For more than a decade, adware has helped software creators earn money while bringing free applications to the masses. Headliner games and applications have become widely available to computer and mobile users the world over, with no financial strings attached.
While generating untold revenue for the companies that run these programs, adware has witnessed constant improvements over the years in both data collection and resilience to removal. The line between adware and spyware has become increasingly fuzzy during recent years as modern adware combines aggressive opt-outs with confusing legal and marketing terms as well as extremely sophisticated persistence mechanisms aimed at taking control away from the user. This whitepaper details an extremely sophisticated piece of rootkit-based spyware that has been running covertly since early 2012, generating revenue for its operators and compromising the privacy of its victims.
Download the whitepaper below for a complete analysis of the malware’s components, its internal structure and a list of associated samples and IoCs.
one year to write this report?
helping people or marketing….
Why would you think that? We have had detection for this strain of malware since second zero, so we've done our fair share of helping people out. We are trying to document attacks whenever time allows us, but our main focus is developing technologies and threat intelligence to protect people from such attacks. This is where most of our efforts go, the rest is provided on a "best effort" basis.
wow, incredible good and detailed report. amazing job bogdan!!! 🙂
You guys did an outstanding job with this report.
A few questions:
1. Approximately how many machines were infected with this malware?
2. Is there a link to the IOCs in a format other than PDF? (example: as text files or CSVs on GitHub or elsewhere) … The PDF format makes it difficult to use these IOCs "as is".
3. What has your interaction been with Microsoft (or others) to invalidate these certificates in use, and remove this malware from all Windows systems?
Any chance can you guys share the latest hash of "Main Downloader"? There are 691 hashes. Not sure which one is working.
May I know when this research is done? Whatever hash I test, it's not even making 1 http request.
What is most effective tool(s) for determining if this or any other RAT/root kit is active on a machine?
Currently, occasionally I boot from a live CD to run a series of scanners. Will this method detect this malware?
This is the recommended method when scanning for rootkits. Just boot a rescue CD and run a full system scan.