Cisco Finds Backdoor Installed On 12 Million PCs

Reader wiredmikey writes: Security researchers at Cisco have come across a piece of software that installed backdoors on 12 million computers around the world. Researchers determined that the application, installed with administrator rights, was capable not only of downloading and installing other tools, such as a known scareware called System Healer, but also of harvesting personal information. The software, which exhibits adware and spyware capabilities, was developed by a French online advertising company called Tuto4PC. The "features" have led Cisco Talos to classify the Tuto4PC software as a "full backdoor capable of a multitude of undesirable functions on the victim machine." Tuto4PC said its network consisted of nearly 12 million PCs in 2014, which could explain why Cisco's systems detected the backdoor on 12 million devices. An analysis of a sample set revealed infections in the United States, Australia, Japan, Spain, the UK, France and New Zealand.Tuto4PC has received flak from many over the years, including French regulators.

lacking important information

[Anonymous Coward]

That's a substantial number of infected computers. Is this malware detected by antivirus systems? And how is it getting installed on those computers?

Re:

[fuzzyfuzzyfungus]

The downside of 'rule of law' is that a decent suit becomes effective camouflage for all sorts of predators that might otherwise be forced to operate in the shadows.

Re:

[Mike Frett]

A number of infected Windows machines you mean.

So why hasn't Tuto4PC been sued or legislated away

[zoomshorts]

So why havent these douchebags been removed from existance?

So how do we detect if we have it?

[Anonymous Coward]

I hate articles that give no info on how to fix the issue.. only provide enough info to scare ya.

Re:

[tonyyeb]

The original Cisco article (http://blog.talosintel.com/2016/04/the-wizzards-of-adware.html) states that ClamAV has the signatures to recognise this threat.

Re:

[Kazoo the Clown]

Now I get it, the whole thing is a marketing scheme by Cisco to promote ClamAV-- the copyrights to which it acquired in 2013.

Re:

[fustakrakich]

:-) That is the idea...

Doesn't Cisco have some back doors in its routers [slashdot.org] that need looking after?

Re:So how do we detect if we have it?

[greenfruitsalad]

i hate the way it's always reported. i.e. when there's a worm affecting linux systems, the article always makes that clear. when there's a trojan affecting osx, it says so too. but when shit hits windows, it's suddenly computers or PCs. why don't journalists start calling things what they are? WINDOWS viruses, WINDOWS rootkits, WINDOWS backdoors, etc. It's not PCs that are infected, it's PCs running WINDOWS that are infected in 99.99% of cases.

Re:

[David_Hart]

i hate the way it's always reported. i.e. when there's a worm affecting linux systems, the article always makes that clear. when there's a trojan affecting osx, it says so too. but when shit hits windows, it's suddenly computers or PCs. why don't journalists start calling things what they are? WINDOWS viruses, WINDOWS rootkits, WINDOWS backdoors, etc. It's not PCs that are infected, it's PCs running WINDOWS that are infected in 99.99% of cases.

Because the terms PC and computers are synonymous with Windows, much like Kleenex is synonymous with tissues and Heinz with Ketchup. The vast majority of people associate PCs with Windows systems. It might irk you, but it isn't going to change.

Re:

[twdorris]

You mean like the generic name "PC". Oh, wait...

Re:

[fox171171]

i hate the way it's always reported. i.e. when there's a worm affecting linux systems, the article always makes that clear. when there's a trojan affecting osx, it says so too. but when shit hits windows, it's suddenly computers or PCs. why don't journalists start calling things what they are? WINDOWS viruses, WINDOWS rootkits, WINDOWS backdoors, etc. It's not PCs that are infected, it's PCs running WINDOWS that are infected in 99.99% of cases.

While I tend to agree with you, I am pretty sure it was APPLE advertising that established that "PC" meant "Windows".

Re:

[wallsg]

To the general public, "PC" means (at least in the computer sense) what used to be called IBM PC-compatible Personal Computer running Windows. Yes, while it's more accurate to say "Windows PC", people in general recognize PC as a Windows machine, and Mac as an Apple OS machine. Do you talk about a "Mac" or an "OS X PC?"

Linux would be "you mean that thing on Big Bang Theory?"

I think you already know the answer...

[gosand]

i hate the way it's always reported. i.e. when there's a worm affecting linux systems, the article always makes that clear. when there's a trojan affecting osx, it says so too. but when shit hits windows, it's suddenly computers or PCs. why don't journalists start calling things what they are? WINDOWS viruses, WINDOWS rootkits, WINDOWS backdoors, etc. It's not PCs that are infected, it's PCs running WINDOWS that are infected in 99.99% of cases.

