Security News Ask.com Toolbar Network Compromised Twice in Two Months

Solarquest

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
The Ask Partner Network (APN) was compromised for the second time in two months, as crooks found a way to deliver malware to computers running the Ask.com Toolbar.

The first attack took place at the end of October and start of November 2016, and was detected by security researchers from Red Canary. The second took place in December, just after APN cleaned its network, and was picked up by Carbon Black security products.

Both incidents were similar, as attackers found a way to breach the APN network and hijack the Ask.com Toolbar update process, pointing users to a malicious file, which resulted in the installation of malware on affected computers.

Crooks hijacked Ask.com Toolbar update process
For the first attack, crooks altered the Ask.com Toolbar update process to download and install a malicious update package which then used a PNG file to spawn a malicious process.

This somewhat non-standard behavior was picked up by Red Canary, who detected the attack and sounded the alarm but not before crooks compromised around ten victims.

APN intervened, cleaned their network and revoked the digital certificate (issued in their name), which crooks used to sign the malicious update package. APN then issued a new digital certificate to sign future updates.

The second attack installed RAT on victim's PC

...
 
  • Like
Reactions: Ana_Filiz, Marko :), LASER_oneXM and 6 others
_CyberGhosT_

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
I am not surprised, I see them in the same light I saw Yahoo in back in the day,
something to avoid.
Since their inception I have had any variant of "Ask. com" blocked in my firewall
and Noscript as well as AdGuard.
I know "ask" fans will now tell me how wrong I am, but I was right about Yahoo, and
I know I am right for avoiding Ask ;)
Cool share Solar !
 
  • Like
Reactions: Marko :), LASER_oneXM, Deleted Member 3a5v73x and 2 others
5

509322

This statement right here:

"Both incidents were similar, as attackers found a way to breach the APN network and hijack the Ask.com Toolbar update process, pointing users to a malicious file, which resulted in the installation of malware on affected computers." (It deserves to be colored pink.)

will do nothing but add fuel to the already blazing, irrational fears of already paranoid users. In short, they will go absolutely insane-bonkerz - and irrationally extend what they read to anything and everything.

Paranoids will say "Windows Updates are next !!" Theoretically possible - yes, likelihood that it will actually happen - tiny.

Anyhow, AppGuard stops the Ask Toolbar update attack. So will a properly configured HIPS, anti-executable, and software restriction policy (SRP) such as AppLocker. Emsisoft's behavior blocker will handle it too. None of them will prevent the attack, but each one will intercede and generate an alert or simply stop it outright.

At this point, the malicious IPs\URLs have already been added to AV\IS web-filtering. Blocking the redirect to the malicious IPs\URLs prevents the attack.

Be aware that the sky is not falling... don't play into the hands of fear-mongering... learn to protect yourself.
 
Last edited by a moderator:
  • Like
Reactions: Marko :), Ink, LASER_oneXM and 5 others
5

509322

Umbra said:
@Lockdown i agree, this is not widespread infection, but just a compromised network , as it happened with Linux Mint servers; hackers uploaded a rootkit-ed version of Mint and people downloaded and installed it.
Click to expand...

Anyone that has Ask Toolbar installed on their system... well... :D

But paranoid users will point to this particular case and say "See,... look what can happen so we have 15-layer security config !" LOL... :rolleyes:
 
  • Like
Reactions: Marko :), LASER_oneXM, _CyberGhosT_ and 5 others
Atlas147

Atlas147

Level 30
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 28, 2014
1,990
Lockdown said:
Anyone that has Ask Toolbar installed on their system... well... :D

But paranoid users will point to this particular case and say "See,... look what can happen so we have 15-layer security config !" LOL... :rolleyes:
Click to expand...

Have to agree, anyone with Ask Toolbar already installed on their system probably would have no idea how to defend their computer against an attack like this :p
 
  • Like
Reactions: Marko :), LASER_oneXM, _CyberGhosT_ and 4 others
5

509322

Hanmin147 said:
Have to agree, anyone with Ask Toolbar already installed on their system probably would have no idea how to defend their computer against an attack like this :p
Click to expand...

I would think most AVs would block the download\install of the Ask Toolbar by now.

The point I am making is that it is important for someone to be able to read an article - and any connected articles - to make an informed decision instead of cherry-picking key items and making those picks out to be something that they are not. I understand not everyone can do it, but most can read an article and ask questions about what they don't understand on the security forums.

These security article authors have a vested interest in making anything and everything out to be as deadly as WW I trench warfare phosgene gas...
 
  • Like
Reactions: _CyberGhosT_, spaceoctopus, Deleted Member 3a5v73x and 1 other person
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • Wow
    • Like
Security News Cloudflare blocks largest recorded DDoS attack peaking at 3.8Tbps
Replies
0
Views
1,637
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Wow
    • +Reputation
Security News Crooks Bypassed Google’s Email Verification to Create Workspace Accounts, Access 3rd-Party Services
Replies
0
Views
2,455
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Wow
Security News Casio confirms customer data stolen in a ransomware attack
Replies
0
Views
1,482
Security News
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top