Ask toolbar updates hijacked by attackers to install suspicious code

Another reason to just say no to the Ask toolbar.

Ask toolbar updates hijacked by attackers to install suspicious code

An unknown attacker hijacked the update mechanism employed by Ask Partner Network (APN) to download suspicious code onto unsuspecting users' PCs.

APN is best known for the Ask.com search engine browser toolbar. It's a potentially unwanted program (PUP) that is infamously bundled with installers for Java.

The Ask toolbar and other software designed by APN, a so-called provider of "solutions to help software developers acquire and monetize users," have annoyed users for years.

Ask toolbar and Java - they deserve each other

Given their bundling-based distribution method, the manipulation of search results, and their persistence as downloaded software, it's no wonder Microsoft decided to block the Ask toolbar in 2015.

Even so, many users have chosen to not remove the Ask Toolbar. That might be because the programs themselves have - for the most part - never directly threatened people's computer security... that is, until recently.

The research team at Red Canary came across an issue in the beginning of November, as they explain in a blog post:

"On 5 November, Red Canary detected suspicious activity associated with Windows applications distributed by the Ask Partner Network (a.k.a. APN, Ask.com, or simply Ask). Upon further inspection, we discovered that Ask’s software was being co-opted by a malicious actor to execute malicious software on victims’ endpoints"

The team spotted some Windows processes associated with Portable Executable (PE, or "binary") files having abnormal extensions. In particular, they detected apnmcp.exe, the update mechanism for Ask Partner Network, associated with a image file named logo.png that was signed a bit too recently for their liking.

Curious, the researchers dug a little bit deeper and observed some suspicious behaviour:

Discovery timeline

"Note the network connection initiated by logo.png, which was used to pull down 2-3 unique, later-stage binary files that were then executed by logo.png before logo.png itself was deleted from the disk.

"Of the dozen victims that we observed, all of the first stage (logo.png) binaries were unique, but the later-stage payloads were the same across all victims. Our suspicion is that we caught this during the early stages of deployment or testing, as these processes took very few actions on the victim endpoints. This may have been intentional, or it may have been due to bad payloads or configurations."

A complete listing of the binaries is available on Red Canary's website.

So what can we learn from this story?

We already know that PUPs are a nuisance. But what we don't know is to what degree providers like APN invest in maintaining their solutions. They might not be following security best practices, which means an attacker could compromise their software and try to infect unsuspecting users.

With that being said, it doesn't matter what the potentially unwanted program is. It still constitutes a potential security threat. Therefore, if an unwanted program downloads itself onto their computer, users should remove it as soon as possible. Period.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

No comments yet.

Leave a Reply