
Think Twice Before Using Google To Download Software, Researchers Warn (arstechnica.com)

(Friday February 03, 2023 @10:30PM (BeauHD) from the heads-up dept.)


Searching Google for downloads of popular software has always come with risks, but over the past few months, [1]it has been downright dangerous , according to researchers and a pseudorandom collection of queries. Ars Technica reports:

> "Threat researchers are used to seeing a moderate flow of malvertising via Google Ads," volunteers at Spamhaus [2]wrote on Thursday. "However, over the past few days, researchers have witnessed a massive spike affecting numerous famous brands, with multiple malware being utilized. This is not 'the norm.'"

>

> The surge is coming from numerous malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader. In the past, these families typically relied on phishing and malicious spam that attached Microsoft Word documents with booby-trapped macros. Over the past month, Google Ads has become the go-to place for criminals to spread their malicious wares that are disguised as legitimate downloads by impersonating brands such as Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, Tor, and Thunderbird.

>

> On the same day that Spamhaus published its report, researchers from security firm Sentinel One [3]documented an advanced Google malvertising campaign pushing multiple malicious loaders implemented in .NET. Sentinel One has dubbed these loaders MalVirt. At the moment, the MalVirt loaders are being used to distribute malware most commonly known as XLoader, available for both Windows and macOS. XLoader is a successor to malware also known as Formbook. Threat actors use XLoader to steal contacts' data and other sensitive information from infected devices. The MalVirt loaders use obfuscated virtualization to evade end-point protection and analysis. To disguise real C2 traffic and evade network detections, MalVirt beacons to decoy command and control servers hosted at providers including Azure, Tucows, Choopa, and Namecheap.

"Until Google devises new defenses, the decoy domains and other obfuscation techniques remain an effective way to conceal the true control servers used in the rampant MalVirt and other malvertising campaigns," concludes Ars. "It's clear at the moment that malvertisers have gained the upper hand over Google's considerable might."



[1] https://arstechnica.com/information-technology/2023/02/until-further-notice-think-twice-before-using-google-to-download-software/

[2] https://www.spamhaus.com/resource-center/a-surge-of-malvertising-across-google-ads-is-distributing-dangerous-malware/

[3] https://www.sentinelone.com/labs/malvirt-net-virtualization-thrives-in-malvertising-attacks/



shocker! (Score:4, Informative)

by Osgeld ( 1900440 )

the internet is full of shitbags, news at 11

here's a fucking thought: how about people develop defenses as well? Average people moved off to "apps" and "stores" a decade or more ago, meaning grandma isn't downloading WinZip and bombing her PC anymore... the rest of us should know goddamned better when downloading a program and the website is "softdickinformerrrer.ru" at the top of Google's shitty search

it's not like we haven't endured a decade of clicking on a download link on a legit site and the shitbag page has 90 ads with green "download now" buttons on it (looking at you UltraVNC, get your shit together already, it's not 2006 anymore)

Re: (Score:2)

by fahrbot-bot ( 874524 )

> the internet is full of shitbags, news at 11

(sadly): s/internet/world/

Bad Headline (Score:3)

by Caro Cogitatus ( 7226002 )

Think Twice Before Using Google Advertisements To Download Software

Which no one should be doing in the first place, unless you're also in the habit of clicking links in emails from random people.

Re: (Score:2)

by Osgeld ( 1900440 )

or my favorite, click ok on any random dialog box that appears on your screen

Re: (Score:3)

by KiloByte ( 825081 )

Even shorter: Think Twice Before Using Google

Re: (Score:2)

by quonset ( 4839537 )

> Think Twice Before Using Google Advertisements To Download Software

> Which no one should be doing in the first place, unless you're also in the habit of clicking links in emails from random people.

Oddly enough, I received an email from our IT security today saying a user did just that. Now the machine needs to be reimaged.

Re: (Score:2)

by Antique Geekmeister ( 740220 )

Some of them are insidious. Sourceforge, or what's left of it, is profoundly worse. A few old open source authors still host their content there, which I'd consider a mistake for any serious open source author. The "download this source code" pages are deliberately cluttered with adware behind "CLICK HERE!!!" buttons, and the actual software download is quite obscure.

Use VirusTotal to check ANY new software. Free. (Score:2)

by Futurepower(R) ( 558542 )

Use [1]VirusTotal [virustotal.com] to check ANY new software.

VirusTotal is free. It checks uploaded files using software from many security vendors.

[1] https://www.virustotal.com/gui/home/upload
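One way to do this check from a script, as an added example that is neither the commenter's code nor anything from VirusTotal, Ars, Spamhaus or SentinelOne: hash the downloaded installer locally and look the hash up against VirusTotal's v3 file-report endpoint before deciding whether to upload the file at all (a hash lookup does not share the binary with anyone, an upload does). The sample responses embedded below are constructed for the example, not captured from VirusTotal; the API key, file name and verdict thresholds are assumptions.

```python
"""Check a freshly downloaded installer against VirusTotal by SHA-256.

Added example; not code from the article or from any vendor it names.
Assumes the VirusTotal API v3 file-report endpoint and x-apikey header.
"""
import hashlib
import json
import urllib.error
import urllib.request

# VirusTotal API v3: GET /api/v3/files/{sha256} returns the existing report
# for a file VT has already seen (no upload involved).
VT_FILE_LOOKUP = "https://www.virustotal.com/api/v3/files/{sha256}"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory blob, lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """SHA-256 of a file on disk, streamed so large installers do not fill RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_lookup_request(sha256: str, api_key: str) -> urllib.request.Request:
    """Build (but do not send) the v3 hash-lookup request."""
    url = VT_FILE_LOOKUP.format(sha256=sha256)
    return urllib.request.Request(
        url, headers={"x-apikey": api_key, "accept": "application/json"}
    )


def interpret(status: int, body: str) -> dict:
    """Turn an HTTP status + JSON body into a verdict a human can act on.

    Thresholds are an assumption for this example: a couple of hits on a
    70-engine scan are often false positives, three or more rarely are.
    A 404 means VT has never seen the file; for what claims to be a popular
    installer, "never seen" is itself a warning sign, not a clean bill.
    """
    if status == 404:
        return {"verdict": "unknown", "malicious": 0, "suspicious": 0, "scanned": 0}
    report = json.loads(body)
    stats = report.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
    malicious = int(stats.get("malicious", 0))
    suspicious = int(stats.get("suspicious", 0))
    scanned = (
        malicious
        + suspicious
        + int(stats.get("undetected", 0))
        + int(stats.get("harmless", 0))
    )
    if malicious >= 3:
        verdict = "malicious"
    elif malicious or suspicious:
        verdict = "suspicious"
    elif scanned:
        verdict = "undetected"  # zero hits today != safe, especially for new samples
    else:
        verdict = "unknown"
    return {"verdict": verdict, "malicious": malicious, "suspicious": suspicious, "scanned": scanned}


def lookup_file(path: str, api_key: str) -> dict:
    """Hash a local file and query VT; network errors surface as exceptions."""
    req = build_lookup_request(sha256_of_file(path), api_key)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return interpret(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        return interpret(e.code, e.read().decode("utf-8", "replace"))


# Constructed sample responses (shape of a v3 report, values invented).
SAMPLE_REPORT_MALICIOUS = json.dumps({
    "data": {
        "type": "file",
        "id": "ab" * 32,
        "attributes": {
            "meaningful_name": "Slack-setup.exe",
            "last_analysis_stats": {
                "harmless": 0, "malicious": 41, "suspicious": 2,
                "undetected": 27, "timeout": 0, "type-unsupported": 0,
            },
        },
    }
})
SAMPLE_NOT_FOUND = json.dumps({
    "error": {"code": "NotFoundError", "message": "File \"...\" not found"}
})

if __name__ == "__main__":
    print(interpret(200, SAMPLE_REPORT_MALICIOUS))
    print(interpret(404, SAMPLE_NOT_FOUND))
```

Two things worth keeping in mind when using this for real: a hash lookup only helps once someone else has already submitted the sample, so for a fresh malvertising loader the most likely answer is "unknown" rather than "malicious", and that is exactly the case where you should also be comparing the hash against the value the vendor publishes on its own site.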

That's why I search for shareware CDs (Score:2)

by future assassin ( 639396 )

then use AstaLavista for the patch/crack.

very old news (Score:2)

by renegade600 ( 204461 )

It has always been dangerous finding software to download via google. It is nothing new.

Always been this way (Score:1)

by Ambigwitty ( 10261124 )

Google ads on search aren't the only problem, they're fucking everywhere, but I've noticed you can configure nextdns to disable most ad links with tracking like Google ads. It can be a bit of a pain when there's a link with tracking you actually want to follow, but it's usually easy enough to find a different path to the destination. Combined with ad block extension, it's a bit harder to get suckered into malvertising, etc.

What is dangerous in that? (Score:3)

by Uldis Segliņš ( 4468089 )

Who in their right mind clicks on Google ads? Any ads. Never do that. Same as never open Word documents from unknown senders or emails with weird subjects. Same as you do not lift anything up from the street and put in your mouth. Follow basic digital hygiene and most everyday threats will not affect you.

Re: (Score:3)

by sound+vision ( 884283 )

The problem is that, to continue your analogy, Google has taken food off the street, placed it onto the buffet next to the food from the kitchen, but with a little paper tab that says "Not edible" instead of "Orange chicken."

No, you shouldn't eat it, but that doesn't excuse Google from selling it, which is exactly what they're doing. They get paid off this.

If you let restaurants sicken people for profit, it doesn't matter if the people there are idiots. You will end up paying for their hospital bills anyway.

Use a Linux distro (Score:1)

by terrorubic ( 7709666 )

[1]Distro Watch [distrowatch.com]

[1] https://distrowatch.com/
