Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Google Security Software The Internet

Think Twice Before Using Google To Download Software, Researchers Warn (arstechnica.com) 54

Posted by BeauHD from the heads-up dept.
Searching Google for downloads of popular software has always come with risks, but over the past few months, it has been downright dangerous, according to researchers and a pseudorandom collection of queries. Ars Technica reports: "Threat researchers are used to seeing a moderate flow of malvertising via Google Ads," volunteers at Spamhaus wrote on Thursday. "However, over the past few days, researchers have witnessed a massive spike affecting numerous famous brands, with multiple malware being utilized. This is not "the norm.'"

The surge is coming from numerous malware families, including AuroraStealer, IcedID, Meta Stealer, RedLine Stealer, Vidar, Formbook, and XLoader. In the past, these families typically relied on phishing and malicious spam that attached Microsoft Word documents with booby-trapped macros. Over the past month, Google Ads has become the go-to place for criminals to spread their malicious wares that are disguised as legitimate downloads by impersonating brands such as Adobe Reader, Gimp, Microsoft Teams, OBS, Slack, Tor, and Thunderbird.

On the same day that Spamhaus published its report, researchers from security firm Sentinel One documented an advanced Google malvertising campaign pushing multiple malicious loaders implemented in .NET. Sentinel One has dubbed these loaders MalVirt. At the moment, the MalVirt loaders are being used to distribute malware most commonly known as XLoader, available for both Windows and macOS. XLoader is a successor to malware also known as Formbook. Threat actors use XLoader to steal contacts' data and other sensitive information from infected devices. The MalVirt loaders use obfuscated virtualization to evade end-point protection and analysis. To disguise real C2 traffic and evade network detections, MalVirt beacons to decoy command and control servers hosted at providers including Azure, Tucows, Choopa, and Namecheap. "Until Google devises new defenses, the decoy domains and other obfuscation techniques remain an effective way to conceal the true control servers used in the rampant MalVirt and other malvertising campaigns," concludes Ars. "It's clear at the moment that malvertisers have gained the upper hand over Google's considerable might."
This discussion has been archived. No new comments can be posted.

Think Twice Before Using Google To Download Software, Researchers Warn More

Think Twice Before Using Google To Download Software, Researchers Warn

Comments Filter:

  • shocker! (Score:5, Informative)

    by Osgeld ( 1900440 ) on Friday February 03, 2023 @09:00PM (#63264011)

    the internet is full of shitbags, news at 11

    heres a fucking thought how about people develop defense's as well? average people moved off to "apps" and "stores" a decade or more ago, meaning grandma isn't downloading winzip and bombing her PC anymore... the rest of us should know god damned better when downloading a program and the website is "softdickinformerrrer.ru" on the top of googles shitty search

    its not like we havent endured a decade of clicking on a download link on a legit site and the shitbag page has 90 ad's with green "download now" buttons on it (looking at you ultra VNC get your shit together already, its not 2006 anymore)

    • the internet is full of shitbags, news at 11

      (sadly): s/internet/world/

      • Re: (Score:2)

        by hey! ( 33014 )

        Not necessarily *full*. That's a glass-half-empty characterization. But there's enough of them we can't have nice things.

        • Re: (Score:2)

          by mcgrew ( 92797 ) *

          "internet is full of shitbags" isn't on topic. Corporations are full of amoral, cocaine soaked greedy, selfich bastards with absolutely no empathy is.

    • It start to look like the torrent trackers are a wonderful safe place to be these days.

    • Re:shocker! (Score:4, Insightful)

      by thegarbz ( 1787294 ) on Saturday February 04, 2023 @05:04AM (#63264517)

      heres a fucking thought how about people develop defense's as well?

      How is it that in 2022 people *still* think that we can educate away scams? This literally hasn't worked for all of human history.

      average people moved off to "apps" and "stores" a decade or more ago, meaning grandma isn't downloading winzip and bombing her PC anymore...

      Average people have done nothing of the sort. The fact that they own phones doesn't mean they threw their computers in the trash. The app store is not even remotely ubiquitous in the PC world.

    • ...and Google are getting paid to promote them. So are Google incompetent or do they just not care?

    • Re: (Score:2)

      by mcgrew ( 92797 ) *

      the corporations are full of shitbags, news at 11

      FTFY. Oh, and an offtopic educational link for you grocers and foreigners and others who don't understand English:
      https://www.angryflower.com/24... [angryflower.com]
      I see enough of that shit on Farcebook. Note, I've been staying away from /. for the same reason, the normals have taken over the site.

