them they need to upgrade, or offering any sort of software, and I'm glad they pay attention. But it's discouraging, to see so much of this junk out there...

I'm not sure what the solutions are. Maybe if enough brands are hurt by the perception that they're selling out their users to scammers and spyware/adware purveyors, they'll start putting more pressure on their ad providers to screen out the trash.


--C.L.

@bc_malware_guy

* Disclaimer: I don't have Wireshark on the family homework laptop, so I don't have absolute proof that it was a malvertising attack on Grooveshark. But that was the only site open in the browser, and those other tabs had to be opening from something on that page...