Meet Kyle And Stan, A New Malvertising Nightmare

Matthew Hughes 17-09-2014

Meet Kyle and Stan. No, I’m not talking about the potty-mouthed duo from South Park, but rather the latest Malvertising network from hell. It’s ingenious. It’s pernicious. And it threatens both Mac and Windows users.


Malvertising is a portmanteau of ‘malware’ and ‘advertising’. The way it works is simple. Firstly, legitimate online advertising channels are used in order to force browsers to download malicious software. Troublingly, victims don’t even need to be on a suspect website. These malicious adverts have even been served through such innocuous websites like, and

Kyle and Stan takes advantage of social engineering in order to pump your computer full of unwanted and unpleasant malware. Curious as to how you can fight back? Read on.

How The Attack Works

The attack is contingent upon a number of things. The first is somehow convincing a traditional (and legitimate) advertising network – such as DoubleClick, by Google – to run an advert that contains malicious code. Undetected by the ad network, this advert is then cascaded to other legitimate sites, where it executes in the browser and redirects users to sites serving malicious software.

The malware also determines what operating system and browsers are being used by examining the user-agent string, which contains a wealth of information on the configuration of the computer. This contains everything from the screen resolution, to the plugins that are running on the browser.



Once the malware has determined the operating system of the user, it then decides where to redirect the browser. Mac users are sent to sites that serve malware that is specific to OS X and is bundled as a DMG, whilst Windows users are sent to sites that serve Windows malware as executable files.

Your browser will then automatically download the malware. This is reported to be a bundle of legitimate software – generally a media player – in addition to several malware packages and a configuration file that is specific to the user.
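The chain described above (an advert on a legitimate page, one or more redirects, then an automatic installer download) leaves a recognisable trail in web proxy logs. The following is an added example, not from the original article or the Cisco write-up: it walks constructed log records backwards from a DMG or EXE download through the redirects that led to it. The record layout and every host name are made up for illustration.

```python
from urllib.parse import urlsplit

# Constructed proxy records; all hosts are placeholders under .example.
# Fields: (client, url, status, content_type, location, referer)
SAMPLE_LOG = [
    ("10.0.0.5", "http://news.example/story", 200, "text/html", "", ""),
    ("10.0.0.5", "http://ads.example/serve?id=1", 302, "", "http://hop.example/r", "http://news.example/story"),
    ("10.0.0.5", "http://hop.example/r", 302, "", "http://dl.example/player.dmg", ""),
    ("10.0.0.5", "http://dl.example/player.dmg", 200, "application/x-apple-diskimage", "", ""),
    ("10.0.0.9", "http://vendor.example/get", 200, "text/html", "", ""),
    ("10.0.0.9", "http://vendor.example/app.exe", 200, "application/x-msdownload", "", "http://vendor.example/get"),
]

INSTALLER_TYPES = {"application/x-apple-diskimage", "application/x-msdownload"}
INSTALLER_EXTS = (".dmg", ".exe")


def is_installer(url, content_type):
    """True for a response that looks like a Mac disk image or Windows executable."""
    path = urlsplit(url).path.lower()
    return content_type in INSTALLER_TYPES or path.endswith(INSTALLER_EXTS)


def find_redirected_installers(records):
    """Return (client, origin_page, redirect_chain) for installer downloads
    that were reached through HTTP redirects starting on another host."""
    findings = []
    for i, (client, url, status, ctype, _loc, referer) in enumerate(records):
        if status != 200 or not is_installer(url, ctype):
            continue
        chain, target, origin = [url], url, referer
        # Walk backwards through earlier 3xx responses that pointed at `target`.
        for c, u, s, _t, loc, ref in reversed(records[:i]):
            if c == client and 300 <= s < 400 and loc == target:
                chain.insert(0, u)
                target, origin = u, ref or origin
        if len(chain) > 1 and urlsplit(origin).hostname != urlsplit(url).hostname:
            findings.append((client, origin, chain))
    return findings
```

On the sample data only the first client is reported: its download arrived through two redirects that began on a different site, while the second client fetched an installer directly from the page it was visiting.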

As the Cisco blog post which initially identified the malware remarked, the interesting thing about ‘Kyle and Stan’ is that it also attacks Mac users. These are users who have traditionally not had to deal with the security risks that are inherent in Microsoft Windows, and as a result may be more vulnerable to the social aspect of the attack.

The malware served by Kyle and Stan differs fundamentally between platforms, both in how it operates and in how it is removed. Curious? Read on.


The Windows Malware

The Windows malware is a 32-bit Windows app written in C++. Upon execution it installs several pieces of malware, as well as NewPlayer. This comes disguised as a media player, which is the legitimate facet that disguises other, less-than-legitimate activity. Namely, it hijacks Internet Explorer, Google Chrome and Firefox and serves unwanted advertisements and popups, and hijacks search traffic.


The Windows malware served by Kyle and Stan obfuscates its activity with something called Dynamic Forking. This works by hijacking legitimate processes and replacing them with other activity. This allows the malware to bypass Windows’ security features, and allows it to install new malicious software without arousing suspicion. A more detailed explanation of how this works can be found on the Cisco blog post.

Dynamic Forking is incredibly challenging to mitigate against. It also shows the extreme level of sophistication of this particular malware. But what about removing it? Well, getting rid of NewPlayer is a well documented, well understood process. However, as previously mentioned, this installs (and can install) other arbitrary packages. As a result, you’re advised to have an updated and current antivirus installation. This is documented fully in our Malware Removal Guide.


The Mac Malware

But what about the Mac malware? When a Mac visits a site that is running a Kyle and Stan advert, a DMG is automatically downloaded. Inside is a copy of MPlayerX, a legitimate media player that was reviewed last year by my colleague, Dave LeClair.

This comes bundled with two less-than-legit pieces of malware. Both are browser hijackers: Conduit and VSearch. Conduit has a veneer of legitimacy – it’s created by an actual company with employees, offices and mailing addresses – and the user has the option to opt-out of installing this particular browser hijacker. There’s no such option for VSearch, however.


The behavior of VSearch is consistent with most browser hijackers. Search traffic is redirected through their own portals which have their own adverts splashed about, and popup advertisements are launched periodically. It’s annoying, and intrusive. And more importantly, it’s a threat to your privacy. VSearch also starts at runtime, as a launcher is added to launchctl once installed.


Removing it is relatively easy though. Just drop the following items in the trash:

/Library/Application Support/VSearch
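To check whether a launcher still points at that folder, the script below (an added example, not part of the original article) scans the standard launchd job directories for definitions whose command lives under it. It assumes the launcher is an ordinary launchd property list; the sample jobs it builds for demonstration are constructed and their labels are made up.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

SUSPECT_DIR = "/Library/Application Support/VSearch"  # folder named in the article
# Standard macOS launchd job directories (system-wide and per-user).
LAUNCHD_DIRS = ("/Library/LaunchAgents", "/Library/LaunchDaemons",
                str(Path.home() / "Library/LaunchAgents"))


def job_command(plist_path):
    """Return the command line a launchd job would run, or [] if unreadable."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return []  # unreadable or malformed plist: nothing to inspect
    if not isinstance(job, dict):
        return []
    argv = [str(a) for a in job.get("ProgramArguments") or []]
    if job.get("Program"):
        argv.insert(0, str(job["Program"]))
    return argv


def find_jobs_referencing(suspect_dir, launchd_dirs=LAUNCHD_DIRS):
    """List job definitions whose command mentions suspect_dir."""
    hits = []
    for directory in map(Path, launchd_dirs):
        if not directory.is_dir():
            continue
        for plist in sorted(directory.glob("*.plist")):
            if any(suspect_dir in arg for arg in job_command(plist)):
                hits.append(str(plist))
    return hits


def build_sample_dir():
    """Create a temp directory of constructed jobs (labels are made up)."""
    root = Path(tempfile.mkdtemp())
    jobs = {"com.example.updater": ["/usr/bin/true"],
            "com.example.helper": [SUSPECT_DIR + "/helper", "--background"]}
    for label, argv in jobs.items():
        with open(root / f"{label}.plist", "wb") as fh:
            plistlib.dump({"Label": label, "ProgramArguments": argv}, fh)
    (root / "broken.plist").write_bytes(b"not a plist")
    return str(root)
```

Calling `find_jobs_referencing(SUSPECT_DIR)` on a Mac checks the real directories; passing `[build_sample_dir()]` as the second argument runs it against the constructed jobs instead.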

What Can You Do?

Defeating Kyle and Stan is easy. You just need to be incredibly vigilant. Has your computer automatically downloaded an executable that you weren’t expecting? Does it look fishy? Have you been redirected to the download page of a piece of software you’re not familiar with? These are all reasons to be concerned.

I’d also encourage you to have a modern, updated antivirus running on your system. This goes for Mac users too. I’m quite fond of Sophos OS X antivirus.

Have you been hit by Kyle and Stan? Let me know about it. Comments box is below.

Image Credit: Cisco


  1. Mark
    September 24, 2014 at 6:45 am

    Another reason to install an adblocker, if one were actually needed. The ad industry must be having kittens at the moment; they're far from most people's favourite thing about the internet on a good day, if they start (again you might add) serving malware on a regular basis they're helping to kybosh their own business model, and if they're not taking sufficient care in screening ads, someone ought to be suing them too.

    That said, much as the delivery method is clever, I can't imagine many people really getting caught out on either platform, although Windows is unsurprisingly the harder bitten if infected. You might, if careless, click on an attachment to an email, but open a DMG and install software you have no recollection of asking for? Really?? Do people really ignore the years of advice not to do exactly that?

  2. Al Brenner
    September 19, 2014 at 11:28 am

    Bottom line is we have to take the profit out of it. Don't buy anything from any ad that pops up unexpectedly. Take the time to write to the advertiser and tell them why you will never buy their products. Someone, not me, ha ha, should start making a list of these advertisers and make it available so other consumers will know and also boycott those advertisers.

  3. Yagan60
    September 19, 2014 at 7:57 am

    Had this problem for several weeks. Hitman Pro found 'windows update kb70007' was a virus.

  4. Francisco P
    September 19, 2014 at 1:20 am

    Yet another reason why to love Linux :)

  5. thomas mitchell
    September 19, 2014 at 12:29 am

    I was wondering why I had so many pop ups with adblocker and a popup blocker on. I just removed kyle and stan and now no more ads. Thank you for this info.

  6. adblockerftw
    September 18, 2014 at 9:10 pm

    Well, with Adblocker on I don't think I need worry that much.

  7. Charles Griswold
    September 18, 2014 at 11:33 am

    I never accept anything that just downloads automatically without me specifically requesting it. I also don't download any software that someone pushes at me. Hey, it's only a matter of time before someone starts distributing malware that targets Linux, and I'm not taking any chances.

  8. Phillip
    September 18, 2014 at 8:48 am

    I now wonder, would the browser extension User Agent Overrider screw with this malware in the initial phases?

    If unfamiliar, User Agent Overrider is an extension previously used to get sites like Netflix to play in Linux.

  9. mush morton
    September 17, 2014 at 11:50 pm

    I'm prepared to advocate for the death penalty for the scum who create and distribute these insidious bits of software.

    • trm96
      September 18, 2014 at 4:54 pm

      It's all about making money. It may be a shady way of making money but so what. The weak link here is not the people who make and distribute this kind of software but rather the users that actually run the software that is automatically downloaded to their computer.

    • Natahniel T
      September 18, 2014 at 5:28 pm

      These idiots should be thrown into a deep dark place somewhere, full of creepy crawlies.