You may not care where you download software from, but malware does | WeLiveSecurity

Why do people still download files from sketchy places and get compromised as a result?


One of the pieces of advice that security practitioners have been giving out for the past couple of decades, if not longer, is that you should only download software from reputable sites. As far as computer security advice goes, this seems like it should be fairly simple to practice.

But even when such advice is widely shared, people still download files from distinctly nonreputable places and get compromised as a result. I have been a reader of Neowin for over a couple of decades now, and a member of its forum for almost that long. But that is not the only place I participate online: for a little over three years, I have been volunteering my time to moderate a couple of Reddit’s forums (subreddits) that provide both general computing support as well as more specific advice on removing malware. In those subreddits, I have helped people over and over again as they attempted to recover from the fallout of compromised computers. Attacks these days are usually financially motivated, but there are other unanticipated consequences as well. I should state this is not something unique to Reddit’s users. These types of questions also come up in online chats on various Discord servers where I volunteer my time as well.


One thing I should point out is that both the Discord and Reddit services skew to a younger demographic than social media sites such as Twitter and Facebook. I also suspect they are younger than the average WeLiveSecurity reader. These people grew up digitally literate and have had access to advice and discussions about safe computing practices available since pre-school.

A breakdown in communications

Despite having the advantage of having grown up with computers and information on securing them, how is it that these people have fallen victim to certain patterns of attacks? And from the information security practitioner’s side, where exactly is the disconnect occurring between what we’re telling people to do (or not do, as the case may be), and what they are doing (or, again, not doing)?


Sometimes, people will openly admit that they knew better but just did a “dumb thing,” trusting the source of the software when they knew it was not trustworthy. Sometimes, though, it appeared trustworthy, but was not. And at other times, they had very clearly designated the source of the malware as trustworthy even when it was inherently untrustworthy. Let us take a look at the most common scenarios that lead to their computers being compromised:

  • They received a private message via Discord “from” an online friend asking them for feedback on a game the friend was writing. The “game” the online friend was writing was in a password-protected .ZIP file, which they had to download and extract with the password before running it. Unfortunately, the friend’s account had been compromised earlier, and the attacker was now using it to spread malicious software.
  • They used Google to search for a commercial software package they wanted to use but specified that they were looking for a free or a cracked version of it and downloaded it from a website in the search results. It is not always commercial software; even free or open-source programs have recently been targeted by malicious advertising (malvertising) campaigns using Google Ads.
  • Similarly, they searched YouTube for a video about how to download a free or cracked version of a commercial software package, and then went to the website mentioned in the video or listed in its comments to download it.
  • They torrented the software from a well-known site specializing in pirated software.
  • They torrented the software from a private tracker, Telegram channel, or Discord server in which they had been active for over a year.

I would point out that these are not the only means by which people were tricked into running malware. WeLiveSecurity has reported on several notable cases recently that involved deceiving the user:

  • In one notable case, KryptoCibule, cryptocurrency-focused malware that targeted Czech and Slovak users, was spread through a popular local file sharing service, masquerading as pirated games or downloadable content (DLC) for them.
  • In a second, unrelated case, Chinese-language speakers in Southeast and East Asia were targeted with poisoned Google search results for popular applications such as the Firefox web browser, and popular messaging apps Telegram and WhatsApp, to install trojanized versions containing the FatalRAT remote access trojan.

Do any of these scenarios seem similar to each other in any way? Despite the various means of receiving the file (seeking out versus being asked, using a search engine, video site or piracy site, etc.) they all have one thing in common: they exploited trust.

Safe(r) downloads

When security practitioners talk about downloading files only from reputable websites, it seems that we are often only doing half of the job of educating the public about them, or maybe even a little less, for that matter: we’ve done a far better job of telling people what kind of sites to go to (reputable ones, obviously) without explaining what makes a site safe to download from in the first place. So, without any fanfare, here is what makes a site reputable to download software from:

  • You should only download software direct from the author or publisher’s site, or a site expressly authorized by them.

And… that’s it! In today’s world of software, the publisher’s site could be a bit more flexible than what it historically has been. Yes, it could be a site with the same domain name as the publisher’s site, but it could also be that the files are located on GitHub, SourceForge, hosted on a content delivery network (CDN) operated by a third party, and so forth. That is still the publisher’s site, as it was explicitly uploaded by them. Sometimes, publishers provide additional links to additional download sites, too. This is done for a variety of reasons, such as to defray hosting costs, to provide faster downloads in different regions, to promote the software in other parts of the world, and so forth. These, too, are official download sites because they are specifically authorized by the author or publisher.

There are also sites and services that act as software repositories. SourceForge and GitHub are popular sites for hosting open-source projects. For shareware and trial versions of commercial software, there are numerous sites that specialize in listing their latest versions for downloading. These download sites function as curators for finding software in one place, which makes it easy to search and discover new software. In some instances, however, they also can have a darker side: some of these sites place software wrappers around files downloaded from them that can prompt to install additional software besides the program you were looking for. These program bundlers may do things completely unrelated to the software they are attached to and may, in fact, install potentially unwanted applications (PUAs) onto your computer.

Other types of sites to be aware of are file locker services such as Box, Dropbox, and WeTransfer. While these are all very legitimate file sharing services, they can be abused by a threat actor: people may assume that because the service is trusted, programs downloaded from them are safe. Conversely, IT departments checking for the exfiltration of data may ignore uploads of files containing personal information and credentials because they are known to be legitimate services.
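The blind spot described above (uploads to trusted file-locker services passing unexamined) is something a monitoring team can close with a small rule. The following is an added example, not code from the article or from ESET: it sums POST/PUT bytes per user to the three services named above over constructed web-proxy log lines in a hypothetical space-separated format, and flags anyone exceeding a threshold.

```python
"""Flag large uploads to legitimate file-locker services in proxy logs.
Added example; log format, hosts and threshold are constructed for
illustration and do not reflect any particular proxy vendor."""
from collections import defaultdict

# Legitimate file-sharing services named in the article. Uploads to them
# deserve a second look rather than an automatic pass.
FILE_LOCKERS = ("box.com", "dropbox.com", "wetransfer.com")
UPLOAD_THRESHOLD = 50 * 1024 * 1024  # bytes per user and service in the window

# Constructed sample log: "<time> <user> <method> <host> <bytes_sent>"
SAMPLE_LOG = """\
09:01:12 alice GET docs.example.com 812
09:02:40 alice POST upload.dropbox.com 26214400
09:03:05 alice POST upload.dropbox.com 31457280
09:05:10 bob PUT api.box.com 1048576
09:06:33 carol POST content.dropbox.com 4096
09:07:01 bob GET www.wetransfer.com 2048
"""


def locker_for(host: str):
    """Return the file-locker domain a host belongs to, or None.

    Matching requires a dot boundary so that 'notdropbox.com' is not treated
    as dropbox.com, and 'upload.dropbox.com' is not mistaken for box.com."""
    host = host.lower()
    for domain in FILE_LOCKERS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def upload_totals(log_text: str) -> dict:
    """Sum bytes sent per (user, service) for POST/PUT requests to lockers."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of crashing the detector
        _, user, method, host, sent = fields
        service = locker_for(host)
        if method in ("POST", "PUT") and service is not None:
            totals[(user, service)] += int(sent)
    return dict(totals)


def flag_uploads(log_text: str, threshold: int = UPLOAD_THRESHOLD) -> list:
    """Return (user, service, bytes) tuples whose upload volume exceeds threshold."""
    return sorted(
        (user, service, total)
        for (user, service), total in upload_totals(log_text).items()
        if total > threshold
    )


if __name__ == "__main__":
    for user, service, total in flag_uploads(SAMPLE_LOG):
        print(f"review: {user} sent {total} bytes to {service}")
```

A real deployment would key on destination categories from the proxy rather than a hard-coded tuple, but the dot-boundary host match and the per-user aggregation are the parts that matter.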

When it comes to search engines, interpreting their results can be tricky for the uninitiated, or people who are just plain impatient. While the goal of any search engine—whether it is Bing, DuckDuckGo, Google, Yahoo, or another—is to provide the best and most accurate results, their core businesses often revolve around advertising. This means that the results at the top of the page in the search engine results are often not the best and most accurate results, but paid advertising. Many people do not notice the difference between advertising and search engine results, and criminals will take advantage of this through malvertising campaigns where they buy advertising space to redirect people to websites used for phishing and other undesirable activities, and malware. In some instances, criminals may register a domain name using typosquatting or a similar-looking top-level domain to that of the software publisher in order to make their website address less noticeable at first glance, such as example.com versus examp1e.com (note how the letter “l” has been replaced by the number “1” in the second domain).
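The two ideas above, that an official download location is the publisher's own domain plus whatever GitHub or CDN locations it has explicitly authorized, and that a lookalike such as examp1e.com or a swapped top-level domain should not pass, can be turned into a check. This is an added example, not code from the article: the publisher allowlist, the confusable table and the URLs are constructed, and it generalizes the single examp1e.com case to other homoglyph swaps (0/o, rn/m) and to one-character typos.

```python
"""Classify a download URL as official, lookalike or unrelated for a publisher.
Added example; the allowlist below is hypothetical."""
from urllib.parse import urlsplit

# Hypothetical allowlist for a publisher at example.com: its own domain (and
# subdomains), a third-party CDN it uses, and its GitHub organisation, given
# as host + path so that other GitHub accounts are not treated as official.
OFFICIAL = {
    "example.com": ["example.com", "dl.example-cdn.net", "github.com/example-org"],
}

# Single characters commonly swapped for look-alike letters in typosquats.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "|": "l"})


def normalize(label: str) -> str:
    """Fold common homoglyphs: examp1e and exarnple both become example."""
    return label.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute at cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level(host: str) -> str:
    """Registrable label without its TLD: 'dl.example.com' -> 'example'."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_download(url: str, publisher: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a download URL."""
    parsed = urlsplit(url.lower())
    host = parsed.hostname or ""
    for entry in OFFICIAL.get(publisher, [publisher]):
        ehost, _, epath = entry.partition("/")
        # Subdomains count only for plain host entries; an entry with a path
        # (a GitHub organisation) must match host and path prefix exactly.
        same_host = host == ehost or (not epath and host.endswith("." + ehost))
        if same_host and (not epath or parsed.path.startswith("/" + epath + "/")):
            return "official"
    # Not official: does the name imitate the publisher after homoglyph folding,
    # differ by a single typo, or reuse the name under another TLD?
    want, got = normalize(second_level(publisher)), normalize(second_level(host))
    if got == want or edit_distance(got, want) <= 1:
        return "lookalike"
    return "unrelated"
```

The check is deliberately strict about GitHub: a release under a different organisation on the same host is not official just because the host is trusted, which is the same point the article makes about Box, Dropbox and WeTransfer.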

I will point out that there are many legitimate, safe places to go on the internet to download free and trial versions of software, because they link to the publisher’s own downloads. An example of this is Neowin, for whom the original version of this article was written. Neowin’s Software download section does not engage in any type of disingenuous behavior. All download links either go directly to the publisher’s own files or to their web page, making Neowin a reliable source for finding new software. Another reputable site that links directly to software publishers’ downloads is MajorGeeks, which has been listing them on a near-daily basis for over two decades.

While direct downloading ensures that you get software from the company (or individual) that wrote it, that does not necessarily mean it is free of malware: there have been instances where malicious software was included in a software package, unintentionally or otherwise. Likewise, if a software publisher bundles potentially unwanted applications or adware with their software, then you will still receive that with a direct download from their site.

Special consideration should be applied to the various application software stores run by operating system vendors, such as the Apple App Store, the Google Play store, Microsoft’s Windows App stores, and so forth. One might assume these sites to be reputable download sites, and for the most part they are exactly that, but there is no 100% guarantee: unscrupulous software authors have circumvented app stores’ vetting processes to distribute software that invades people’s privacy with spyware, displays egregious advertisements with adware, and engages in other unwanted behaviors. These app stores do have the ability to de-list such software from their stores as well as remotely uninstall it from afflicted devices, which offers some remedy; however, this could be days or weeks (or more) after the software has been made available. Even if you only download apps from the official store, having security software on your device to protect it is a must.

Device manufacturers, retailers, and service providers may add their own app stores to devices; however, these may not have the ability to uninstall apps remotely.

About the malware involved

With all of that in mind, you are probably wondering exactly what the malware did on the affected computers. While there were different families of malware involved, each of which having its own set of actions and behaviors, there were two that basically stood out because they were repeat offenders, which generated many requests for assistance.

  • STOP/DJVU, detected by ESET as Win32/Filecoder.STOP, is a family of ransomware that seemed to heavily target students. While not all of those affected were targeted in the same fashion, several students reported that the ransomware appeared after pirating commercial VST plugins intended for school or personal projects while at university. This is despite the plugins having been downloaded from “high reputation” torrents shared by long-time users and having dozens or sometimes even hundreds of seeders for that particular magnet link.


    Shortly after the software piracy occurred, the students found fairly standard ransomware notes on their desktop. What was unusual about the extortion notes was that instead of asking to be paid tens or hundreds of thousands of dollars, much lower amounts were asked for by the criminals: around US$1,000-1,200 (in cryptocurrency). But that’s not all: victims paying within the first 24-72 hours of notification were eligible for a 50% discount. While the amount being extorted seems very low compared to what criminals targeting businesses ask for, the lower amount may mean a greater likelihood of payment by the victim, especially when faced with such high-pressure tactics.

    It is possible that the STOP/DJVU ransomware is marketed as ransomware-as-a-service (RaaS), which means its developers lease it out to other criminals in exchange for payment and a share of the profits. Other criminals may be using it as well, but it appears that at least one group has found its sweet spot in targeting students.

And just in case you were wondering: I have never heard of anyone successfully decrypting their files after paying the ransom to the STOP/DJVU criminals. Your best bet at decrypting your files is to back them up in case a decryptor is ever released.

  • Redline Stealer, as the name implies, is a family of customizable information-stealing trojans that are detected by ESET as MSIL/Spy.RedLine and MSIL/Spy.Agent. Like the STOP/DJVU ransomware, it appears to be leased out as part of the Criminal software as a Service family of tools. While I have seen multiple reports of it being spread through Discord, since it is “sold” as a service offering, there are probably many criminal gangs distributing it in different fashions for a variety of purposes. In these instances, the victims received direct messages from compromised friends’ accounts asking them to run software that was delivered to them in a password-protected .ZIP file. The criminals even told the victims that if their antivirus software detected anything, that it was a false positive alarm and to ignore it.


As far as its functionality goes, Redline Stealer performs some fairly common activities for information-stealing malware, such as collecting information about the version of Windows the PC is running, username, and time zone. It also collects some information about the environment where it is running, such as display size, the processor, RAM, video card, and a list of programs and processes on the computer. This may be to help determine if it is running in an emulator, virtual machine, or a sandbox, which could be a warning sign to the malware that it is being monitored or reverse engineered. And like other programs of its ilk, it can search for files on the PC and upload them to a remote server (useful for stealing private keys and cryptocurrency wallets), as well as download files and run them.

But the primary function of an information stealer is to steal information, so with that in mind, what exactly does the Redline Stealer go after? It steals credentials from many programs (including Discord, FileZilla, Steam, Telegram, and various VPN clients such as OpenVPN and ProtonVPN), as well as cookies and credentials from web browsers such as Google Chrome, Mozilla Firefox, and their derivatives. Since modern web browsers do not just store accounts and passwords, but credit card info as well, this can pose a significant threat.

Since this malware is used by different criminal gangs, each of them might focus on something slightly different. In these instances, though, the targets were most often Discord, Google, and Steam accounts. The compromised Discord accounts were used to spread the malware to friends. The Google accounts were used to access YouTube and inflate views for certain videos, as well as to upload videos advertising various fraudulent schemes, causing the account to be banned. The Steam accounts were checked for games that had in-game currencies or items which could be stolen and used or resold by the attacker. These might seem like odd choices given all the things which can be done with compromised accounts, but for teenagers, these might be the most valuable online assets they possess.

To summarize, here we have two different types of malware that are sold as services for use by other criminals. In these instances, those criminals seemed to target victims in their teens and early twenties. In one case, extorting victims for an amount proportional to what sort of funds they might have; in the other case, targeting their Discord, YouTube (Google), and online games (Steam). Given the victimology, one has to wonder whether these criminal gangs are composed of people in similar age ranges, and if so, chose specific targeting and enticement methods they know would be highly effective against their peers.

Where do we go from here?

Security practitioners advise people to keep their computer’s operating systems and applications up to date, to only use their latest versions, and to run security software from established vendors. And, for the most part, people do that, and it protects them from a wide variety of threats.

But when you start looking for sketchy sources to download from, things can take a turn for the worse. Security software does try to account for human behavior, but so do criminals who exploit concepts such as reputation and trust. When a close friend on Discord asks you to look at a program and warns that your antivirus software may incorrectly detect it as a threat, who are you going to believe, your security software or your friend? Programmatically responding to and defending against attacks on trust, which are essentially types of social engineering, can be difficult. In the type of scenarios explained here, it is user education and not computer code that may be the ultimate defense, but that is only if the security practitioners get the right messaging across.

The author would like to thank his colleagues Bruce P. Burrell, Alexandre Côté Cyr, Nick FitzGerald, Tomáš Foltýn, Lukáš Štefanko, and Righard Zwienenberg for their assistance with this article, as well as Neowin for publishing the original version of it.

Aryeh Goretsky
Distinguished Researcher, ESET


Note: An earlier version of this article was published on tech news site Neowin.
