Adware from French firm runs away and hides on 12M machines
Webscum copy skilled VXers to duck antivirus, sandboxes.
Cisco's Warren Mercer and Matthew Molyett are warning that software downloaded from sites run by French firm Tuto4PC likely included trojan backdoors. The Borg's security arm, Talos, thinks some 12 million machines have been infected.
The malware-bloated software quietly downloads trash dubbed Wizz, which can steal personal information and install and run executables.
Worse, the garbageware goes to some lengths to avoid detection, using the same tricks as outright malware to hide from researcher sandboxes and making it "extremely unlikely" that users would notice it. That behaviour places it firmly under the label of trojan.
Consumers are aware of at least one of the threats: a web search for the Tuto4PC utility System Healer throws up scores of hits related to removing malware.
"The interesting development came when specific binaries failed to execute in some of our sandbox environments which led us to perform a more thorough analysis," the pair say.
"As a result, we found the install base for this software to be approximately 12 million machines across the internet.
"Installed with administrator rights, the software is able to harvest personal information, and install and launch executables uploaded by the controlling party."
Mercer and Molyett say the software will only execute its encrypted payload "under very specific circumstances", first assessing the environment in which the Wizz trojan will run, including checking for the presence of antivirus. Conditional execution of that kind is another smoking-gun indication of malware.
Further bad behaviour "exemplifies" the "definition" of a backdoor, the researchers say: its malicious activity is undisclosed and undocumented.
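The pattern Talos describes, a stager that fingerprints its surroundings and only decrypts and runs its payload when no antivirus or analysis tooling is visible, is what makes a sample "fail to execute" in a sandbox while working on a real victim's PC. The toy model below is an added example written for this article, not code from Talos or from the Tuto4PC software; the indicator lists (process names, usernames, machine sizing) and the SHA-256 XOR keystream are constructed for illustration and are not the checks the real binaries use.

```python
"""Toy model of sandbox/AV-gated execution. Added example, not Talos code.
All indicator names and the 'cipher' below are constructed for illustration."""
import hashlib
from dataclasses import dataclass

# Constructed indicator lists (assumption: illustrative names only, not from the Talos report).
AV_PROCESSES = {"msmpeng.exe", "avp.exe", "avgsvc.exe", "mcshield.exe"}
SANDBOX_PROCESSES = {"vboxservice.exe", "vmtoolsd.exe", "procmon.exe", "wireshark.exe"}
SANDBOX_USERNAMES = {"sandbox", "malware", "virus", "analyst"}


@dataclass
class Environment:
    """Snapshot of what a stager can cheaply learn about the host it runs on."""
    processes: set
    username: str
    cpu_count: int
    ram_gb: float


def evasion_indicators(env):
    """Return the reasons this host looks like an AV-protected or analysis machine.
    An empty list means the stager would treat the host as a 'real' victim."""
    procs = {p.lower() for p in env.processes}
    found = []
    if procs & AV_PROCESSES:
        found.append("antivirus process running")
    if procs & SANDBOX_PROCESSES:
        found.append("analysis tooling or VM guest agent running")
    if env.username.lower() in SANDBOX_USERNAMES:
        found.append("sandbox-style username")
    if env.cpu_count < 2 or env.ram_gb < 2:
        found.append("under-provisioned machine (typical of a sandbox VM)")
    return found


def keystream(key, length):
    """SHA-256 in counter mode as a keystream. Toy construction, not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_crypt(data, key):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def stage_payload(encrypted_payload, key, env):
    """Mimic the stager: silently bail (return None) when any indicator is present,
    otherwise decrypt and hand back the payload that would be launched."""
    if evasion_indicators(env):
        return None
    return xor_crypt(encrypted_payload, key)


# --- constructed sample data: three hosts the same binary might land on ---
KEY = b"constructed-demo-key"
PLAINTEXT_PAYLOAD = b"wizz: harvest profile, fetch and launch next executable"
ENCRYPTED_PAYLOAD = xor_crypt(PLAINTEXT_PAYLOAD, KEY)

VICTIM = Environment({"explorer.exe", "chrome.exe"}, "alice", 4, 8.0)
SANDBOX = Environment({"explorer.exe", "vboxservice.exe"}, "analyst", 1, 1.0)
AV_HOST = Environment({"explorer.exe", "MsMpEng.exe"}, "bob", 4, 8.0)

if __name__ == "__main__":
    for name, env in [("victim", VICTIM), ("sandbox", SANDBOX), ("av_host", AV_HOST)]:
        result = stage_payload(ENCRYPTED_PAYLOAD, KEY, env)
        verdict = "would run payload" if result else "exits quietly"
        print(f"{name:8s} {verdict:18s} indicators={evasion_indicators(env)}")
```

The analyst-side lesson is the one Talos drew: a sample that exits cleanly with no visible activity in one environment but behaves differently in another is itself a signal. Diffing the indicators between the run that failed and the run that worked (here, the `evasion_indicators` list) tells you which artefacts to strip from the analysis VM, or which branch to patch out, before the payload will show itself.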
"The [software] author performs all of these functions in such a way that the average user is extremely unlikely to notice them which results in a stealth collection process," the pair say. "This leads one to conclude that the author has spent a lot of time exploring and implementing ways to avoid detection."
Cisco has blocked the software for all of its corporate customers. ®