    • Re: (Score:2)

      by LesFerg ( 452838 )

      the internet is full of shitbags, news at 11

      How can you say that? One kind person just donated 1.5 million euros to me on the internet, and all I had to give him was my bank account and personal details.

  • Bad Headline (Score:5, Insightful)

    by Caro Cogitatus ( 7226002 ) on Friday February 03, 2023 @09:05PM (#63264015)
    Think Twice Before Using Google Advertisements To Download Software

    Which no one should be doing in the first place, unless you're also in the habit of clicking links in emails from random people.

    • Re: (Score:2)

      by Osgeld ( 1900440 )

      or my favorite, click ok on any random dialog box that appears on your screen

    • Even shorter: Think Twice Before Using Google

    • Think Twice Before Using Google Advertisements To Download Software

      Which no one should be doing in the first place, unless you're also in the habit of clicking links in emails from random people.

      Oddly enough, I received an email from our IT security today saying a user did just that. Now the machine needs reimaged.

    • Re: (Score:1)

      by Anonymous Coward

      Good luck teaching Average Joe that the first entries are not actual results. My boss will click on softwareinformer, bleepingcomputer and other similar useless links, ready to resell whatever is on that page. And he's been in IT for the past 40 years.

    • Some of them are insidious. Sourceforge, or what's left of it, is profoundly worse. A few old open source authors still host their content there, which I'd consider a mistake for any serious open source author. The "download this source code" pages are deliberately cluttered with adware behind "CLICK HERE!!!" buttons, and the actual software download is quite obscure.

    • Use VirusTotal [virustotal.com] to check ANY new software.

      VirusTotal is free. It checks uploaded files using software from many security vendors.

    • Re: (Score:2)

      by Reziac ( 43301 ) *

      Yeah, my first thought was... who does that?
      And second... when did I last see a Google ad?

      But this explains a new sort of spam I've been getting, that appears to come from a legit Microsoft Teams account. The links even check out but the sender is no one I've ever heard of, so presumed malicious even tho it wasn't obvious.

  • then use AstaLavista for the patch/crack.

  • It has always been dangerous finding software to download via google. It is nothing new.

  • This is why golang is so dangerorus (Score:1)

    by Anonymous Coward

    The tendency of golang authors to access dozens of bits scattered across dozens of git repos over at github is aggravated by their absolute refusal to use git tags so you can have some sane reference to the history of the repo. Some authors refer to git commits, but there's little hint of the actual version referenced in those. It's why nodejs got hacked so badly last year, see https://www.theverge.com/2022/... [theverge.com] .

    • Re:This is why golang is so dangerorus (Score:4, Interesting)

      by ctilsie242 ( 4841247 ) on Saturday February 04, 2023 @03:25AM (#63264437)

      I have been in jobs (thankfully not my present one) where developers just don't care. They are paid not to, and If they do security, their job will be outsourced to a party that actually will make deliverables that marketing promised to customers that it would be currently in the release version. Lawsuits? Lots of layers of company between the parties and the dev, while the dev not making their stuff for the morning standup will directly impact their job. So, they will cut corners, run stuff as admin, have scripts that kill SELinux and AppArmor, just to get the stuff out of their swim lanes.

      This is one reason why security is for the most part, and afterthought. "Security has no ROI" is not an uncommon phrase.

      • While it may be true up to some point that "Security has no ROI", what should be thought is that "No security equals a negative ROI".

    • Re: (Score:1)

      by Anonymous Coward

      I think the bigger threat to Go developers is the complete dearth of features that allow you to structure large codebases well coupled with nonsensical framework design like the absolutely batshit time formatting code that relies on the big fucking never do that if you want to be considered an even remotely competent developer of "magic strings".

  • Google ads on search arenâ(TM)t the only problem, theyâ(TM)re fucking everywhere, but Iâ(TM)ve noticed you can configure nextdns to disable most ad links with tracking like Google ads. It can be a bit of a pain when thereâ(TM)s a link with tracking you actually want to follow, but itâ(TM)s usually easy enough to find a different path to the destination. Combined with ad block extension, itâ(TM)s a bit harder to get suckered into malvertising, etc.

  • What is dangerous in that? (Score:4, Funny)

    by Uldis Segliņš ( 4468089 ) on Friday February 03, 2023 @11:15PM (#63264189)
    Who in their right mind clicks on Google ads? Any ads. Never do that. Same as never open Word documents from unknown senders or emails with weird subjects. Same as you do not lift anything up from the street and put in your mouth. Follow basic digital hygiene and most everyday threats will not affect you.

