Ask.com Toolbar
Source: Red Canary

Security firm Red Canary claims to have stopped a malware campaign that experimented with using the Ask.com toolbar as a method of delivering malware to end users.

In an incident report published yesterday, the Red Canary team details a series of attacks it picked up at the end of October and start of November.

The company claims that its security products picked up abnormalities in the execution of previously benign processes.

Ask.com Toolbar spawning suspicious process

Red Canary malware analyst Joe Moles says the company's threat detection system detected strange events when the Ask.com Toolbar's update system (apnmcp.exe) spawned secondary processes. This raised an alarm with the company's employees, who were called in to investigate the event.

Even though apnmcp.exe was signed with what appeared to be a legitimate certificate, which in theory should not have raised any warnings, something about its behavior had triggered the threat monitoring system.

Researchers quickly discovered that apnmcp.exe had spawned a second-stage process from a file named logo.png, which then opened a network connection and, at a later stage, downloaded two or three additional binaries.
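The behavior described above (a signed updater spawning a child whose image name looks like a picture, and that child then talking to the network) is exactly the kind of process-tree anomaly an endpoint detection rule can key on. The following is an added example, not code from Red Canary or from the Ask.com toolbar; the event records are constructed to resemble Sysmon process-create and network-connect events, and the paths, PIDs and destination address are invented for illustration.

```python
"""Detect a trusted updater spawning a non-executable-looking child that goes online.

Added example, not Red Canary's detection logic. Event records below are constructed
in the shape of Sysmon EventID 1 (process create) and EventID 3 (network connect).
"""
import os

# Image names that should never be a process image. Windows' CreateProcess only
# checks the PE header, not the extension, so "logo.png" can be a perfectly valid
# executable on disk; the extension is the tell, not a protection.
NON_EXEC_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".log", ".dat"}

# Constructed sample telemetry (hypothetical paths and PIDs).
PROCESS_EVENTS = [
    {"pid": 4120, "ppid": 900,  "image": r"C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\apnmcp.exe", "signed": True},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\logo.png", "signed": False},
    {"pid": 4200, "ppid": 4120, "image": r"C:\Windows\System32\conhost.exe", "signed": True},
    {"pid": 5000, "ppid": 900,  "image": r"C:\Windows\System32\notepad.exe", "signed": True},
]
NETWORK_EVENTS = [
    {"pid": 4188, "dest": "203.0.113.5:443"},  # the "image" child phones home
]


def basename(path):
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(proc_events, net_events, parent_name="apnmcp.exe"):
    """Flag children of the named updater; escalate on odd extension and network use.

    Note that the parent being signed does not exempt its children: the signature
    tells you who shipped the updater, not what it was told to launch.
    """
    image_by_pid = {e["pid"]: e["image"] for e in proc_events}
    net_pids = {e["pid"] for e in net_events}
    findings = []
    for e in proc_events:
        parent_image = image_by_pid.get(e["ppid"])
        if parent_image is None or basename(parent_image) != parent_name:
            continue  # not spawned by the updater we are watching
        child = basename(e["image"])
        ext = os.path.splitext(child)[1]
        odd_ext = ext in NON_EXEC_EXTS
        severity = "high" if odd_ext else "low"
        reason = f"{parent_name} spawned {child!r}"
        if odd_ext:
            reason += f" (extension {ext!r} is not an executable type)"
        if e["pid"] in net_pids:
            severity = "critical" if odd_ext else "medium"
            reason += "; child opened an outbound network connection"
        findings.append({"pid": e["pid"], "image": child,
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in detect(PROCESS_EVENTS, NETWORK_EVENTS):
        print(f"[{f['severity']}] pid={f['pid']} {f['reason']}")
```

Run against the constructed events, the rule reports logo.png as critical (odd extension plus network activity) and conhost.exe as low (an expected child, logged for baselining), while notepad.exe is ignored because its parent is not the updater. In production the low-severity baseline of what the updater normally spawns is what lets the odd child stand out.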

Process timeline
Source: Red Canary

Crooks found a way to hijack the Ask.com Toolbar's update process

"Image files should be opened by other programs, but obviously should not execute on their own," Moles said. "Upon further inspection, it became immediately clear that we had a case of a co-opted software update mechanism."

Somehow, the attackers had found a way to manipulate the Ask.com Toolbar's updater and force it to carry out commands at their behest.

The good news, according to Moles, is that the company detected this type of attack on only ten computers.

"Our suspicion is that we caught this during the early stages of deployment or testing, as these processes took very few actions on the victim endpoints," Moles said. "This may have been intentional, or it may have been due to bad payloads or configurations."

The security firm contacted both the infected victims and the Ask.com Toolbar team, who quickly put together a patch that removed the attack vector.