Researchers at Cisco Talos discovered that a backdoor program had been installed onto approximately 12 million PCs, via adware called OneSoftPerDay from a French tutorial website called Tuto4PC. The software, which is supposed to give users ad-supported free tutorials, has the ability to download and install other software programs, as well as collect user data. While Talos researchers argue that OneSoftPerDay is a backdoor program, it seems to have escaped the notice of antimalware systems. How was OneSoftPerDay able to evade detection and hide its true nature? What can enterprises do to mitigate risks posed by adware programs like this?
A security vendor has to go through significant steps to determine whether a particular binary or action is malicious, in order to keep false positives out of its detection and prevention tools. The vendor knows that blocking or quarantining a legitimate file disrupts its customers, so it is rightfully thorough in its analysis of anything potentially malicious. This is especially true when security vendors and enterprises share threat intelligence with each other. Each vendor takes different steps, and may come up with different analyses and use different naming conventions, which can lead to some confusion in the community while it tries to reach a consensus. The binary might even change in the wild to include new features that make it look more malicious. This is the case with the OneSoftPerDay adware that Cisco Talos discovered.
OneSoftPerDay could have hidden its true nature as a backdoor program because it appears to have some potentially legitimate uses, such as providing access to free or cheap software. As Talos describes, there seems to be little question that OneSoftPerDay is malware. It doesn't appear to exploit any vulnerabilities on the system, but takes extensive anti-analysis steps such as detecting antivirus programs and sandboxes and hiding encrypted payloads within embedded text resources of the binary.
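One defensive check that follows from the behavior described above is to measure the entropy of a binary's embedded resources: an encrypted payload stands out as near-random data, whether it is stored as raw bytes or tucked into a text resource as base64 or hex. The example below is added here and is not Talos's code or part of OneSoftPerDay; the resource names and contents are constructed samples, and the thresholds are assumptions a practitioner would tune against a baseline of known-good binaries.

```python
import base64
import binascii
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; values near 8.0 indicate encrypted or compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def unwrap_text_resource(data: bytes) -> bytes:
    """If a resource is ASCII text that decodes as base64 or hex, return the decoded
    bytes so the entropy check sees the hidden payload; otherwise return data as-is."""
    try:
        compact = "".join(data.decode("ascii").split())
    except UnicodeDecodeError:
        return data  # raw binary resource, nothing to unwrap
    for decoder in (lambda s: base64.b64decode(s, validate=True), binascii.unhexlify):
        try:
            decoded = decoder(compact)
            if len(decoded) >= 32:  # ignore short strings that decode by coincidence
                return decoded
        except (binascii.Error, ValueError):
            continue
    return data

def scan_resources(resources: dict, threshold: float = 7.2, min_size: int = 256) -> list:
    """Return the names of resources whose (unwrapped) contents look like an
    encrypted blob: large enough to carry a payload and close to maximum entropy."""
    flagged = []
    for name, data in resources.items():
        payload = unwrap_text_resource(data)
        if len(payload) >= min_size and shannon_entropy(payload) >= threshold:
            flagged.append(name)
    return flagged

def _pseudo_random(seed: bytes, size: int) -> bytes:
    """Deterministic stand-in for an encrypted payload (constructed test data)."""
    return b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(size // 32))

# Constructed sample resource table: one genuine UI string, one base64-wrapped
# payload hiding in a string resource, one raw binary blob, one short decoy.
SAMPLE_RESOURCES = {
    "IDS_WELCOME": b"Welcome to OneSoftPerDay. Your free tutorial is ready.\n" * 8,
    "IDS_CONFIG": base64.b64encode(_pseudo_random(b"cfg", 1024)),
    "RT_RCDATA_1": _pseudo_random(b"raw", 1024),
    "IDS_TOKEN": base64.b64encode(_pseudo_random(b"tok", 32)[:16]),
}

if __name__ == "__main__":
    print("suspicious resources:", scan_resources(SAMPLE_RESOURCES))
```

Run against resources pulled from a real PE with a resource extractor, the same function gives a quick triage signal that a text resource is carrying something other than text.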
Enterprises can mitigate risks posed by adware programs like OneSoftPerDay by following standard antimalware security advice, such as patching regularly and checking that their security tools have signatures or detection for the malware. It is especially important for an enterprise to monitor which applications or binaries are running on an endpoint and to determine whether those files are supposed to be there. If an enterprise limits which applications can be installed or which binaries can be executed, then any unapproved binary or application found on an endpoint should be investigated to determine how it got onto the system, because there could be an exploitable vulnerability on the system that needs to be fixed.