People love to try to get something for nothing, especially on the Internet, where all kinds of things are available for nothing. But a lot of those free things are illegal, and attackers have become very adept at taking advantage of users’ desire for free episodes of Gilmore Girls or bonus Dragon Ball Z content.
Researchers at Zscaler have been tracking a long-term campaign that dupes users looking for pirated content such as games or TV shows into installing adware. Rather than getting the content they want, users download a file that appears to be legitimate but carries the malicious payload instead. This is an old trick that malware authors have used for years, but it has become more popular in the adware and spyware worlds of late.
The researchers found that two adware families in particular, Outbrowse and MultiPlug, are being used to serve unwanted targeted ads to users.
“Once installed, the user is shown unsolicited advertisements and experiences a substantial increase in browser tracking activity. We noticed the cyber-criminals involved in these campaigns heavily leverage .info TLD domains,” Chris Mannon of Zscaler wrote in a post analyzing the campaign.
“The OutBrowse family authors leverage popular TV shows, software applications and trending news to deliver custom payloads that monitor the user’s browsing activity. Their business model is to direct users to a pay site that provides various services.”
Once on a machine, the adware collects and sends out a variety of information about the computer, including its IP address, MAC address, installed browser versions, and other data. That information is then used to target ads at the affected user’s machine. The researchers said users can typically find the adware on their machines by looking in the C:\Documents And Settings\user\Local Settings\Temp\ folder.
MultiPlug behaves much the same way, Zscaler said, but installs an executable file that directs users to more potentially unwanted software.
“Once MultiPlug is installed, it starts downloading and installing additional packages in the background while displaying unsolicited advertisements,” Mannon said.
“The best way to remediate this attack is to review all installed programs through Windows Control Panel and odds are good that MultiPlug installed at least multiple unwanted software packages.”
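The two places the article points to, the user's Temp folder and the list of installed programs, can be checked in one pass. The following PowerShell triage script is an added example, not code from Zscaler or from the article: it enumerates installed programs from the Uninstall registry hives (both 64-bit and 32-bit views plus the per-user hive), flags those installed within a chosen window, and lists recently created executables and installers in the user's Temp folder together with their Authenticode signature status. It assumes a Windows host running PowerShell 3 or later; the `$Days` window and the file extensions searched are assumptions chosen for the example, and `$env:TEMP` is used so the same script resolves to the Documents and Settings path on Windows XP and to the newer per-user Temp path on later versions.

```powershell
# Added triage example (not from the Zscaler post). Assumes Windows with PowerShell 3+.
# Lists recently installed programs and recently created executables in the user's Temp
# folder, the two locations the article identifies for spotting OutBrowse/MultiPlug-style adware.

param(
    # Look-back window in days; 30 is an assumed default for this example.
    [int]$Days = 30
)

$cutoff = (Get-Date).AddDays(-$Days)

# 1. Installed programs, read from the same Uninstall keys that Control Panel uses.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        # InstallDate is stored as yyyyMMdd when present; parse it defensively.
        $date = $null
        if ($_.InstallDate -match '^\d{8}$') {
            $date = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
        }
        [pscustomobject]@{
            Name        = $_.DisplayName
            Publisher   = $_.Publisher
            InstallDate = $date
            Uninstall   = $_.UninstallString
        }
    }

# Entries with no install date are kept: bundled installers frequently omit it.
"== Programs installed in the last $Days days (or with no recorded install date) =="
$installed |
    Where-Object { -not $_.InstallDate -or $_.InstallDate -ge $cutoff } |
    Sort-Object InstallDate -Descending |
    Format-Table Name, Publisher, InstallDate -AutoSize

# 2. Temp folder: $env:TEMP is the per-user Temp path on XP (as quoted in the article) and on later Windows.
"== Executables and installers created in $env:TEMP in the last $Days days =="
Get-ChildItem -Path $env:TEMP -Recurse -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $cutoff } |
    ForEach-Object {
        # Unsigned or invalidly signed binaries dropped into Temp deserve a closer look.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            Created   = $_.CreationTime
            SizeKB    = [math]::Round($_.Length / 1KB)
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    } |
    Sort-Object Created -Descending |
    Format-Table Path, Created, SizeKB, Signature -AutoSize
```

Run it as the affected user (the HKCU hive and `$env:TEMP` are per-user), review any program with an unfamiliar publisher or a missing install date, and use the `Uninstall` field of the collected objects to locate the matching Control Panel entry before removing it.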
Mannon said that Zscaler has seen no indication that these campaigns will slow down anytime soon.