Malware spotlight: Badware

December 11, 2019 by Daniel Brecht

Introduction: What is badware?

Malware, as the name indicates, is malicious software designed to cause damage to computer systems and networks. Badware is often used as a synonym of malware, but in reality, there are some subtle differences between the two terms. 

While malware is an umbrella term that covers a variety of malicious codes including viruses, Trojan horses, ransomware and backdoors, badware is not necessarily software created to destroy systems. In fact, it is often simply used to collect users’ information for a variety of purposes. 

In some cases, “users may treat badware infection as an annoyance to be dealt with rather than a threat to their (or their company’s) data and computing resources,” says StopBadware, Inc., an anti-malware organization created in 2006. This nonprofit makes an effort to cleanse websites that are tagged as spreading badware by maintaining a catalog of sites that have been reported to distribute badware and continues to warn consumers about “this kind of attack [that] takes advantage of a vulnerability or ‘hole’ in your web browser, a browser plug-in, or other software on your computer.”

Badware, of course, can also be used by cybercriminals to hack or socially engineer a target and eventually use the collected information to launch attacks with other types of malware.


What problems can badware bring?

Badware can be bad news for both webmasters and users, because it is software that somehow bypasses the intended use of a website or connection to achieve an end of its own. For users, this means a number of issues.

In the best-case scenario, badware is intrusive and designed mainly to track a user’s moves online to feed information to advertisers and marketing groups. The user unknowingly releases information about his or her browsing or shopping habits through research software or toolbars designed for that purpose, or is stuck with a secondary, unwanted program installed alongside the program of choice.

In the worst-case scenario, malware/badware leads to the compromise of sensitive data (like passwords or financial information), serves as a means of attacking other computers or tricks users into buying items and services. A typical purchase scam is the banner that pops up warning the user that the computer is running slow and needs to be defragmented, prompting the user to download a specific, often infected, piece of software.

Webmasters can be equally affected when badware turns their legitimate website into a repository of malicious software. This is obviously a blow to the site’s reputation and can result in a great loss of visitors and clients.

Is badware a growing problem?

Specific data solely on badware is not currently available, but it’s worth noting that this malware threat was already getting attention a decade ago. In fact, StopBadware.org’s May 2008 Badware Websites Report produced the following findings:

Country           | Badware sites per million internet users
China             | 689
Russia            | 307
United States     | 212
Germany           | 135
France            | 128
Republic of Korea | 115
Great Britain     | 60

Source: StopBadware.org

Types of badware 

The three most common types of badware behavior are:

  • Malicious scripts: Used to redirect website visitors to a different site or to load actual badware from another source
  • .htaccess redirects: A hidden configuration file used by Apache web servers that attackers can modify to redirect users to badware websites
  • Hidden iframes: A section of a web page that loads malicious content from another page or site, without the visitor's knowledge

Cybercriminals can also infect computers with badware using drive-by downloads, a common method of spreading malware in which a website automatically (and often silently) delivers malicious code (usually via an exploit kit) to the victim’s PC — without the user being aware. No clicking is necessary with this kind of attack, which can take advantage of a vulnerability in a web browser, a browser plug-in or other software on a computer to infiltrate the system and take control of it.

How to prevent badware

First of all, it is important to keep a watchful eye and try to identify badware. For example:

  • Your antivirus software or browser displays a warning when you visit the site, such as "Reported attack site" or "This site may harm your computer"
  • The site redirects to an unknown domain when you navigate to it in your browser
  • You notice that permissions or files have been altered, or new users have been added

Webmasters, in particular, need to be aware and check whether search engines send users heading to their sites to different URLs, or whether the same happens while navigating within the site.
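To turn the .htaccess redirects and hidden iframes listed under Types of badware, and the search-engine redirect check just described, into something a webmaster can run against their own files, here is an added Python example (not from the article or from StopBadware); the hosts shop.example and badware.example and both sample files are constructed for illustration.

```python
import re
from urllib.parse import urlparse

OWN_HOST = "shop.example"  # assumption: the host the webmaster legitimately owns
# Constructed samples, not from a real site: an .htaccess that bounces search-engine
# visitors off-site, and a page carrying a zero-size third-party iframe ("hidden iframe").
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC]
RewriteRule ^(.*)$ http://badware.example/land.php [R=302,L]"""
SAMPLE_HTML = """<h1>Shop</h1>
<iframe src="https://shop.example/cart" width="300" height="200"></iframe>
<iframe src="http://badware.example/kit" width="0" height="0" style="display:none"></iframe>"""

def external_host(url, own_host):
    """Hostname of url if it points off-site, else None (relative URLs count as on-site)."""
    host = urlparse(url).hostname
    return host if host and host.lower() != own_host else None

def find_htaccess_redirects(text, own_host):
    """Flag redirect targets that leave the site; note if gated on the visitor's referrer."""
    cond = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
    target = re.compile(r"^\s*(?:RewriteRule|Redirect(?:Match|Permanent)?|ErrorDocument)\b"
                        r".*?\s(https?://\S+)", re.I)
    findings, referer_gate = [], None
    for n, line in enumerate(text.splitlines(), 1):
        m = cond.match(line)
        if m:
            referer_gate = m.group(1)  # a RewriteCond applies to the next RewriteRule only
            continue
        m = target.match(line)
        if m and external_host(m.group(1), own_host):
            reason = "off-site redirect" + (f" gated on referer {referer_gate}" if referer_gate else "")
            findings.append((n, reason, m.group(1)))
        referer_gate = None
    return findings

def find_hidden_iframes(html, own_host):
    """Flag iframes that are zero-sized or CSS-hidden and load an off-site source."""
    findings = []
    for tag in re.findall(r"<iframe\b[^>]*>", html, re.I):
        src = re.search(r"""src\s*=\s*["']?([^"'\s>]+)""", tag, re.I)
        hidden = re.search(r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden""",
                           tag, re.I)
        if src and hidden and external_host(src.group(1), own_host):
            findings.append(src.group(1))
    return findings

if __name__ == "__main__":
    print(find_htaccess_redirects(SAMPLE_HTACCESS, OWN_HOST))
    print(find_hidden_iframes(SAMPLE_HTML, OWN_HOST))
```

A referer-gated rule is the reason the article tells webmasters to test arrival from a search engine rather than only typing the URL directly: a direct visit never triggers it.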

Badware can be difficult to avoid, as it can be slipped into a system via vulnerabilities or by exploiting users’ behaviors. There are a number of things, however, that can help you counteract this threat:

  • Keep website software updated with the latest security fixes. This patches loopholes that could let badware into the computer, where a hacker can steal passwords and/or modify the content a user has uploaded.
  • Use caution when deciding which third-party scripts and plugins to install. This reduces your exposure to badware from attackers, who often look for vulnerable software to exploit a website so they can modify your site’s contents.
  • Remove or disable applications that you no longer use. Unnecessary software leaves another avenue for an attacker to get into the computer through a web server exploit.
  • Tighten security on any content management system (CMS) in use, such as WordPress, Joomla! or Drupal, which can be abused by hackers to deliver badware to visitors’ computers or redirect them to bad websites. Malicious web browser toolbars have also led users to different pages than the ones they expect.
  • Review files, folders and web server permissions.
  • Enforce strong password policies (obvious)!
  • Take advantage of tools already available on your computer. Among the effective malware removal and security solutions is the SmartScreen filter built into Internet Explorer and Windows, which helps users identify reported malware websites. Also, website scanning services such as Google’s Webmaster Tools can help zero in on specific badware on a site and find more information about it.
  • Another obvious countermeasure, especially for a webmaster, is ensuring safety while uploading material or otherwise updating the website. In fact, a common way of infecting a site is through a PC, laptop or other mobile device that has already been infected and is then used to edit pages. It is also important to ensure that any communication with the website is done over secure network connections, especially when performing updates on the go.

Conclusion

It is truly mind-boggling to think of how many people have been affected by badware. Keep in mind that badware and malware are in general a concern for both businesses and individuals alike. Therefore, it is important to be vigilant by becoming aware of this internet-transported threat. 

That said, do consider applying appropriate technical countermeasures and taking advantage of online resources including Google tools, Microsoft add-ons and projects like StopBadware. Network providers and web users alike can also play a key role by being proactive in reporting badware (contact@stopbadware.org).

Sources

  1. Beware of Badware, WP Security Pros
  2. The State of Badware, stopbadware.org
  3. Badware stats, stopbadware.org
  4. What is badware?, stopbadware.org
  5. What is badware and why should I worry about it?, The Guardian
  6. Why Badware is Bad, The Content Works
  7. My site has badware, stopbadware.org
  8. Prevent badware, stopbadware.org
  9. Badware alerts for your sites, Google Webmaster Central Blog
  10. StopBadware addresses sites plagued by malware, The University of Tulsa
  11. StopBadware.org’s May 2008 Badware Websites Report, stopbadware.org
  12. Guest Post - StopBadware Q&A, Facebook
  13. ESET partners up with StopBadware for Safer Cyberspace, ESET
  14. Make it stop! How to cleanse your PC of unwanted adware (and ‘badware’), WeLiveSecurity
  15. Malware, Malwarebytes
  16. Group Says Google a Top Source of Badware, CSO
  17. What to do when your site is hacked…, Hosting Marketers News
  18. Gary McGraw: Eliminating badware addresses malware problem, SearchSecurity.com
Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.