Tag Archives: adware

Blog Post Shout Out: Google Chrome Cleanup and GDPR

Google have made available a clean-up tool within Google Chrome to remove threats such as adware, browser hijackers, fake system optimizers and tracking software which may be impacting your browsing experience.

This tool from ESET appears to be a revised version of the tool I discussed over 3 years ago. This blog post from Lawrence Abrams of Bleeping Computer provides more details of how to use it and what data it collects (and sends to Google who retain it for 14 days). If you are experiencing issues with Google Chrome, this tool is a good place to start your troubleshooting. If necessary a full reset can later be performed.

====================
Separately, with the European General Data Protection Regulation (GDPR) (an overview of which was written by Dr. Jessica Barker) due to come into effect on the 25th of May, you may be receiving emails from every online service or account that you have advising you of their approach to the new regulation.

Most of these emails do not ask you to take any action; however, some will request that you review the information they have on file/record and update it if necessary. My advice for these emails is to treat them as you would any email you receive regarding an online account: with caution.

If, for example, you receive an email purporting to be from PayPal but you don’t have a PayPal account, delete it! For the emails you do receive, if you suspect they are fraudulent then, as per past advice from SANS, call the company yourself and verify that they are sending such emails and what actions (if any) they wish you to take. Be very careful if you do click on the links and think before you provide any personal information (in almost all cases you won’t have to enter anything).

====================
I hope the above blog posts, for which I have provided a respectful shout out, provide a useful resolution if you are experiencing issues with Google Chrome and guidance on how to approach the large volume of email you are likely receiving.

====================
Update: 24th May 2018
====================
I received a call yesterday from one online account I hold stating they had sent me an email yesterday relating to GDPR and asking me to update my preferences. While it was a genuine call (I did receive the email that very morning), I had not yet acted on it. The person even offered to call me back today to check that I had updated my preferences. I explained I would update them and that a call back would not be necessary.

This very much is the exception; no other online account has called me. As always, be cautious accepting calls and don’t provide any personal information to someone you do not know; they may not be who they claim to be.

Thank you.

Blog Post Shout Out (late November 2015)

In recent weeks the security firm Malwarebytes have encountered an updated variant of the Vonteera adware (see Aside below for a definition).

This updated variant uses a technique involving certificates (which were also discussed in a recent blog post) in an effort to prevent anti-malware software from removing this adware from an affected device.

Within the blog post mentioned below, Malwarebytes detail how to bypass the protection technique used by the Vonteera adware so that you can remove this threat from your computer:

Vonteera Adware Uses Certificates to Disable Anti-Malware by Pieter Arntz (Malwarebytes)

If you or anyone you know is affected by this adware, the above mentioned blog post should be of assistance in removing this threat.

Thank you.

=======================
Aside:
What is adware?

Adware is software that is either a program on your computer that displays adverts to you or changes your web browser home page to a website it wishes to promote. Such adware can collect personal information without your consent and send it back to a particular company/entity. A complete definition of adware is provided here.
=======================

Detecting and Removing Apple iOS YiSpecter Malware

Early this month news of a new malware threat for Apple iOS devices (iPhone and iPad) began to circulate. This threat has been named YiSpecter by Palo Alto Networks.

This threat has primarily been seen in East Asia, particularly in China and Taiwan. However, the method of infection and its effects could easily be used by other threats in the future, and thus Apple iOS users should take the appropriate precautions which I discuss below.

Why Should This Threat Be Considered Important?
This threat is distributed from a number of different places (my thanks to Symantec for the full list of where this threat originates from):

  • Hijacked Internet Service Provider (ISP) Traffic causing websites to redirect to another page where the threat is downloaded
  • Forums
  • Social media
  • Alternative App Stores

The threat allows an adversary to perform a range of actions of their choice namely by first installing a backdoor (defined) and installing adware (defined here and here). The backdoor provides the malware authors with the following capabilities:

  • Download and install fraudulent apps (that appear to be legitimate iOS system apps)
  • Change Apple Safari bookmarks to all point to a link specified by the command and control server (see Aside below for a definition) of this malware
  • Uninstall apps
  • Display adverts within installed apps
  • Change your default search engine
  • Steal information about you

This malware can infect both jailbroken (defined) and non-jailbroken Apple devices. This is possible since it makes use of a legitimate means of app installation (enterprise provisioning) normally used by large corporations to allow their employees to install customized corporate apps that are not otherwise available in the official Apple App Store. Such apps are not checked by Apple and thus have the potential to incorporate malicious functionality (that would otherwise be blocked/not allowed by Apple).

Through the malware’s use of private APIs (Application Programming Interfaces) (defined) the malware can install malicious apps of its choice without notifying the user. Private APIs are a means of using functions within Apple iOS that Apple has not publicly documented, since such functions are not considered stable; that is, they are not guaranteed to still be present in future releases of the iPhone SDK and may work slightly differently than before.

These malicious apps can replace legitimate apps with malicious versions of the same name (by uninstalling the legitimate apps). These private APIs are also used to show adverts within apps not known to the malware. Finally, such private APIs are used to gather a list of the installed apps on your phone.

How Can I Protect Myself From This Threat?
If you suspect that your iPhone is infected with this malware e.g. you have seen full screen adverts when using apps on your phone, please follow the steps provided at the end of this Palo Alto Networks blog post to manually remove this threat.

As mentioned by Palo Alto Networks, the most effective means of avoiding infection by this threat is to only download apps from the official Apple App Store and not to trust unknown app developers. However, they also acknowledge that this will prevent most infections (from similar threats) but not all.

In addition, Apple has confirmed that Apple iPhone users with iOS version 8.4 and later are not vulnerable to this threat. However it would still be recommended to use the most recent iOS update to benefit from the security improvements that it includes. iOS 9.0 and later will also make the installation of this malware a more deliberate action on your part and thus you are less likely to install the malware inadvertently. This change involves manually setting a related provisioning profile to “trusted” in the Settings menu before you can install enterprise/corporate provisioned apps rather than simply choosing “OK” when you are about to launch the app. The latest iOS at the time of writing is 9.0.2.
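The enterprise provisioning route described above leaves a trace inside every app installed that way: a provisioning profile stating which team signed it and whether it may be installed on any device. As an added illustration (not code from the original post, from Palo Alto Networks or from Apple), here is a small Python script that reads such a profile and reports whether the app was signed for enterprise (in-house) distribution rather than coming from the App Store. It assumes the usual layout of an embedded.mobileprovision file (a signed CMS blob wrapping an XML property list) and the standard keys in that plist; the sample profile and the team details in it are constructed for the demonstration, and the CMS signature itself is not verified.

```python
import plistlib
from datetime import datetime, timezone
from typing import Optional


def extract_plist(blob: bytes) -> dict:
    """Pull the XML property list out of a CMS-wrapped .mobileprovision blob.

    The CMS envelope is DER-encoded, but the payload is plain XML text, so for
    triage it is enough to cut from '<?xml' to '</plist>' and parse that span.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no embedded property list found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def classify_profile(profile: dict, now: Optional[datetime] = None) -> dict:
    """Summarise what the profile claims about how the app may be installed."""
    # plistlib returns naive UTC datetimes for <date> values, so compare naive UTC.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        kind = "enterprise"          # in-house distribution: installs on any device
    elif "ProvisionedDevices" in profile:
        kind = "ad-hoc/development"  # limited to the listed device UDIDs
    else:
        kind = "app-store"
    expires = profile.get("ExpirationDate")
    return {
        "kind": kind,
        "sideloaded": kind != "app-store",
        "team": profile.get("TeamName", "?"),
        "team_id": ",".join(profile.get("TeamIdentifier", [])),
        "app_id": entitlements.get("application-identifier", "?"),
        "debuggable": bool(entitlements.get("get-task-allow", False)),
        "expired": bool(expires is not None and expires < now),
    }


def triage(blob: bytes) -> dict:
    """Convenience wrapper: raw profile bytes in, verdict dictionary out."""
    return classify_profile(extract_plist(blob))


def make_sample_profile(kind: str = "enterprise", expired: bool = False) -> bytes:
    """Constructed sample profile (hypothetical team, not a real profile), wrapped
    in filler bytes that stand in for the CMS signature envelope."""
    plist = {
        "AppIDName": "Example In-House App",
        "TeamName": "Example Corp (constructed)",
        "TeamIdentifier": ["ABCDE12345"],
        "ExpirationDate": datetime(2016, 1, 1) if expired else datetime(2030, 1, 1),
        "Entitlements": {
            "application-identifier": "ABCDE12345.com.example.inhouse",
            "get-task-allow": False,
        },
    }
    if kind == "enterprise":
        plist["ProvisionsAllDevices"] = True
    elif kind == "ad-hoc/development":
        plist["ProvisionedDevices"] = ["00000000-000000000000DEADBEEF0000"]
    return b"\x30\x82\x01\x00FAKE-CMS-ENVELOPE" + plistlib.dumps(plist) + b"FAKE-CMS-TRAILER"


if __name__ == "__main__":
    for sample_kind in ("enterprise", "ad-hoc/development", "app-store"):
        print(sample_kind, triage(make_sample_profile(sample_kind)))
```

On a real device the profiles that have been trusted are the ones listed under Settings, General, Profiles (or Device Management); an app whose profile reports "enterprise" for a team you do not recognise is exactly the kind of install this post recommends removing.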

I hope that the above information and suggestions are useful in removing this threat if you have been affected by it and in preventing this threat from being installed on your Apple device in the first instance.

Thank you.

=======================
Aside:
What is a command and control server?

When malware can be controlled by its author remotely, that control is usually carried out using a server.

The command and control server (sometimes shortened to the “C2” server) allows the malware author to administer the devices under their control in a convenient manner. This control can include issuing commands to multiple devices to carry out an action at a desired time. Examples would be changing the type of data being collected by the malware (if the malware has this capability), requesting the malware to send all of its collected data back to the server for later review, uninstalling the malware and updating the malware to provide it with more capabilities of the author’s choice.

Command and control servers are usually separate from the devices they control. The servers communicate with the controlled devices using a customized protocol.
=======================
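The scheduled contact the aside describes (a device checking in with its server for commands) is also what makes C2 traffic detectable from the defender's side. As an added example that is not part of the original post, here is a small Python script that looks for "beaconing" in proxy log lines: one client contacting the same host at near-identical intervals, which human browsing almost never does. The log format, the host names and the thresholds are all assumptions made for the demonstration, and the sample lines are constructed.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# One request per line: "YYYY-MM-DD HH:MM:SS client_ip METHOD host". Constructed
# sample data: 10.0.0.5 browses a news site irregularly but also contacts
# updates.example.test about once a minute with almost no jitter, which is what an
# implant polling its C2 server for commands looks like in proxy logs.
SAMPLE_LOG = [
    "2015-10-12 08:00:00 10.0.0.5 GET updates.example.test",
    "2015-10-12 08:00:05 10.0.0.5 GET news.example.test",
    "2015-10-12 08:00:09 10.0.0.5 GET news.example.test",
    "2015-10-12 08:01:01 10.0.0.5 POST updates.example.test",
    "2015-10-12 08:02:00 10.0.0.5 GET updates.example.test",
    "2015-10-12 08:03:02 10.0.0.5 GET updates.example.test",
    "2015-10-12 08:03:40 10.0.0.5 GET news.example.test",
    "2015-10-12 08:04:00 10.0.0.5 POST updates.example.test",
    "2015-10-12 08:04:02 10.0.0.5 GET news.example.test",
    "2015-10-12 08:05:01 10.0.0.5 GET updates.example.test",
    "2015-10-12 08:06:00 10.0.0.5 GET updates.example.test",
    "2015-10-12 08:11:15 10.0.0.5 GET news.example.test",
    "2015-10-12 08:12:00 10.0.0.5 GET news.example.test",
    "2015-10-12 08:30:00 10.0.0.5 GET news.example.test",
    "2015-10-12 08:30:01 10.0.0.7 GET cdn.example.test",
    "this line is malformed and is skipped",
]

LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (?:GET|POST) (\S+)$")


def parse_log(lines):
    """Yield (timestamp, client, host) for each well-formed line."""
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line: skip it rather than abort the whole pass
        stamp, client, host = match.groups()
        yield datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), client, host


def find_beacons(lines, min_hits=6, max_jitter=0.1):
    """Return (client, host) pairs whose request intervals are suspiciously regular.

    Regularity is measured as the coefficient of variation of the gaps between
    requests (standard deviation / mean); a value near 0 means a fixed period.
    """
    seen = defaultdict(list)
    for stamp, client, host in parse_log(lines):
        seen[(client, host)].append(stamp)
    findings = []
    for (client, host), stamps in seen.items():
        if len(stamps) < min_hits:
            continue  # too few requests to say anything about periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            findings.append({
                "client": client, "host": host, "hits": len(stamps),
                "period_s": round(mean, 1), "jitter": round(jitter, 3),
            })
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(f"{finding['client']} -> {finding['host']}: {finding['hits']} hits, "
              f"every {finding['period_s']}s (jitter {finding['jitter']})")
```

Real implants often add random delay to their check-in period, so a looser jitter threshold and a longer observation window are usually needed on production logs; the point of the example is the shape of the check, not the specific numbers.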

How To Protect Against Ad Injectors (Updated)

Late last week I read about a particular form of adware that Google is continuing to work to prevent from interfering with search engine results or obscuring your view of a popular website.

These ad injectors display pop up dialog boxes on your screen obscuring the website that you wish to view and instead offer tech support scams. They can also place ads that they wish to promote over the genuine search results that you have just requested from Google (or another search engine). For more signs/symptoms to look for, this blog post provides more details.

These ad injectors come to be installed on your computer from browser extensions/plugins as well as more traditional advertising toolbars.

In order to remove and prevent such ad injectors from disrupting your browsing experience I would recommend running a quick scan with your preferred anti-malware software (run a full scan if anything is detected). If you are still seeing annoying pop up dialogs or unwanted ads (that overlay the genuine search engine results) you could also try a free scan with one or all of the tools mentioned below (that I also mentioned on my Tools and Resources page).

In addition, before installing any free browser extension, check/read the reviews of it before downloading it and research it online a little before installing it. If you begin to see unwanted ads just after installing a new browser extension, uninstall that extension. To be even more careful, consider running the scans that I mention above after installing the extension just to ensure the legitimacy of what you have just downloaded.
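Reviews tell you what other users experienced; the extension's own manifest tells you what it is allowed to do. As an added example (not code from the original post or from Google), here is a Python script that walks the on-disk layout Chrome uses for installed extensions (one folder per extension id, one per version, each holding a manifest.json) and scores each manifest by the permissions an ad injector needs: access to every site, the ability to rewrite web requests, and a content script injected into every page. The scoring weights are this example's own rough scale, not anything Chrome defines, and the two extensions it audits are constructed in a temporary directory for the demonstration.

```python
import json
import os
import tempfile

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension rewrite traffic or watch browsing. The
# weights are this example's own rough scoring, not a Chrome-defined scale.
RISKY_PERMISSIONS = {
    "webRequest": 3, "webRequestBlocking": 3, "declarativeNetRequest": 2,
    "scripting": 2, "cookies": 2, "tabs": 1, "webNavigation": 1, "history": 1,
}


def score_manifest(manifest):
    """Return (score, reasons) for one parsed manifest.json."""
    score, reasons = 0, []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if perms & BROAD_HOSTS:
        score += 3
        reasons.append("host access to every site")
    for perm, weight in sorted(RISKY_PERMISSIONS.items()):
        if perm in perms:
            score += weight
            reasons.append(f"permission: {perm}")
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD_HOSTS:
            score += 3
            reasons.append("content script injected into every page")
            break
    return score, reasons


def audit_extensions(root):
    """Walk <root>/<extension id>/<version>/manifest.json and score each one."""
    results = []
    for ext_id in sorted(os.listdir(root)):
        ext_dir = os.path.join(root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            score, reasons = score_manifest(manifest)
            results.append({
                "id": ext_id,
                # Store extensions often use "__MSG_name__" placeholders here; the
                # real name then lives under _locales/, which this script does not read.
                "name": manifest.get("name", "?"),
                "version": manifest.get("version", version),
                "score": score,
                "reasons": reasons,
            })
    return sorted(results, key=lambda r: (-r["score"], r["id"]))


def build_sample_profile():
    """Constructed extension directory with two hypothetical extensions."""
    root = tempfile.mkdtemp(prefix="ext-audit-")
    samples = {
        "aaaabbbbccccddddeeeeffffgggghhhh": {
            "name": "Super Deals Helper (constructed injector)", "version": "1.2",
            "manifest_version": 2,
            "permissions": ["webRequest", "webRequestBlocking", "tabs", "<all_urls>"],
            "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
        },
        "iiiijjjjkkkkllllmmmmnnnnoooopppp": {
            "name": "Notes (constructed benign)", "version": "0.3",
            "manifest_version": 3, "permissions": ["storage", "activeTab"],
        },
    }
    for ext_id, manifest in samples.items():
        ext_dir = os.path.join(root, ext_id, manifest["version"])
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for entry in audit_extensions(build_sample_profile()):
        print(f"{entry['score']:>3}  {entry['name']} {entry['version']}  "
              f"{', '.join(entry['reasons']) or 'nothing notable'}")
```

To run it against a real profile, point audit_extensions at the Extensions folder inside your Chrome user data directory instead of the constructed one. A high score is not proof of an ad injector (ad blockers legitimately need the same permissions), but an extension you do not remember installing that scores highly is a good candidate for removal and for the scans described above.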

Please consider supporting the future development of these free scanning tools by donating via their websites (especially if they find and remove any adware for you):

Adwcleaner:
http://general-changelog-team.fr/en/tools/15-adwcleaner

Junkware Removal Tool:
http://thisisudax.org/

RogueKiller:
http://www.adlice.com/softwares/roguekiller/

Note: For the Junkware Removal Tool, I would recommend backing up your data to another external destination (e.g. an external hard drive or offsite backup, don’t have the backup accessible on your computer when running the tool) before running this tool. This is because it can delete any application installer that includes advertising toolbars as part of its installation (even if such toolbars are optional). You may not be expecting such installers e.g. Oracle Java to be deleted (without any prompts) and having a backup reduces the inconvenience of such application installers being deleted.

Update: 6th May 2015:

Since this post was originally posted Google have since provided more details on their findings from a research study detailing the extent of the ad injector ecosystem.

Google have worked to remove extensions from the Chrome Web Store that were deceptive and their Safe Browsing API continues to protect users from downloading software that is not what it appears to be. In addition changes to their AdWords policies have seen the number of Safe Browsing warnings being presented to users drop by 95% (i.e. users are no longer being manipulated into attempting to download dubious software/ad injectors and thus the warnings are not necessary).

The advice that I provided above still remains valid; however, Google have since released a software removal tool to remove existing ad injector software. If you suspect that you may have such an ad injector installed, please consider running this tool. I have used this tool and its scan takes less than five seconds to complete (for me the scan showed no malicious results and thus no action was required).

=======================
Update: 25th September 2015:
Earlier in September Google mentioned that they have made adjustments to their online advertising system so that ads that appear as a result of the ad injectors mentioned in this post are no longer bid on and thus no revenue is generated.

Google acknowledges that this measure won’t stop all of these ads from appearing but it makes it much less profitable for those who create these unwanted ads.

Thank you.
=======================
I hope that the above page is useful to you in keeping your computer free from unwanted adware and ensuring a safe and predictable online browsing experience.

Thank you.