Many forms of adware are little more than a nuisance, but on occasion an interesting sample turns up that uses novel techniques and draws the interest of researchers.
One new form of adware, known as DealPly, fits the bill. This week, enSilo researchers Adi Zeligson and Rotem Kerner said in a blog post that the malware does contain some of the typical features of adware, but goes further by being able to avoid antivirus product detection.
DealPly generally lands on a machine through legitimate software installers bundled with adware. The sample obtained by enSilo, for example, was bundled with photo cropping software.
When executed, the adware quietly installs itself into the Windows %AppData% directory. DealPly also adds itself to the Windows Task Scheduler to run every hour.
Every time the task launches, the adware will contact its command-and-control (C2) server and send an encrypted request over HTTP for instructions.
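A triage check for the persistence pattern described above (a scheduled task that repeats hourly and launches a binary from %AppData%), as an added example that is not taken from enSilo's report. It parses one task's XML, such as the output of `schtasks /query /tn <name> /xml`; the helper names, task contents and paths are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Per-user application-data locations, as environment variables or expanded paths.
APPDATA_RE = re.compile(r"%(local)?appdata%|\\users\\[^\\]+\\appdata\\", re.I)
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def interval_seconds(iso):
    """Convert the ISO 8601 duration used by Task Scheduler (e.g. PT1H) to seconds."""
    m = DURATION_RE.match(iso.strip())
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def triage_task(xml_text, max_interval=3600):
    """Return a finding if the task repeats at least hourly AND runs from AppData."""
    root = ET.fromstring(xml_text)
    intervals = [interval_seconds(e.text or "")
                 for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    frequent = [i for i in intervals if i is not None and i <= max_interval]
    commands = [(e.text or "").strip()
                for e in root.iterfind(".//t:Actions/t:Exec/t:Command", NS)]
    from_appdata = [c for c in commands if APPDATA_RE.search(c)]
    if frequent and from_appdata:
        return {"interval_s": min(frequent), "commands": from_appdata}
    return None

# Constructed samples: task contents and paths are invented for illustration.
SUSPECT = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>%AppData%\\Example\\updater.exe</Command></Exec></Actions>
</Task>"""
BENIGN = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Repetition><Interval>P1D</Interval></Repetition></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files\\Example\\update.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml_text in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage_task(xml_text))
```

Legitimate per-user updaters also create frequent tasks under AppData, so a hit is a lead for review of the binary and its network activity, not a verdict.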
The malware is modular in nature and includes machine fingerprinting, as well as virtual machine (VM) detection techniques.
The newest DealPly variant on the scene also abuses both Microsoft and McAfee reputation services to further circumvent detection.
The services, Microsoft SmartScreen and McAfee WebAdvisor, are free systems which are used to verify the risk of files and URLs. If a malicious domain, for example, is detected and blacklisted, these solutions will be able to warn users and potentially prevent the deployment of malware payloads.
This, naturally, is a problem for malware developers, as their work will only have a small window before samples are blacklisted.
“We suspect that the reason why DealPly is leveraging reputation services is to check which of its variants and download sites are compromised and won’t be effective for future infections,” the researchers say.
DealPly will collect data and query these services through multiple servers and proxies such as the Tor network.
In the case of Microsoft SmartScreen, DealPly will ask its C2 for hashes and URLs to query using the SmartScreen reputation server. The adware will then send a JSON request to the SmartScreen API, together with a Base64 shell authorization header to check and see if the server will respond with:
- UNKN: Unknown URL/File
- MLWR: Malware related URL/File
- PHSH: Phishing related URL/File
The data harvest is then forwarded to the malware’s C2 to ascertain if DealPly samples have been blacklisted.
“It is important to note that the SmartScreen API is undocumented,” enSilo notes. “This means the author has put a lot of effort in reverse-engineering the inner workings of the SmartScreen mechanism feature.”
Newer versions of McAfee WebAdvisor are also being abused. DealPly will first check and see what version of the software is in use, and if abuse conditions are met, queries are sent to the reputation service.
The query contains a parameter called “op” that is calculated with values siphoned from a WebAdvisor registry key and is believed to be used for authentication purposes. The service will then answer the query with either “red,” “yellow,” or “default” values, depending on whether or not the reputation checker deems the query content to be malicious, risky, or acceptable.
“By constantly querying reputation services they are able to automatically assess their AV detection rate and generate new samples when needed,” the researchers say. “This technique enables DealPly to always stay ahead of security solutions. This technique was initially observed when analyzing DealPly adware, yet we believe that it is only a matter of time before advanced malware operations will follow the trend.”
In related news this week, researchers from Proofpoint revealed that a new form of malware, dubbed SystemBC, creates a SOCKS5 proxy server to bypass local firewalls, circumvent Internet content filters, and connect to C2s while also disguising its IP address.