Bogus Search Engine Leads to Exploits

Here at Malwarebytes, we take a pretty strong stance against Adware in general, and Potentially Unwanted Programs (PUPs) in particular.

We believe the majority of people do not want their computers to get slowed down, their browsing experience disturbed by annoying ads or their search results to return irrelevant answers.

Sadly, devious software makers are using every trick in the book to fool users into installing their programs. Even when you take all the necessary precautions and never download anything from an untrusted source, you could still end up with Adware.

The recent Lenovo/Superfish fiasco is a good example of that. Brand new computers were pre-installed with Adware that surreptitiously injected ads into the browser by introducing vulnerabilities, in an almost undetectable way.

Adware is not only annoying but can also weaken a computer’s security status. Today, we have another case to prove that point. Potentially Unwanted Programs often install a search assistant (or rather a browser and search hijacker) on people’s machines:

The idea is simple: To redirect people’s searches to affiliates or other sponsors and earn pay-per-click commissions. This one is hosted at webfindfast.com:

For the end user, the search experience is simply terrible, but that is not the end of their troubles. In this case, clicking on any link results in a redirection to an exploit kit landing page, quickly followed by malware.

As usual, after several convoluted redirects, the user ends up on the doorstep of the famous Angler exploit kit.

Malwarebytes Anti-Exploit users are protected from this attack:

Vulnerable computers are infected with a piece of malware detected as Trojan.Crypt.NKN by Malwarebytes Anti-Malware.

It will install a rogue Antivirus program known as Malware Defender 2015 and pull up a purchase page from an IP address located in Istanbul (176.53.125.20):

What started with a search engine and homepage hijacker ended up with malware. Surely the Adware maker which peddled this “value-added” piece of software never thought this could happen, right?

The good news is that Malwarebytes Anti-Malware also blocks this malicious domain so you don’t have to worry about getting ‘infected’ search results:

The lesson to learn from this is to once again stay away from bundled software and other programs that appear to be free but come with a catch.

Also, if you’re starting to see a different home page or search engine than the one you are used to, you should make sure your browser has not been altered in some way.
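For defenders reviewing proxy logs, the chain described in this post (searches on webfindfast.com, later a connection to the rogue antivirus purchase page at 176.53.125.20) can be correlated per client. The script below is an added example, not Malwarebytes code; the log format, client addresses, other destinations and the 10-minute window are assumptions, and the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Indicators taken from the post.
HIJACKER_DOMAIN = "webfindfast.com"
ROGUE_AV_IP = "176.53.125.20"
WINDOW = timedelta(minutes=10)  # assumed correlation window

# Constructed sample proxy log: "<ISO time> <client> <dest host> <dest IP>".
# All values except the two indicators above are made up for illustration.
SAMPLE_LOG = """\
2015-03-02T09:00:01 10.0.0.5 webfindfast.com 203.0.113.10
2015-03-02T09:00:40 10.0.0.5 redirect.example 203.0.113.11
2015-03-02T09:02:15 10.0.0.5 - 176.53.125.20
2015-03-02T09:05:00 10.0.0.7 www.webfindfast.com 203.0.113.10
2015-03-02T11:30:00 10.0.0.7 - 176.53.125.20
2015-03-02T09:10:00 10.0.0.9 notwebfindfast.com.example 203.0.113.12
"""

def is_hijacker(host):
    # Match the domain and its subdomains only, never look-alike suffixes.
    host = host.lower().rstrip(".")
    return host == HIJACKER_DOMAIN or host.endswith("." + HIJACKER_DOMAIN)

def parse(log_text):
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        yield ts, parts[1], parts[2], parts[3]

def triage(log_text):
    """Return {client: 'hijacked' | 'hijacked+rogue_av'}."""
    last_search, verdict = {}, {}
    for ts, client, host, ip in sorted(parse(log_text)):
        if is_hijacker(host):
            last_search[client] = ts
            verdict.setdefault(client, "hijacked")
        elif ip == ROGUE_AV_IP and client in last_search:
            if ts - last_search[client] <= WINDOW:
                verdict[client] = "hijacked+rogue_av"
    return verdict

if __name__ == "__main__":
    for client, state in sorted(triage(SAMPLE_LOG).items()):
        print(client, state)
```

A client marked `hijacked` has the search hijacker but no follow-on hit inside the window; `hijacked+rogue_av` means the purchase page was reached shortly after a hijacked search and the machine should be treated as infected.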

ABOUT THE AUTHOR

Jérôme Segura

Principal Threat Researcher