The Ask Toolbar is known for pushing third-party offers, and many users accidentally install the bundled software along with the toolbar. Red Canary has now found that the Ask Toolbar updater was compromised, without Ask's knowledge, to deliver a virus or trojan. According to their report, they detected suspicious activity directly tied to the Ask toolbar updater.
Ask toolbar updater compromised
The Ask toolbar has been classified as a Potentially Unwanted Program (PUP) by several security software vendors, including Microsoft. It also comes bundled with Java installations, where users are presented with an option to download and install the Ask toolbar; most of us fail to notice it and end up installing it. This behavior makes it one of the most unwanted programs around.
Red Canary's report states that attackers were manipulating the legitimate Ask toolbar updater service to push malware through it. While the attackers' identity is still unknown, Red Canary's analysis found a dropper being installed while the Ask toolbar update service was running, which in turn would have pulled in malicious trojans. Anti-virus software failed to catch the suspicious code because the attackers had somehow got it signed by Ask.com itself, keeping the compromise under wraps.
Later in the investigation, Red Canary reported the incident to the Ask team, which quickly responded with an action plan to pin down the issue and fix it by publishing a software update to mitigate the attack.
Keith McCammon, Red Canary CSO, commented on the incident, stating that behavioral analysis of the victim browsers revealed an alarming situation: the software was trying to execute a .png file (which is not an executable file).
The first-stage binary hashes produced nothing suspicious, as these binaries had been signed just hours earlier by Ask.com itself, but the subsequent payloads told a whole different story, putting the intended malware attack in plain sight.
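The detection problem described above is that hash and signature checks alone pass a freshly signed first stage, so the tell has to come from behavior. The following is an added example (not Red Canary's tooling or Ask's code) of triage heuristics run over constructed process-creation events; the event format, the updater install path and the file names in the sample events are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (hypothetical telemetry format).
# Fields: event time, parent image, child image, command line, signing subject,
# and the time the child binary was signed (e.g. from its Authenticode timestamp).
SAMPLE_EVENTS = [
    {"ts": "2016-05-26T10:02:11", "parent": r"C:\Program Files\Ask.com\Updater\Updater.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\stage1.exe",          # constructed name
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\stage1.exe" /silent',
     "signer": "Ask.com", "signed_at": "2016-05-26T07:50:00"},
    {"ts": "2016-05-26T10:02:14", "parent": r"C:\Users\alice\AppData\Local\Temp\stage1.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe C:\Users\alice\AppData\Local\Temp\img1.png,Start',
     "signer": "Microsoft Windows", "signed_at": "2015-07-10T00:00:00"},
    {"ts": "2016-05-26T10:30:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
     "signer": "Mozilla Corporation", "signed_at": "2016-04-20T00:00:00"},
]

UPDATER_DIR = r"c:\program files\ask.com\updater"   # assumed install directory
NON_EXEC_EXT = re.compile(r"\.(png|jpg|jpeg|gif|bmp|txt)\b", re.IGNORECASE)
FRESH_SIGNATURE = timedelta(hours=24)

def triage(event):
    """Return the list of reasons this event looks suspicious (empty means clean)."""
    reasons = []
    ts = datetime.fromisoformat(event["ts"])
    signed = datetime.fromisoformat(event["signed_at"])
    # A valid signature is not a clean bill of health: the dropper in the report was
    # signed by Ask.com hours before it ran, so a signature minted shortly before
    # first execution is itself worth a look.
    if ts - signed < FRESH_SIGNATURE:
        reasons.append("binary signed less than 24h before execution")
    # The updater is a legitimate parent, but it is the component that was abused,
    # so anything it spawns outside its own install directory deserves review.
    if event["parent"].lower().startswith(UPDATER_DIR) and \
            not event["image"].lower().startswith(UPDATER_DIR):
        reasons.append("updater spawned a process outside its install directory")
    # Behavioral tell from the report: a non-executable file (e.g. .png) being
    # executed or loaded as code by a host process such as rundll32.
    if NON_EXEC_EXT.search(event["cmdline"]):
        reasons.append("non-executable file extension passed for execution/loading")
    return reasons

def find_suspicious(events):
    """Map event index -> reasons for every event that trips at least one heuristic."""
    hits = {}
    for i, event in enumerate(events):
        reasons = triage(event)
        if reasons:
            hits[i] = reasons
    return hits
```

In the sample data the first two events are flagged (the freshly signed child of the updater, then the .png handed to rundll32) while the ordinary browser launch is not.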
Under normal circumstances, an update goes through several layers of testing and QA sign-off before it is rolled out to production. Even so, the attacker apparently slipped the malware in at the eleventh hour, after the update had been digitally signed by Ask.com.
Incidents like this remind us that we cannot afford a "maybe tomorrow" approach to services or third-party software that we don't need. Remove what isn't required promptly, before your security is compromised. More importantly, on a consumer platform, where you have to take precautions on your own, it is extremely important to be aware of what 'extra bits' you are bringing onto your PC when installing any third-party software.