Showing results for tags 'adware'.
Found 16 results

  1. When you think of malware, it's understandable if your mind first goes to elite hackers launching sophisticated dragnets. But unless you're being targeted by a nation-state or advanced crime syndicate, you're unlikely to encounter these ultra-technical threats yourself. Run-of-the-mill profit-generating malware, on the other hand, is rampant. And the type you're most likely to encounter is adware.

     In your daily life you probably don't think much about adware, software that illicitly sneaks ads into your apps and browsers as a way of generating bogus revenue. Remember pop-up ads? It's like that, but with special software running on your device, instead of rogue web scripts, throwing up the ads. Advertisers often pay out based on impressions, or the number of people who load their ads. So scammers have realized that the more ads they can foist upon you, the more money they pocket.

     Ad It Up

     Your smartphone offers attackers the perfect environment to unleash ad malware. Attackers can distribute apps tainted with adware through third-party app stores for Android and even sneak adware-laced apps into the Google Play Store or Apple's App Store. They can reach millions of devices quickly, lurking on your phone, say, while their servers spew ads that run in the background of your device or right on the screen. It doesn't require elaborate hacking techniques. It isn't trying to steal your money. At worst, it makes your device a little slower or forces you to close out some unexpected ads. Adware could be on your phone right now.

     "With adware—which is in my opinion one of the boldest types of malware on the mobile front—we can see that the actors are basically following the money," says Aviran Hazum, analysis and response team leader at security firm Check Point. "A lot of victims will pay a ransomware ransom, or attackers can gain access to a bank account, but the probability of that is relatively low compared to the amount of money they can generate by displaying ads. More audience, more adware, more revenue."

     Strains of adware regularly infect tens of millions or even hundreds of millions of devices at a time. Even though adware detections have declined year over year, security firm Malwarebytes still ranked it as the most prevalent type of consumer malware in 2018. Check Point published findings on one example last week, dubbed Agent Smith, which infected more than 25 million Android devices around the world. Fifteen million of those are in India, but Check Point also found more than 300,000 infections in the US.

     Check Point sees signs that attackers started developing Agent Smith adware in 2016 and have been refining it ever since. Distributed largely through the third-party Android app store 9Apps, the adware was originally a more clunky, obvious type of malware that masqueraded as legitimate apps but asked for a suspicious number of device permissions to run and displayed a lot of intrusive ads.

     In spring 2018, though, Agent Smith evolved. Attackers added other malware components so that once the adware was installed, it would search through the device's third-party apps and replace as many as possible with malicious decoys. The initial malware would be in apps like shoddy games, photo services, or sex-related apps. But once installed, it would masquerade as a Google update utility—like a fake app called Google Updater—or apps that pretended to sell Google products, to have a better chance of hiding in plain sight. Agent Smith also infiltrated the Google Play Store during 2018, hidden in 11 apps that contained a software development kit related to the campaign. Some of these apps had about 10 million downloads in total, but the Agent Smith functionality was dormant and may have represented a planned next step for the actors. Google has removed these tainted apps.

     Check Point's Hazum points out that the actors behind Agent Smith also overhauled its infrastructure in 2018 and moved its command and control framework to Amazon Web Services. This way, the attackers could expand features like logging and more easily monitor analytics like download stats. Campaigns like adware and cryptojacker distribution can often function on legitimate infrastructure platforms like AWS, because it's difficult to distinguish their malicious activity from legitimate operations.

     In other recent adware campaigns, researchers have found innovations like malware that takes advantage of smartphone display and accessibility settings to overlay invisible ads that give them credit with ad networks without users even seeing anything. "You're starting to see actors realizing that just regular adware won't do these days," Check Point's Hazum says. "If you want the big money you need to invest in infrastructure and research and development."

     It's an Ad, Ad, Ad, Ad World

     Agent Smith is just one wave, though, in a sea of massive adware campaigns that impact hundreds of millions of users combined. For example, in late 2017, adware known as Fireball infected more than 250 million PCs. Imposter Fortnite apps started spreading adware on Android during the summer of 2018. And in April researchers found 50 adware-ridden apps in Google Play that had been downloaded more than 30 million times. Almost any popular app spawns adware clones almost immediately—even FaceApp.

     Though adware isn't necessarily an immediate threat to users, even when it's on their devices, it opens the door for attackers to add other malicious functionality in the future that could endanger users' data or accounts. And adware can also come bundled with other types of malware, portending worse attacks to come.

     "Specific to adware, a lot of the risk to the user comes in applications that download extra stuff or redirect users to other websites," says Ronnie Tokazowski, a senior threat researcher at email security firm Agari. "Many forms of adware are sold through a pay-to-install model, so the more things that get installed on an end user's phone or PC, the more the actor gets."

     To avoid downloading adware in the first place, use official app stores to download software, stick to prominent, mainstream apps as much as possible, and always double-check that you're actually downloading, say, the real Twitter app and not Twltter.

     To eliminate adware that could already be on your device, go through your apps and delete anything you don't use anymore, or any apps that are particularly glitchy or ad-ridden, such as random games or utilities like flashlight apps. And if you want an outside opinion, you can download reputable adware scanners from antivirus companies like Bitdefender, Malwarebytes, or Avast. Most offer a free trial. But be careful to download the real deal—adware and other malware loves to hide in apps that pretend to be adware scanners.

     Adware isn't the powerful and deeply invasive malware that nation-state hackers specially craft for tailored reconnaissance or intimidation. But it's the malware most likely to show up on your phone, which makes it the type that's most important to look out for.

     Source
  2. The heavily obfuscated adware was found in 238 different apps on Google Play.

     Consumers and enterprise customers expect the apps they download from Google Play, Apple's App Store, and other officially sanctioned app repositories to be secure and have at least minimal respect for privacy. But security researchers at Lookout found 238 applications in Google Play that hid BeiTaAd, a well-obfuscated ad plugin that could display ads on the device's lock screen, trigger video and audio advertisements even while the phone is asleep, and display ads outside the app that interfered with the user experience in other applications.

     Kristina Balaam, security intelligence engineer at Lookout and author of the blog post on the research, says that the company's research into the apps began with a phone call. "We [Lookout] got a support call from an enterprise user who noticed strange pop-up ads on their devices," Balaam says. "The support person contacted the research team, we started digging through the apps, and realized that there were other samples."

     What they found was a collection of 238 apps from a single publisher, all of which contained adware that someone had gone to great lengths to hide. The publisher, CooTek, is known for legitimate Android apps and is listed on the NYSE. And the simple presence of adware in free apps isn't unprecedented: Many publishers use in-app advertising as a way to profit from free apps.

     The difference in this case, Balaam says, is that "as official stores start to lock down the ads that can be shown, the publishers have to become more creative in how they hide adware." In the case of the CooTek apps, someone used very sophisticated techniques to obfuscate the adware executable bundled with the app. The adware was renamed, given a different filetype extension, and given AES encryption. All of this might have been a small annoyance, but BeiTaAd is so aggressive that it effectively rendered the device unusable for enterprise purposes.

     The combination of CooTek apps and BeiTaAd adware was effective at spreading the ads to a wide audience. In a screen shot used in the research report, one of the apps — TouchPal Keyboard — shows more than 100,000,000 downloads. Together, the infected apps showed more than 440 million downloads, according to Lookout.

     The research report states that as of May 23, 2019, all affected apps had been either removed from Google Play or updated to versions that do not contain BeiTaAd. Still, Balaam says, "Whoever is responsible for this plug-in, they're aware that it doesn't comply with the Google terms of service." She doesn't point a finger at the company or any individual, but continues, "Someone knew that what they were doing was wrong and they tried not to get caught."

     Source
  3. Adware, PUPs, and unwanted extensions are being promoted through sites that pretend to be adult video sites. When a visitor tries to play a video, a fake video player popup will be displayed that states you must download and install an updated media player to see the video. This "media player", though, just installs unwanted programs onto your computer or redirects you to unwanted Chrome extensions.

     These fake sites consist of autogenerated pages based on popular celebrity or adult star keywords so that they can get as many pages as possible into search engines. When a user clicks on these links and tries to play the video, they are shown a fake video player like the one below.

     Fake video player

     This video player will state that there was an error playing a video and that you need to download a media player to properly watch the video. The full text of this alert is shown below.

     If a user clicks on the message, they will either download an adware installer or be redirected to another site pushing unwanted Chrome extensions. One of the extensions being promoted contains scripts that perform in-browser mining.

     These adware installers bundle free and legitimate programs in order to bundle their "offers" to those who install the software. For example, in one of the adware bundles I tested, it was pushing the free AIMP media player.

     Adware Installer Pushing the Free AIMP Program

     One of the offers shown when testing the adware bundle is a "Search Offer" that installs a Chrome Extension onto the computer.

     Search Offer

     Another offer was for Avast.

     Avast Offer

     As these sites are created only to push unwanted software on a visitor, rather than actually showing a video, they should be avoided. Even more important, if you run into a site that tells you that you need to install a piece of software to properly use it, I would instead find a site that does not require you to install software before using it.

     As this tactic is all too often used to trick people into installing malware onto their computer, it is important to recognize these types of social engineering attacks.

     Source
  4. On Friday, an unknown hacker hijacked the Copyfish Chrome extension from its original authors and pushed an update that inserted ads in people's web pages.

     The hack took place because one of the Copyfish developers fell for a simple phishing trick and accessed a link in an email he thought he received from the Chrome team. In reality, the email came from the phisher and urged the Copyfish developer to update his extension, or it would be removed from the Chrome Web Store.

     Developer fell for simple phishing trick

     When the developer accessed the link, he was redirected to a copy of the Google account login page, where the Copyfish dev entered the credentials of the Copyfish developer account. The login page was hosted on chromedev.freshdesk.com, and surprisingly the extension's developer didn't think it was strange, even though Google has hosted its support desks on its own domains for more than a decade.

     Phishing page that fooled the Copyfish developers [Source: A9t9]

     On Saturday, a day later, the hacker had pushed a malicious update (v2.8.5) for the Chrome Copyfish extension, which is a pretty powerful tool for extracting text from images and PDF files.

     Malicious update inserted ads in people's browsers

     The update added extra JavaScript code that loaded ads on all the pages a user viewed. Despite this intrusive behavior, it took Copyfish developers a full day to realize what had happened. Unfortunately, by that point, the hacker had transferred the extension to his own developer account, out of the reach of the original authors, who were desperately trying to reach a Google staffer to have the extension pulled down.

     On Monday, a post-mortem blog post published by the Copyfish team reached the Hacker News news aggregator service. This extra exposure helped the Copyfish team get in contact with Google employees but also contributed to stopping the hijacked extension's adware behavior after the owner of the Unpkg CDN service had taken down malicious JavaScript files used by the extension.

     At the time of writing, the extension is still under the hijacker's control. Users are advised to remove it from their browsers. The Copyfish team says its Firefox add-on is safe and under their control.

     Article source
  5. Ks Clean: Run and install: OK, OK or, er, OK?

     A malicious Android app that downloads itself from advertisements posted on forums strongly resists removal, security firm Zscaler warns.

     The dodgy Android utility poses as "Ks Clean", an Android cleaner app. Once installed, the app displays a fake system update message in which the only option presented to the user is to select the "OK" button, giving victims little immediate option other than to accept a supposed security update. As soon as the user presses "OK", the malware prompts the installation of another APK named "Update". The Update app asks for administrator privileges which, if granted, can't be revoked.

     The app uses the insidious mask of a "security update" to get a user to complete the installation. After that, there is nothing to stop malware from slinging pop-up ads at victims even when the user is using other apps. Users would be unable to easily uninstall the app using the traditional "Uninstall" option because it has admin rights.

     This is a "security update". It's for your own good and you must comply.

     Zscaler has identified over 300 instances of malicious APKs from this campaign affecting users in the US and UK over the last two weeks, including an attack on a conspiracy forum called "GodLikeProductions". "On one such forum we found entitled 'GodLikeProductions', visitors complained about the automatically downloading app, but those messages were either removed or ignored by the forum's hosts, allowing the problem to perpetuate," Zscaler reports.

     Article source
     Other source: Self-Downloading Android Malware Target Users in the US, UK, and France
  6. Fake website: http://шһатѕарр.com/?colors
     Actual site it redirects to: http://blackwhats.site/
     Archive.is link: http://archive.is/9gK5Y
     Screenshots when you visit the website on a smartphone: http://imgur.com/a/UsKue

     The user gets a message saying WhatsApp is now available with different colors: "I love the new colors for whatsapp http://шһатѕарр.com/?colors"

     When you click the fake whatsapp.com URL on mobile, the user is made to share the link to multiple groups for human verification. Once you're done sharing, you are made to install adware apps; after you have installed the adware, the website says the WhatsApp color is available only in WhatsApp Web and makes you install an extension.

     Fake WhatsApp extension: https://chrome.google.com/webstore/detail/blackwhats/apkecfhccjhdmicfliebkdekbkoioiaj

     These fake sites and spam messages are always circulating in WhatsApp.

     Source

     Fake WhatsApp.com URL gets users to install adware

     Next time someone links you to whatsapp.com, make sure you take a second look. There's some adware currently circulating around the web by tricking users to visit a 'шһатѕарр.com' domain instead. Yes, those are different URLs – the fake URL uses characters from the Cyrillic alphabet.

     As spotted by redditor u/yuexist, the site promises to let you install WhatsApp in different colors – I mean, everyone likes color options, right? If you visit the link, you're asked to share the site with your friends for 'verification.' Your friends then receive a message saying "I love the new colors for whatsapp" along with the fake URL.

     Once you've 'verified' yourself, you're then told that WhatsApp's colors can only be accessed on a desktop, and are asked to install an extension from the real Chrome Web Store called BlackWhats (still, click at your own risk).

     All this should send about 27,531 red flags to anyone remotely tech savvy, but there are plenty of WhatsApp users who don't spend their time on tech blogs and might fall for it – the fake URL is certainly convincing enough at first glance. The extension itself has over 16,000 users and a 4 star rating from 55 ratings, though there are only 3 text reviews – it's hard to tell if these ratings are somehow fake.

     We've reached out to Google to alert them about the adware. And as always, make sure to double check URLs on any unexpected links you may receive.

     Update: Google has removed this extension from the Chrome Web Store. Good riddance.

     Article source
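As an added example that is not part of the post or the article above, the following Python check flags lookalike domains such as the Cyrillic 'шһатѕарр.com' one: it reports the punycode form DNS actually resolves, whether a label mixes scripts or puts a non-Latin label under a Latin TLD, and whether the label folds to a protected brand. The confusables table and the protected-domain list are constructed for this example (a small subset of Unicode's confusables data).

```python
"""Flag lookalike (homograph) domains such as the post's шһатѕарр.com.
Added example, not from the original post. Two offline checks: the Unicode
scripts in each label, and a fold to a Latin 'skeleton' via a small
confusables table (constructed here; a subset of Unicode's confusables data)."""
import unicodedata

# The post's fake domain, written as code points so nothing is lost in copying:
# ш U+0448, һ U+04BB, а U+0430, т U+0442, ѕ U+0455, а, р U+0440, р
SAMPLE_FAKE = "\u0448\u04bb\u0430\u0442\u0455\u0430\u0440\u0440.com"

# Cyrillic/other letters that render like Latin ones (constructed subset).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u0442": "t", "\u0448": "w", "\u051d": "w", "\u0261": "g",
}


def scripts_in(label):
    """Coarse script set of a label: Latin, Cyrillic, Greek or Other.
    Digits and hyphens are script-neutral and ignored."""
    found = set()
    for ch in label:
        if ch in "-0123456789":
            continue
        name = unicodedata.name(ch, "")
        for script in ("LATIN", "CYRILLIC", "GREEK"):
            if name.startswith(script):
                found.add(script.capitalize())
                break
        else:
            found.add("Other")
    return found


def to_ascii(host):
    """IDNA (punycode) form, i.e. what DNS actually resolves; None if invalid."""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def skeleton(label):
    """Fold a label to its Latin lookalike using CONFUSABLES."""
    folded = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def check_domain(domain, protected=("whatsapp.com",)):
    """Return findings for one host name. 'protected' lists the brands we
    want to catch lookalikes of (constructed for the example)."""
    host = domain.lower().rstrip(".")
    labels = host.split(".")
    per_label = [scripts_in(l) - {"Other"} for l in labels]
    mixed = any(len(s) > 1 for s in per_label)
    # Non-Latin second-level label under a Latin TLD: a heuristic, not proof.
    tld_mismatch = bool(per_label[0]) and "Latin" not in per_label[0] \
        and per_label[-1] == {"Latin"}
    folded = ".".join(skeleton(l) for l in labels)
    lookalike_of = next((p for p in protected if folded == p and host != p), None)
    ascii_form = to_ascii(host)
    return {
        "input": host,
        "ascii": ascii_form,
        "is_idn": ascii_form is not None and "xn--" in ascii_form,
        "mixed_script": mixed,
        "tld_mismatch": tld_mismatch,
        "lookalike_of": lookalike_of,
        "suspicious": mixed or tld_mismatch or lookalike_of is not None,
    }


if __name__ == "__main__":
    for d in (SAMPLE_FAKE, "whatsapp.com"):
        print(check_domain(d))
```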
  7. Threats against Mac users grow

     Mac computers may still be "safer" than Windows PCs, as less focus is put on them, but the number of attacks is rapidly rising. In fact, according to the recent McAfee Threat Report, macOS malware grew by 744% in 2016, with some 460,000 instances detected.

     Of course, when it comes to comparing macOS infections with those of Windows PCs, Mac numbers are minimal. All malware detected last year rose up to some 600 million instances, with some 15 million being mobile malware.

     Thankfully, if you could put it there, most macOS malware was adware, which means it pretty much just annoys victims, rather than doing a lot of damage, as is the situation with most Windows or Android malware. This doesn't mean there are no instances of truly malicious infections. In fact, there are plenty of those to go around, such as the Word macro instances where Mac users were targeted, or the Fruitfly malware used to attack computers in biomedical research institutions.

     Of course, in order to protect yourself and your device from malware, it's best to only install software from verified sources and to avoid suspicious emails and their attachments.

     The dangers of IoT

     The McAfee report puts the focus on another type of issue - the growing number of malware infections on Internet of Things devices which enables them to be used as part of botnets for various purposes, like DDoS attacks on websites.

     "IoT devices are being hijacked and used to carry out serious crimes in cyberspace. Attackers, after gaining control of IoT devices, can use them to attack business, consumers, or Internet infrastructure. The Mirai botnet is just the beginning," reads the report, setting down an ominous prediction.

     This situation, however, highlights the modern problems of the world where more and more devices come with an Internet connection and not enough security to make them safe against attacks. There have been numerous reports in recent months about all types of attacks against IoT devices, including smart toys for kids and smart toys for... adults.

     Source
  8. A new adware family named Crusader will rewrite tech support phone numbers returned in Google search results, display ads, and show popups pushing tech support scams.

     Current versions of Crusader are installed on victims' computers via software bundles. Users usually download a free application, whose installer also adds Crusader. The adware takes the form of a Chrome extension, Firefox add-on, and Internet Explorer Browser Helper Object. Because it's delivered as a browser extension, Crusader is in the privileged position of listening to and modifying the user's entire Internet traffic.

     All the malicious actions Crusader takes are detailed in a configuration file the adware downloads after it infects each user, and at every boot-up. The config file is retrieved following an HTTP request at:

     http://demo1.geniesoftsystem.com/Crusader/index.php/api/getdetails?data={%22id%22:%221%22,%22keyword%22:%22antivirus%22,%22count%22:%225%22,%22country%22:%22[country]%22}

     Based on Bleeping Computer's tests, the only country for which this server returns a configuration file is India. The content of the configuration file also makes us believe Crusader is still in development because many options contained the word "demo" and appeared to be placeholder settings.

     Below, we'll go over Crusader's config file, one block at a time.

        "data": {
            "userid": "1",
            "default_search_url": "https:\/\/www.google.co.in",
            "default_homepage": "https:\/\/www.google.co.in",
            "default_setting_status": "true",
            "popup_status": "true",
            "popunder_status": "",
            "textdisplayads_status": "true",
            "searchmarketing_status": "true",
            "urlredirection_status": "true",
            "broadredirection_status": "true",
            "banner_status": "true",
            "banner_replacement_status": "true",
            "popupOverlay_status": "true",
            "catfishbanner_status": "true",
            "object_browser_status": "true",
            "search_text": "antivirus",
            "splitwindow_status": "true",
            "youtube": [ ],

     The above block shows that Crusader has the ability to change the browser's homepage and default search engine settings to the crook's provided URL. Currently, both values are google.co.in, the official URL of Google India.

     Other settings reveal that Crusader was conceived with intentions to show popup ads, popunder ads, insert banner ads on top of other websites, replace existing page banners, and redirect users to specific URLs. Each of these features can be turned on or off, based on the latest configuration file crooks upload to their C&C server.

     The config snippet below directs Crusader to display a pop-up containing the configured site when a user searches for a particular keyword. In this example, if a user searches for "quickbook support" it will open a popup that displays www.preranatechnologies.net, while if you search for "free movies" it displays www.esolvz.net.

        "keywordlist": {
            "popup_compaign_name1": "Quickbook Campaign",
            "popup_includekeyword1": "quickbook support",
            "popup_url1": "www.preranatechnologies.net",
            "popup_exclude_url1": "",
            "popup_browser1": "Internet_Explorer,Chrome,Firefox",
            "popup_exclude_macadd1": "",
            "popup_frequency_date1": "02\/01\/2023",
            "popup_filter_ip1": "0",
            "popup_compaign_name2": "demo",
            "popup_includekeyword2": "free movies",
            "popup_url2": "www.esolvz.net",
            "popup_exclude_url2": "",
            "popup_browser2": "Internet_Explorer,Chrome,Firefox",
            "popup_exclude_macadd2": "",
            "popup_frequency_date2": "02\/20\/2018",
            "popup_filter_ip2": "0"
        },

     More campaigns could be added in this block, to show more popups, advertising other sites, all depending on the list of preconfigured keywords.

     The config snippet below directs Crusader to open a new unfocused window (popunder ad) for amazingdeals.online/daily_deals/ every time the user navigates to amazon.co.uk.

        "popunderlist": {
            "popunder_include_url1": "amazon.co.uk",
            "popunder_url1": "http:\/\/amazingdeals.online\/daily_deals\/",
            "popunder_exclude_url1": "",
            "popunder_compaign_name1": "demo",
            "popunder_browser1": "Internet_Explorer,Chrome,Firefox"
        },

     The next block is currently empty, but we presume it's a feature to insert or replace ads in Google or Bing search results themselves or to convert text on a page into clickable advertisements.

        "TextDisplayaddslist": [ ],

     Now, this is the most interesting block, because its settings tell the adware to snoop on search queries and replace the contact number for various security products.

        "searchMarketinglist": {
            "antivirus_keyword1": "dell support number",
            "antivirus_contact1": "8622009987",
            "antivirus_exclude_macadd1": "",
            "antivirus_browser1": "Internet_Explorer,Chrome,Firefox",
            "antivirus_filter_ip1": "0",
            "antivirus_keyword2": "norton support number",
            "antivirus_contact2": "9143109610",
            "antivirus_exclude_macadd2": "",
            "antivirus_browser2": "Internet_Explorer,Chrome,Firefox",
            "antivirus_filter_ip2": "0"
        },

     Currently, the adware will replace the phone number returned in search results for Dell and Norton whenever the user searches for "dell support number" or "norton support number." We presume more options could be added to target other antivirus vendors.

     This is both a self-defense mechanism and a marketing tool. If users detect something wrong with their browser and look up the support number in Google, instead of the legitimate number being displayed, Crusader will rewrite the text and display a different number. When a user calls this number they will be redirected to a tech support call center, where an operator disguising themselves as a representative of those two companies might sell him services or products he doesn't need.

     The next block tells the Crusader adware to redirect all search queries for "hotel goa" to Hilton.com. In the future, expect links with affiliate IDs in this section, as the crook could earn a nice profit by driving traffic to certain websites.

        "redirectionlist": {
            "urlredirection_compaign_name1": "demo",
            "urlredirection_current_url1": "hotel goa",
            "urlredirection_target_url1": "www.hilton.com",
            "urlredirection_frequency_time1": "150 views",
            "urlredirection_exclude_macadd1": "",
            "urlredirection_frequency_date1": "2\/20\/2018",
            "urlredirection_filter_ip1": "0"
        },

     The following block is currently empty; we presume this is another URL redirection system that also hijacks search results. The term "broad" might imply this is a more generic en-masse URL redirection mechanism.

        "broadredirectionlist": [ ],

     The next block tells Crusader to replace banner ads with the crook's own. Currently, this block loads a generic banner that links to Facebook.

        "bannerreplacement_list": {
            "replace_compaign_name1": "demo",
            "replace_url1": "https:\/\/www.facebook.com\/",
            "banner_name1": "BR00036",
            "sponsor_type1": "facebook",
            "replace_banner1": "http:\/\/demo1.geniesoftsystem.com\/Crusader\/uploads\/banners\/aerojetobj_1487159946_1487911841.jpg",
            "exclude_macadd1": "",
            "banner_replacement_frequency_date1": "2\/20\/2018",
            "banner_replacement_filter_ip1": "0"
        },

     We haven't seen the following feature in action, but we presume it's another keyword search hijacking feature.

        "splitwindow_list": {
            "Advertisement_compaign_name1": "demo",
            "Advertisement_URL1": "http:\/\/preranatechnologies.net\/",
            "Your_Keyword1": "vicidial",
            "Search_Engine1": "Google,Yahoo,Bing",
            "split_window_frequency_date1": "2\/20\/18",
            "split_window_filter_ip1": "0"
        },

     The code below is used to show popup ads when users visit a certain website, in this case, wow.com. The banners show a fake antivirus alert and are obvious lures for tricking users into calling tech support scammers.

        "popupoverlaylist": {
            "overlay_compaign_name1": "demo",
            "overlay_include_url1": "http:\/\/www.wow.com\/",
            "banner_name1": "P0002",
            "overlay_banner1": "http:\/\/demo1.geniesoftsystem.com\/Crusader\/uploads\/banners\/file-system-warning (US1)_1487948400.gif",
            "overlay_frequency_date1": "2\/20\/2018",
            "overlay_compaign_name2": "demo",
            "overlay_include_url2": "www.cyboscan.com",
            "banner_name2": "P0004",
            "overlay_banner2": "http:\/\/demo1.geniesoftsystem.com\/Crusader\/uploads\/banners\/file-system-warning-(US2)_1487955020.gif",
            "overlay_frequency_date2": "2\/20\/2018",
            "overlay_compaign_name3": "demo",
            "overlay_include_url3": "www.facebook.com",
            "banner_name3": "P0005",
            "overlay_banner3": "http:\/\/demo1.geniesoftsystem.com\/Crusader\/uploads\/banners\/file-system-warning-(AU)_1489010023.gif",
            "overlay_frequency_date3": "2\/20\/2018"
        },

     You can see an example of an injected ad below.

     These last two blocks in the configuration file are for injecting floating banners on top of other sites, at the bottom of the browser window.

        "catfishbannerlist": {
            "cat_compaign_name1": "demo",
            "cat_url1": "www.bing.com",
            "banner_name1": "C0002",
            "cat_frequency_time1": "150 views",
            "cat_banner1": "< body >< center >< a href=\"http:\/\/www.yahoo.com\" target=\"blank\">< img src=\"http:\/\/demo1.geniesoftsystem.com\/Crusader\/uploads\/download3.jpg\" border=\"0\" height=\"89\" width=\"727\"\/>< \/a>< \/center>",
            "catfish_frequency_date1": "2\/20\/2018",
            "cat_filter_ip1": "0"
        },
        "bannerinjection": {
            "banner_compaign_name1": "demo",
            "banner_url1": "www.ask.com",
            "banner_header1": "< body>< center>< a href=\"\" target=\"blank\">< img src=\"http:\/\/demo1.geniesoftsystem.com\/Crusader\/uploads\/82e85b2a94b3d4371b42189b9d69eb05.jpg\" border=\"0\" height=\"89\" width=\"727\"\/>< \/a>< \/center>",
            "banner_footer1": "< body>< center>< a href=\"\" target=\"blank\">< img src=\"http:\/\/demo1.geniesoftsystem.com\/Crusader\/uploads\/ithaca-nightlife-night-life-astro-image-1001.jpg\" border=\"0\" height=\"89\" width=\"727\"\/>< \/a>< \/center>",
            "banner_name1": "B0002",
            "banner_excludemacadd1": "",
            "banner_frequency_date1": "2\/20\/2018",
            "banner_filter_ip1": "0"
        }

     The config file currently shows these banners on top of the Ask.com and Bing homepages, but they could be overlaid, in theory, on top of any website.

     At this point Crusader appears to be in a testing mode, but if it is currently live or becomes live, you can use this guide to remove Crusader from your system.

     Article source
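An added triage helper, not Bleeping Computer's or the adware's own code: it parses a config in the flat, numbered-key shape walked through above and lists which feature switches are on and what the keyword-popup, phone-number-rewrite and search-redirect entries would make the extension do. SAMPLE_CONFIG is a constructed subset in that shape, using values quoted in the post; the output keys are this example's own.

```python
"""Triage a Crusader-style config (added example; not Bleeping Computer's or
the adware's code). Each feature block uses flat numbered keys, e.g.
"antivirus_keyword1"/"antivirus_contact1"; this groups them into records and
summarises what the config would make the extension do. SAMPLE_CONFIG is a
constructed subset, in the same shape and with values taken from the post."""
import json
import re
from collections import defaultdict

SAMPLE_CONFIG = r'''{"data": {
    "userid": "1",
    "default_search_url": "https:\/\/www.google.co.in",
    "default_homepage": "https:\/\/www.google.co.in",
    "default_setting_status": "true",
    "popup_status": "true",
    "popunder_status": "",
    "searchmarketing_status": "true",
    "urlredirection_status": "true",
    "search_text": "antivirus",
    "keywordlist": {
        "popup_compaign_name1": "Quickbook Campaign",
        "popup_includekeyword1": "quickbook support",
        "popup_url1": "www.preranatechnologies.net",
        "popup_browser1": "Internet_Explorer,Chrome,Firefox",
        "popup_compaign_name2": "demo",
        "popup_includekeyword2": "free movies",
        "popup_url2": "www.esolvz.net",
        "popup_browser2": "Internet_Explorer,Chrome,Firefox"
    },
    "TextDisplayaddslist": [ ],
    "searchMarketinglist": {
        "antivirus_keyword1": "dell support number",
        "antivirus_contact1": "8622009987",
        "antivirus_keyword2": "norton support number",
        "antivirus_contact2": "9143109610"
    },
    "redirectionlist": {
        "urlredirection_compaign_name1": "demo",
        "urlredirection_current_url1": "hotel goa",
        "urlredirection_target_url1": "www.hilton.com"
    }
}}'''

# "popup_url12" -> field "popup_url", index 12
_NUMBERED = re.compile(r"^(?P<field>.*?)(?P<idx>\d+)$")


def group_numbered(block):
    """{"x_keyword1": a, "x_contact1": b, "x_keyword2": c} ->
    [{"x_keyword": a, "x_contact": b}, {"x_keyword": c}], ordered by index.
    Unused blocks are empty lists in the real config and yield no records."""
    if not isinstance(block, dict):
        return []
    records = defaultdict(dict)
    for key, value in block.items():
        m = _NUMBERED.match(key)
        if m:
            records[int(m.group("idx"))][m.group("field")] = value
    return [records[i] for i in sorted(records)]


def enabled_features(data):
    """The '*_status' switches; only the literal string "true" enables one."""
    return sorted(k[: -len("_status")] for k, v in data.items()
                  if k.endswith("_status") and v == "true")


def triage(config_text):
    """Summarise the behaviours a config turns on. The keys of the returned
    dict are ours; the block and field names are the adware's own."""
    data = json.loads(config_text)["data"]
    return {
        "enabled": enabled_features(data),
        "homepage": data.get("default_homepage"),
        "search_engine": data.get("default_search_url"),
        # search-result phone-number rewrites: the tech-support-scam hook
        "phone_rewrites": {r["antivirus_keyword"]: r["antivirus_contact"]
                           for r in group_numbered(data.get("searchMarketinglist"))},
        "keyword_popups": {r["popup_includekeyword"]: r["popup_url"]
                           for r in group_numbered(data.get("keywordlist"))},
        "search_redirects": {r["urlredirection_current_url"]: r["urlredirection_target_url"]
                             for r in group_numbered(data.get("redirectionlist"))},
        "text_ads": group_numbered(data.get("TextDisplayaddslist")),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```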
  9. Google takes down Chamois Google has just taken down a huge family of malicious Android apps it named Chamois. According to the company, these apps may have infected millions of devices. Chamois, named after a type of mountain goat, is just the latest attempt to take advantage of the massive Android range of devices in a large-scale ad fraud. In the past, Hummingbad infected about 10 million devices at its peak, earning the attackers behind it over $300,000 a month. "We detected Chamois during a routine ad traffic quality evaluation. We analyzed malicious apps based on Chamois and found that they employed several methods to avoid detection and tried to trick users into clicking ads by displaying deceptive graphics. This sometimes resulted in downloading of other apps that commit SMS fraud. So we blocked the Chamois app family using Verify Apps and also kicked out bad actors who were trying to game our ad system," reads a blog post signed by the company's Security Software Engineers Bernhard Grill, Megan Ruthven and Xin Zhao. Given Google's previous experience with ad fraud apps like this one helped quite a bit in taking swift action to protect Android users and advertisers alike. The intricacies of Chamois It seems the malicious apps didn't appear in the device's app list so users couldn't even see it to uninstall it, as it often happens with this type of tools. This is where Verify Apps comes into play, a tool Google developed to help users discover potentially harmful applications and delete them. According to Google, Chamois was one of the largest families of malicious apps seen on Android to date, being distributed through multiple channels. Chamois had a number of features that made it unusual. For instance, its code was executed in 4 distinct stages using different file formats. This multi-stage process made it more complicated to immediately identify apps in this family as harmful because the layers have to be peeled first to reach the malicious part. 
The Chamois family

The Chamois family apps could also evade detection by using obfuscation and anti-analysis techniques, which were countered by Google's systems. Furthermore, the apps also used a custom, encrypted file storage for their config files, as well as additional code that required deeper analysis to understand the dangers of the app. Google says it went through more than 100,000 lines of sophisticated code to better understand Chamois. The company did not reveal any of the infected app names, but we assume they've all been taken care of already. Source
10. Smart adware spent two months on Google Play

A new type of adware using precision targeting has been found in apps across Google Play. Dubbed "Skinner," this new adware was found in an app providing game related features. According to researchers from Check Point, the app was downloaded by over 10,000 users, hiding from Google's heavy scrutiny for two months. After its discovery, Google was informed, and the app vanished from the app store. It seems the adware can track the users' location and actions, executing malicious code without the user's permission. Adware isn't exactly a new type of threat against users, but Skinner comes with new tactics to evade detection and maximize profits by targeting users with "unprecedented precision."

What's Skinner?

Researchers explain that the malware contains a malicious library. Once unpacked, Skinner hides the malicious components of the code to avoid detection. Once the malware detects a user activity, which includes opening an app, the malicious activity begins. The tool checks a number of conditions before launching, such as a connected debugger or emulator hardware, in order to evade detection by researchers and security tools. The malware sends data about the phone and the user to its C&C server, including the location and running apps, requesting ads to display. "Skinner uses an advanced logic to display illegitimate ads to the user, without raising his suspicion, and raise the probability he will click on them. Instead of simply displaying any ad, the malware checks which type of app the user is using at a given moment and displays a suitable ad. This is a completely new behavior for a mobile adware," researchers say of the malware's unique behavior. The ads display for four app categories - navigation apps, caller apps, utility apps, and browser apps. Regularly, adware relies on mass spread to generate large profits. Skinner, however, focuses on the users' habits and the apps they use to increase the click chances, while also minimizing the risks of being caught. Source
11. Ultra Adware Killer overview

Ultra Adware Killer is a simple but powerful adware and malware remover for Windows, which has the ability to scan all the users in a system. This can save you lots of time logging in to other user accounts and performing the scan again. Ultra Adware Killer removes browser toolbars, add-ons, plugins, unwanted search providers and hijacked home pages, potentially unwanted programs (PUPs), and also rogues, trojans, rootkits, ransomware and all other forms of malware. It also allows you to optionally reset the browsers' configuration, allowing them to run as smoothly as when they were installed. Click here for more info. Ultra Adware Killer was built to be fast, simple and effective. Usually you just need to press the Scan button, wait until the scan ends, and then remove the items found. Normally the whole operation takes only a few minutes. For more information, please see our help content. Ultra Adware Killer is also part of our premium tool UVK - Ultra Virus Killer.

Homepage: http://www.carifred.com/ultra_adware_killer/
Download: http://www.carifred.com/ultra_adware_killer/UltraAdwareKiller.exe
12. GridinSoft Trojan Killer

GridinSoft Trojan Killer is an advanced program to clean your computer of all malicious threats! If you are a regular internet user, you should take steps to protect your personal information against cyber-criminals. Trojan Killer can help you in this matter! The program quickly identifies and immediately removes dangerous malicious Trojans, spyware and adware, malware that blocks and restricts the operation of security tools, keyloggers, etc., before irreversible painful events arrive in the form of stolen accounts, passwords, credit card numbers, and personal, corporate and other information. Trojan Killer is designed specifically to disable / remove malware without the user having to manually edit system files or the registry. The program also removes the additional system modifications that are ignored by some standard antivirus scanners. Trojan Killer scans ALL the files loaded at boot time for adware, spyware, remote access Trojans, Internet worms and other malware. Trojan Killer works within the security system to provide security in computer systems. The program will help you get rid of annoying adware, malware and other rogue tools. It is very important to restore control over your computer and not let anyone use your data.

Additional tools:

Reset Internet Explorer Home / Start / Search Page settings
Some malware programs make changes to the Internet Explorer Home, Start and Search Page settings in order to redirect the web browser to different websites. This utility will reset the Home / Start / Search pages to the standard defaults. You can then manually reset your Home Page to your website of choice (or leave it "blank", the default).

Restore the HOSTS file
The Windows HOSTS file is a text file which stores website addresses. The file can be used to speed up access to websites you visit often: by mapping the website name to its DNS address, the web browser can find the website more quickly, as it does not have to query a DNS name server. Some malware programs add entries to this file, either to deny access to websites (usually security-related websites or antivirus company sites) or to redirect access to websites of their choosing.

Reset Windows Update policy
Some malware programs attempt to prevent Windows Update from running, and inhibit access to resetting Windows Update, by blanking out the Windows Update options in the Configure Update dialog.

Website: http://www.gridinsoft.com
OS: Windows XP / Vista / 7 / 8
Language: Ml
Medicine: Patch / Keymaker
Size: 46,00 Mb.
13. By Casey Johnston - Jan 28 2014, 7:00am AUSEST

Updates turned some Chrome add-ons malicious; not all browsers allow that.

Customers complain about activity tracking in CRXMouse on Chrome, a particularly invasive add-on.

In a recent revelation by OMG Chrome and the developer of the Chrome extension Add to Feedly, it came to light that Chrome extensions are capable of changing service or ownership under a user's nose without much notification. In the case of Add to Feedly, a buyout meant thousands of users were suddenly subjected to injected adware and redirected links. Chrome's regulations for existing extensions are set to change in June 2014. The changes should prevent extensions from being anything but simple and single-purpose in nature, with a single visible UI surface in Chrome and a single browser action or page action button, like the extensions made by Pinterest or OneTab. This has always been the policy, per a post to the Chromium blog back in December. But going forward, it will be enforced for all new extensions immediately and for all existing extensions retroactively beginning in June. Given how Chrome's system of updates, design restrictions, and ownership seemed to have gotten ahead of itself, we decided to take a look at the policies of other browsers to see if their extensions could be subjected to a similar fate. While Chrome isn't the only browser where an Add To Feedly tale could be spun, it seems to be the most likely place for such an outcome.

Firefox

Mozilla's Firefox differs from Chrome in that it has an involved review system for all extensions that go from developers to the front-end store. Reviewers will reject an extension if it violates any of the rules in Firefox's extension development documents. One of these rules is no surprises: an add-on can't do anything it doesn't disclose to users, and existing add-ons can't change their functionality without notifying the user and getting their permission.
Firefox puts add-ons with unexpected features, like advertising that supports the add-on financially, into a separate category. Users have to explicitly opt-in to these features, says Jonathan Nightingale, vice president of Firefox. This means that in these cases, users will see a screen offering them the additional features, says Nightingale. One example is FastestFox, which pops a tab at first install asking the user to enable ad injection from Superfish. It's how developers implement these opt-in screens that could provide for a possible loophole; the addition of advertising might be obscurable by language, and data tracking could be, too (it's permitted under Firefox's rules, but it must be disclosed in a privacy policy). Still, the review policy and need for opt-in for these more pernicious features both help prevent users from having new functionality sprung on them.

Safari

Safari has extensive design documents for its extensions but no central clearinghouse for them like other browsers. Apple keeps a gallery of a chosen few extensions that must meet certain regulations, but these represent a small fraction of the extensions available. Data tracking of an extension's users is possible, per the design docs, as is ad manipulation. Unlike Chrome, but like Firefox, the download and installation of Safari extension updates must be manually approved by the user. There are no regulations for disclosing functionality changes or changes of ownership, however.

Internet Explorer

Microsoft's browser absolves itself of responsibility for add-ons on a support page where it states, "While add-ons can make your browsing experience better by giving you access to great Web content, some add-ons can pose security, privacy, or performance risks. Make sure any add-ons you install are from a trusted source." Add on at your own risk. Like Apple, Microsoft maintains an exclusive gallery of vetted add-ons.
The company encourages extension makers to get user consent for unexpected add-on functionality, but it doesn't require it or block extensions that don't do it. Markup-based extensions can only be installed from within the browser, and therefore these must have the user's explicit consent according to Microsoft. Other than this infrastructure, nothing prevents IE add-ons from doing things like injecting ads or redirecting a browsing experience (remember, this was the former home of the invasive toolbar add-on). IE10 does have an add-on management window, but some add-ons, like the ad-injecting Buzzdock, have to be removed as if they are full-fledged applications.

Uninstalling a particularly invasive IE add-on.

Opera

The latest versions of Opera are able to use Chromium extensions, but unlike Chrome ones, they get a review process that's similar to Firefox's. Most importantly in Opera, there are restrictions on the types of scripts an extension can run and how they handle ads. Andreas Bovens, head of developer relations at Opera Software, told Ars in an e-mail that Opera doesn't allow extensions that include ads or tracking in content scripts, so extensions that, for example, inject ads inside webpages the user visits are not allowed. Extensions can, however, have ads in their options pages or in the pop-up that is triggered by their button in the browser's interface. Every extension gets a review, and the review team takes special care to suss out the nature of any obfuscated JavaScript code. If some of the code is obfuscated, reviewers ask the developers for the unobfuscated code to look at as well as a link to the obfuscation tool. That way we can check that the input and output indeed match, Bovens says. When an extension's ownership is transferred or the extension is updated, it's subject to the same rigorous review process as an extension that's being submitted for the first time, according to Bovens.
An extension that goes from having no ads to injecting ads, as some Chrome extensions do, simply would not pass [Opera's] review process, Bovens says.

Retiring to the not-so-Wild West?

While Chrome extensions may have a better ideology than those of some other browsers, the breadth and depth of functionality that Chrome extensions can have without any kind of review process means that Chrome users' trust can get taken for granted. It's similar to the Google Play app store, in that way: pretty much anything can make it to the market, but enough user complaints can get it taken down, as in the case of Add to Feedly and Tweet This Page. Based on policy and practice, users who heavily rely on extensions or have been made wary of them by developers' recent transgressions may be safer on browsers like Firefox and Opera, where regulations are a bit stricter and there are people to police them. But there can be downsides to a vetting process, too, mainly in terms of rate-limiting iteration and improvements, so it's a matter of weighing options.

Former home? This is the current home for an awful lot of crapware add-ons, like Conduit's search hijacker, or the Ask.com toolbar that still hasn't died a thousand deaths, even though it should.

http://arstechnica.com/business/2014/01/seeking-higher-ground-after-chrome-extension-adwaremalware-problems
  14. Google has removed two Chrome extensions from its store due to the way they were serving ads to users. The extensions in question, Add to Feedly and Tweet This Page, both started life as useful additions to Google's web browser, but were soon serving users pop-ups and other intrusive ads. The reason for the sudden change in behavior? In Add to Feedly's case, at least, it was purchased from its developer and quickly began serving ads to its 30,000 users. In a blog post, Add to Feedly developer Amit Agarwal describes how he got an email presenting "a four-figure offer for something that had taken an hour to create." As you'd expect, the developer decided to cash in, but a month on realized the new owners of the extension silently updated it to serve ads. "These aren't regular banner ads," says Agarwal, "these are invisible ads that work [in] the background and replace links." The issue was picked up by OMG Chrome and Ars Technica, both of which suspect the issues aren't limited to Add to Feedly and Tweet This Page. The suggestion is that advertisers regularly buy popular extensions and transform them into adware. This appears to be backed up by the developer of the popular Honey extension, who claimed last weekend he too was approached by advertisers about selling the add-on. Shortly after the articles were published, Google took action against the rogue extensions, citing a December change to its policies that outlaws complex changes to websites by extensions, according to The Wall Street Journal. Although the changes aren't due to be enforced until June, Google has clearly taken a harder stance on such flagrant abuse. Agarwal, for his part, admits "it was probably a bad idea" to sell Add to Feedly, and apologizes to users affected by the adware. Source
15. By Ron Amadeo - Jan 18 2014, 10:10am AUSEST

Once in control, they can silently push new ad-filled "updates" to those users.

One of the coolest things about Chrome is the silent, automatic updates that always ensure that users are always running the latest version. While Chrome itself is updated automatically by Google, that update process also includes Chrome's extensions, which are updated by the extension owners. This means that it's up to the user to decide if the owner of an extension is trustworthy or not, since you are basically giving them permission to push new code out to your browser whenever they feel like it. To make matters worse, ownership of a Chrome extension can be transferred to another party, and users are never informed when an ownership change happens. Malware and adware vendors have caught wind of this and have started showing up at the doors of extension authors, looking to buy their extensions. Once the deal is done and the ownership of the extension is transferred, the new owners can issue an ad-filled update over Chrome's update service, which sends the adware out to every user of that extension. We ought to clarify here that Google isn't explicitly responsible for such unwanted adware, but vendors are exploiting Google's extension system to create a subpar—and possibly dangerous—browsing experience. Ars has contacted Google for comment, but we haven't heard back yet. We'll update this article if we do. A first-hand account of this, which was first spotted by OMGChrome, was given by Amit Agarwal, developer of the "Add to Feedly" extension. One morning, Agarwal got an e-mail offering "4 figures" for the sale of his Chrome extension. The extension was only about an hour's worth of work, so Agarwal agreed to the deal, the money was sent over PayPal, and he transferred ownership of the extension to another Google account.
A month later, the new extension owners released their first (and so far only) update, which injected adware on all webpages and started redirecting links. Chrome's extension auto-update mechanism silently pushed out the update to all 30,000 Add to Feedly users, and the ad revenue likely started rolling in. While Agarwal had no idea what the buyer's intention was when the deal was made, he later learned that he ended up selling his users to the wolves. The buyer was not after the Chrome extension, they were just looking for an easy attack vector in the extension's user base. This isn't a one-time event, either. About a month ago, I had a very simple Chrome extension called "Tweet This Page" suddenly transform into an ad-injecting machine and start hijacking Google searches. A quick search for the Chrome Web Store reveals several other extensions that reviewers say suddenly made a U-turn from useful extension to ad-injector. There is even an extension that purports to stop other extensions from injecting ads. Injected ads are allowed in Chrome extensions, but Google's policy states that which app the ads are coming from must be clearly disclosed to the user, and they cannot interfere with any native ads or the functionality of the website. When malicious apps don't follow Google's disclosure policy, diagnosing something like this is extremely difficult. When Tweet This Page started spewing ads and malware into my browser, the only initial sign was that ads on the Internet had suddenly become much more intrusive, and many auto-played sound. The extension only started injecting ads a few days after it was installed in an attempt to make it more difficult to detect. After a while, Google search became useless, because every link would redirect to some other webpage. My initial thought was to take an inventory of every program I had installed recently—I never suspected an update would bring in malware. I ran a ton of malware/virus scanners, and they all found nothing. 
I was only clued into the fact that Chrome was the culprit because the same thing started happening on my Chromebook—if I didn't notice that, the next step would have probably been a full wipe of my computer. The difficult part of this for users is that normal removal techniques will not work. Virus scanners are unlikely to flag ad-injecting JavaScript as malicious. Extensions are synced to your Google account, which means that even wiping out a computer and reinstalling the OS will not remove the malware—signing in to Chrome will just download it again. The only way to be rid of the malware is to find the extension in chrome://extensions and remove it—and to make sure the removal gets propagated to your account and down to all your other devices. Even when you have it narrowed down to Chrome, since nothing detects a malicious Chrome extension, the best course of action is to meticulously check the latest reviews of every extension and hope that someone else has figured out where the ads are coming from.

What can users do to protect themselves?

It's very hard to keep yourself in the loop with Chrome extension updates. Extensions usually don't have changelogs, and there is currently no way to disable extension auto-updating. One way to stay at least slightly informed of what is going on is to install an extension that will notify you when your other extensions get updated. Other than that, the only other option is to stop using extensions entirely, which is a little extreme. Just keep an eye on the simpler extensions from smaller extension makers—those are the ones at most risk of being gobbled up by a malicious entity. Chrome will require your approval if an extension adds new permissions, but the magic permission that allows ad-injecting is called "access your data on all web pages," which many legitimate extensions already use.
A malicious extension buyer could even look for an extension that already uses this permission so that their update will arouse the least suspicion among current users. The reality, though, is that while it's extremely easy for a novice user to install an extension, it's nearly impossible for them to diagnose and remove an extension that has turned sour, and Chrome Sync will make sure that extension hangs around on all their devices for a long time. The author of Add to Feedly stated that his extension had around 30,000 users before it was sold and packed full of ads. Today, despite the flood of unhappy user reviews, the Chrome Web Store shows 31,548 users. Auto-updating from a trusted source is one thing, but when that user trust can be bought and sold—and extension ownership can change hands without the users being informed—something needs to be done. http://arstechnica.com/security/2014/01/malware-vendors-buy-chrome-extensions-to-send-adware-filled-updates/?
16. Jorge Cárdenas

SourceForge installers

Please put direct links without SourceForge installers, or at least warn about unwanted optional software. My antivirus software doesn't allow me to run or even download SourceForge installers, and I will not allow it to do so. Some software developers offer direct download without SourceForge installers. I don't know if Ares is one of them, because I can't find any direct link. Thanks for the excellent work in this wonderful site.