Is Adware The Latest Malware Threat?

After a recent Wilders poster got nailed by a hidden Trojan imbeded in crapware spawned from the infamous betterinstaller CNet uses for their download wrapper, I did a bit of research on the major AV malware removal sections of their respective forums to see what people were getting nailed with. Appears NIS people are getting hammer with malicious .js scripts that NIS/NAV are only detecting and cannot remove after the adware, PUP, PUA, etc. is installed. Current statistics at VB100: http://www.virusbtn.com/resources/malwareDirectory/prevalence/index appear to confirm my suspicious in that adware is the second highest prevelance category.

It very much appears to me that the download reputation analysis employed by most of the "big name" AV manufacturers are not up to par in detecting malicious payloads imbeded in the prevelant adware installers. I will go so far as to say that a major vulnerabilty exists here that needs to be immediately addressesed by the major AV players. If that means more potential false positives on flagging installers without malware, so be it.

The average PC user does not employ the known mitigations against detecting this malware such as sandboxing, HIPS, and the like.

 

That was me who got nailed BTW. I have completely removed NIS2013 because of that disappointment. To make it even stranger, it looks like my USBs got infected as well. It was just a mess. There are some AVs that block those malicious URLs, others don't even recognize them.
And don't get fooled by Norton DNS, I was running it on my computer when I got infected. Others have also concluded that Traffic Light doesn't block it either. So it looks like not all web filters work and then not all AV's block the adware once it's installed.

 

Yeah, I see your still smarting from this experience.

My take on this is the major AVs don't want to fool with detailed analysis of the installers due to a possible false positive. Those false positives hurt them with the AV lab tests. Webroot which did block the installer in you situation has been severly penalized for FPs by the labs in areas like this.

Personally, I believe the sitiuation has been ignored by the major AVs way to long. One way to handle this if to give a warning that an installer is attempting to install adware, PUP, PUA, whatever and let the user decide if he wants to proceed. To do this however, they will have to "buck" some very big money names. CNet for example is owned by CBS.

Of course this blocking will result in signifigant cost increases to the major AVs since they will have to monitor and develop remediation techniques for adware, PUP, PUA, whatever at the installation point.

Additionally, the adware and installer outfits will argue that they do have "opt-out" provisions already in place duing the installation process. The problem is is many of these "opt-out" methods are so obscure and convoluted, it can only be infered that deception is the primary intent. And finally as was pointed out in your case, most have uninstallers to again prove that the software is "not really malicious." Again, most of those uninstallers are "buried" to ensure that they cannot easily be found.

In the meantime, all users have to realize anything they download is potentially dangerous and minimally scan the download at VirusTotal or the actual download URL with ZULU. I have lost track of how many infected JAVA updates for example in the past that have had malware attached to it.