A just-in-time catch by sharp-eyed analysts at Red Canary has thwarted what looks like early stage development and deployment of malicious software delivered via Ask.com’s toolbar.
The PE (Portable Executeable) delivered by Ask.com, which is often bundled with Oracle Java installers, is a common browser search toolbar often viewed by users as an annoyance in the best case scenario or an example of a PUP (Potentially Unwanted Program) and malware in the worst case.
From Ask’s own homepage they define what they do as “[We]… provide solutions to help software developers acquire and monetize users. We bring tremendous value to our partners via new revenue streams, increased customer engagement, and ongoing brand promotion.” This by its very definition describes the function of adware.
Red Canary immediately reported their findings to Ask who they later thanked in their swift response in supplying a fix to mitigate the malicious threat.
The CSO at Red Canary, Scott McCammon, outlined the details of their investigation as well as Ask’s response and potential threat surface, stating:
“The impact of this event was minimized by the combination of Red Canary’s ability to identify behaviors not easily detected by software alone, our customers’ ability to respond, and the software vendor’s diligence with respect to mitigation. But we cannot allow the impact of one event to mask the substantial risk that this class of attack exposes. A software supply chain attack targeting a vendor with this type of reach could easily infect thousands or perhaps millions of endpoints worldwide.”
Once the compromised toolbar was installed, the included dropper called additional malicious programs such as banking Trojans and other online fraud warez.
As the secondary payloads varied across the dozen or so compromised machines, the security researchers concluded that the malware was in early stages of development with the malicious actors experimenting with which kind of malware the exploit would ultimately deliver.
The CSO stated that there was no evidence to suggest that any one type of malware had been identified at this stage to be propagated in widespread across the board fashion and that what was being delivered was described as “Off the shelf.”
Although no explanation has yet been offered by Ask as to the root cause of the compromise, Red Canary only spotted the anomalies in the toolbar software by human interaction. McCammon stated that automated software processes wouldn’t have been able to intelligently identify the Indicators of Compromise (IoCs) within the code as the software itself passed all of the standard criteria of expected behavior.
In this case the toolbar’s binaries were signed as legitimate by ask, however, the dates and times of the signing were one of the giveaways of the malicious embedded code. The dates and times were noted as being signed mere hours before the discovery, normal lifecycle timescales would mark at least several days normally as software is passed through typical layers of assurance.
The initial .exe spawned an additional .png file which was in itself executing additional code, another red flag which further alerted the fast acting research team at Red Canary.
Written by: Steven Boyd
Steven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.
(Security Affairs – Ask.com toolbar, malware)