Slashdot Mirror


Cisco Finds Backdoor Installed On 12 Million PCs (securityweek.com)

Reader wiredmikey writes: Security researchers at Cisco have come across a piece of software that installed backdoors on 12 million computers around the world. Researchers determined that the application, installed with administrator rights, was capable not only of downloading and installing other tools, such as a known scareware called System Healer, but also of harvesting personal information. The software, which exhibits adware and spyware capabilities, was developed by a French online advertising company called Tuto4PC. The "features" have led Cisco Talos to classify the Tuto4PC software as a "full backdoor capable of a multitude of undesirable functions on the victim machine." Tuto4PC said its network consisted of nearly 12 million PCs in 2014, which could explain why Cisco's systems detected the backdoor on 12 million devices. An analysis of a sample set revealed infections in the United States, Australia, Japan, Spain, the UK, France and New Zealand. Tuto4PC has received flak from many over the years, including French regulators.

67 comments

  1. lacking important information by Anonymous Coward · · Score: 1

    That's a substantial number of infected computers. Is this malware detected by antivirus systems? And how is it getting installed on those computers?

    1. Re:lacking important information by Anonymous Coward · · Score: 0

      No, this is a special kind of malware (advertising/potentially unwanted software) which is pretty much ignored by antivirus systems.

    2. Re:lacking important information by fuzzyfuzzyfungus · · Score: 1

      The downside of 'rule of law' is that a decent suit becomes effective camouflage for all sorts of predators that might otherwise be forced to operate in the shadows.

    3. Re:lacking important information by Mike+Frett · · Score: 1

      A number of infected Windows machines you mean.

    4. Re: lacking important information by Anonymous Coward · · Score: 0

      Loaded via backdoored cisco routers.
      This is just cisco cya bs.

    5. Re: lacking important information by Anonymous Coward · · Score: 0

      Isn't it kind of weird that "windows" can be "infected" and so gain a "back door"? Usually it's the door that contains the window, not the other way around.

  2. So why hasn't Tuto4PC been sued or legislated away by zoomshorts · · Score: 2, Insightful

    So why haven't these douchebags been removed from existence?

  3. So how do we detect if we have it? by Anonymous Coward · · Score: 2, Insightful

    I hate articles that give no info on how to fix the issue.. only provide enough info to scare ya.

    1. Re:So how do we detect if we have it? by tonyyeb · · Score: 1

      The original Cisco article (http://blog.talosintel.com/2016/04/the-wizzards-of-adware.html) states that ClamAV has the signatures to recognise this threat.

    2. Re:So how do we detect if we have it? by fustakrakich · · Score: 1

      :-) That is the idea...

      Doesn't Cisco have some back doors in its routers that need looking after?

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:So how do we detect if we have it? by greenfruitsalad · · Score: 5, Insightful

      i hate the way it's always reported. i.e. when there's a worm affecting linux systems, the article always makes that clear. when there's a trojan affecting osx, it says so too. but when shit hits windows, it's suddenly computers or PCs. why don't journalists start calling things what they are? WINDOWS viruses, WINDOWS rootkits, WINDOWS backdoors, etc. It's not PCs that are infected, it's PCs running WINDOWS that are infected in 99.99% of cases.

    4. Re:So how do we detect if we have it? by INT_QRK · · Score: 1

      Well, the good news seems to be that its executables are ".exe" files. Gotta love dem Windows.

    5. Re:So how do we detect if we have it? by David_Hart · · Score: 2

      i hate the way it's always reported. i.e. when there's a worm affecting linux systems, the article always makes that clear. when there's a trojan affecting osx, it says so too. but when shit hits windows, it's suddenly computers or PCs. why don't journalists start calling things what they are? WINDOWS viruses, WINDOWS rootkits, WINDOWS backdoors, etc. It's not PCs that are infected, it's PCs running WINDOWS that are infected in 99.99% of cases.

      Because the terms PC and computers are synonymous with Windows, much like Kleenex is synonymous with tissues and Heinz with Ketchup. The vast majority of people associate PCs with Windows systems. It might irk you, but it isn't going to change.

    6. Re:So how do we detect if we have it? by Anonymous Coward · · Score: 0

      Are you implying that anyone, anywhere, is confused by this use of language?

      Or are you simply being a massive pedant for the sake of it?

    7. Re:So how do we detect if we have it? by Anonymous Coward · · Score: 0

      That's your problem in USA and UK, that you call things by their commercial names. It's stupid. Use the generic name.

    8. Re:So how do we detect if we have it? by Anonymous Coward · · Score: 0

      > Because the terms PC and computers are synonymous with Windows,

      Nope, that's not a proper "because", that's ignorance. PC is, has been, and will continue to mean Personal Computer no matter how hard a few ad campaigns from Windows and Apple have tried to confuse the masses. Gradual correction will get the train back on its tracks. As long as people like you don't show up, and take time out of your day to defend such ignorance.

    9. Re:So how do we detect if we have it? by twdorris · · Score: 1

      You mean like the generic name "PC". Oh, wait...

    10. Re: So how do we detect if we have it? by Anonymous Coward · · Score: 0

      But in these articles a PC running xyz os isn't a PC... it is xyz.

    11. Re:So how do we detect if we have it? by fox171171 · · Score: 2

      i hate the way it's always reported. i.e. when there's a worm affecting linux systems, the article always makes that clear. when there's a trojan affecting osx, it says so too. but when shit hits windows, it's suddenly computers or PCs. why don't journalists start calling things what they are? WINDOWS viruses, WINDOWS rootkits, WINDOWS backdoors, etc. It's not PCs that are infected, it's PCs running WINDOWS that are infected in 99.99% of cases.

      While I tend to agree with you, I am pretty sure it was APPLE advertising that established that "PC" meant "Windows".

    12. Re:So how do we detect if we have it? by wallsg · · Score: 1

      To the general public, "PC" means (at least in the computer sense) what used to be called IBM PC-compatible Personal Computer running Windows. Yes, while it's more accurate to say "Windows PC", people in general recognize PC as a Windows machine, and Mac as an Apple OS machine. Do you talk about a "Mac" or an "OS X PC?"

      Linux would be "you mean that thing on Big Bang Theory?"

    13. Re:So how do we detect if we have it? by Kazoo+the+Clown · · Score: 1

      Now I get it, the whole thing is a marketing scheme by Cisco to promote ClamAV-- the copyrights to which it acquired in 2013.

    14. Re:So how do we detect if we have it? by Anonymous Coward · · Score: 0

      Well, PC = Personal Computer. Not hard to understand. Doesn't matter what flavor. It's still a PC.

    15. Re: So how do we detect if we have it? by Anonymous Coward · · Score: 0

      I will say that confuses people.
      C'mon, we live in a world where people point at a monitor and call it a hard drive.

    16. Re:So how do we detect if we have it? by FormOfActionBanana · · Score: 1

      I didn't know you could get viruses in X Windows...

      --
      Take off every 'sig' !!
    17. Re:So how do we detect if we have it? by Anonymous Coward · · Score: 0

      That's a side effect of having 96% of the market. Is it REALLY that hard to understand that if somebody is running a "computer" or a "PC" then there is literally a 96% chance that person is running Windows?

      Suggesting that the other 4% merit mention is just as silly as suggesting that the Green Party deserves attention at election time because a poll says that 4% of people want to vote for them. 4% is an insignificant number compared to 96%, so it just doesn't rate.

    18. Re: So how do we detect if we have it? by Anonymous Coward · · Score: 0

      Exactly. The fact that a car means something else to a lisp programmer doesn't mean that clarification is warranted when speaking to humans.

    19. Re:So how do we detect if we have it? by Trogre · · Score: 1

      Isn't it obvious?

      It's because the media is full of Microsoft shills, and Microsoft do not want you, the hapless consumer, to know that there is an alternative.

      They want you to think PC == Windows

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  4. Missing from the summary by OzPeter · · Score: 5, Informative

    From TFA

    According to Tuto4PC’s website, the company offers hundreds of tutorials that users can access for free by installing a piece of software that displays ads.

    So it seems you had to explicitly install it.

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:Missing from the summary by hydrofix · · Score: 1, Insightful

      It's probably a misnomer to call this a backdoor or virus. The users probably need to click through some EULA where they give the company permission to do as they see best with the user's computer. Computers are powerful machines and a great deal of users are just too ignorant and should not be allowed to install code downloaded from the Internet on their computers.

    2. Re:Missing from the summary by Anonymous Coward · · Score: 0

      The link to TALOS is in the article. http://blog.talosintel.com/201... Go read it. Course forgot this is Slashdot, most do not read beyond the summary........

    3. Re:Missing from the summary by Eosi · · Score: 2

      I believe that Backdoor is accurate, after reading the story and link to Cisco's Talos labs. This application created a way for the software dev to push ads and software to your PC, without your knowledge. AND to bypass local AV to do it.

    4. Re:Missing from the summary by Mashiki · · Score: 4, Informative

      The blog post gives some information on this, including the "no EULA" bit as well.

      --
      Om, nomnomnom...
    5. Re:Missing from the summary by Anonymous Coward · · Score: 0

      You mean like Windows 10?

    6. Re:Missing from the summary by drinkypoo · · Score: 1

      ...it seems you had to explicitly install it.

      Not necessarily. There's lots of ways software can get installed on a user's computer, and not all of them require user interaction, conscious or otherwise. The user could be attempting to install one thing, and get something else entirely, or just something else along for the ride. You've been around long enough to know how this works...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:Missing from the summary by TheCarp · · Score: 1

      Yes, but the idea that explicitly installing software to display ads while you browse free tutorials means that you can be expected to have understood that you just installed a full remote control and data gathering package; seems a bit beyond the pale to me.

      In no way does it make sense that "display ads" translates meaningfully into "allow full control and full access to my PC at any time it is on and connected"

      --
      "I opened my eyes, and everything went dark again"
    8. Re: Missing from the summary by Anonymous Coward · · Score: 0

      Don't worry, they are working on that.

    9. Re:Missing from the summary by Anonymous Coward · · Score: 0

      Yes, you had to explicitly install it. However the tutorial was often bundled with the software that it covers.

      One of the main distributors of this crap was a French software downloading website (translate "to download dot com" in French) that proposed a bigger "recommended" link for the crapware bundle than for the software only.

      The company also eagerly sued bloggers ("sebsauvage") and forum owners at the time.

  5. Flak? by mwvdlee · · Score: 5, Funny

    Tuto4PC has received flak from many over the years

    Seriously, aren't we overreacting a bit? Flak? Couldn't we just have sued and sent them to prison? Flak is a bit much, isn't it. Flak really, really hurts and the fact that many people are giving them flak is just horrible. It's the stuff censored in straight-to-video horror movies. It's unhuman, the sheer amount of flak they had to take. Even waterboarding would be preferable to flak.

    --
    Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    1. Re:Flak? by Anonymous Coward · · Score: 1

      Flak jackets and helmets have been around for a long time and can be picked up at any army surplus store. If they don't have any by now, they deserve all the flak they get.

    2. Re:Flak? by Nidi62 · · Score: 1

      Tuto4PC has received flak from many over the years

      Seriously, aren't we overreacting a bit? Flak? Couldn't we just have sued and sent them to prison? Flak is a bit much, isn't it. Flak really, really hurts and the fact that many people are giving them flak is just horrible. It's the stuff censored in straight-to-video horror movies. It's unhuman, the sheer amount of flak they had to take. Even waterboarding would be preferable to flak.

      I don't know. Maybe we should take a page out of North Korea's book and use AA guns as a form of execution. Although, to be fair, it should only be used for the most heinous of crimes such as Nigerian Prince spamming or having the last name Kardashian.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    3. Re:Flak? by Anonymous Coward · · Score: 0

      Flak jackets and helmets have been around for a long time and can be picked up at any army surplus store. If they don't have any by now, they deserve all the flak they get.

      And because they are French even used flak jackets should be somewhat useful because all the damage would be on the back.

  6. time cisco came clean about its own backdoors by sittingnut · · Score: 0

    It's great that Cisco finds other people's backdoors, but Cisco should come clean about backdoors it lets the USA government incorporate into its own routers.

    1. Re:time cisco came clean about its own backdoors by omgwtfroflbbqwasd · · Score: 1

      All you need to do is read Cisco's documentation to learn about their backdoors.

      http://www.cisco.com/c/en/us/t...

  7. Flak by tekrat · · Score: 3, Funny

    I assume by "Flak"; the author of the summary has indicated that we are firing Explosive Anti-Aircraft shells at them. I expect nothing less.

    Of course, were it my choice, I would have used a tactical nuke, but that's just me.

    --
    If telephones are outlawed, then only outlaws will have telephones.
    1. Re:Flak by Anonymous Coward · · Score: 0

      That's nice but most of us don't have access to tactical nukes.

    2. Re:Flak by Anonymous Coward · · Score: 0

      That's nice but most of us don't have access to tactical nukes.

      Speak for yourself.

  8. Kill it with fire. by INT_QRK · · Score: 1

    Kill it. Kill it with fire.

  9. It's all good and well to point fingers at others by Anonymous Coward · · Score: 0

    but what about your own reputation, Cisco, and the backdoors you put into your own hardware?

  10. Re:So why hasn't Tuto4PC been sued or legislated a by Anonymous Coward · · Score: 0

    Because that's as effective as legislating gravity away. Things don't change because they're made illegal as in a magic wave. It's something called real world and it doesn't work the way you want or the way it was sold to you.

    Now, more on-topic, given that Windows is deemed insecure, I have had some difficulty in answering my friends whether Linux is secure or not. Better, no doubt, but it is as secure as the underlying hardware will allow... "remote administration" things introduce a whole new level of system vulnerability (this is especially the case in "smart" phones, I gather).

    Anybody proving me wrong is very welcome...

  11. shady != shady ? by redwhine · · Score: 1

    In the article, Tuto4PC states "The Talos blogpost is inaccurate in describing Tuto4PC as a shady malware distribution enterprise." Or in other words, How dare you describe a shady malware distribution enterprise as a shady malware distribution enterprise!

  12. Re:MOD PARENT DOWN by Anonymous Coward · · Score: 0

    You must be new here...

  13. WTF? That's what hosts stops (ability to do that) by Anonymous Coward · · Score: 0

    See subject: It can't harm you when you can't touch it & hosts BLOCK malware sources updated daily! It's a big part of what my program does via 10 security community sources data (many daily updated)!

    It's also far more efficient in less moving parts for it than DNS locally installed OR Antivirus (which also slows you down vs. hosts speeding you up 2 ways) as well as less resources used & FAR LESS SECURITY ISSUES THAN BOTH as well!

    Plus, it's less complex than firewalls for the purpose too + blocks FAR MORE USED host/domain names used in malwares (vs. IP addresses most firewalls block instead) AND hosts don't have NEARLY as many "moving parts" in layered filtering drivers ABOVE the IP stack (hosts IS part of the IP stack) or other services & front-ends too.

    APK

    P.S.=> Hosts ARE everything I say they are, & many others here can prove it for me by SPEAKING that much for me vs. your bullshit... apk

  14. This stops malvertising & far more threats by Anonymous Coward · · Score: 0

    Blocking users from sources of malware in ads APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...

    Less power/cpu/ram + IO use vs. DNS/routers/antivirus + less security issues/complexity. Compliments firewalls (w/ layered drivers blocking less used IP addys vs. hosts blocking more used domains) & DNS (lighten dns load). Gets data via 10 security sites.

    Works vs. caps & HTTP PUSH ads w/ firewalls.

    * Ads rob bandwidth/speed paid for, security (openbid adnetworks abuse), privacy in tracking + anonymity.

    Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogtrackers) natively. Hosts != blockable by ClarityRay (like. souled-out to admen inferior wasteful redundant slower usermode browser addons)

    APK

    P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "I've seen the code & yes it is safe" http://forum.hosts-file.net/vi... )

  15. 12m out of how many??? by Anonymous Coward · · Score: 0

    you could find almost anything installed on 12m computers around the world! why is this one notable other than it's a slow news day

  16. 12 million stupid people by tgrigsby · · Score: 1

    From the article:

    According to Tuto4PC’s website, the company offers hundreds of tutorials that users can access for free by installing a piece of software that displays ads.

    And 12 million people fell for that? What kind of tutorial do you need so badly that you'd willingly set up adware on your machine?

    --
    *** *** You're just jealous 'cause the voices talk to me... ***
  17. Mr Pot meet Mr Kettle by Anonymous Coward · · Score: 0

    whilst they quietly ignore all the backdoors the NSA have put in their own hardware\software.

  18. Re: WTF? That's what hosts stops (ability to do th by Anonymous Coward · · Score: 0

    What about the Winblows updates hosted on the same akaime servers as viruses?

  19. I think you already know the answer... by gosand · · Score: 1

    i hate the way it's always reported. i.e. when there's a worm affecting linux systems, the article always makes that clear. when there's a trojan affecting osx, it says so too. but when shit hits windows, it's suddenly computers or PCs. why don't journalists start calling things what they are? WINDOWS viruses, WINDOWS rootkits, WINDOWS backdoors, etc. It's not PCs that are infected, it's PCs running WINDOWS that are infected in 99.99% of cases.

    I believe you answered your own question.

    --

    My beliefs do not require that you agree with them.

  20. It's "AKAMAI" & I don't have issues w/ it... a by Anonymous Coward · · Score: 0

    See subject: My program has enable/disable hosts via rightclick on a tooltray icon popup menu & hosts = easy to edit YOURSELF! IF you find hosts "gets in your way"? Disable it & re-enable it OR manually edit hosts using my program's rightclick popup menus on lists of data it shows you as results (Find/Delete items) or using notepad.exe (or any text editor).

    * Depends on sources you use for hosts (there are more than my program has - I picked a best mix to get folks going as easy as it gets via an easy to use single part Win32/64 portable GUI executable with built in false positives list ABOVE & BEYOND my sources filters too - to stop false positives etc.

    Lastly - My sources for hosts file data's producers in the security community DO take suggestions for removals of items to block in THEIR lists (my program has a 'site checkers' toolset in it to run sites you find questionably blocked by to be sure they're NOT bad - uses many security sites databases for it)

    APK

  21. Another Windows backdoor? by Anonymous Coward · · Score: 0

    Who would have thunk!

  22. I'm shocked this has happened by k6mfw · · Score: 1
    --
    mfwright@batnet.com
  23. MOD PARENT UP you imbecile by Anonymous Coward · · Score: 0

    As usual, I'm right! Hosts stop this malvertiser working by blocking its C&C domains of wizzuniquify.com, wizztraksys.com, auhazard.com.

    Proof's RIGHT here http://blog.talosintel.com/201... from the security research itself on it...

    APK

    P.S.=> You know something? You moron AC trolls are REALLY "reaching" now, aren't you?? Telling utter lies really "takes the cake"... what a pitiful pack of idiots! apk
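The comment above claims a hosts file defeats this adware by sinkholing its C&C domains. The added Python below (example code written for this page, not from the thread, from APK's tool or from Talos) checks how far that actually holds: it parses a hosts file, reports which of the three domains quoted above are sinkholed, mapped to a non-sinkhole address, or absent, and scans constructed dnsmasq-style DNS log lines for lookups of those domains or their subdomains. The domain names come from the comment; the hosts-file contents, the log lines and the 93.184.216.34 address are constructed sample data. The point a defender should take from it is that hosts-file blocking is exact-match only, so a lookup of a subdomain such as cdn.wizzuniquify.com passes straight through unless that name is listed too, whereas the DNS-log check matches on the domain suffix.

```python
"""Check hosts-file coverage of known C&C domains and flag DNS log lookups.

Added example for this thread; the domain names are those quoted in the
comment above, everything else (hosts text, log lines, addresses) is
constructed sample data.
"""
import re
from typing import Dict, List, Set, Tuple

# C&C domains named in the comment above (from the page).
CNC_DOMAINS: Set[str] = {"wizzuniquify.com", "wizztraksys.com", "auhazard.com"}

# Addresses conventionally used to blackhole a name in a hosts file.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Constructed hosts file: one domain sinkholed (with a www. alias), one
# mapped to a real address (so NOT blocked), one missing entirely.
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1   localhost
0.0.0.0     wizzuniquify.com www.wizzuniquify.com   # blocked
93.184.216.34 auhazard.com    # constructed: a real address, not a sinkhole
"""

# Constructed dnsmasq-style query log lines.
SAMPLE_DNS_LOG = """Apr 20 10:01:02 dnsmasq[123]: query[A] www.example.com from 10.0.0.5
Apr 20 10:01:03 dnsmasq[123]: query[A] wizztraksys.com from 10.0.0.7
Apr 20 10:01:04 dnsmasq[123]: query[A] cdn.wizzuniquify.com from 10.0.0.9
"""

QUERY_RE = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every hostname in a hosts file to its address; comments ignored."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()          # one address, many names per line
        for name in names:
            mapping[name.lower().rstrip(".")] = addr
    return mapping


def hosts_coverage(hosts_text: str, domains: Set[str]) -> Dict[str, str]:
    """Classify each domain: 'sinkholed', 'missing', or 'mapped:<addr>'.

    A 'mapped' entry means the name resolves via hosts to a real address,
    which bypasses the resolver without blocking anything.
    """
    mapping = parse_hosts(hosts_text)
    result: Dict[str, str] = {}
    for d in sorted(domains):
        addr = mapping.get(d.lower())
        if addr is None:
            result[d] = "missing"
        elif addr in SINKHOLE_ADDRS:
            result[d] = "sinkholed"
        else:
            result[d] = "mapped:" + addr
    return result


def sinkhole_entries(hosts_text: str, domains: Set[str]) -> List[str]:
    """Hosts lines to append for domains that are absent. Domains already
    mapped to a real address are deliberately left out: appending a second
    line does not reliably override the first, so that line must be edited."""
    cov = hosts_coverage(hosts_text, domains)
    return ["0.0.0.0 " + d for d, state in cov.items() if state == "missing"]


def is_cnc_query(name: str, domains: Set[str]) -> bool:
    """True for an exact C&C domain or any subdomain of one (suffix match)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in domains)


def flag_dns_log(log_text: str, domains: Set[str]) -> List[Tuple[str, str]]:
    """Return (client, queried_name) pairs for lookups that touch a C&C domain."""
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_cnc_query(m.group(1), domains):
            hits.append((m.group(2), m.group(1)))
    return hits


if __name__ == "__main__":
    for domain, state in hosts_coverage(SAMPLE_HOSTS, CNC_DOMAINS).items():
        print(f"{domain:20} {state}")
    print("lines to append:", sinkhole_entries(SAMPLE_HOSTS, CNC_DOMAINS))
    print("suspicious lookups:", flag_dns_log(SAMPLE_DNS_LOG, CNC_DOMAINS))
```

Run against the constructed data, auhazard.com shows up as mapped to a real address rather than blocked, wizztraksys.com is missing, and the log scan catches the cdn.wizzuniquify.com lookup that the hosts entry for wizzuniquify.com alone would never stop.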

    1. Re: MOD PARENT UP you imbecile by Anonymous Coward · · Score: 0

      APK you are filthy fucking scum. You are no different than this offending company.
      You are a low life spammer. Nobody believes a god damn thing you say.

      You filthy scum spammer, I hope someone finds an exploit in your code and hacks the fuck outta you. You piece of shit.

  24. Other /.'ers disagree - blowing U away (lol) by Anonymous Coward · · Score: 0

    I support APK's stand on the hosts file by Trax3001BBS

    his hosts program is actually pretty good by xenotransplant

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon

    I like your host file system by Karmashock

    I find your hosts file admirable by vel-ex-tech

    APK is kinda right. I've given up on JS based adblocking and gone to blackholing in /etc/hosts, just like it was back in the 90s. The computational load has gotten intolerable for any ad-blocking using JS. I've tried his hosts file generating software. It works by bmo

    APK is totally right on this count. Adblock Plus on Firefox mobile is a dog on older, or lower end, phones. A hostfile based adblocker makes for a much better experience by chihowa

    APK

    P.S.=> Would you like more? Ask - the beatings WILL continue (on you, lol)... apk