Adrozek

Last updated

Adrozek
Initial releaseMay 1, 2020 (2020-05-01) (or earlier)
Operating system Windows

Adrozek is malware that injects fake ads into online search results. Microsoft announced the malware threat on 10 December 2020, and noted that many different browsers are affected, including Google Chrome, Microsoft Edge, Mozilla Firefox and Yandex Browser. [1] [2] [3] [4] [5] [6] [7] The malware was first detected in May 2020 and, at its peak in August 2020, controlled over 30,000 devices a day. But during the December 2020 announcement, Microsoft claimed "hundreds of thousands" of infected devices worldwide between May and September 2020. [3]

Contents

According to Microsoft, if not detected and blocked, Adrozek adds browser extensions, modifies a specific DLL per target browser, and changes browser settings to insert additional, unauthorized ads into web pages, often on top of legitimate ads from search engines. [1] For each user tricked into clicking on the fake ads, the scammers earn affiliate advertising dollars. [6] The malware has been observed to extract device data and, in some cases, steal credentials, sending them to remote servers. [6]

Users may unintentionally install the malware because of a drive-by download, by visiting a tampered website, opening an e-mail attachment, or clicking on a deceptive link or a deceptive pop-up window. [4] The main malware program is downloaded to the “Programs Files” folder using file names such as Audiolava.exe, QuickAudio.exe, and converter.exe. [4] According to PC Magazine, a good way to avoid, or mitigate, infection by Adrozek is to keep browser and related software programs up to date. [4]

See also

Related Research Articles

Spyware is any software with malicious behavior that aims to gather information about a person or organization and send it to another entity in a way that harms the user by violating their privacy, endangering their device's security, or other means. This behavior may be present in malware and in legitimate software. Websites may engage in spyware behaviors like web tracking. Hardware devices may also be affected.

CoolWebSearch is a spyware or virus program that installs itself on Microsoft Windows based computers. It first appeared in May 2003.

Ad blocking or ad filtering is a software capability for blocking or altering online advertising in a web browser, an application or a network. This may be done using browser extensions or other methods.

<span class="mw-page-title-main">SpywareBlaster</span> Microsoft Windows software

SpywareBlaster is an antispyware and antiadware program for Microsoft Windows designed to block the installation of ActiveX malware.

<span class="mw-page-title-main">Adblock Plus</span> Content-filtering and ad blocking browser extension

Adblock Plus (ABP) is a free and open-source browser extension for content-filtering and ad blocking. It is developed by Eyeo GmbH, a German software company. The extension has been released for Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge, Opera, Safari, Yandex Browser, and Android.

Browser hijacking is a form of unwanted software that modifies a web browser's settings without a user's permission, to inject unwanted advertising into the user's browser. A browser hijacker may replace the existing home page, error page, or search engine with its own. These are generally used to force hits to a particular website, increasing its advertising revenue.

<span class="mw-page-title-main">WinFixer</span> Rogue security software

WinFixer was a family of scareware rogue security programs developed by Winsoftware which claimed to repair computer system problems on Microsoft Windows computers if a user purchased the full version of the software. The software was mainly installed without the user's consent. McAfee claimed that "the primary function of the free version appears to be to alarm the user into paying for registration, at least partially based on false or erroneous detections." The program prompted the user to purchase a paid copy of the program.

Christopher Boyd, also known by his online pseudonym Paperghost, is a computer security researcher.

The Vundo Trojan is either a Trojan horse or a computer worm that is known to cause popups and advertising for rogue antispyware programs, and sporadically other misbehavior including performance degradation and denial of service with some websites including Google and Facebook. It also is used to deliver other malware to its host computers. Later versions include rootkits and ransomware.

A browser extension is a software module for customizing a web browser. Browsers typically allow users to install a variety of extensions, including user interface modifications, cookie management, ad blocking, and the custom scripting and styling of web pages.

A browser toolbar is a toolbar that resides within a browser's window. All major web browsers provide support to browser toolbar development as a way to extend the browser's GUI and functionality. Browser toolbars are considered to be a particular kind of browser extensions that present a toolbar. Browser toolbars are specific to each browser, which means that a toolbar working on a browser does not work on another one. All browser toolbars must be installed in the corresponding browser before they can be used and require updates when new versions are released.

The Zlob Trojan, identified by some antiviruses as Trojan.Zlob, is a Trojan horse which masquerades as a required video codec in the form of ActiveX. It was first detected in late 2005, but only started gaining attention in mid-2006.

Piriform Software Ltd. is a British software company based in London, owned since 2017 by Avast which itself became part of NortonLifeLock in 2022. The company develops cleaning and optimisation tools for Microsoft Windows, macOS and Android operating systems, including CCleaner, CCleaner Browser, Defraggler, Recuva and Speccy. On 22 September 2015, Piriform launched CCleaner Cloud, a tool to maintain computers remotely.

