You may not care where you download software from, but malware … – We Live Security
Why do people still download files from sketchy places and get compromised as a result?
One of the pieces of advice that security practitioners have been giving out for the past couple of decades, if not longer, is that you should only download software from reputable sites. As far as computer security advice goes, this seems like it should be fairly simple to practice.
But even when such advice is widely shared, people still download files from distinctly nonreputable places and get compromised as a result. I have been a reader of Neowin for over a couple of decades now, and a member of its forum for almost that long. But that is not the only place I participate online: for a little over three years, I have been volunteering my time to moderate a couple of Reddit forums (subreddits) that provide both general computing support as well as more specific advice on removing malware. In those subreddits, I have helped people over and over again as they attempted to recover from the fallout of compromised computers. Attacks these days are usually financially motivated, but there are other unanticipated consequences as well. I should state this is not something unique to Reddit users. These types of questions also come up in online chats on various Discord servers where I volunteer my time as well.
One thing I should point out is that both the Discord and Reddit services skew to a younger demographic than social media sites such as Twitter and Facebook. I also suspect they are younger than the average WeLiveSecurity reader. These people grew up digitally literate and have had access to advice and discussions about safe computing practices available since pre-school.
Despite having the advantage of having grown up with computers and information on securing them, how is it that these people have fallen victim to certain patterns of attacks? And from the information security practitioners' side, where exactly is the disconnect occurring between what we're telling people to do (or not do, as the case may be), and what they are doing (or, again, not doing)?
Sometimes, people will openly admit that they knew better but just did a dumb thing, trusting the source of the software when they knew it was not trustworthy. Sometimes, though, it appeared trustworthy, but was not. And at other times, they had very clearly designated the source of the malware as trustworthy even when it was inherently untrustworthy. Let us take a look at the most common scenarios that lead to their computers being compromised:
I would point out that these are not the only means by which people were tricked into running malware. WeLiveSecurity has reported on several notable cases recently that involved deceiving the user:
Do any of these scenarios seem similar to each other in any way? Despite the various means of receiving the file (seeking out versus being asked, using a search engine, video site or piracy site, etc.) they all have one thing in common: they exploited trust.
When security practitioners talk about downloading files only from reputable websites, it seems that we are often only doing half of the job of educating the public about them, or maybe even a little less, for that matter: we've done a far better job of telling people what kind of sites to go to (reputable ones, obviously) without explaining what makes a site safe to download from in the first place. So, without any fanfare, here is what makes a site reputable to download software from:
And that's it! In today's world of software, the publisher's site can be a bit more flexible than what it historically has been. Yes, it could be a site with the same domain name as the publisher's site, but it could also be that the files are located on GitHub, SourceForge, hosted on a content delivery network (CDN) operated by a third party, and so forth. That is still the publisher's site, as it was explicitly uploaded by them. Sometimes, publishers provide additional links to additional download sites, too. This is done for a variety of reasons, such as to defray hosting costs, to provide faster downloads in different regions, to promote the software in other parts of the world, and so forth. These, too, are official download sites because they are specifically authorized by the author or publisher.
There are also sites and services that act as software repositories. SourceForge and GitHub are popular sites for hosting open-source projects. For shareware and trial versions of commercial software, there are numerous sites that specialize in listing their latest versions for downloading. These download sites function as curators for finding software in one place, which makes it easy to search and discover new software. In some instances, however, they also can have a darker side: some of these sites place software wrappers around files downloaded from them that can prompt to install additional software besides the program you were looking for. These program bundlers may do things completely unrelated to the software they are attached to and may, in fact, install potentially unwanted applications (PUAs) onto your computer.
Other types of sites to be aware of are file locker services such as Box, Dropbox, and WeTransfer. While these are all very legitimate file sharing services, they can be abused by a threat actor: people may assume that because the service is trusted, programs downloaded from them are safe. Conversely, IT departments checking for the exfiltration of data may ignore uploads of files containing personal information and credentials because they are known to be legitimate services.
When it comes to search engines, interpreting their results can be tricky for the uninitiated, or people who are just plain impatient. While the goal of any search engine, whether it is Bing, DuckDuckGo, Google, Yahoo, or another, is to provide the best and most accurate results, their core businesses often revolve around advertising. This means that the results at the top of the page in the search engine results are often not the best and most accurate results, but paid advertising. Many people do not notice the difference between advertising and organic search results, and criminals take advantage of this through malvertising campaigns, in which they buy advertising space to redirect people to websites used for phishing, malware distribution, and other undesirable activities. In some instances, criminals may register a domain name using typosquatting or a similar-looking top-level domain to that of the software publisher in order to make their website address less noticeable at first glance, such as example.com versus examp1e.com (note how the letter l has been replaced by the number 1 in the second domain).
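The two points above, that a publisher's official sources may span its own domain, a third-party CDN and an account on a shared host such as GitHub, and that criminals register look-alike domains (examp1e.com for example.com, or a near-miss top-level domain), can be turned into a simple pre-download check. The following is an added example, not code from the original article or from ESET or Neowin: given a small, constructed allowlist for a hypothetical publisher (the domain names are placeholders, not any real publisher's), it classifies a candidate download URL as authorized, a look-alike of an authorized source, or simply unknown. It catches digit-for-letter and digraph substitutions (1 for l, rn for m), single-character typos and transpositions, a swapped TLD, and punycode-encoded internationalized hosts that decode to a near-copy of the real name.

```python
from urllib.parse import urlsplit

# Constructed allowlist for a hypothetical publisher, "Example Software". Placeholder names only.
# Value is the path prefix a URL must start with; "" means any path on that host (and subdomains).
AUTHORIZED_SOURCES = {
    "example.com": "",                    # publisher's own domain and its subdomains
    "cdn.example-static.net": "",         # third-party CDN the publisher explicitly lists
    "github.com": "/example-software/",   # shared host: only the publisher's own account counts
}

# Substitutions routinely used in typosquats, mapped back to the letters they imitate.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]


def fold_lookalikes(label: str) -> str:
    """Undo common look-alike substitutions so 'examp1e.c0m' folds to 'example.com'."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars cost 1.
    The swap rule is what catches 'exampel.com' (plain Levenshtein would score it 2)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable(host: str) -> str:
    """Crude apex domain = last two labels. Fine for .com/.net placeholders; a real deployment
    would use the Public Suffix List to handle co.uk-style suffixes."""
    return ".".join(host.split(".")[-2:])


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot, and decode punycode so mixed-script look-alikes are visible."""
    host = host.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")   # 'xn--...' labels -> Unicode
    except UnicodeError:
        pass                                         # already Unicode, or not valid IDNA: compare as-is
    return host


def classify_download_url(url: str) -> tuple[str, str]:
    """Return (verdict, detail) where verdict is 'authorized', 'lookalike' or 'unknown'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return "unknown", "not an http(s) URL"
    host = normalize_host(parts.hostname)

    # 1. Exact or subdomain match against the publisher's authorized hosts (and path, on shared hosts).
    for auth_host, path_prefix in AUTHORIZED_SOURCES.items():
        if host == auth_host or host.endswith("." + auth_host):
            if parts.path.startswith(path_prefix):
                return "authorized", auth_host
            return "unknown", f"{auth_host} is shared hosting; path is outside the publisher's account"

    # 2. Not authorized: is it pretending to be? Compare the apex, raw and with look-alikes folded.
    apex = registrable(host)
    folded = fold_lookalikes(apex)
    for auth_host in AUTHORIZED_SOURCES:
        auth_apex = registrable(auth_host)
        if folded == auth_apex or min(edit_distance(apex, auth_apex), edit_distance(folded, auth_apex)) <= 1:
            return "lookalike", f"{host} resembles {auth_host}"
    return "unknown", f"{host} is not an authorized source"


if __name__ == "__main__":
    for candidate in ("https://downloads.example.com/v2/setup.exe",
                      "https://examp1e.com/setup.exe",
                      "https://github.com/someone-else/app/releases/app.zip"):
        print(candidate, "->", classify_download_url(candidate))
```

Two caveats a practitioner should keep in mind: a host allowlist is only half the story on shared hosts, which is why the GitHub entry pins the publisher's account path (anyone can upload to github.com, so the host alone proves nothing), and "authorized" here means only that the URL points where the publisher says its files live; as the article notes later, that does not by itself make the file clean.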
I will point out that there are many legitimate, safe places to go on the internet to download free and trial versions of software, because they link to the publisher's own downloads. An example of this is Neowin, for whom the original version of this article was written. Neowin's Software download section does not engage in any type of disingenuous behavior. All download links either go directly to the publisher's own files or to their web page, making Neowin a reliable source for finding new software. Another reputable site that links directly to software publishers' downloads is MajorGeeks, which has been listing them on a near-daily basis for over two decades.
While direct downloading ensures that you get software from the company (or individual) that wrote it, that does not necessarily mean it is free of malware: there have been instances where malicious software was included in a software package, unintentionally or otherwise. Likewise, if a software publisher bundles potentially unwanted applications or adware with their software, then you will still receive that with a direct download from their site.
Special consideration should be applied to the various application software stores run by operating system vendors, such as the Apple App Store, the Google Play store, Microsoft's Windows app store, and so forth. One might assume these sites to be reputable download sites, and for the most part they are exactly that, but there is no 100% guarantee: unscrupulous software authors have circumvented app stores' vetting processes to distribute software that invades people's privacy with spyware, displays egregious advertisements with adware, and engages in other unwanted behaviors. These app stores do have the ability to de-list such software from their stores as well as remotely uninstall it from afflicted devices, which offers some remedy; however, this could be days or weeks (or more) after the software has been made available. Even if you only download apps from the official store, having security software on your device to protect it is a must.
Device manufacturers, retailers, and service providers may add their own app stores to devices; however, these may not have the ability to uninstall apps remotely.
With all of that in mind, you are probably wondering exactly what the malware did on the affected computers. While there were different families of malware involved, each with its own set of actions and behaviors, two stood out as repeat offenders that generated many requests for assistance.
And just in case you were wondering: I have never heard of anyone successfully decrypting their files after paying the ransom to the STOP/DJVU criminals. Your best bet at decrypting your files is to back them up in case a decryptor is ever released.
As far as its functionality goes, Redline Stealer performs some fairly common activities for information-stealing malware, such as collecting information about the version of Windows the PC is running, username, and time zone. It also collects some information about the environment where it is running, such as display size, the processor, RAM, video card, and a list of programs and processes on the computer. This may be to help determine if it is running in an emulator, virtual machine, or a sandbox, which could be a warning sign to the malware that it is being monitored or reverse engineered. And like other programs of its ilk, it can search for files on the PC and upload them to a remote server (useful for stealing private keys and cryptocurrency wallets), as well as download files and run them.
But the primary function of an information stealer is to steal information, so with that in mind, what exactly does Redline Stealer go after? It steals credentials from many programs, including Discord, FileZilla, Steam, Telegram, and various VPN clients (such as OpenVPN and ProtonVPN), as well as cookies and credentials from web browsers such as Google Chrome, Mozilla Firefox, and their derivatives. Since modern web browsers do not just store accounts and passwords, but credit card info as well, this can pose a significant threat.
Since this malware is used by different criminal gangs, each of them might focus on something slightly different. In these instances, though, the targets were most often Discord, Google, and Steam accounts. The compromised Discord accounts were used to spread the malware to friends. The Google accounts were used to access YouTube and inflate views for certain videos, as well as to upload videos advertising various fraudulent schemes, causing the account to be banned. The Steam accounts were checked for games that had in-game currencies or items which could be stolen and used or resold by the attacker. These might seem like odd choices given all the things which can be done with compromised accounts, but for teenagers, these might be the most valuable online assets they possess.
To summarize, here we have two different types of malware that are sold as services for use by other criminals. In these instances, those criminals seemed to target victims in their teens and early twenties. In one case, extorting victims for an amount proportional to what sort of funds they might have; in the other case, targeting their Discord, YouTube (Google), and online games (Steam). Given the victimology, one has to wonder whether these criminal gangs are composed of people in similar age ranges, and if so, chose specific targeting and enticement methods they know would be highly effective against their peers.
Security practitioners advise people to keep their computers' operating systems and applications up to date, to only use their latest versions, and to run security software from established vendors. And, for the most part, people do that, and it protects them from a wide variety of threats.
But when you start looking for sketchy sources to download from, things can take a turn for the worse. Security software does try to account for human behavior, but so do criminals who exploit concepts such as reputation and trust. When a close friend on Discord asks you to look at a program and warns that your antivirus software may incorrectly detect it as a threat, who are you going to believe, your security software or your friend? Programmatically responding to and defending against attacks on trust, which are essentially types of social engineering, can be difficult. In the type of scenarios explained here, it is user education and not computer code that may be the ultimate defense, but that is only if the security practitioners get the right messaging across.
The author would like to thank his colleagues Bruce P. Burrell, Alexandre Côté Cyr, Nick FitzGerald, Tomáš Foltýn, Lukáš Štefanko, and Righard Zwienenberg for their assistance with this article, as well as Neowin for publishing the original version of it.
Aryeh Goretsky, Distinguished Researcher, ESET
Note: An earlier version of this article was published on tech news site Neowin.