In the early days of computing, viruses and other malicious software were relatively easy to spot and therefore somewhat easy to mitigate. Today they are far harder to recognize. One of the most prolific kinds of infection is the third-party install (also known as foistware): software that arrives as a byproduct of installing the common programs we all use. Installers for components such as Java, Adobe Reader, CCleaner, iTunes, Skype, µTorrent and Facebook Messenger have all bundled some kind of third-party offer that, unless you are careful to opt out, installs software you probably do not want. Worse still, search-engine advertising has become a delivery channel for the same tactic, and at the time of writing it appears to be the most common way these infections happen.
Google, for example, shows ad-sponsored results above the organic results you are actually looking for. Those sponsored results are simply links from companies and individuals who pay Google to be placed ahead of more relevant results. Anyone with a budget, including criminals and, yes, state-sponsored actors, can therefore pay Google to put whatever link they see fit at the top of your search. To add insult to injury, the way these links are presented makes them hard to tell apart from the organic results. Let's look at what happens when one searches Google for iTunes.
Notice the results that appear above the link to Apple's own website. They are marked by a small orange "Ad" icon to the left of the green destination address, which means they belong to one of Google's paid advertising programs. Clicking one of them takes you to a page that appears completely innocuous.
Both of the sponsored links above lead to the two pages shown. Each has a download button that appears to provide the software we were after, and the second even displays a "McAfee SECURE" badge to lend it an air of legitimacy. Notice that neither site is actually on the apple.com domain, even though one has "apple" in its name. Looking more closely, each page states what it claims is the size of the iTunes installer: one says 12 megabytes, the other 197 kilobytes. The actual 64-bit iTunes installer for Windows (version 11.1.5 at the time of writing) is 142 megabytes. A 197-kilobyte file cannot be iTunes; it can only be a downloader stub that fetches something else once you run it. A whois lookup of the two domains returns registrant addresses in Scottsdale, Arizona and Manacor, Estonia respectively. Bear in mind that whois shows who registered a domain, not where the site is hosted or who operates it, and registrar privacy services routinely substitute their own address (Scottsdale, Arizona, for instance, is the address printed on every record protected by one widely used registrar privacy service). Even so, scams such as these plainly know no national boundaries.
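Before running anything fetched from a sponsored link, the three signals the paragraph above relies on (file size, who signed the file, and where it really came from) can be checked mechanically. The PowerShell below is an added example, not code from the original article; the file name, the expected publisher "Apple Inc.", the apple.com domain and the 100 MB size floor are assumptions for illustration, to be adjusted for whatever product you are installing.

```powershell
# Added example (not from the original article): sanity-check a downloaded
# installer BEFORE running it. Publisher, domain, size floor and file name
# are assumptions for illustration.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$ExpectedPublisher = 'Apple Inc.',   # assumed: CN expected in the Authenticode signer
        [string]$ExpectedDomain    = 'apple.com',    # assumed: the vendor's real domain
        [long]  $MinimumBytes      = 100MB           # assumed: a real iTunes installer is far larger
    )

    $problems = @()
    $file = Get-Item -LiteralPath $Path

    # 1. Size. A 197 KB "installer" cannot be a 142 MB product; it is a
    #    downloader stub that will fetch whatever the operator chooses later.
    if ($file.Length -lt $MinimumBytes) {
        $problems += ('only {0:N1} MB; expected at least {1:N0} MB' -f ($file.Length / 1MB), ($MinimumBytes / 1MB))
    }

    # 2. Authenticode. "Valid" alone is not enough: bundlers often sign their
    #    wrappers with their own perfectly valid certificate, so the signer
    #    must also be the vendor you expected.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $problems += "signature status is '$($sig.Status)'"
    } elseif ($sig.SignerCertificate.Subject -notmatch "CN=$([regex]::Escape($ExpectedPublisher))") {
        $problems += "signed by '$($sig.SignerCertificate.Subject)', not by $ExpectedPublisher"
    }

    # 3. Origin. Browsers on current Windows record the download URL in the
    #    file's Zone.Identifier stream (HostUrl=...). "apple" appearing in a
    #    hostname is not the same as the host being under apple.com.
    $zone    = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostUrl = $zone | Where-Object { $_ -like 'HostUrl=*' } | Select-Object -First 1
    if ($hostUrl) {
        $downloadHost = ([uri]($hostUrl -replace '^HostUrl=', '')).Host.ToLowerInvariant()
        if ($downloadHost -ne $ExpectedDomain -and -not $downloadHost.EndsWith(".$ExpectedDomain")) {
            $problems += "downloaded from '$downloadHost', which is not under $ExpectedDomain"
        }
    } else {
        $problems += 'no download origin recorded; confirm by hand that the URL was on the vendor''s domain'
    }

    [pscustomobject]@{
        Path     = $file.FullName
        Signer   = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' })
        Safe     = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (assumed file name): run against the file you just saved and read
# the Problems list before double-clicking anything.
Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\iTunes64Setup.exe" | Format-List
```

The publisher check is the one people skip: a wrapper from a download portal will often carry a valid signature, just not the vendor's, so "signature valid" on its own proves nothing about what the file installs.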
Only after downloading and running the files do we see what they actually install. We do indeed end up with iTunes, but we also get several pieces of unwanted software, web pages offering more of the same, untrustworthy services running in the background, and hijacked browser home pages (see the images below).
As you can see, clicking links without reading and understanding where they lead can make quite a mess of a computer. Worse, banking or shopping online from such a machine could expose your finances to criminals and end up funding their enterprise. Note also that this kind of software frequently slips past antivirus products: the industry classifies it as Potentially Unwanted Programs (PUPs) rather than as viruses or spyware, and many products do not block PUPs by default.
With some research and analysis you can build a heat map of a search engine's result page and use it to decide where it is safe to click. Below are examples from a few of the most popular search engines: red marks results that are potentially irrelevant or dangerous, green marks the organic, contextual results.
As mentioned earlier, search engines are not your only worry when it comes to third-party installs. Many commonly used applications bundle them as well. Take, for example, the Java Runtime Environment from Oracle and µTorrent from BitTorrent Inc.
Java is a programming language, and the Java runtime is what lets Java applications run on your computer. Chances are you have downloaded a program that required it, so it is probably installed on your system. Java also ships a browser plug-in for running Java applets inside a web page. Common uses include games played on or downloaded from sites such as Big Fish, WildTangent and Pogo, as well as the interactive games and media players found on Facebook and SoundCloud.
µTorrent is a BitTorrent client, used to download a file from many peers on the Internet at once; pulling pieces from multiple sources in parallel greatly increases the potential download speed. There are many legitimate reasons to use it, but one of its more common and controversial uses is the illegal downloading of copyrighted games, music and movies. If you find this or any other torrent client on your machine and do not know how it got there, it is wise to ask who installed it and whether it is being used legally, before you receive an unexpected copyright-infringement notice from your Internet Service Provider.
Neither program is malicious in the traditional sense. Both, however, come with caveats in the form of third-party installers. To the right and below are screenshots of the particular dialogs shown to the user during each installation; these dialogs are where the user chooses whether to accept the bundled third-party software.
It turns out that the Ask.com changes offered in the dialog above are installed on a timer. After the Java installer finishes, the Ask installer keeps running but delays its work for 10 minutes. If you are an experienced Windows user and missed the initial checkbox, your instinct may be to open Control Panel, go to Programs and Features and remove it right away. When you do, you will see only the Java update, with no reference to Ask at all. You might also check your browser settings and find nothing changed. You might conclude that you dodged a bullet and the unwanted software was never installed. You would be wrong: the Ask installer is still running, and after its 10-minute wait it drops two programs onto the system. Many consider this extremely deceptive marketing. Alas, Java is not the only software that does this, but it is among the most widespread.
µTorrent's foistware pulls some tricks of its own. It replaces your single home page with two. The first is a fake Yahoo.com page produced by the Spigot redirector software: some of what you type is indeed passed on to Yahoo, but all of it flows through Spigot, which intercepts it and redirects your search results. Clicking the link in the middle of that page, which appears to take you to the real Yahoo.com, leads to yet another fake page, this one with an email login button to capture your credentials. The second home page is set to a We-Care.com reminder page, another traffic redirector, which claims to donate part of the revenue it earns from purchases made through its site and services. Both are protected by background processes, installed alongside them, that are designed to prevent removal.
This is why it is so important to read and understand dialogs like these when installing programs on any computer. Failing to do so can lead to a great many problems and some hefty repair bills. Let us take a moment to look at the result of accepting these third-party installs. Keep in mind that if the machine is left in this state, there is every reason to believe more will follow, and the computer may stop working properly, or at all.
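The delayed Ask drop and the home-page rewrite described above both leave traces in places that Programs and Features never shows: a dropper process that outlives the installer, new services, Run keys, scheduled tasks, and rewritten browser start pages. The PowerShell below is an added example, not code from the original article; it snapshots those places before the vendor's installer runs and reports what has appeared afterwards. The snapshot file name and the 15-minute wait are assumptions; the registry paths are the standard Windows Run, Uninstall and Internet Explorer keys, and the Chrome path is its default profile location.

```powershell
# Added example (not from the original article): snapshot the places a bundled
# installer leaves its footprints, run the vendor's installer, wait past the
# bundler's delay, then diff a second snapshot against the first.
# Snapshot file name and wait time are assumptions for illustration.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$UninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-RunKeyEntries {
    foreach ($path in $RunKeys) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) { "$($key.Name)\$name = $($key.GetValue($name))" }
    }
}

function Get-ScheduledTaskEntries {
    # schtasks /v repeats its CSV header once per task folder; drop those rows.
    schtasks.exe /query /fo csv /v 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        ForEach-Object { "$($_.TaskName) | $($_.'Task To Run')" }
}

function Get-HomePages {
    # IE keeps the first home page in 'Start Page' and any additional ones
    # (the "two home pages" trick) in the multi-string 'Secondary Start Pages'.
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    $pages = @("IE start page: $($ie.'Start Page')")
    foreach ($p in @($ie.'Secondary Start Pages')) { if ($p) { $pages += "IE secondary start page: $p" } }

    # Chrome stores its settings as JSON; the home page and startup URLs are the usual targets.
    $chromePrefs = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Preferences'
    if (Test-Path $chromePrefs) {
        try {
            $prefs = Get-Content -LiteralPath $chromePrefs -Raw | ConvertFrom-Json
            $pages += "Chrome homepage: $($prefs.homepage)"
            foreach ($u in @($prefs.session.startup_urls)) { if ($u) { $pages += "Chrome startup URL: $u" } }
        } catch { $pages += "Chrome: could not parse $chromePrefs" }
    }
    $pages
}

function Get-FoistwareSnapshot {
    # Every category is a flat list of strings so two snapshots can be diffed by simple lookup.
    [ordered]@{
        Processes = @(Get-CimInstance Win32_Process | ForEach-Object { "$($_.Name) | $($_.ExecutablePath)" } | Sort-Object -Unique)
        Services  = @(Get-CimInstance Win32_Service | ForEach-Object { "$($_.Name) | $($_.StartMode) | $($_.PathName)" })
        RunKeys   = @(Get-RunKeyEntries)
        Tasks     = @(Get-ScheduledTaskEntries)
        Programs  = @(Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue | Where-Object { $_.DisplayName } | ForEach-Object { $_.DisplayName } | Sort-Object -Unique)
        HomePages = @(Get-HomePages)
    }
}

function Save-FoistwareSnapshot([string]$Path) {
    Get-FoistwareSnapshot | Export-Clixml -LiteralPath $Path
}

function Compare-FoistwareSnapshot([string]$BaselinePath) {
    # Report only what exists now and did not exist in the baseline.
    $before = Import-Clixml -LiteralPath $BaselinePath
    $after  = Get-FoistwareSnapshot
    foreach ($category in $after.Keys) {
        $known = @{}
        foreach ($item in @($before[$category])) { if ($null -ne $item) { $known[[string]$item] = $true } }
        $added = @($after[$category] | Where-Object { $_ -and -not $known.ContainsKey([string]$_) })
        if ($added.Count -gt 0) {
            Write-Host "[$category] new since baseline:" -ForegroundColor Yellow
            $added | ForEach-Object { Write-Host "  + $_" }
        }
    }
}

# Usage (assumed file name): baseline first, then run the vendor's installer,
# then wait longer than the bundler's delay. The Ask installer waits 10
# minutes, so 15 is a safe margin.
# Save-FoistwareSnapshot -Path "$env:TEMP\before-install.xml"
# ...run the installer...
# Start-Sleep -Seconds 900
# Compare-FoistwareSnapshot -BaselinePath "$env:TEMP\before-install.xml"
```

Run both halves from the same elevated session so the HKLM keys and all processes are visible. The Processes category is deliberately part of the diff: the tell-tale sign of the timed install is an unfamiliar executable that is still running after the vendor's installer has exited, and that is exactly what Programs and Features cannot show you.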
Remember that good antivirus software is extremely important on proprietary operating systems like Windows, but it is only half the battle. The other half is the user's understanding of, and vigilance against, deceptive practices like these. Be mindful that your computer is your home and there are traces of who you are all over it. Don't let strangers in without getting to know them first.