Recently, one of our researchers found a prime example of to what lengths advertisement pushers are willing to go, just to get their sponsored messages across.

After running an adware installer our researchers found in my Virtual Machine (VM), I noticed that it used the icon for a well-known legitimate application called Adblock Plus.

This is the entry in the list of installed programs you can expect from the real Adblock Plus.

AdBlockPlus

And below is the one that the adware installer created:

warning4

Note the deliberate misdating. This is done to avoid showing up as the last installed when the users sorts the entries by date.

It also installed a service with a random looking name, which is quite common nowadays for adware. In these cases the service will be used as a process running in the background that fetches and delivers the advertisements.

When I asked the researcher how the installer was being offered, checking if it might be a fake download like we saw for AdwCleaner, he was surprised to learn how “little damage” I experienced from the install.

After hearing his story I decided to test the installer in a real environment rather than on a VM.

It didn’t disappoint me! This PUP uses a LSP hijacker and even some rootkit elements that needed an extra scan to remove the lot.

To achieve this rootkit behavior the services installed by the file in question watch over each other and hide all but one.

We tested the Bylekh adblocker against the testing site offered by the  legitimate  Simple Adblock to find out if it actually worked. After all, it could have been a modified version of the “real thing”.  Almost needless to say that it failed miserably.

adblocktest
These are examples of the Rootkit entries that will be deleted by the second scan:

Rootkit

This adware infection is a good example of what we predicted to happen end of last year, when we were asked to share our expectations for 2015. PUPs will more and more start behaving like real malware. To sum this one up:

  • It checks if it is running in a virtual environment and behaves relatively nice when it finds it does.
  • It uses rootkit techniques to hide some of its services
  • It hijacks the victims LSP stack
  • It mimics a legitimate program to avoid being removed
  • At least one of the services also runs if you boot into Safe Mode

And it does all that to get some advertisements across. That may seem like a waste of talent and resources, but they wouldn’t be doing it if it didn’t pay off.

Malwarebytes Anti-Malware Premium users are protected against this threat. It will be flagged as PUP.Optional.Adblocker.A

Save yourself the hassle and get protected.

If you came here because you are infected, you can find a removal guide for this adware on our forums.

Thanks to Ade for his help and a chance to test my new system on a real nasty. And to JPTaggart for additional testing.