Why do people still download files from sketchy places and get compromised as a result?
One of the pieces of advice that security practitioners have been giving out for the past couple of decades, if not longer, is that you should only download software from reputable sites. As far as computer security advice goes, this seems like it should be fairly simple to practice. But even when such advice is widely shared, people still download files from distinctly nonreputable places and get compromised as a result.
I have been a reader of Neowin for over a couple of decades now, and a member of its forum for almost that long. But that is not the only place I participate online: for a little over three years, I have been volunteering my time to moderate a couple of Reddit’s forums (subreddits) that provide both general computing support as well as more specific advice on removing malware. In those subreddits, I have helped people over and over again as they attempted to recover from the fallout of compromised computers.
Attacks these days are usually financially motivated, but there are other unanticipated consequences as well.
I should state this is not something unique to Reddit’s users. These types of questions also come up in online chats on various Discord servers where I volunteer my time as well.
One thing I should point out is that both the Discord and Reddit services skew to a younger demographic than social media sites such as Twitter and Facebook. I also suspect they are younger than the average WeLiveSecurity reader. These people grew up digitally literate and have had access to advice and discussions about safe computing practices available since pre-school.
A breakdown in communications
Despite having the advantage of having grown up with computers and information on securing them, how is it that these people have fallen victim to certain patterns of attacks? And from the information security practitioner’s side, where exactly is the disconnect occurring between what we’re telling people to do (or not do, as the case may be), and what they are doing (or, again, not doing)?
Sometimes, people will openly admit that they knew better but just did a “dumb thing,” trusting the source of the software when they knew it was not trustworthy. Sometimes, though, it appeared trustworthy, but was not. And at other times, they had very clearly designated the source of the malware as trustworthy even when it was inherently untrustworthy.
Let us take a look at the most common scenarios that lead to their computers being compromised:
- They received a private message via Discord “from” an online friend asking them for feedback on a game the friend was writing. The “game” the online friend was writing was in a password-protected .ZIP file, which they had to download and extract with the password before running it. Unfortunately, the friend’s account had been compromised earlier, and the attacker was now using it to spread malicious software.
- They used Google to search for a commercial software package they wanted to use but specified that they were looking for a free or a cracked version of it and downloaded it from a website in the search results. It is not always commercial software; even free or open-source programs have recently been targeted by malicious advertising (malvertising) campaigns using Google Ads.
- Similarly, they searched YouTube for a video about how to download a free or cracked version of a commercial software package, and then went to the website mentioned in the video or listed in its comments to download it.
- They torrented the software from a well-known site specializing in pirated software.
- They torrented the software from a private tracker, Telegram channel, or Discord server in which they had been active for over a year.
I would point out that these are not the only means by which people were tricked into running malware. WeLiveSecurity has reported on several notable cases recently that involved deceiving the user:
- In one notable case, KryptoCibule, cryptocurrency-focused malware that targeted Czech and Slovak users, was spread through a popular local file sharing service, masquerading as pirated games or downloadable content (DLC) for them.
- In a second, unrelated case, Chinese-language speakers in Southeast and East Asia were targeted with poisoned Google search results for popular applications such as the Firefox web browser, and popular messaging apps Telegram and WhatsApp, to install trojanized versions containing the FatalRAT remote access trojan.
Do any of these scenarios seem similar to each other in any way? Despite the various means of receiving the file (seeking out versus being asked, using a search engine, video site or piracy site, etc.) they all have one thing in common: they exploited trust.
Safe(r) downloads
When security practitioners talk about downloading files only from reputable websites, it seems that we are often only doing half of the job of educating the public about them, or maybe even a little less, for that matter: we’ve done a far better job of telling people what kind of sites to go to (reputable ones, obviously) without explaining what makes a site safe to download from in the first place. So, without any fanfare, here is what makes a site reputable to download software from:
- You should only download software direct from the author or publisher’s site, or a site expressly authorized by them.

And… that’s it!
In today’s world of software, the publisher’s site could be a bit more flexible than what it historically has been. Yes, it could be a site with the same domain name as the publisher’s site, but it could also be that the files are located on GitHub or SourceForge, or are hosted on a content delivery network (CDN) operated by a third party, and so forth. That is still the publisher’s site, as the files were explicitly uploaded there by the publisher.
Sometimes, publishers also provide links to additional download sites. This is done for a variety of reasons, such as to defray hosting costs, to provide faster downloads in different regions, to promote the software in other parts of the world, and so forth. These, too, are official download sites because they are specifically authorized by the author or publisher.
There are also sites and services that act as software repositories. SourceForge and GitHub are popular sites for hosting open-source projects. For shareware and trial versions of commercial software, there are numerous sites that specialize in listing their latest versions for downloading. These download sites function as curators for finding software in one place, which makes it easy to search and discover new software. In some instances, however, they also can have a darker side: some of these sites place software wrappers around files downloaded from them that can prompt to install additional software besides the program you were looking for. These program bundlers may do things completely unrelated to the software they are attached to and may, in fact, install potentially unwanted applications (PUAs) onto your computer.
Other types of sites to be aware of are file locker services such as Box, Dropbox, and WeTransfer. While these are all very legitimate file sharing services, they can be abused by a threat actor: people may assume that because the service is trusted, programs downloaded from them are safe. Conversely, IT departments checking for the exfiltration of data may ignore uploads of files containing personal information and credentials because they are known to be legitimate services.
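One way to act on that last caveat, instead of exempting the file lockers from review, is to aggregate upload volume per user to those services and flag anything above a threshold regardless of the service’s reputation. The following is an added example and not code from the original article or from ESET; the proxy log format (timestamp, user, method, host, bytes sent), the sample log lines, and the 50 MB review threshold are all constructed for illustration.

```python
"""Flag large uploads to legitimate file-locker services in constructed proxy logs.

Added example, not from the original article or from ESET. The log format
(space-separated: timestamp user method host bytes_sent), the log lines and
the threshold are constructed for illustration; the host list is hypothetical policy.
"""
from collections import defaultdict

# Hypothetical policy list of legitimate file-sharing hosts named in the article.
FILE_LOCKER_HOSTS = {"box.com", "dropbox.com", "wetransfer.com"}
UPLOAD_METHODS = {"POST", "PUT"}
# Hypothetical threshold: more than this many bytes sent by one user to one
# locker host within the log window triggers a review, whatever its reputation.
UPLOAD_REVIEW_BYTES = 50 * 1024 * 1024

# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = """\
2023-03-01T09:12:03Z alice GET  www.example.com 512
2023-03-01T09:15:41Z alice POST api.dropbox.com 73400320
2023-03-01T09:16:02Z bob   GET  dropbox.com 2048
2023-03-01T09:20:19Z carol PUT  upload.wetransfer.com 31457280
2023-03-01T09:25:55Z carol PUT  upload.wetransfer.com 31457280
2023-03-01T09:31:10Z dave  POST mail.example.org 4096
"""


def is_file_locker(host: str) -> bool:
    """True if host is one of the locker domains or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in FILE_LOCKER_HOSTS)


def parse_line(line: str):
    """Parse one constructed log line into a dict; None for malformed lines."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, user, method, host, sent = fields
    try:
        sent_bytes = int(sent)
    except ValueError:
        return None
    return {"ts": ts, "user": user, "method": method.upper(),
            "host": host.lower(), "bytes": sent_bytes}


def upload_totals(log_text: str) -> dict:
    """Sum uploaded bytes per (user, locker host) across the whole log window.

    Summing matters: several medium uploads that each look harmless can add
    up to a volume worth reviewing.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] not in UPLOAD_METHODS:
            continue
        if is_file_locker(rec["host"]):
            totals[(rec["user"], rec["host"])] += rec["bytes"]
    return dict(totals)


def flag_uploads(log_text: str, threshold: int = UPLOAD_REVIEW_BYTES) -> list:
    """Return sorted (user, host, total_bytes) tuples exceeding the threshold."""
    return sorted(
        (user, host, total)
        for (user, host), total in upload_totals(log_text).items()
        if total > threshold
    )


if __name__ == "__main__":
    for user, host, total in flag_uploads(SAMPLE_LOG):
        print(f"review: {user} sent {total} bytes to {host}")
```

On the constructed sample, alice is flagged for a single large upload and carol for two smaller ones that only cross the threshold once summed; bob’s download from the same service is ignored because only upload methods are counted.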
When it comes to search engines, interpreting their results can be tricky for the uninitiated, or people who are just plain impatient. While the goal of any search engine—whether it is Bing, DuckDuckGo, Google, Yahoo, or another—is to provide the best and most accurate results, their core businesses often revolve around advertising. This means that the results at the top of the page in the search engine results are often not the best and most accurate results, but paid advertising. Many people do not notice the difference between advertising and search engine results, and criminals will take advantage of this through malvertising campaigns where they buy advertising space to redirect people to websites used for phishing, malware, and other undesirable activities.
In some instances, criminals may register a domain name using typosquatting or a similar-looking top-level domain to that of the software publisher in order to make their website address less noticeable at first glance, such as example.com versus examp1e.com (note how the letter “l” has been replaced by the number “1” in the second domain).
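A defender’s version of that eyeball check can be automated: fold visually confusable characters before comparing a download host against an allowlist of publisher domains. The following is an added example, not code from the original article or from ESET. The publisher allowlist and the sample hosts are constructed, and the confusable table is a small hand-picked subset rather than a complete one. It also goes a little beyond the page’s single example by flagging a swapped top-level domain, a one-character typo, and a trusted name embedded as a subdomain of an unrelated registrable domain.

```python
"""Flag download URLs whose host is a look-alike of a trusted publisher domain.

Added example, not part of the original article. TRUSTED_PUBLISHERS and the
confusable tables are constructed for illustration; a real deployment would
load the allowlist from policy and use a fuller confusable table.
"""
from urllib.parse import urlsplit

# Constructed allowlist of publisher hosts (hypothetical).
TRUSTED_PUBLISHERS = {"example.com", "publisher-example.org"}

# Single characters commonly swapped for letters in look-alike hostnames.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
# Character pairs that visually approximate one letter.
SEQUENCE_CONFUSABLES = (("rn", "m"), ("vv", "w"))


def host_of(url: str) -> str:
    """Lowercase hostname of a URL; a bare host without a scheme is accepted."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def skeleton(label: str) -> str:
    """Fold confusables so that e.g. 'examp1e' and 'example' compare equal."""
    folded = label.translate(CONFUSABLES)
    for seq, letter in SEQUENCE_CONFUSABLES:
        folded = folded.replace(seq, letter)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> tuple:
    """Split host into (second-level label, TLD). Naive: no public-suffix list."""
    parts = host.split(".")
    if len(parts) < 2:
        return host, ""
    return parts[-2], parts[-1]


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike:<reason>:<publisher>' or 'unknown'."""
    host = host_of(url)
    for pub in TRUSTED_PUBLISHERS:
        # Exact publisher host or a real subdomain of it (downloads.example.com).
        if host == pub or host.endswith("." + pub):
            return "trusted"
        # Trusted name used as a prefix of some other registrable domain
        # (example.com.some-mirror.net), which reads as trusted at a glance.
        if host.startswith(pub + ".") or ("." + pub + ".") in host:
            return f"lookalike:embedded:{pub}"
    sld, tld = registrable(host)
    for pub in TRUSTED_PUBLISHERS:
        pub_sld, pub_tld = registrable(pub)
        if skeleton(sld) == pub_sld and tld == pub_tld:
            return f"lookalike:confusable:{pub}"   # examp1e.com
        if sld == pub_sld and tld != pub_tld:
            return f"lookalike:tld:{pub}"          # example.co
        if edit_distance(sld, pub_sld) == 1 and tld == pub_tld:
            return f"lookalike:typo:{pub}"         # examplee.com
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://example.com/setup.exe", "examp1e.com", "https://example.co/x"):
        print(sample, "->", classify(sample))
```

The comparison is deliberately done on the second-level label only: the article’s point is that the part of the address a person actually reads is where the substitution hides, and a fuller implementation would add a public-suffix list so that hosts like example.co.uk are split correctly.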
I will point out that there are many legitimate, safe places to go on the internet to download free and trial versions of software, because they link to the publisher’s own downloads. An example of this is Neowin, for whom the original version of this article was written. Neowin’s Software download section does not engage in any type of disingenuous behavior. All download links either go directly to the publisher’s own files or to their web page, making Neowin a reliable source for finding new software. Another reputable site that links directly to software publishers’ downloads is MajorGeeks, which has been listing them on a near-daily basis for over two decades.
While direct downloading ensures that you get software from the company (or individual) that wrote it, that does not necessarily mean it is free of malware: there have been instances where malicious software was included in a software package, unintentionally or otherwise. Likewise, if a software publisher bundles potentially unwanted applications or adware with their software, then you will still receive that with a direct download from their site.
Special consideration should be applied to the various application software stores run by operating system vendors, such as the Apple App Store, the Google Play store, Microsoft’s Windows App stores, and so forth. One might assume these sites to be reputable download sites, and for the most part they are exactly that, but there is no 100% guarantee: unscrupulous software authors have circumvented app stores’ vetting processes to distribute software that invades people’s privacy with spyware, displays egregious advertisements with adware, and engages in other unwanted behaviors. These app stores do have the ability to de-list such software from their stores as well as remotely uninstall it from afflicted devices, which offers some remedy; however, this could be days or weeks (or more) after the software has been made available. Even if you only download apps from the official store, having security software on your device to protect it is a must. Device manufacturers, retailers, and service providers may add their own app stores to devices; however, these may not have the ability to uninstall apps remotely.
About the malware involved
With all of that in mind, you are probably wondering exactly what the malware did on the affected computers. While there were different families of malware involved, each having its own set of actions and behaviors, two stood out because they were repeat offenders that generated many requests for assistance.
- STOP/DJVU, detected by ESET as Win32/Filecoder.STOP, is a family of ransomware that seemed to heavily target students. While not all of those affected were targeted in the same fashion, several students reported that the ransomware appeared after pirating commercial VST plugins intended for school or personal projects while at university. This is despite the plugins having been downloaded from “high reputation” torrents shared by long-time users and having dozens or sometimes even hundreds of seeders for that particular magnet link.
- Shortly after the software piracy occurred, the students found fairly standard ransomware notes on their desktop. What was unusual about the extortion notes was that instead of asking to be paid tens or hundreds of thousands of dollars, much lower amounts were asked for by the criminals — around US$1,000-1,200 (in cryptocurrency). But that’s not all: victims paying within the first 24-72 hours of notification were eligible for a 50% discount. While the amount being extorted seems very low compared to what criminals targeting businesses ask for, the lower amount may mean a greater likelihood of payment by the victim, especially when faced with such high-pressure tactics.

  It is possible that the STOP/DJVU ransomware is marketed as ransomware-as-a-service (RaaS), which means its developers lease it out to other criminals in exchange for payment and a share of the profits. Other criminals may be using it as well, but it appears that at least one group has found its sweet spot in targeting students. And just in case you were wondering: I have never heard of anyone successfully decrypting their files after paying the ransom to the STOP/DJVU criminals. Your best bet at decrypting your files is to back them up in case a decryptor is ever released.
- Redline Stealer, as the name implies, is a family of customizable information-stealing trojans that are detected by ESET as MSIL/Spy.RedLine and MSIL/Spy.Agent. Like the STOP/DJVU ransomware, it appears to be leased out as part of the criminal software-as-a-service family of tools. While I have seen multiple reports of it being spread through Discord, since it is “sold” as a service offering, there are probably many criminal gangs distributing it in different fashions for a variety of purposes. In these instances, the victims received direct messages from compromised friends’ accounts asking them to run software that was delivered to them in a password-protected .ZIP file. The criminals even told the victims that if their antivirus software detected anything, it was a false positive alarm and to ignore it.

  As far as its functionality goes, Redline Stealer performs some fairly common activities for information-stealing malware, such as collecting information about the version of Windows the PC is running, username, and time zone. It also collects some information about the environment where it is running, such as display size, the processor, RAM, video card, and a list of programs and processes on the computer. This may be to help determine if it is running in an emulator, virtual machine, or a sandbox, which could be a warning sign to the malware that it is being monitored or reverse engineered. And like other programs of its ilk, it can search for files on the PC and upload them to a remote server (useful for stealing private keys and cryptocurrency wallets), as well as download files and run them.

  But the primary function of an information stealer is to steal information, so with that in mind, what exactly does the Redline Stealer go after? It steals credentials from many programs including Discord, FileZilla, Steam, Telegram, and various VPN clients (such as OpenVPN and ProtonVPN), as well as cookies and credentials from web browsers such as Google Chrome, Mozilla Firefox, and their derivatives. Since modern web browsers do not just store accounts and passwords, but credit card info as well, this can pose a significant threat.

  Since this malware is used by different criminal gangs, each of them might focus on something slightly different. In these instances, though, the targets were most often Discord, Google, and Steam accounts. The compromised Discord accounts were used to spread the malware to friends. The Google accounts were used to access YouTube and inflate views for certain videos, as well as to upload videos advertising various fraudulent schemes, causing the account to be banned. The Steam accounts were checked for games that had in-game currencies or items which could be stolen and used or resold by the attacker. These might seem like odd choices given all the things which can be done with compromised accounts, but for teenagers, these might be the most valuable online assets they possess.
To summarize, here we have two different types of malware that are sold as services for use by other criminals. In these instances, those criminals seemed to target victims in their teens and early twenties. In one case, they extorted victims for an amount proportional to the sort of funds they might have; in the other case, they targeted their Discord, YouTube (Google), and online game (Steam) accounts. Given the victimology, one has to wonder whether these criminal gangs are composed of people in similar age ranges and, if so, whether they chose specific targeting and enticement methods they knew would be highly effective against their peers.
Where do we go from here?
Security practitioners advise people to keep their computer’s operating systems and applications up to date, to only use their latest versions, and to run security software from established vendors. And, for the most part, people do that, and it protects them from a wide variety of threats. But when you start looking for sketchy sources to download from, things can take a turn for the worse. Security software does try to account for human behavior, but so do criminals who exploit concepts such as reputation and trust. When a close friend on Discord asks you to look at a program and warns that your antivirus software may incorrectly detect it as a threat, who are you going to believe, your security software or your friend?

Programmatically responding to and defending against attacks on trust, which are essentially types of social engineering, can be difficult. In the type of scenarios explained here, it is user education and not computer code that may be the ultimate defense, but that is only if the security practitioners get the right messaging across.
The author would like to thank his colleagues Bruce P. Burrell, Alexandre Côté Cyr, Nick FitzGerald, Tomáš Foltýn, Lukáš Štefanko, and Righard Zwienenberg for their assistance with this article, as well as Neowin for publishing the original version of it.
Aryeh Goretsky
Distinguished Researcher, ESET