Researchers at Cisco Talos discovered that a backdoor program had been installed onto approximately 12 million...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
PCs, via adware called OneSoftPerDay from a French tutorial website called Tuto4PC. The software, which is supposed to give users ad-supported free tutorials, has the ability to download and install other software programs, as well as collect user data. While Talos researchers argue that OneSoftPerDay is a backdoor program, it seems to have escaped notice of antimalware systems. How was OneSoftPerDay able to evade detection and hide its true nature? What can enterprises do to mitigate risks posed by adware programs like this? The steps a security vendor needs to go through to determine if a particular binary or action is malicious are significant, in order to ensure that few false positives are included in detection and prevention tools. The vendor knows that the consequences of blocking or quarantining a legitimate file are disruptions for customers, so it is rightfully thorough in its analysis of something potentially malicious. This is especially true when security vendors and enterprises share threat intelligence with each other. Each vendor takes different steps, and may come up with different analyses and use different naming conventions, which can lead to some confusion in the community while it is trying to come to a consensus. The binary might even change in the wild to include new features that make it look more malicious. This is the case with the OneSoftPerDay adware that Cisco Talos discovered.
OneSoftPerDay could have hidden its true nature as a backdoor program because it appears to have some potentially legitimate uses, such as providing access to free or cheap software. As Talos describes, there seems to be little question that OneSoftPerDay is malware. It doesn't appear to exploit any vulnerabilities on the system, but takes extensive anti-analysis steps such as detecting antivirus programs and sandboxes and hiding encrypted payloads within embedded text resources of the binary.
Enterprises can mitigate risks posed by adware programs like OneSoftPerDay by following standard antimalware security advice, such as conducting regular patching and checking that their security tools have signatures or detection for the malware. It is especially important for an enterprise to monitor what applications or binaries are running on an endpoint and to determine if the files are supposed to be there. If an enterprise limits what applications can be installed or binaries can be executed, and an unapproved binary or application is found on an endpoint, then it should be investigated to determine how it got on the system, because there could potentially be an exploitable vulnerability on the system that should be fixed.
Learn what a backdoor is and how to prevent potential threats
Find out how to prevent Vonteera adware from disabling antimalware tools
Read about the key criteria for selecting antimalware products
Related Q&A from Nick Lewis
Cross-platform malware enables attackers to leverage their attacks using infected Microsoft Word docs. Expert Nick Lewis explains how the attacks ...continue reading
How was the ATMitch malware able to loot cash machines, then delete itself? Expert Nick Lewis explains how the fileless malware works and how it ...continue reading
DoubleAgent malware is a proof of concept for a zero-day vulnerability that can turn antivirus tools into attack vectors. Expert Nick Lewis explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.