Malware News Ask.com Toolbar Updater Hijacked to Download Malware (Patched)

Ink

Technical Details - Ask Partner Network Compromise: Operational Lessons on Software Supply Chain Risk

"Ask.com Toolbar spawning suspicious process
Red Canary malware analyst Joe Moles says the company's threat detection system detected strange events when the Ask.com Toolbar's update system (apnmcp.exe) spawned secondary processes. This raised an alarm with the company's employees, who were called in to investigate the event.

Even if the apnmcp.exe process had been signed by what appeared to be a legitimate certificate, and in theory, this shouldn't have raised any warnings, something strange had triggered the threat monitoring system to react.

Researchers quickly discovered that apnmcp.exe had spawned a second-stage process, launching a file named logo.png, which then opened a network connection and downloaded 2-3 binaries at a later stage.

[...]

Crooks found a way to hijack the Ask.com Toolbar's update process
"Image files should be opened by other programs, but obviously should not execute on their own," Moles said. "Upon further inspection, it became immediately clear that we had a case of co-opted software update mechanism."

Somehow, someway, the attackers had found a way to manipulate the Ask.com Toolbar's updater and force it to carry out commands at the attacker's behest.

The good thing is that Moles says they've detected this type of attack on only ten computers."

Continue Reading - Ask.com Toolbar Updater Abused to Download Malware
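The two signals the quoted article describes, a signed updater (apnmcp.exe) spawning an unexpected child, and a process whose image is named like an image file (logo.png) that then opens a network connection, can be expressed as a simple detection over endpoint process and network telemetry. The following is an added example, not code from the original post or from Red Canary; the event fields, the allow-list of expected updater children, the non-executable extension list and all sample events are constructed for illustration.

```python
"""Added example (not part of the original post or Red Canary's tooling).

Flags two signals over constructed endpoint telemetry:
  1. a process whose executable image carries a non-executable extension
     (e.g. logo.png), escalated if that process opened a network connection;
  2. an updater process (apnmcp.exe, named in the article) spawning a child
     outside a fixed allow-list.
Event fields, allow-list contents and sample values are assumptions.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Extensions an executing image should never legitimately carry.
# Constructed list; extend for your environment.
NON_EXEC_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".pdf"}

# Updaters expected to spawn only a known set of children. The updater name
# is from the article; the allowed children are an assumption for this example.
UPDATER_CHILD_ALLOWLIST: Dict[str, Set[str]] = {
    "apnmcp.exe": {"apnmcp.exe", "msiexec.exe"},
}


@dataclass
class ProcessEvent:
    pid: int
    image: str                  # file name of the executed image
    parent_pid: Optional[int]
    parent_image: Optional[str]
    signed: bool                # code-signing status of the image


@dataclass
class NetworkEvent:
    pid: int
    dest: str


@dataclass
class Alert:
    pid: int
    reason: str


def detect(procs: List[ProcessEvent], net: List[NetworkEvent]) -> List[Alert]:
    """Return one Alert per suspicious signal. The `signed` field is deliberately
    not used to suppress alerts: as the article notes, a valid signature on the
    parent does not make an anomalous child process benign."""
    alerts: List[Alert] = []
    connected = {e.pid for e in net}
    for p in procs:
        ext = os.path.splitext(p.image)[1].lower()
        # Signal 1: an "image file" is actually running as a process.
        if ext in NON_EXEC_EXTENSIONS:
            reason = f"process image {p.image!r} has non-executable extension"
            if p.pid in connected:
                reason += " and opened a network connection"
            alerts.append(Alert(p.pid, reason))
        # Signal 2: a monitored updater spawned a child it should not.
        allowed = UPDATER_CHILD_ALLOWLIST.get((p.parent_image or "").lower())
        if allowed is not None and p.image.lower() not in allowed:
            alerts.append(Alert(p.pid, f"{p.parent_image} spawned unexpected child {p.image!r}"))
    return alerts


# Constructed telemetry modelled on the sequence the article describes:
# explorer -> apnmcp.exe -> logo.png, which then connects out.
SAMPLE_PROCS = [
    ProcessEvent(100, "explorer.exe", None, None, True),
    ProcessEvent(200, "apnmcp.exe", 100, "explorer.exe", True),
    ProcessEvent(300, "logo.png", 200, "apnmcp.exe", False),
    ProcessEvent(400, "msiexec.exe", 200, "apnmcp.exe", True),
]
SAMPLE_NET = [NetworkEvent(300, "203.0.113.10:443")]  # constructed, TEST-NET address


if __name__ == "__main__":
    for a in detect(SAMPLE_PROCS, SAMPLE_NET):
        print(f"pid {a.pid}: {a.reason}")
```

Running the block on the constructed sample yields two alerts, both for the logo.png process: one for the non-executable extension plus network activity, one for the unexpected updater child. The msiexec.exe child is on the allow-list and produces nothing, which is the trade-off of an allow-list rule: it is quiet for known-good update flows and loud for exactly the parent/child pairing that exposed this incident.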