You may not care where you download software from, but malware … – We Live Security
Why do people still download files from sketchy places and get compromised as a result?
One of the pieces of advice that security practitioners have been giving out for the past couple of decades, if not longer, is that you should only download software from reputable sites. As far as computer security advice goes, this seems like it should be fairly simple to practice.
But even when such advice is widely shared, people still download files from distinctly nonreputable places and get compromised as a result. I have been a reader of Neowin for over a couple of decades now, and a member of its forum for almost that long. But that is not the only place I participate online: for a little over three years, I have been volunteering my time to moderate a couple of Reddit forums (subreddits) that provide both general computing support and more specific advice on removing malware. In those subreddits, I have helped people over and over again as they attempted to recover from the fallout of compromised computers. Attacks these days are usually financially motivated, but there are other unanticipated consequences as well. I should state that this is not something unique to Reddit users: these types of questions also come up in online chats on various Discord servers where I volunteer my time as well.
One thing I should point out is that both the Discord and Reddit services skew to a younger demographic than social media sites such as Twitter and Facebook. I also suspect they are younger than the average WeLiveSecurity reader. These people grew up digitally literate and have had access to advice and discussions about safe computing practices available since pre-school.
Despite having the advantage of having grown up with computers and information on securing them, how is it that these people have fallen victim to certain patterns of attacks? And from the information security practitioner's side, where exactly is the disconnect occurring between what we're telling people to do (or not do, as the case may be) and what they are doing (or, again, not doing)?
Sometimes, people will openly admit that they knew better but just did a dumb thing, trusting the source of the software when they knew it was not trustworthy. Sometimes, though, it appeared trustworthy, but was not. And at other times, they had very clearly designated the source of the malware as trustworthy even when it was inherently untrustworthy. Let us take a look at the most common scenarios that lead to their computers being compromised:
I would point out that these are not the only means by which people were tricked into running malware. WeLiveSecurity has reported on several notable cases recently that involved deceiving the user:
Do any of these scenarios seem similar to each other in any way? Despite the various means of receiving the file (seeking out versus being asked, using a search engine, video site or piracy site, etc.) they all have one thing in common: they exploited trust.
When security practitioners talk about downloading files only from reputable websites, it seems that we are often only doing half of the job of educating the public about them, or maybe even a little less, for that matter: we've done a far better job of telling people what kind of sites to go to (reputable ones, obviously) without explaining what makes a site safe to download from in the first place. So, without any fanfare, here is what makes a site reputable to download software from:
And that's it! In today's world of software, the publisher's site could be a bit more flexible than what it historically has been. Yes, it could be a site with the same domain name as the publisher's site, but it could also be that the files are located on GitHub or SourceForge, hosted on a content delivery network (CDN) operated by a third party, and so forth. That is still the publisher's site, as the files were explicitly uploaded by the publisher. Sometimes, publishers provide additional links to additional download sites, too. This is done for a variety of reasons, such as to defray hosting costs, to provide faster downloads in different regions, to promote the software in other parts of the world, and so forth. These, too, are official download sites because they are specifically authorized by the author or publisher.
There are also sites and services that act as software repositories. SourceForge and GitHub are popular sites for hosting open-source projects. For shareware and trial versions of commercial software, there are numerous sites that specialize in listing their latest versions for downloading. These download sites function as curators for finding software in one place, which makes it easy to search and discover new software. In some instances, however, they also can have a darker side: some of these sites place software wrappers around files downloaded from them that can prompt to install additional software besides the program you were looking for. These program bundlers may do things completely unrelated to the software they are attached to and may, in fact, install potentially unwanted applications (PUAs) onto your computer.
Other types of sites to be aware of are file locker services such as Box, Dropbox, and WeTransfer. While these are all very legitimate file sharing services, they can be abused by a threat actor: people may assume that because the service is trusted, programs downloaded from them are safe. Conversely, IT departments checking for the exfiltration of data may ignore uploads of files containing personal information and credentials because they are known to be legitimate services.
When it comes to search engines, interpreting their results can be tricky for the uninitiated, or for people who are just plain impatient. While the goal of any search engine, whether it is Bing, DuckDuckGo, Google, Yahoo, or another, is to provide the best and most accurate results, their core businesses often revolve around advertising. This means that the results at the top of the search engine results page are often not the best and most accurate results, but paid advertising. Many people do not notice the difference between advertising and search engine results, and criminals take advantage of this through malvertising campaigns, where they buy advertising space to redirect people to websites used for phishing, other undesirable activities, and malware. In some instances, criminals may register a domain name using typosquatting, or a top-level domain that looks similar to the software publisher's, in order to make their website address less noticeable at first glance, such as example.com versus examp1e.com (note how the letter l has been replaced by the number 1 in the second domain).
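The lookalike-domain trick described above can be checked for mechanically before a download link is followed. The following Python is an added example written for this article, not code from the author or from ESET: it compares the registrable part of a download URL against a constructed list of trusted publisher domains, first collapsing commonly confused glyphs (the article's "1" for "l" case, plus a few similar pairs) and then measuring edit distance to catch simple typosquats and one-character top-level-domain changes. The trusted list, the confusable table and the sample URLs are all assumptions made for illustration.

```python
"""Flag download hosts that merely resemble a trusted publisher's domain.

Added example for this article, not the author's or ESET's code. The trusted
publisher list and the sample URLs are constructed for illustration.
"""
from urllib.parse import urlsplit

# Constructed placeholder list: in practice, the registrable domains of the
# publishers whose software you actually intend to install.
TRUSTED_PUBLISHER_DOMAINS = {"example.com", "example.org"}

# Character sequences commonly swapped for the glyphs they resemble; the
# article's case is "1" standing in for "l". Multi-character entries are
# applied first. This is a coarse heuristic table, not a complete one.
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "|": "l", "i": "l",
               "0": "o", "5": "s", "3": "e"}


def registrable_name(url):
    """Return the last two labels of the URL's hostname, lower-cased.

    Simplification: real code should consult the Public Suffix List so that
    names such as 'example.co.uk' are handled correctly.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def skeleton(name):
    """Collapse confusable sequences so look-alike names compare equal."""
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        name = name.replace(src, dst)
    return name


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap
    two adjacent characters, each costing 1 (so 'exmaple' is one edit from
    'example')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_download_url(url, trusted=TRUSTED_PUBLISHER_DOMAINS, max_edits=1):
    """Classify a download URL against the trusted publisher list.

    Returns (verdict, reference_domain) where verdict is one of
    'trusted', 'lookalike', 'typosquat' or 'unknown'.
    """
    name = registrable_name(url)
    if name in trusted:
        return "trusted", name
    # Glyph substitution: examp1e.com versus example.com
    for t in sorted(trusted):
        if skeleton(name) == skeleton(t):
            return "lookalike", t
    # Keyboard slips or one-character TLD changes: exmaple.com, example.co
    closest = min(sorted(trusted), key=lambda t: osa_distance(name, t))
    if osa_distance(name, closest) <= max_edits:
        return "typosquat", closest
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample links of the kind a user might be sent or find in a search ad.
    for link in ["https://www.example.com/download/setup.exe",
                 "https://cdn.example.com/releases/app-1.2.zip",
                 "https://examp1e.com/setup.exe",
                 "https://exmaple.com/setup.exe",
                 "https://example.co/setup.exe",
                 "https://files.othersite.net/setup.exe"]:
        print(f"{link:50} -> {classify_download_url(link)}")
```

A subdomain of a trusted publisher (the CDN case from the article) resolves to "trusted" because only the registrable part is compared; an "unknown" verdict simply means the name is not on the list and not close to anything on it, which is exactly the situation where the article's advice applies: go to the publisher's own site rather than trusting the link.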
I will point out that there are many legitimate, safe places to go on the internet to download free and trial versions of software, because they link to the publishers' own downloads. An example of this is Neowin, for whom the original version of this article was written. Neowin's Software download section does not engage in any type of disingenuous behavior. All download links either go directly to the publisher's own files or to their web page, making Neowin a reliable source for finding new software. Another reputable site that links directly to software publishers' downloads is MajorGeeks, which has been listing them on a near-daily basis for over two decades.
While direct downloading ensures that you get software from the company (or individual) that wrote it, that does not necessarily mean it is free of malware: there have been instances where malicious software was included in a software package, unintentionally or otherwise. Likewise, if a software publisher bundles potentially unwanted applications or adware with their software, then you will still receive that with a direct download from their site.
Special consideration should be applied to the various application software stores run by operating system vendors, such as the Apple App Store, the Google Play store, Microsoft's Windows app stores, and so forth. One might assume these sites to be reputable download sites, and for the most part they are exactly that, but there is no 100% guarantee: unscrupulous software authors have circumvented app stores' vetting processes to distribute software that invades people's privacy with spyware, displays egregious advertisements with adware, and engages in other unwanted behaviors. These app stores do have the ability to de-list such software from their stores as well as remotely uninstall it from afflicted devices, which offers some remedy; however, this could be days or weeks (or more) after the software has been made available. Even if you only download apps from the official store, having security software on your device to protect it is a must.
Device manufacturers, retailers, and service providers may add their own app stores to devices; however, these may not have the ability to uninstall apps remotely.
With all of that in mind, you are probably wondering exactly what the malware did on the affected computers. While there were different families of malware involved, each of which having its own set of actions and behaviors, there were two that basically stood out because they were repeat offenders, which generated many requests for assistance.
And just in case you were wondering: I have never heard of anyone successfully decrypting their files after paying the ransom to the STOP/DJVU criminals. Your best bet at decrypting your files is to back them up in case a decryptor is ever released.
As far as its functionality goes, Redline Stealer performs some fairly common activities for information-stealing malware, such as collecting information about the version of Windows the PC is running, username, and time zone. It also collects some information about the environment where it is running, such as display size, the processor, RAM, video card, and a list of programs and processes on the computer. This may be to help determine if it is running in an emulator, virtual machine, or a sandbox, which could be a warning sign to the malware that it is being monitored or reverse engineered. And like other programs of its ilk, it can search for files on the PC and upload them to a remote server (useful for stealing private keys and cryptocurrency wallets), as well as download files and run them.
But the primary function of an information stealer is to steal information, so with that in mind, what exactly does Redline Stealer go after? It steals credentials from many programs, including Discord, FileZilla, Steam, Telegram, and various VPN clients (such as OpenVPN and ProtonVPN), as well as cookies and credentials from web browsers such as Google Chrome, Mozilla Firefox, and their derivatives. Since modern web browsers do not just store accounts and passwords, but credit card info as well, this can pose a significant threat.
Since this malware is used by different criminal gangs, each of them might focus on something slightly different. In these instances, though, the targets were most often Discord, Google, and Steam accounts. The compromised Discord accounts were used to spread the malware to friends. The Google accounts were used to access YouTube and inflate views for certain videos, as well as to upload videos advertising various fraudulent schemes, causing the account to be banned. The Steam accounts were checked for games that had in-game currencies or items which could be stolen and used or resold by the attacker. These might seem like odd choices given all the things which can be done with compromised accounts, but for teenagers, these might be the most valuable online assets they possess.
To summarize, here we have two different types of malware that are sold as services for use by other criminals. In these instances, those criminals seemed to target victims in their teens and early twenties. In one case, they extorted victims for an amount proportional to what sort of funds they might have; in the other case, they targeted the victims' Discord, YouTube (Google), and online game (Steam) accounts. Given the victimology, one has to wonder whether these criminal gangs are composed of people in similar age ranges, and if so, whether they chose specific targeting and enticement methods they knew would be highly effective against their peers.
Security practitioners advise people to keep their computers' operating systems and applications up to date, to only use their latest versions, and to run security software from established vendors. And, for the most part, people do that, and it protects them from a wide variety of threats.
But when you start looking for sketchy sources to download from, things can take a turn for the worse. Security software does try to account for human behavior, but so do criminals who exploit concepts such as reputation and trust. When a close friend on Discord asks you to look at a program and warns that your antivirus software may incorrectly detect it as a threat, who are you going to believe, your security software or your friend? Programmatically responding to and defending against attacks on trust, which are essentially types of social engineering, can be difficult. In the type of scenarios explained here, it is user education and not computer code that may be the ultimate defense, but that is only if the security practitioners get the right messaging across.
The author would like to thank his colleagues Bruce P. Burrell, Alexandre Côté Cyr, Nick FitzGerald, Tomáš Foltýn, Lukáš Štefanko, and Righard Zwienenberg for their assistance with this article, as well as Neowin for publishing the original version of it.
Aryeh Goretsky, Distinguished Researcher, ESET
Note: An earlier version of this article was published on tech news site Neowin.