Deceptive Downloads: “Clean” Installs Turn Nasty

Published: May 28, 2014

Authors: Geoff McDonald (Antivirus Researcher) and Ben Hope (Technical Writer) - Microsoft Malware Protection Center

Cybercriminals are perpetually trying different techniques to distribute malware and potentially unwanted software. One technique we are increasingly seeing at the Microsoft Malware Protection Center is the use of legitimate or "clean" software to deliver malicious payloads.

In fact, this deceptive download tactic was one of the main drivers for an increase in malware encounter rates in the last half of 2013. The latest Microsoft Security Intelligence Report indicates that the primary culprit was Win32/Sefnit – a Trojan family that affected worldwide malware encounter rates after its malicious files were bundled with clean software downloads.

Recently, we have seen a new twist on this deceptive tactic: previously clean applications that suddenly change their behavior and start installing malware or adware. This infection vector poses new security considerations because files that were previously determined as clean can change their behavior without warning and deliver malicious content or steal confidential information.

There are any number of reasons why clean software makes this switch to malicious behavior, but some of the more common include:

• The software’s control/update servers are hacked (for example, by a brute force attack against weak passwords, through the use of stolen credentials, by the actions of a rogue employee, or through other vulnerabilities).
• The software is purchased for the purpose of delivering malicious content.
• The software’s command and control server domains expire and are then registered by other parties.

The Filcout deception

This switch from clean to malicious behavior was first encountered in some third-party browser extensions early last year. In this case, certain popular extensions were purchased and ownership was transferred. The new extension owner would push out an update to change the functionality of the extension, thus forcing it to render advertisements or spy on the user’s browsing activities.

More recently we have seen other software exhibiting a similar behavior. The most notable case is the addition of a new layer of deception to Sefnit with the use of the previously clean application that we detect as Win32/Filcout.

Filcout is our detection for malicious software that claims to find the right program to run an unknown file type. Initially this program showed no signs of malicious behavior and gained a large installation base. At this stage, the application appeared innocuous from an enterprise security perspective.

However, in late March 2014, its behavior changed without warning. The software’s update mechanisms began responding with instructions to install Sefnit. Sefnit detections grew from 20,000 unique computer detections per day, to more than 900,000 within a two-week period as its malicious files were installed on millions of computers across the globe.

Microsoft Security Software detects and removes Sefnit, and once the connection to Filcout was identified we began detecting and removing the application. These detections were updated for all computers protected with our real-time security products and the stand-alone Malicious Software Removal tool (MSRT). To date the MSRT has removed Filcout from more than 9.4 million computers.

Mitigating the risk

As seen in the Filcout case, behavior changes from previously clean applications can have the potential to affect the security and confidentiality of enterprise systems. The potential risk also raises several considerations when assessing software for internal use – including the reputation of the publisher.

One of the best ways to help protect against this type of malware delivery is to take the stance that a breach might be unavoidable.

It is also advisable to record and store full packet captures according to a retention policy. Aggregated network captures should be stored for a longer duration. Together, this data is important in breach response to identify the infected computers and stolen data, and it may be used to detect future breaches by running new NIDS signatures against historical data.

Preventing the risk of a breach in the first place is still very important, and there are several recommendations that can help protect enterprise systems from attacks such as:

• For the major browsers, use the application-policy settings to implement an extension whitelist. This can prevent extensions from being installed into browsers unless they are on an approved list.
• Implement a software installation policy. This policy should include a process where employees must request approval before using software on the corporate network. The approval process should evaluate the request from a security and a legal perspective.
• Include employee computer security training in the employee onboarding program, and refresh it on a set timeframe.
• Monitor and enforce corporate policy compliance.
• Run up-to-date, real-time security software to help detect and remove malware and potentially unwanted software.