(Editor’s Note: this post originally appeared on carbonblack.com in June 2013. We are republishing here to further demonstrate Carbon Black’s toolset for readers who have asked to see Carbon Black in action.)
I always caution my family to be very careful downloading freeware applications from such collections as download.com and tucows.com. My justification is a hand-waving, fear-mongering response: “you never know what extra things are hidden inside.”
I want to give more of a detailed answer than that, but it has always taken too much time. Carbon Black changes that.
Many freeware and shareware authors make money from Pay-Per-Install schemes. It’s a murky, grey area between legitimate advertising and malicious behavior. Dell, HP and other PC OEMs make money from the extra applications they install, somewhat legitimizing the practice. Your home Internet service provider probably hijacks failed DNS lookups to increase ad impressions on their “helpful” pages. Freeware apps do similar things, sometimes hidden behind a subtle checkbox during the install process: “do you also want to include….”
The size of that checkbox can be deceiving. The installed applications usually dwarf the small freeware application you believe you’re installing.
The worst part is that freeware authors sometimes overstep the line from the installation of almost-legitimate advertising software, installing malware instead.
As reported by Information Week in 2011, a group of researchers presented their findings at USENIX 2011 on malware distributed via pay-per-install schemes. They found 12 of the 20 most common malware families rely on pay-per-install to compromise client machines.
Part of the challenge, even for computer security experts, is the difficulty of tracking what occurs under the hood when installing software. Tools such as Process Monitor or the “installation modification trackers” like WhatChanged suffer from too much output that’s too poorly organized.
Carbon Black makes these investigations simple.
As we were developing Carbon Black, I spent time using it to explore these kinds of malicious processes.
From CNET’s list of “Most Popular Downloads,” I downloaded and executed No. 8, the “Free YouTube Downloader” and Carbon Black detected a flurry of activity. Take a look at the screenshot below:
(This is the full process tree from Carbon Black that includes the YouTube Downloader.)
Carbon Black retains records of all execution. The image above shows all processes created by installing the “Free YouTube Downloader.” The red circle to the left (indicated by #1) is my explorer.exe instance. The IE icon to the right (#2) was my instance of IE. “Free YouTube Downloader” is the process with the red TV icon one more level to the right (#3).
From there, you see the chaos. There are more than 60 new child processes, from a dozen different executables. Just by looking at the graphic you can see several MSI installers, a string of command shells and even a new Web browser that looks like Chrome, has a Chrome-like icon, but is not Chrome. (That string of cmd.exe’s looks like a bug in the DealPlay adware—the original command line: c:\windows\system32\cmd.exe /d /c timeout 3 & cmd /d /c cmd /d /c cmd /d /c cmd /d /c cmd /d /c del "c:\users\cbadmin\appdata\local\temp\dealpl~1.exe". Somehow I doubt five nested cmd.exe’s are required to delete the installation file in temp.)
Within five minutes of installing “Free YouTube Downloader,” I received an email from the Carbon Black Alliance: six of the child processes are malware, according to four or more antivirus vendors:
Based on the reports, they appear to all be advertising-based malware that oversteps the line of acceptable behavior. More detail about each binary, including links to the reports, can be found in Carbon Black’s watchlist email below.
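To make reading such a tree mechanical rather than by eye, here is an added example (not Carbon Black code and not from the original post) that builds a process tree from constructed process-start events and reports the figures the two passages above take from the screenshot and the watchlist email: how many processes the installer spawned, from how many distinct executables, the longest cmd.exe chain, and which binaries exceed the watchlist threshold of more than three antivirus detections. The event tuple layout, the pids and the detection counts are all constructed, and the image names other than those the post mentions are hypothetical.

```python
from collections import defaultdict

# Constructed process-start events: (pid, parent pid, image, AV detection count).
EVENTS = [
    (100, 1, "explorer.exe", 0),
    (200, 100, "iexplore.exe", 0),
    (300, 200, "FreeYouTubeDownloader.exe", 4),
    (310, 300, "msiexec.exe", 0),
    (311, 300, "msiexec.exe", 0),
    (320, 300, "dealplay_setup.exe", 6),      # hypothetical name
    (330, 300, "cmd.exe", 0),
    (331, 330, "cmd.exe", 0),
    (332, 331, "cmd.exe", 0),
    (333, 332, "cmd.exe", 0),
    (334, 333, "cmd.exe", 0),
    (340, 300, "chrome_lookalike.exe", 5),    # hypothetical name
]

def build_tree(events):
    """Index events by parent so the tree can be walked from any root."""
    children, images, scores = defaultdict(list), {}, {}
    for pid, ppid, image, score in events:
        children[ppid].append(pid)
        images[pid], scores[pid] = image, score
    return children, images, scores

def descendants(children, root):
    """Every pid below root (root itself excluded)."""
    out, stack = [], list(children.get(root, []))
    while stack:
        pid = stack.pop()
        out.append(pid)
        stack.extend(children.get(pid, []))
    return out

def chain_length(children, images, pid, name):
    """Longest run of consecutive processes named `name` starting at pid."""
    if images[pid].lower() != name:
        return 0
    deeper = (chain_length(children, images, c, name) for c in children.get(pid, []))
    return 1 + max(deeper, default=0)

def summarize(events, root_pid, vt_threshold=3):
    """Figures a reviewer reads off the tree: fan-out, variety, cmd nesting, AV hits."""
    children, images, scores = build_tree(events)
    descs = descendants(children, root_pid)
    return {
        "child_processes": len(descs),
        "distinct_images": len({images[p] for p in descs}),
        "max_cmd_chain": max((chain_length(children, images, p, "cmd.exe") for p in descs), default=0),
        "watchlist_hits": sorted(images[p] for p in [root_pid] + descs if scores.get(p, 0) > vt_threshold),
    }
```

Running `summarize(EVENTS, 300)` on the constructed data reports 9 child processes from 4 distinct images, a cmd.exe chain five deep, and three binaries over the watchlist threshold, including the installer itself.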
Finally, it’s important to note that these unwanted payloads were downloaded dynamically, at the time of install. Freeware authors (or the pay-per-install vendor) can make decisions dynamically about what extra package to install when and where. For this blog post, I reproduced the installation steps to get more screenshots and detail, but got a completely different set of unwanted payloads than previously. This time, I only received one alert: for the main FreeYouTubeDownloader.exe installation package itself.
The dynamic installation logic means CNET authors probably don’t receive the unwanted packages when validating the application and providing their “Very Good” 3.5 star rating. The pay-per-install authors can simply review the source IP addresses of all incoming requests and ensure they never give the CNET editors malware.
So there you go, Mom. Next time you ask why you can’t download the free package of cute kitten screensavers from download.com, I’m sending you this blog post. You may get your kittens, but you’ll also get a lot more. I know you’ll probably do it anyway, but at least you’ll have Carbon Black installed so I’ll know what to go clean up.
———- Forwarded message ———-
From: Cb Watchlist Notification <email@example.com>
Date: Fri, Apr 19, 2013 at 9:28 AM
Subject: 6 new hit(s) found for your Carbon Black Watchlist: Alliance: VirusTotal Score > 3
6 new hit(s) found for Carbon Black Watchlist: Alliance: VirusTotal Score > 3
Don’t want to receive notifications for this watchlist? Unselect the checkbox next to the watchlist entry’s name.
Watchlist: Alliance: VirusTotal Score > 3
Module Watchlist: 6 new hit(s)