Listed on the websites of these applications are three different companies that are supposedly behind these applications, “Sigma Software”, “GRAND MEDIA, TOV” and “Birmon Software”.
We found that the fake installer was pushed to the victims’ machines through automatic updates of one torrent client ( downloadstudio) and three adblockers ( netshieldkitcom, myadblockcom and netadblockcom). Since then, we spent some time reverse engineering the malware and investigating its infection vector. In our first report, we stated that we did not know how this fake installer was being distributed. The backdoor is most active in Russia, Ukraine and Kazakhstan. In fact, the installer’s main purpose was to open a backdoor to attacker-controlled servers in order to give its operators the ability to push additional malicious payloads to the infected machines.Ī map illustrating the distribution of Avast users protected from the FakeMBAM backdoor. However, that was all just a pretense, because the installer did not actually install Malwarebytes.
This installer attempted to pass itself off as the legitimate Malwarebytes installer, mimicking it to a great extent – it was distributed under the same filename, it used the same icon and it created a Malwarebytes installation directory containing legitimate PE files digitally signed by Malwarebytes. We recently reported on a fake Malwarebytes installer that we detected on over 100,000 machines protected by Avast. We reverse engineered this backdoor and describe its inner workings in the second part of this post. Specifically, we’ll show how one torrent client and three adblockers surreptitiously installed the FakeMBAM backdoor through automatic updates. In this blog post, we’ll show that this trust might sometimes be misplaced.
Unfortunately, users often have no choice but to trust the developers that they will only use the update channel for its intended purpose and that they will protect it from malicious third parties. However, automatic updates also carry an additional risk because they allow the software developers to push arbitrary code to users’ machines. This is commonly considered a good practice from the security point of view, since it allows for quick distribution of patches for critical vulnerabilities. Many applications can be updated automatically and without any user interaction.
0 kommentar(er)