    • Re:What is dangerous in that? (Score:5, Insightful)

      by sound+vision ( 884283 ) on Saturday February 04, 2023 @12:17AM (#63264265) Journal

      The problem is that, to continue your analogy, Google has taken food off the street, placed it onto the buffet next to the food from the kitchen, but with a little paper tab that says "Not edible" instead of "Orange chicken."

      No, you shouldn't eat it, but that doesn't excuse Google from selling it, which is exactly what they're doing. They get paid off this.

      If you let restaurants sicken people for profit, it doesn't matter if the people there are idiots. You will end up paying for their hospital bills anyway.

      • Re: (Score:1)

        by Anonymous Coward

        Every time google chooses to deny running an ad, the EU fines them for anticompetitive practices.

        They have no choice but to follow the law and allow the scammers to advertise names of software right next to the software developers advertisements for their own software in an "equal and fair playfield" manor.

        Unfortunately there are also bills in the US working their way through the legal system to attempt the same thing, which will be the final nail in the coffin for Internet safety.

        It's the exact outcome the

    • Re:What is dangerous in that? (Score:4, Insightful)

      by thegarbz ( 1787294 ) on Saturday February 04, 2023 @05:05AM (#63264519)

      Who in their right mind clicks on Google ads? Any ads.

      Anyone who misses the increasingly smaller and smaller indication that the result has been an ad placement.

      Honestly I'm surprised that "Ad" isn't in text with a #FEFEFE foreground colour at this point.

    • Re: (Score:1)

      by Osgeld ( 1900440 )

      why? to get flooded with 95,000 "options" that have a "store" that are 90% of the time obsolete and still won't do what basic function you want?

      example I just looked up Inkscape ubuntu repo,tells me every other package available but fucking inkscape

      https://packages.ubuntu.com/se... [ubuntu.com]

      now I am downloading a package from a site, is it legit, is it bogus, will bad red, orange or yellow man track me?

      Use linux? Why?

      • "example I just looked up Inkscape ubuntu repo,tells me every other package available but fucking inkscape" First hit in your search is the main Inkscape package?

      • Re: (Score:2)

        by dargaud ( 518470 )
        What kind of lousy troll are you ? Results are obvious and not many:
        $ aptitude search inkscape
        i A inkscape - vector-based drawing program
        p inkscape:i386 - vector-based drawing program
        p inkscape-open-symbols - Open source SVG symbol sets that can be used as Inkscape symbols
        p inkscape-speleo - Inkscape plugin to help draw surveys
        p inkscape-survex-export - Inkscape plugin to digitise printed surveys
        p inkscape-textext - Re-editable LaTeX graphics for Inkscape
        p inkscape-textext-doc - Re-edit
  • Google has never done mass layoffs of engineers before so they might not actually have known all of the repercussions of laying off the engineers they did.

    It's probably going to be an interesting six months with Google having very uncharacteristic failures with missing teams just not doing things that other people assume are happening.

    • Don't be silly. This has been a problem for years, it's just that now it's hit a few high profile targets and become a real headline piece.

  • Is this news to anyone using an ad blocker? (Score:5, Insightful)

    by ukoda ( 537183 ) on Saturday February 04, 2023 @05:21AM (#63264549) Homepage
    There is many good reasons to use a browser that supports good ad blockers and always run it with a trustworthy ad blocker. Of those reasons malvertising is top of the list.

    Those sites that bitch that ad blockers cost them money need to stop using bulk ads and only run static images ads that they have check and serve directly.

  • Don't download from randome places. (Score:3)

    by bjwest ( 14070 ) on Saturday February 04, 2023 @06:38AM (#63264613)
    If you're looking for a particular software, use Google to find the website for that software, don't just download it from the first link offered. This type of crap has been going on for decades now, and if you're still being scammed like this, then perhaps you need to say off the internet or find your family IT person to handle your system.
  • Despite Google 's KYC check on advertisers, there's still problems? Jeez, it's almost like KYC is just a scam for them to collect more data on their real customers instead of a useful security tool...
  • This happened to my wife and I over 20 years ago. Iâ(TM)ve had ad blockers ever since. I donâ(TM)t care if sites say âoeyouâ(TM)re blocking our revenueâ. If they can promise their ads are safe then sure Iâ(TM)ll do that but they canâ(TM)t so I donâ(TM)t.

Slashdot Top Deals

He has not acquired a fortune; the fortune has acquired him. -- Bion

Close