Malicious actors have been found to be using the Ask search bar software to distribute malware of its users machines
Malicious actors have been found to be using the Ask search bar software to distribute malware of its users’ machines.
Security company Red Canary discovered suspicious activity with the Ask software, often bundled with free software such as Oracle’s Java installers, which was linked to a malicious actor involved in the Ask Partner Network.
Red Canary immediately informed Ask of the problem, which then worked to investigate the issue and publish a patch to combat the exploit in its software.
By exploring a number of binaries, processes with Ask’s extensions, Red Canary noted anonymous behaviour associated with a file named logo.png, which unlike normal image files appeared to be able to execute by itself.
Red Canary said that this all pointed towards signs that Ask had been ‘co-opted’, effectively having part of its operations hijacked to carry out a different task from its usual activity.
It noted that a network connection was initiated by the logo.png file which was used to pull down two to three binary files that were executed by the logo.png before the file was executed from the machines disk, effectively trying to cover its tracks.
However, it does not appear that the malicious use of Ask was used to deliver any major malware payloads to its victims.
“Our suspicion is that we caught this during the early stages of deployment or testing, as these processes took very few actions on the victim endpoints,” said Red Canary. “This may have been intentional, or it may have been due to bad payloads or configurations.”
However, the attack vector indicated the dangers of having r malicious actor infiltrate a large partner network of distributors.
Ask is arguably one of the most bundled software products around, and given it makes money by helping “developers acquire and monetise users”, it is commonly referred to as adware and seen more often than not as a potentially unwanted program rather than a useful free browser add-on.
Unfortunately, Ask’s association with the Java installer means it has the scope to spread to millions of computers and if part of its code can be exploited to deliver malware, then the impact it could have on PC users could be vast.
For businesses, there are security companies such as Darktrace are now using techniques like machine learning to detect anomalies in application behaviour to sniff out security threats that normal anti-virus software might miss.