The merciless onslaught of advertisements in some parts of the web have forced people to use applications like AdBlock to get a cleaner and less cluttered browsing experience. But using AdBlock is safe, right? Well, only if you are using the right one. A recent Malwarebytes post shows a malicious LSP Hijacker that tries to disguise itself as the legitimate application, AdBlock Plus. Talk about irony!
Disguised application contains rootkit elements
It turns out, the malware pretending to be AdBlock is actually pretty advanced. It detects virtual machines and does not deliver most of its payloads there, in order to avoid detection. On a real system however, it acts as an LSP Hijacker and installs rootkit elements which are difficult to get rid of. Some of the hidden services installed can even run in safe mode making removal a problematic procedure.
“A Layered Service Provider is a file (.dll) using the Winsock API to insert itself into the TCP/IP stack.”
Thus by hijacking the LSP, this malware is able to intercept all traffic passing between the internet and applications on the infected system. This way more ads can be inserted forcefully, that’s just what you wanted from your new ad “blocker”.
Although the application appears like AdBlock it does not block any ads or perform any of the functions associated with the legitimate application. This fake adblocker named “Bylekh” also attempts to avoid suspicion by using a fake installation date. The installation date added by the program (as seen in the Add or Remove Programs section in control panel) is much older than the actual date. This is done to avoid being immediately spotted when programs are sorted by install dates.
Programs like these blur the lines between PUP and malware, almost making the two categories equivalent. As adware continues to grow, users must know that no program can be easily trusted. As seen in this case, a program that promises to block ads may actually end up doing the very opposite.
Have a nice (malware-free) day!