{"id":6338,"date":"2017-01-23T15:50:26","date_gmt":"2017-01-23T23:50:26","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-176\/"},"modified":"2017-01-23T15:50:26","modified_gmt":"2017-01-23T23:50:26","slug":"news-176","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-176\/","title":{"rendered":"MSRT November 2016: Unwanted software has nowhere to hide in this month\u2019s release"},"content":{"rendered":"

We came across a browser modifier<\/a><\/span> that sports rootkit<\/a><\/span> capabilities. Not only does the threat, detected as BrowserModifier:Win32\/Soctuseer<\/a><\/span>, cross the line that separates legitimate software from unwanted<\/a><\/span>, it also takes staying under the radar to the next level.<\/p>\n

Rootkit capabilities, which make it difficult to detect and remove applications, are usually associated with malware<\/a><\/span>. Yet Soctuseer<\/a><\/span> uses rootkit capabilities to conceal its presence on a computer, ultimately making it difficult for affected users to control their device and browsing experience.<\/p>\n

Apart from hiding its presence, Soctuseer<\/a><\/span> installs itself without using your browser\u2019s supported extensibility model for installation. And, once installed and running, it takes away the control you should have about how it operates. You can’t enable or disable it from your browser settings. The result is that you can be served webpage content that is modified without your consent.<\/p>\n

No matter how it attempts to hide, though, most Soctuseer<\/a><\/span> installations and system modifications will be uncovered and removed by the Microsoft Malicious Software Removal Tool<\/a><\/span> (MSRT). We\u2019re adding detections for BrowserModifier:Win32\/Soctuseer<\/a> in this month\u2019s MSRT release, helping to lessen interference to your browsing experience.<\/p>\n

 <\/p>\n

More than a million machines infected<\/span><\/h2>\n

Just like most browser modifiers, Soctuseer<\/a><\/span> is distributed by software bundlers<\/a><\/span>. We have seen Soctuseer brought along by other unwanted software that we detect as SoftwareBundler:Win32\/InstallMonster<\/a><\/span> and SoftwareBundler:Win32\/Techrelinst<\/a><\/span>.<\/p>\n

Since September 2016, we have seen over 1.2 million infected machines, 40% of which are in the US, Indonesia, and India.<\/p>\n

\"Map<\/a><\/p>\n

Figure 1: Map showing location of observed <\/em>Soctuseer<\/em><\/a><\/span> infections. The United States, Indonesia and India account for 40% of infections.<\/em><\/p>\n

\u00a0<\/em><\/p>\n

Ads for discounted products tailored to your search activities<\/span><\/h2>\n

Soctuseer<\/a><\/span>\u2019s main objective is to display advertisements while you browse the internet. It pops up ads based on searches you make on specific websites. For example, if you were searching for \u201claptop\u201d on your favorite online retailer, Soctuseer<\/a><\/span> pops up ads for other sites offering laptops, supposedly at discounted rates. The ads have the attribute name \u201cSocial2Search\u201d.<\/p>\n

\"Screenshot<\/a><\/p>\n

Figure 2: Social2Search ads for \u201cred shoes\u201d on Microsoft Edge<\/em><\/p>\n

\"Screenshot<\/a><\/p>\n

Figure 3: Social2Search ads for a \u201claptop\u201d on Internet Explorer<\/em><\/p>\n

 <\/p>\n

Soctuseer<\/a><\/span> uses the following methods to display ads:<\/p>\n