Meet Kyle and Stan. No, I’m not talking about the potty-mouthed duo from South Park, but rather the latest malvertising network from hell. It’s ingenious. It’s pernicious. And it threatens both Mac and Windows users.
Malvertising is a portmanteau of ‘malware’ and ‘advertising’. The way it works is simple: legitimate online advertising channels are used to force browsers to download malicious software. Troublingly, victims don’t even need to be on a suspect website. These malicious adverts have been served through websites as innocuous as Amazon.com, Apple.com and ads.yahoo.com.
Kyle and Stan takes advantage of social engineering in order to pump your computer full of unwanted and unpleasant malware. Curious as to how you can fight back? Read on.
How The Attack Works
The attack is contingent upon a number of things. The first is somehow convincing a traditional (and legitimate) advertising network – such as DoubleClick, by Google – to run an advert that contains malicious code. Whilst undetected by the ad network, this advert is cascaded to other legitimate sites, where it executes in the browser and redirects users to sites serving malicious software.
The malware also determines which operating system and browser are in use by examining the user-agent string, which contains a wealth of information on the configuration of the computer. This covers everything from the screen resolution to the plugins running in the browser.
Once the malware has determined the operating system of the user, it then makes a decision where to redirect the browser. Mac users are sent to sites that serve malware that is specific to OS X and is bundled as a DMG, whilst Windows users are sent to sites that serve Windows malware as executable files.
Your browser will then automatically download the malware. This is reported to be a bundle of legitimate software – generally a media player – in addition to several malware packages and a configuration file that is specific to the user.
As the Cisco blog post which initially identified the malware remarked, the interesting thing about ‘Kyle and Stan’ is that it also attacks Mac users. These are users who have traditionally not had to deal with the security risks that are inherent in Microsoft Windows, and as a result may be more vulnerable to the social aspect of the attack.
The malware served by Kyle and Stan differs fundamentally in how it operates, and how it is removed, on each platform targeted. Curious? Read on.
The Windows Malware
The Windows malware is a 32-bit Windows app written in C++. Upon execution it installs several pieces of malware, as well as NewPlayer. This comes disguised as a media player: the legitimate-looking front that masks the other, less-than-legitimate activity. Namely, it hijacks Internet Explorer, Google Chrome and Firefox, serves unwanted advertisements and popups, and hijacks search traffic.
The Windows malware served by Kyle and Stan obfuscates its activity with something called Dynamic Forking. This works by hijacking legitimate processes and replacing their activity with its own. This allows the malware to bypass Windows’ security features, and allows it to install new malicious software without arousing suspicion. A more detailed explanation of how this works can be found on the Cisco blog post.
Dynamic Forking is incredibly challenging to mitigate against. It also shows the extreme level of sophistication of this particular malware. But what about removing it? Well, getting rid of NewPlayer is a well-documented, well-understood process. However, as previously mentioned, this installer also drops (and can drop) other, arbitrary packages. As a result, you’re advised to have an up-to-date antivirus installation. This is documented fully in our Malware Removal Guide.
The Mac Malware
But what about the Mac malware? When a Mac visits a site that is running a Kyle and Stan advert, a DMG is automatically downloaded. Inside is a copy of MPlayerX, a legitimate media player that was reviewed last year by my colleague, Dave LeClair.
This comes bundled with two less-than-legit pieces of malware. Both are browser hijackers: Conduit and VSearch. Conduit has a veneer of legitimacy – it’s created by an actual company with employees, offices and mailing addresses – and the user has the option to opt out of installing this particular browser hijacker. There’s no such option for VSearch, however.
The behavior of VSearch is consistent with most browser hijackers. Search traffic is redirected through their own portals, which have their own adverts splashed about, and popup advertisements are launched periodically. It’s annoying, and intrusive. And more importantly, it’s a threat to your privacy. VSearch also starts automatically, as it registers launch agents and daemons with launchd (via launchctl) once installed.
Removing it is relatively easy though. Just drop the following items in the trash:
/Library/Application Support/VSearch
/Library/LaunchAgents/com.vsearch.agent.plist
/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist
/Library/LaunchDaemons/Jack.plist
/Library/PrivilegedHelperTools/Jack
/System/Library/Frameworks/VSearch.framework
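The removal steps above as a small POSIX shell script. This is an added example, not code from the article, from Cisco or from any vendor tool: it checks which of the listed VSearch artifacts are actually present, unloads the launchd jobs that the plists register, and then deletes the files. The ROOT prefix argument is an assumption of this example so the functions can be tried against a staging directory before being run against the live disk.

```shell
#!/bin/sh
# Added example (not from the article): scan for and remove the VSearch
# artifacts listed above. ROOT is an assumed prefix; "" means the live system.

# The seven paths named in the article, one per line (a path contains a space,
# so the list is split on newlines only).
VSEARCH_PATHS='/Library/Application Support/VSearch
/Library/LaunchAgents/com.vsearch.agent.plist
/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist
/Library/LaunchDaemons/Jack.plist
/Library/PrivilegedHelperTools/Jack
/System/Library/Frameworks/VSearch.framework'

# vsearch_scan [ROOT]: print every listed artifact that exists under ROOT.
vsearch_scan() {
    _root="${1:-}"
    _oldifs="$IFS"
    IFS='
'
    for _p in $VSEARCH_PATHS; do
        if [ -e "$_root$_p" ]; then printf '%s\n' "$_root$_p"; fi
    done
    IFS="$_oldifs"
    return 0
}

# vsearch_count [ROOT]: print how many artifacts are present (0 means clean).
vsearch_count() {
    _n=0
    _oldifs="$IFS"
    IFS='
'
    for _p in $VSEARCH_PATHS; do
        if [ -e "${1:-}$_p" ]; then _n=$((_n + 1)); fi
    done
    IFS="$_oldifs"
    printf '%s\n' "$_n"
}

# vsearch_remove [ROOT]: on the live system, unload the launchd job behind each
# plist first (so the daemon cannot respawn), then delete every artifact found.
vsearch_remove() {
    _root="${1:-}"
    _oldifs="$IFS"
    IFS='
'
    for _p in $VSEARCH_PATHS; do
        _t="$_root$_p"
        [ -e "$_t" ] || continue
        if [ -z "$_root" ] && command -v launchctl >/dev/null 2>&1; then
            case "$_p" in
                *.plist) launchctl unload "$_p" 2>/dev/null || true ;;
            esac
        fi
        rm -rf "$_t" && printf 'removed %s\n' "$_t"
    done
    IFS="$_oldifs"
    return 0
}

# Command-line use: `sh vsearch_cleanup.sh scan` lists what is present,
# `sudo sh vsearch_cleanup.sh remove` unloads and deletes it.
case "${1:-}" in
    scan)   vsearch_scan ;;
    remove) vsearch_remove ;;
esac
```

Run the scan first and read its output before removing anything; the LaunchDaemons and PrivilegedHelperTools entries are root-owned, so the remove step needs sudo. On OS X 10.11 and later, System Integrity Protection blocks writes under /System/Library/Frameworks, so that entry will report a failure from rm even as root.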
What Can You Do?
Defeating Kyle and Stan is easy. You just need to be incredibly vigilant. Has your computer automatically downloaded an executable that you weren’t expecting? Does it look fishy? Have you been redirected to the download page of a piece of software you’re not familiar with? These are all reasons to be concerned.
I’d also encourage you to have a modern, updated antivirus running on your system. This goes for Mac users too. I’m quite fond of Sophos OS X antivirus.
Have you been hit by Kyle and Stan? Let me know about it. Comments box is below.
Image Credit: Cisco