Attacks to make Ask.com Toolbar a conduit for malware are nipped in the bud

The legitimate updater feature had been compromised to spread malicious code


Attackers who were trying to turn the Ask.com Toolbar into a malware dispensary got caught early on when their scheme was picked up by security services that were looking for anomalies.

The malicious actors are unknown, but they managed to get the legitimate Ask.com toolbar update feature to place a dropper/downloader on the computers of several customers of security firm Red Canary.

Once installed, the dropper would bring in secondary malware including banking Trojans and other online-fraud code, says Keith McCammon, CSO of Red Canary. The secondary payloads varied, and some of the dozen or so compromised machines his team found had downloaded more than one kind, he says.

That makes McCammon think the perpetrators were experimenting with various types of malware to zero in on which one would be most effective for their purposes. He detected no attempt to mass-distribute any one form of malware that could have become widespread. The CSO described these secondary payloads as off-the-shelf.

When Red Canary contacted Ask.com, the Q&A/search service provider responded quickly and issued updates that blocked the attacks. McCammon says he hasn’t found evidence of attacks since. Ask.com’s parent company IAC, which Red Canary dealt with, has not responded to Network World’s request for information. This story will be updated when it does.

McCammon says the behavior of the computers after they had been compromised raised a red flag. They were executing files with a .png extension, which is unusual, as was the fact that the first-stage dropper/downloaders had been code-signed just hours before they were discovered.

In the normal course of things, a legitimate update would be signed, then run through quality assurance before being pushed, a process that takes days or weeks. Somehow the attackers got their malware signed by Ask.com and sent out quickly, he says.

Red Canary's security platform flagged these observations for the company's human analysts to check out. McCammon says he doubts the attack would have been discovered by a completely automated system analyzing anomalies on its own.
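The two anomalies McCammon describes, an executable launched from a file with an image extension and a binary signed only hours before it ran, can be written as simple rules over process-execution telemetry. The following is an added illustration, not code from Red Canary or Ask.com; the event records, field names, parent-process name and the 48-hour "freshly signed" window are constructed assumptions.

```python
import ntpath
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical hosts, paths and timestamps).
# Each record: where the binary lived, when its signature was applied,
# when it executed, and the parent process that launched it.
EVENTS = [
    {"host": "ws-01", "path": r"C:\Users\a\AppData\Local\Temp\upd.png",
     "signed_at": "2016-11-08T09:12:00", "executed_at": "2016-11-08T13:40:00",
     "parent": "toolbar_updater.exe"},   # hypothetical updater name
    {"host": "ws-02", "path": r"C:\Users\b\AppData\Local\Temp\helper.exe",
     "signed_at": "2016-11-08T10:00:00", "executed_at": "2016-11-08T11:30:00",
     "parent": "toolbar_updater.exe"},
    {"host": "ws-03", "path": r"C:\Program Files\Toolbar\toolbar.exe",
     "signed_at": "2016-09-20T08:00:00", "executed_at": "2016-11-08T12:00:00",
     "parent": "explorer.exe"},           # routine, weeks-old signature
]

IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}
FRESH_SIGNATURE = timedelta(hours=48)  # assumed threshold; QA normally takes days


def analyze(events):
    """Return one finding per event that trips at least one rule."""
    findings = []
    for e in events:
        reasons = []
        ext = ntpath.splitext(e["path"])[1].lower()
        if ext in IMAGE_EXTS:
            reasons.append(f"code executed from image extension {ext}")
        signed = datetime.fromisoformat(e["signed_at"])
        ran = datetime.fromisoformat(e["executed_at"])
        age = ran - signed
        if timedelta(0) <= age <= FRESH_SIGNATURE:
            hours = age.total_seconds() / 3600
            reasons.append(f"signed only {hours:.1f}h before execution")
        if reasons:
            findings.append({"host": e["host"], "path": e["path"],
                             "parent": e["parent"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f["host"], f["path"], "<-", f["parent"])
        for r in f["reasons"]:
            print("   ", r)
```

Findings like these are triage leads for an analyst, not verdicts; the article's point is that the platform surfaced them for humans to confirm.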
