After reading this blog post from cert.org, I was reminded of a similar post by my colleague J.J. Guy about how much unwanted change can be introduced to your system by downloading freeware or shareware. I decided to expand on J.J.’s analysis with the same software that CERT used.
First, I downloaded KMPlayer from CNET: http://download.cnet.com/1772-20_4-0.html?query=kmplayer&platform=Windows%2CMac%2CiOS%2CAndroid%2CWebware%2CMobile&searchtype=downloads
Because it came from CNET, a well-known site, one would think the download would be harmless.
Continually clicking “OK,” I ended up installing something related to PC repair.
After compiling data, the “something related to PC repair” began doing analysis:
Finally, after I was done installing in a cleanly-snapshotted virtual machine, the downloaded program told me that I had all sorts of problems, including nine viruses. Remember, this was a totally clean VM.
Ok, so you’re probably thinking, “that’s interesting, but expected,” since I willingly said “OK” to whatever the installer asked me to do. However, the reason I decided to write this post was to demonstrate the shocking amount of activity that occurred on my system as I went through the download process.
Check out the image below:
Using Carbon Black, I was blown away by the sheer volume of processes, including command shells, task lists, network connections, and more. The visibility Carbon Black gave me into my system is pretty remarkable and demonstrates how much activity may be occurring on my systems behind the scenes without my knowledge.
The red arrow in the image above shows the single installer we purposely ran. From there, look at everything else that follows to the right. It’s a smorgasbord of potentially malicious activity that could wreak havoc on my system. Visibility is critical: without it, everything to the right of that arrow is activity you would never know about.
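To make that "everything to the right of the arrow" concrete, here is an added Python example that is not part of the original post and is not Carbon Black's own code or export format. It takes a handful of constructed process events in a simplified JSON-lines shape (an assumed format for this example), rebuilds the process tree under the single installer we launched, and counts the command shells, task listings and network-connected processes that descend from it. The PIDs, image names, command lines and the address are all made up; the only real idea is the one the screenshot shows: attribute every child process back to the one installer you actually clicked.

```python
import json
from collections import defaultdict

# Constructed sample events (assumed simplified JSON-lines shape, NOT Carbon
# Black's format). One line per process start; "netconns" lists any outbound
# connections the process made. PIDs, names and the address are made up.
SAMPLE_EVENTS = """
{"pid": 100, "ppid": 1,   "image": "explorer.exe",        "cmdline": "explorer.exe"}
{"pid": 200, "ppid": 100, "image": "kmplayer_setup.exe",  "cmdline": "kmplayer_setup.exe"}
{"pid": 210, "ppid": 200, "image": "cmd.exe",             "cmdline": "cmd.exe /c tasklist"}
{"pid": 211, "ppid": 210, "image": "tasklist.exe",        "cmdline": "tasklist"}
{"pid": 220, "ppid": 200, "image": "pcrepair_setup.exe",  "cmdline": "pcrepair_setup.exe /S"}
{"pid": 221, "ppid": 220, "image": "pcrepair.exe",        "cmdline": "pcrepair.exe", "netconns": ["203.0.113.10:443"]}
{"pid": 222, "ppid": 220, "image": "cmd.exe",             "cmdline": "cmd.exe /c del /q C:\\\\Temp\\\\kmp_tmp.dat"}
{"pid": 300, "ppid": 100, "image": "notepad.exe",         "cmdline": "notepad.exe"}
"""

# Image names worth calling out when they appear under an installer.
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}
ENUM_IMAGES = {"tasklist.exe"}


def parse_events(text):
    """Parse JSON-lines process events into a dict keyed by pid."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            events[ev["pid"]] = ev
    return events


def build_children(events):
    """Map each parent pid to the list of pids it spawned."""
    children = defaultdict(list)
    for ev in events.values():
        children[ev["ppid"]].append(ev["pid"])
    return children


def descendants(events, root_pid):
    """Return every pid under root_pid in preorder (parent before children)."""
    children = build_children(events)
    order, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        if pid != root_pid:
            order.append(pid)
        # push in reverse so the lowest pid is visited first
        stack.extend(sorted(children.get(pid, []), reverse=True))
    return order


def summarize(events, root_pid):
    """Count and classify everything the installer (root_pid) is responsible for."""
    summary = {"processes": 0, "shells": [], "enumeration": [], "network": []}
    for pid in descendants(events, root_pid):
        ev = events[pid]
        image = ev["image"].lower()
        summary["processes"] += 1
        if image in SHELL_IMAGES:
            summary["shells"].append(pid)
        if image in ENUM_IMAGES:
            summary["enumeration"].append(pid)
        if ev.get("netconns"):
            summary["network"].append(pid)
    return summary


def render_tree(events, root_pid):
    """Render the tree the way an EDR process view would: indented by depth."""
    children = build_children(events)
    lines = []

    def walk(pid, depth):
        ev = events[pid]
        net = f"  -> {', '.join(ev['netconns'])}" if ev.get("netconns") else ""
        lines.append(f"{'  ' * depth}{ev['image']} (pid {pid}): {ev['cmdline']}{net}")
        for child in sorted(children.get(pid, [])):
            walk(child, depth + 1)

    walk(root_pid, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    print(render_tree(ev, 200))       # the installer is pid 200 in the sample
    print(summarize(ev, 200))
```

The sibling `notepad.exe` under `explorer.exe` is deliberately in the sample: it is not a descendant of the installer and must not be attributed to it. The `summarize` result is the kind of number a reviewer wants before approving "free" software on a fleet: how many processes, shells, enumeration tools and outbound connections one click actually produced.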