When is a Backdoor a Backdoor?

Thursday, April 28, 2016 @ 03:04 PM gHale


A piece of software installed backdoors on 12 million computers around the world, researchers said.

The software, which has adware and spyware capabilities, was developed by a French online advertising company named Tuto4PC, said researchers at Cisco’s Talos security intelligence and research group.


French authorities are aware of the firm, previously known as Eorezo Group and linked to another company called Wizzlabs.

Cisco started analyzing Tuto4PC’s OneSoftPerDay application after its systems detected an increase in “Generic Trojans” (i.e. threats not associated with any known family). An investigation uncovered 7,000 unique samples with names containing the string “Wizz,” including “Wizzupdater.exe,” “Wizzremote.exe” and “WizzInstaller.exe.” The same string also appeared in some of the domains the samples had been communicating with, which allowed the researchers to pivot from file names to network infrastructure and back to further samples.
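The pivot described above, a string seen in file names that also turns up in contacted domains, is a routine hunting step. The following is an added example, not Talos’s code or tooling: it runs the pivot over a handful of constructed sample records (the file names are the ones named in the article; the hashes and domains are made up and are not real indicators). Only domains that themselves carry the string are used to expand the set, so a shared CDN contacted by unrelated software does not drag in false positives.

```python
# Constructed sample metadata for illustration. File names are the ones Talos
# reported; the "sha256" values and domains are placeholders, not real IOCs.
SAMPLES = [
    {"sha256": "aaaa01", "name": "Wizzupdater.exe",   "domains": ["updates.wizz-example.test"]},
    {"sha256": "aaaa02", "name": "Wizzremote.exe",    "domains": ["remote.wizz-example.test"]},
    {"sha256": "aaaa03", "name": "WizzInstaller.exe", "domains": ["cdn.example.test"]},
    # A sample with an innocuous name that talks to the same infrastructure:
    {"sha256": "aaaa04", "name": "setup.exe",         "domains": ["updates.wizz-example.test"]},
    # An unrelated sample that only shares a generic CDN:
    {"sha256": "aaaa05", "name": "notepad.exe",       "domains": ["cdn.example.test"]},
]


def pivot_on_string(samples, needle="wizz"):
    """Return (related_hashes, pivot_domains) for a case-insensitive string.

    Stage 1: samples whose file name contains the string.
    Stage 2: domains those samples contacted that also contain the string.
    Stage 3: any sample contacting one of those domains, whatever its name.
    Domains without the string (shared CDNs, update services) are deliberately
    not used as a pivot, because they would pull in unrelated software.
    """
    needle = needle.lower()

    by_name = {s["sha256"] for s in samples if needle in s["name"].lower()}

    pivot_domains = set()
    for s in samples:
        if s["sha256"] in by_name:
            pivot_domains.update(d for d in s["domains"] if needle in d.lower())

    related = set(by_name)
    for s in samples:
        if any(d in pivot_domains for d in s["domains"]):
            related.add(s["sha256"])

    return related, pivot_domains


if __name__ == "__main__":
    hashes, domains = pivot_on_string(SAMPLES)
    print("pivot domains:", sorted(domains))
    print("related samples:", sorted(hashes))
```

On the constructed data the name match alone yields three samples; the domain pivot adds `setup.exe`, which would otherwise have been missed, while `notepad.exe` stays out because the only domain it shares does not carry the string.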

Researchers found the application, installed with administrator rights, was capable not only of downloading and installing other software, but also of harvesting personal information. It could also detect the presence of sandboxes, antivirus products, security tools, forensic software and remote access tools, the kind of evasion logic normally associated with malware rather than with an ad-supported tutorial viewer.

That revelation led Cisco Talos to classify the Tuto4PC software as a “full backdoor capable of a multitude of undesirable functions on the victim machine.”

According to Tuto4PC’s website, the company offers hundreds of tutorials that users can access for free by installing a piece of software that displays ads. However, based on Cisco’s research, it appears the company is doing more than just displaying ads.

Tuto4PC said its network consisted of 12 million PCs in 2014, which is the basis for the figure of 12 million affected devices. An analysis of a sample set revealed infections in the United States, Australia, Japan, Spain, the UK, France and New Zealand.

“Based on the overall research, we feel that there is an obvious case for this software to be classified as a backdoor. At minimum it is a potentially unwanted program (PUP). There is a very good argument that it meets and exceeds the definition of a backdoor,” Cisco Talos researchers said in a blog post.

Tuto4PC Group chief executive Franck Rosset disagreed with Talos’s assessment.

“We are a listed company on the French stock exchange. Since 2004, our business model is to create widgets, tutorials etc. for free download on download websites. The download of our programs is for free subject to agreement for accepting advertising from an adware attached in the download,” Rosset said in a published report. “Contrary to Talos’ wrongful allegations, our business has been approved by French regulators and we have never been indicted or sued for any malware distribution!!!!”