I believe you answered your own question.

Re:

[FormOfActionBanana]

I didn't know you could get viruses in X Windows...

Re:

[Trogre]

Isn't it obvious?

It's because the media is full of Microsoft shills, and Microsoft do not want you, the hapless consumer, to know that there is an alternative.

They want you to think PC == Windows

Re:

[INT_QRK]

Well, the good news seems to be that its executables are ".exe" files. Gotta love dem Windows.

Missing from the summary

[OzPeter]

From TFA

According to Tuto4PC’s website, the company offers hundreds of tutorials that users can access for free by installing a piece of software that displays ads.

So it seems you had to explicitly install it.

Re:

[hydrofix]

It's probably a misnomer to call this a backdoor or virus. The users probably need click through some EULA where they give the company permission to do as they see best with the user's computer. Computers are powerful machines and a great deal of users are just too ignorant and should not be allowed the install code downloaded from the Internet on their computers.

Re:

[Eosi]

I believe that Backdoor is accurate, after reading the story and link to Cisco's Talos labs. This application created a way for the software dev to push ads and software to your PC, without your knowledge. AND to bypass local AV to do it.

Re:Missing from the summary

[Mashiki]

The blog post gives some information on this, including the "no EULA" bit as well. [talosintel.com]

Re:

[drinkypoo]

...it seems you had to explicitly install it.

Not necessarily. There's lots of ways software can get installed on a user's computer, and not all of them require user interaction, conscious or otherwise. The user could be attempting to install one thing, and get something else entirely, or just something else along for the ride. You've been around long enough to know how this works...

Re:

[TheCarp]

Yes, but the idea that explicitly installing software to display ads while you browse free tutorials means that you can be expected to have understood that you just installed a full remote control and data gathering package; seems a bit beyond the pale to me.

In no way does it make sense that "display ads" translates meaningfully into "allow full control and full access to my PC at any time it is on and connected"

Flak?

[mwvdlee]

Tuto4PC has received flak from many over the years

Seriously, aren't we overreacting a bit? Flak? Couldn't we just have sued and sent them to prison? Flak is a bit much, isn't it. Flak really, really hurts and I fact that many people are giving them flak is just horrible. It's the stuff censorred in straight-to-video horror movies. It's unhuman, the sheer amount of flak they had to take. Even waterboarding would be preferable to flak.

Re:

[Anonymous Coward]

Flak jackets and helmets have been around for a long time and can be picked up at any army surplus store. If they don't have any by now, they deserve all the flak they get.

Re:

[Nidi62]

Tuto4PC has received flak from many over the years

Seriously, aren't we overreacting a bit? Flak? Couldn't we just have sued and sent them to prison? Flak is a bit much, isn't it. Flak really, really hurts and I fact that many people are giving them flak is just horrible. It's the stuff censorred in straight-to-video horror movies. It's unhuman, the sheer amount of flak they had to take. Even waterboarding would be preferable to flak.

I don't know. Maybe we should take a page out of North Korea's book and use AA guns as a form of execution. Although, to be fair, it should only be used for the most heinous of crimes such as Nigerian Prince spamming or having the last name Kardashian.

time cisco came clean about its own backdoors

[sittingnut]

its great that cisco finds other people's backdoors, but cisco should come clean about backdoors it lets usa government incorporate into its own routers.

Re:

[omgwtfroflbbqwasd]

All you need to do is read Cisco's documentation to learn about their backdoors.

http://www.cisco.com/c/en/us/t... [cisco.com]

Flak

[tekrat]

I assume by "Flak"; the author of the summary has indicated that we are firing Explosive Anti-Aircraft shells at them. I expect nothing less.

Of course, were it my choice, I would have used a tactical nuke, but that's just me.

Kill it with fire.

[INT_QRK]

Kill it. Kill it with fire.

shady != shady ?

[redwhine]

In the article, Tuto4PC states "The Talos blogpost is inaccurate in describing Tuto4PC as a shady malware distribution enterprise." Or in other words, How dare you describe a shady malware distribution enterprise as a shady malware distribution enterprise!

12 million stupid people

[tgrigsby]

From the article:

According to Tuto4PC’s website, the company offers hundreds of tutorials that users can access for free by installing a piece of software that displays ads.

And 12 million people fell for that? What kind of tutorial do you need so badly that you'd willingly set up adware on your machine?

I'm shocked this has happened

[k6mfw]

https://www.youtube.com/watch?... [youtube.com]