
Thursday, 16 May 2013

Scareware page pushing PC Speed Maximizer


Everybody should by now be aware how most scareware (aka rogueware aka fake antivirus) operates:
you receive a warning message your PC is infected with malware, and a scan needs to run immediately to help you remedy the infections.

The latest scareware is System Care Antivirus:
System Care Antivirus. (Source: BleepingComputer)

In the past, it was just that: scareware pushes scareware, scareware installs scareware. Not programs that can be considered adware or Potentially Unwanted Programs (PUP/PUA).



Thanks to a heads-up from Maxstar on Twitter, I was able to see how scareware was pushing "PC Speed Maximizer", which can be considered a PUP, but not scareware.

PC Speed Maximizer, unlike "real" scareware, does not have the following behaviour:

  • Annoying pop-ups everywhere, all the time
  • Blocking internet access
  • Blocking other programs (like Task Manager for example)
  • Showing numerous errors & malware infections (where there are none)
  • No real uninstall option (because it's malware)
  • Autostarts with the PC
  • Wants to rip off users


PC Speed Maximizer however does have the following behaviour:

  • Annoying pop-ups, but not constantly
  • Showing numerous errors (where there are none)
  • Autostarts with the PC
  • Wants to rip off users



So let's get to the point here. What is the purpose of this post? To show you an apparently new tactic by which PC Speed Maximizer tries to extract money from users who are not technically savvy.

A new page has been set up at hxxp://pcspeedplus.com
URLVoid Result
PasteBin script


When visiting this page, you are presented with the following message:

"Critical Security Warning!" Oh really?

This pop-up or message box is typical of scareware: clicking the X or clicking OK has the same result...


A "scan" starts running right away:


"Virus infections have been detected!" - XP Micro Antivirus

The following file gets downloaded:
PCSpeedMaximizer.exe
MD5:  e557bf40e5b374b2fe65cfb2502f0a99
Result: 3/46
VirusTotal Result
Anubis Result
Malwr Result
ThreatExpert Result


This file is also digitally signed:
File is digitally signed with its own cert...

Thanks to a great post here, you can find the extracted digital certificate on Pastebin:
http://pastebin.com/50cUYHEc

Surely, this is not an "APT", but it's still interesting such a piece of crap is digitally signed.



PC Speed Maximizer Setup:

Setup screen

Items to clean and optimize on your PC


Obviously there aren't that many errors on my machine; interestingly enough, it's as good as fresh out of the box. To actually be able to fix the "errors" you have to pay up, what a surprise.

When looking around on Google a bit, it seems others are suffering from the same scareware page and the pushing of this... software:
http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/url-httppcspeedpluscomscan-keeps-bringing-up-fake/30ed02a6-2bb0-4165-84ac-56a188cfb131

This user was apparently getting fake messages after clicking on a Yahoo ad; when I received this heads-up, it was apparently spreading through Google Images as well.



Prevention


- Be careful when visiting any webpage. A useful trick is to check the real URL behind the image. Most of the time you can verify this by checking the left corner of your browser:

Clicked on a picture and started loading this website instead of the original one

- Use browser extensions to verify the integrity of an image or URL. Useful add-ons for Google Chrome are, for example, NotScripts and WOT. For Firefox you have NoScript and WOT as well.

- Keep your Antivirus and browser, as well as your browser add-ons up-to-date.

- If it is too late and a 'scan' is already starting, immediately close your browser by bringing up Task Manager (CTRL+ALT+DEL or CTRL+SHIFT+ESC) and killing your browser's process:
  • a) For Google Chrome: chrome.exe or chrome.exe *32
  • b) For Mozilla Firefox: firefox.exe or firefox.exe *32
  • c) For Microsoft's Internet Explorer: iexplore.exe or iexplore.exe *32




Disinfection

If the harm is already done and you are getting warnings, messages or pop-ups stating there are several errors and you need to take 'immediate action' to clean your computer, go to your
C:\Program Files\PC Speed Maximizer or C:\Program Files (x86)\PC Speed Maximizer folder and double-click on unins000.exe. The program will now uninstall itself. In that respect, it is far less intrusive than real scareware.




Conclusion


  • Don't be fooled by warnings or messages trying to scare you; it's all fake.
  • Follow the above prevention tips to decrease the chance of your computer becoming infected.


Final word: adware and/or PUPs have always been annoying, and they sit in a "grey" area where antivirus and antimalware applications have to decide whether to detect them or not, since most of the time the EULA clearly states that this software is being installed and you (as "the user") agree to it. However, pushing PUPs via scareware is a new concept. I've made an earlier post about PUPs and how you can prevent them as well:
http://bartblaze.blogspot.com/2013/01/about-youtube-top-comments.html

Stay safe.






Thursday, 17 January 2013

About YouTube top comments


Have you seen the top comments on YouTube recently? Mostly, they're about the videoclip itself, or about other artists that do not live up to the talent of said videoclip ;-) .

Sometimes, however, spam reaches the top comments (whether or not with a lot of upvotes):
Another user is being addressed, "confirming" the site is real

I've seen this kind of Youtube spam unfold into 2 scenarios:
1) The usual survey scams, promising an iPad for example
2) The download of adware or a PUP (Potentially Unwanted Program) to your machine


Let's take a look at both scenarios, we will go more in depth about the second one, as it is the most interesting. This post includes prevention methods, a removal process and a conclusion at the bottom if you want to skip the investigation.



Investigation


1) Survey scam

As seen in above picture, another user is being addressed. This user did not make any comments on the video at all. I'm guessing they use this little trick to 'confirm' someone asked about it and they are 'just helping out'. The comment has several upvotes as well, thanks to the use of bots.

Clicking on the bit.ly link, you are being redirected to another website:
hxxp://alllightsfull.info/prize/prize.html
2/30 - URLvoid Result
2/33 - VirusTotal Result
AllLightsFull.info - Whois Record

Screenshot:
Congratulations! You won a... Survey scam!

After clicking on Start Now!, you'll get redirected to fill in a survey for a chance of winning an iPad... Which will redirect you to another survey... To another survey.... Until you need to fill in personal details such as your email address. In my case, I had to subscribe to about 20 other instances (read: Brace yourselves, spam is coming) to win the iPad.

Obviously, you won't win anything and your email address will end up on several spam lists.


2) Adware / Potentially Unwanted Program

In this scenario, you end up on a different website, but with a similar, easy layout:
Download Youtube videos with "YouTubeSaved"

Some information about the website:
hxxp://www.youtubesaved.com
1/30 - URLVoid Result
0/34 - VirusTotal Result
YoutubeSaved.com - Whois Record

You can download from Download.com/CNET or directly via their website. I'm not sure what's worse: the fact that you can download this beautiful piece of crap via CNET or that it's Norton/VeriSign Secured.

The following file is downloaded:
cid_185425_sono.exe
Result: 3/46
MD5: a3675a8439b09049a76da7f9c93c4a34
VirusTotal Report
Anubis Report
ThreatExpert Report


In the following minutes, I got several new screens to install additional software:
FLV Media Player coming along with WhiteSmoke

FLV Media Player coming along with PriceGong, Freetwittube,...

Some readers might remember WhiteSmoke from a few years ago, when it came bundled with a rootkit and was particularly annoying as well as hard to remove.

While I was eagerly clicking Next on all of the screens, there were quite a few connections. In fact, in those 5 minutes of installing FLV Media Player (and thus also: Yontoo, Relevant Knowledge, Free Ride Games, Moyea, Remote Programs, PriceGong, Conduit and WhiteSmoke) there were about 1140 outbound HTTP requests, installing even more adware.

If you're interested in these connections, I have uploaded a Fiddler log to Pastebin:
http://pastebin.com/QxcHca1Z
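To make sense of a capture like the one above, it helps to reduce it to a per-host count and a list of which responses actually delivered executables. The script below is an added example, not code from the original post or the Fiddler log; the log format it parses is a constructed, simplified one-request-per-line export (time, method, URL, status, content type), not Fiddler's native format.

```python
"""Summarise outbound HTTP activity captured during a bundled installer run.

Added example. The line format is an assumed, simplified export:
    <time> <method> <url> <status> <content-type>
The hostnames are constructed (.test TLD) and stand in for the real ones.
"""
from collections import Counter
from urllib.parse import urlparse

# Constructed sample capture, standing in for a real proxy log.
SAMPLE_LOG = """\
10:01:03 GET http://cdn.installer.test/stub/offer.json 200 application/json
10:01:04 GET http://cdn.installer.test/bundle/toolbar_setup.exe 200 application/octet-stream
10:01:05 POST http://stats.tracker.test/beacon 204 text/plain
10:01:06 GET http://dl.partner.test/player.exe 200 application/x-msdownload
10:01:06 GET http://dl.partner.test/player.exe 200 application/x-msdownload
10:01:09 GET http://stats.tracker.test/beacon?e=done 200 text/plain
"""

# Content types that commonly carry Windows executables.
EXECUTABLE_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
}


def parse_line(line):
    """Split one capture line into its five fields."""
    ts, method, url, status, ctype = line.split(maxsplit=4)
    return {"time": ts, "method": method, "url": url,
            "status": int(status), "ctype": ctype}


def summarise(log_text):
    """Return total request count, requests per host and executable downloads."""
    requests = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    per_host = Counter(urlparse(r["url"]).hostname for r in requests)
    downloads = sorted({
        r["url"] for r in requests
        if r["ctype"] in EXECUTABLE_TYPES
        or urlparse(r["url"]).path.lower().endswith(".exe")
    })
    return {"total": len(requests), "per_host": per_host,
            "executable_downloads": downloads}


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    print(result["total"], "requests")
    for host, n in result["per_host"].most_common():
        print(f"{n:5d}  {host}")
    print("executables:", *result["executable_downloads"], sep="\n  ")
```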


Interesting to note is that Firefox gave a warning about a particular toolbar:
https://addons.mozilla.org/en/firefox/blocked/i226
From that page:
This add-on is silently side-installed by other software, and doesn't do much more than changing the users' settings, without reverting them on removal.

Actually it does more than that, it redirects your searches (through ad-sponsored networks), changes your homepage, annoys you with pop-ups, .... This does not solely apply to WhiteSmoke.

A total of 63 newly created PE files were found on my machine. Seems like they really wanted me to install as many toolbars and adware as possible. Sometimes, besides being referred to as a PUP or adware, this kind of software is called foistware.

You can find a Pastebin here with all VirusTotal results: http://pastebin.com/87HspUgu
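Counting "newly created PE files" after an install, as done above, comes down to snapshotting the file system before the installer runs and then keeping only the new files that carry a real PE header. The script below is an added example (not the post's own tooling); it builds its own constructed demo directory so it runs anywhere, and the PE check reads only the MZ magic and the "PE\0\0" signature at the offset stored at 0x3C.

```python
"""Find executables created after a baseline snapshot (added example).

The demo data is constructed in a temporary directory; the minimal PE stubs
only carry the two signatures needed for the check, nothing else.
"""
import shutil
import struct
import tempfile
from pathlib import Path


def is_pe(path):
    """True if the file starts with 'MZ' and has 'PE\\0\\0' at e_lfanew."""
    try:
        with open(path, "rb") as f:
            head = f.read(0x40)
            if len(head) < 0x40 or head[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def snapshot(root):
    """Set of all file paths below root (the 'before' baseline)."""
    return {str(p) for p in Path(root).rglob("*") if p.is_file()}


def new_pe_files(root, baseline):
    """Files present now but not in the baseline, filtered to PE images."""
    return sorted(p for p in snapshot(root) - baseline if is_pe(p))


def _make_pe_stub(path):
    # Constructed stub: 'MZ', e_lfanew = 0x40, then the PE signature.
    data = bytearray(0x44)
    data[:2] = b"MZ"
    struct.pack_into("<I", data, 0x3C, 0x40)
    data[0x40:0x44] = b"PE\0\0"
    path.write_bytes(bytes(data))


def demo():
    """Simulate an install dropping files and return the new PE files found."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "readme.txt").write_text("pre-existing")
        _make_pe_stub(root / "existing.exe")        # in baseline, must be ignored
        before = snapshot(root)
        (root / "toolbar").mkdir()                  # constructed 'foistware' drop
        _make_pe_stub(root / "toolbar" / "helper.dll")
        _make_pe_stub(root / "toolbar" / "setup.exe")
        (root / "toolbar" / "log.txt").write_text("x")
        (root / "fake.exe").write_bytes(b"not a real executable")  # .exe name, no PE header
        return [Path(p).relative_to(root).as_posix() for p in new_pe_files(root, before)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```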



Prevention

Now, how do we prevent these applications from ever entering our system? Here are a few tips:

  • Carefully consider what you are installing. Is this program known at all? What does it do? Do I really need this installed? A simple Google search reveals a lot of answers.
  • Don't click Next, Next, Next or OK to everything or in any of the screens you get. This is a golden rule in general.
  • Read the EULA. No wait, what? Those EULAs are always way too long! That's right, luckily there's a tool available which can assist us in identifying unwanted behaviour. The tool is called EULAlyzer, by the same developer as SpywareBlaster (which also helps prevent these).

    I did a scan on a EULA from PriceGong which uncovered the following results:
    EULA states advertising, your searches being submitted and more

  • Use the extension WOT (Web of Trust) to get a second opinion about website X or Y.
  • If you encounter a link that is shortened (for example bit.ly, t.co, tinyurl, ....) you can use a website such as GetLinkInfo or Unshorten to acquire more information on that link. Awesome!



Removal

Of course, it might be too late for some users. They are already seeing pop-ups everywhere, getting amazing deals or are getting redirected in their search engines. Again, you can find some hints:

  • Most of these programs can be easily removed via the Control Panel > Add/Remove Programs. There's also a small guide by Microsoft on how to do that. After uninstallation, these programs will open your browser and offer to reinstall the "product". Just close the browser when that happens.
  • "I removed these programs but am still getting redirected. Why?"
    Probably the Add-On, Extension or Plugin is still installed and active in your browser. Remove or disable this manually by following these steps:
    Removing extensions from Internet Explorer
    Removing extensions from Mozilla Firefox
    Removing extensions from Google Chrome

    Restart your browser afterwards and confirm the changes. It's possible you need to manually reset your homepage as well.

  • "Not everything is gone and I don't see anything in the Add/Remove Programs."
    When this happens, you can use a tool like AdwCleaner. Please keep the following in mind:
    - Close all browsers before executing AdwCleaner
    - Click on Search. A logfile will open. Review this carefully! AdwCleaner is pretty strict in removing adware. Then, you can select delete to delete all the unwanted/malicious entries.
    - More information can be found on the download page of AdwCleaner (see above).
  • After following these steps, use your already installed Antivirus and perform a full scan. When that's finished, you can also use Malwarebytes to perform a Quick Scan and ensure everything is gone. Be sure to select in the Settings tab > Scanner Settings that PUPs are shown in the scan results.
  • If you are having difficulties or are not too sure of following these steps all by yourself, you can always make a post on one of the several forums out there specialized in removing malware and other nonsense from a machine. An example forum where you can get help is BleepingComputer.



Conclusion

After reading this post, I'm sure you can now distinguish the thin line between goodware and foistware, adware, or Potentially Unwanted Programs. With the tips above, you should be able to arm yourself against these kinds of threats.

Some legit programs like Java or Adobe also offer these "toolbars". Don't be fooled! The same above rules should be applied here. Tick off those boxes and read carefully through the installation wizard! Why are these things still around you might ask? There's an interesting article here by Ed Bott:
Why does crapware still exist? Follow the Silicon Valley money trail

You might wonder why your antivirus didn't ring any bells when installing this software. The easy answer is: it is hard to tell whether this is malicious behaviour, as the user consents to and agrees with the EULA - which is basically an agreement to all these unwanted modifications!
The hard and longer answer is something to discuss in a future blogpost.

Conclusion: don't install something when you have no idea what it is or does. Google can be your friend.