May 3, 2013Tyler Moffitt By Tyler Moffitt

Rootkit infection sporadically redirects search results in hopes users ‘just live with it’

By Tyler Moffitt

Recently we have seen an increase in fake installer scams attempting to trick computer users into installing disguised rootkits directly on their machines. In this post, we want to highlight how a scam like this can be installed and infect a machine, including behavior to watch out for as well as how to remedy the situation if it were to arise.

In the case of this infection, we are utilizing a bogus Adobe Flash Player installer. Normally, this file would be downloaded from a website after a message stating “You need the latest version of Flash to view this video” appears. The file being downloaded would have a random name, such as ‘flashplayerinstallerxxxx.exe’.

For educational purposes, we will show how this file reacts with a system without Webroot installed.

After execution, the file launches as a bogus Adobe flash player installer. During this process, it deletes the source executable that was initially dropped.

5-2-2013 11-37-20 AM

After the fake Adobe Flash update finishes loading, it will display a message (see screenshot below). Note that it doesn’t matter what version of Adobe flash player you have; even if you have no flash player installed, it will still report this message.

5-2-2013 11-37-38 AM

After about 10 minutes, the program will download components and get everything into place for infection. Then a new svchost.exe protected process will launch and start taking huge amounts of the CPU. This process cannot be killed.

5-2-2013 11-37-51 AMWith the infection installed, all redirects are from Google search engine results. For this demonstration, we used Firefox and Internet Explorer, typed in “books”, and only clicked on the first 2 links (Amazon and NYTimes).

5-2-2013 11-38-03 AM

Since this is a rootkit, there are no toolbars/extensions/BHO’s added to the browser. There are also no modified proxy settings or modified hosts files. What is interesting about this rootkit sample is that the redirects do not happen every time. The action will occur about once every three attempts, where the user will get redirected to a series of sites that are shown below.

The number of redirects caps out around 4-5 and then everything will seem normal until a restart of the browser. This erratic action can make it extremely difficult to troubleshoot. It can also prove to be very frustrating for a user to explain as it is not consistent and once the redirection occurs enough times, the issue stops for the rest of the browsing session. We have seen instances where consumers have just been “living with it” for months.

Here are the loops of redirect sites:

This is not an issue that any user should have to live with, however. After the infected code was running, we did a fresh install of Webroot SecureAnywhere onto the machine, which immediately detected and removed the infection. Below are screenshots of Webroot’s alert and threat removal in progress. Utilizing Webroot’s technology, a user is protected from malicious actions such as this, decreasing stress and improving the overall web experience.

As always, with these types of scams being so easy for the user to miss, there are a number of things users need to remember.

  • Only install updates of software directly from the manufacturer’s website or from the software itself
  • Check the URL of the websites you are visiting to ensure they match where you want to be
  • Do not give out personal information (such as credit card information) through websites  you do not know
  • If in doubt, shut down your PC and contact Webroot

Removal:

Webroot SecureAnywhere automatically blocks the installation of this infection. If the PC has no AV software installed, booting into Safe Mode with networking and installing Webroot SecureAnywhere will remove the threat. Manually removing this threat is possible; however, there may be some system damage that will need to be repaired.

Webroot support is always available to help with removal and questions regarding this infection. Please visit the Webroot support web site for more detail at: http://www.webroot.com/support/.

Share Button

3 Responses to Rootkit infection sporadically redirects search results in hopes users ‘just live with it’

  1. Hi – this is a good and informative article – especially since the fake Adobe Installer looks and mimics the regular Adobe Updater as well as it seems to from the screenshots. As a System Admin that has purchased Webroot Corporate and deployed Webroot company-wide to our 31 locations, I appreciate an article like this. One request would be though to make the screenshots either larger (especially of the Fake Adober Installer) – or make them clickable so that we can see these in full quality to be able to see exactly what they look like. A LOT of Fake/Rogue Malware and Rootkits will have silly mispellings and things of that nature – but I can’t really tell by looking at those smaller shots if these do or not. The fact that the updates seem to ‘fail’ is a red-flag though. You would think they would just ‘act’ like it succeeded – and then if an actual Adobe Update came up with the same update later – a user would just ‘think’ it did not install correctly the last time. Thanks.

  2. Webroot SecureAnywhere automatically blocks the installation of this infection. If the PC has no AV software installed, booting into Safe Mode with networking and installing Webroot SecureAnywhere will remove the threat. Manually removing this threat is possible; however, there may be some system damage that will need to be repaired Diablo 3 Gold

  3. Pingback: Malware you can "live with", but shouldn'tInformation security & technology news

Leave a Reply

Your email address will not be published. Required fields are marked *

true