Man-in-the-browser, a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a covert fashion invisible to both the user and host web application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions are in place. A MitB attack may be countered by using out-of-band transaction verification, although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone. Trojans may be detected and removed by antivirus software, but a 2011 report concluded that additional measures on top of antivirus software were needed.

Trusteer is a Boston-based computer security division of IBM, responsible for a suite of security software. Founded by Mickey Boodaei and Rakesh K. Loonkar, in Israel in 2006, Trusteer was acquired in September 2013 by IBM for $1 billion.

Browser security is the application of Internet security to web browsers in order to protect networked data and computer systems from breaches of privacy or malware. Security exploits of browsers often use JavaScript, sometimes with cross-site scripting (XSS) with a secondary payload using Adobe Flash. Security exploits can also take advantage of vulnerabilities that are commonly exploited in all browsers.

<span class="mw-page-title-main">Google Safe Browsing</span> Service that warns about malicious URLs

Google Safe Browsing is a service from Google that warns users when they attempt to navigate to a dangerous website or download dangerous files. Safe Browsing also notifies webmasters when their websites are compromised by malicious actors and helps them diagnose and resolve the problem. This protection works across Google products and is claimed to “power safer browsing experiences across the Internet”. It lists URLs for web resources that contain malware or phishing content. Browsers like Google Chrome, Safari, Firefox, Vivaldi, Brave, and GNOME Web use these lists from Google Safe Browsing to check pages against potential threats. Google also provides a public API for the service.

Download Valley is a cluster of software companies in Israel, producing and delivering adware to be installed alongside downloads of other software. The primary purpose is to monetize shareware and downloads. These software items are commonly browser toolbars, adware, browser hijackers, spyware, and malware. Another group of products are download managers, possibly designed to induce or trick the user to install adware, when downloading a piece of desired software or mobile app from a certain source.

A potentially unwanted program (PUP) or potentially unwanted application (PUA) is software that a user may perceive as unwanted or unnecessary. It is used as a subjective tagging criterion by security and parental control products. Such software may use an implementation that can compromise privacy or weaken the computer's security. Companies often bundle a wanted program download with a wrapper application and may offer to install an unwanted application, and in some cases without providing a clear opt-out method. Antivirus companies define the software bundled as potentially unwanted programs which can include software that displays intrusive advertising (adware), or tracks the user's Internet usage to sell information to advertisers (spyware), injects its own advertising into web pages that a user looks at, or uses premium SMS services to rack up charges for the user. A growing number of open-source software projects have expressed dismay at third-party websites wrapping their downloads with unwanted bundles, without the project's knowledge or consent. Nearly every third-party free download site bundles their downloads with potentially unwanted software. The practice is widely considered unethical because it violates the security interests of users without their informed consent. Some unwanted software bundles install a root certificate on a user's device, which allows hackers to intercept private data such as banking details, without a browser giving security warnings. The United States Department of Homeland Security has advised removing an insecure root certificate, because they make computers vulnerable to serious cyberattacks. Software developers and security experts recommend that people always download the latest version from the official project website, or a trusted package manager or app store.

<span class="mw-page-title-main">AdGuard</span> Ad blocking and privacy protection software

AdGuard is an ad blocking service for Microsoft Windows, Linux, MacOS, Android and iOS. AdGuard is also available as a browser extension.

References

  1. 1 2 Microsoft 365 Defender Research Team (10 December 2020). "Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers". Security Blog. Microsoft . Retrieved 13 December 2020.{{cite news}}: CS1 maint: numeric names: authors list (link)
  2. Goodin, Dan (10 December 2020). "4 major browsers are getting hit in widespread malware attacks - Chrome, Firefox, Edge, and Yandex are all affected in widespread ad-injection campaign". Ars Technica . Retrieved 13 December 2020.
  3. 1 2 Cimpanu, Catalin (10 December 2020). "Microsoft exposes Adrozek, malware that hijacks Chrome, Edge, and Firefox - Microsoft says that at its peak, Adrozek had controlled more than 30,000 devices a day". ZDNet . Retrieved 13 December 2020.
  4. 1 2 3 4 Kan, Michael (11 December 2020). "'Adrozek' Malware Is Infecting Thousands of PCs to Insert Ads, Microsoft Warns". PC Magazine . Retrieved 13 December 2020.
  5. Wagensell, Paul (11 December 2020). "This nasty malware is infecting every web browser — what to do now - New malware is stealing passwords and shows bogus search results". Tom's Guide . Retrieved 13 December 2020.
  6. 1 2 3 Bracken, Becky (11 December 2020). "Adrozek Malware Delivers Fake Ads to 30K Devices a Day". ThreatPost.com. Retrieved 13 December 2020.
  7. Wilson, Luke (15 December 2020). "Google Chrome, Firefox, Edge hijacked by massive malware attack: What you need to know - Microsoft has reported a 'shapeshifting' variant of a well-known malware strain that attacks browsers to embed malicious ads". T3 . Retrieved 15 December 2020.