Tuesday, August 9, 2016

Vector of Attack - Unwanted Software

One of the atomic forms of defense in depth is threat vector analysis: figure out how the bad man can get to us and move to cut that "path" off. According to The Stack:

In a year-long study in conjunction with New York University, researchers at Google found that unwanted software unwittingly downloaded as part of a bundle is a larger problem for users than malware. Google Safe Browsing currently generates three times as many Unwanted Software (UwS) warnings as malware warnings, over 60 million per week.

The study found the pay-per-install (PPI) scheme, whereby a company succeeds in monetizing end user access by paying $0.10 to $1.50 every time their software is installed on a new device, to be the primary source of unwanted software proliferation. To get a payout from a commercial PPI organization, companies bundle regular software with unwanted software, which is then unwittingly downloaded by the user.

Types of unwanted software (UwS, pronounced ‘ooze’) fall into five categories: ad injectors, browser settings hijackers, system utilities, anti-virus, and major brands. While estimates of UwS installs are still emerging, studies suggest that ad injection affects 5% of browsers, and that deceptive extensions in the Chrome Web store affect over 50 million users. 59% of the bundles studied were flagged by at least one anti-virus engine as potentially unwanted.

The full report is at: http://static.googleusercontent.com/media/research.google.com/en//pubs/archive/45487.pdf

According to the study:
Estimates of the incident rate of unwanted software installs on desktop systems are just emerging: prior studies suggest that ad injection affects as many as 5% of browsers and that deceptive extensions escaping detection in the Chrome Web Store affect over 50 million users.

Note on Opera from the study:
Based on the affiliate codes embedded in the download URLs for Opera, it appears that Opera directly interacts with PPI operators to purchase installs rather than relying on intermediate affiliates.
Look for connections to net.geo.opera.com
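As an added example (not code from the original post or the study), here is a small Python check that scans DNS-query log lines for lookups of net.geo.opera.com or any of its subdomains and reports which clients made them; the tab-separated log format and the client addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample DNS query log (Zeek-like, tab-separated: ts, client_ip, query).
# These lines are made up for the example and are not from the original post.
SAMPLE_LOG = """\
1470700000.1\t10.0.0.5\tnet.geo.opera.com
1470700001.2\t10.0.0.7\twww.example.org
1470700002.3\t10.0.0.5\tautoupdate.geo.opera.com
1470700003.4\t10.0.0.9\tnet.geo.opera.com.evil.test
1470700004.5\t10.0.0.7\tNET.GEO.OPERA.COM
"""

# Domain called out in the post as a sign of Opera's direct PPI install traffic.
WATCHED = ("net.geo.opera.com",)


def matches_watched(name: str, watched=WATCHED) -> bool:
    """True if `name` equals a watched domain or is a subdomain of it.

    The comparison is case-insensitive, ignores a trailing dot, and is anchored
    on label boundaries, so 'net.geo.opera.com.evil.test' does NOT match and
    'autoupdate.geo.opera.com' (a sibling, not a child) does NOT match either.
    """
    n = name.lower().rstrip(".")
    for w in watched:
        w = w.lower()
        if n == w or n.endswith("." + w):
            return True
    return False


def find_clients(log_text: str, watched=WATCHED) -> dict:
    """Return {client_ip: [queried names]} for every query that hit a watched domain."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            continue  # malformed line, skip rather than crash
        _ts, client, query = fields[:3]
        if matches_watched(query, watched):
            hits[client].append(query.lower().rstrip("."))
    return dict(hits)


if __name__ == "__main__":
    for client, names in find_clients(SAMPLE_LOG).items():
        print(client, names)
```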
