Utorrent Bundle Installer Virus


Agalia Valcin

Aug 5, 2024, 3:22:07 AM8/5/24
to leysmaserag
Windows Defender has quarantined two threats on my PC recently: one is an infected executable on a network share (which was put there deliberately and which someone needs), the other is a simple "potentially unwanted app" from a bundle installer I downloaded for FileZilla.

In Defender's Protection History, when I click on "Restore" or "Remove" for one threat, I get a UAC prompt, then nothing happens when I confirm. After accepting once, I don't get other UAC prompts, but further commands don't do anything either.


First open Command Prompt as Administrator. Then run cd "%ProgramFiles%\Windows Defender". Now run MpCmdRun.exe -restore -listall and you will get a list of quarantined files. Now choose the file you want to restore and run MpCmdRun.exe -restore -name "Filename", where "Filename" is the name of the file you want to restore.


I had the same issue: it was due to the fact that the file that Windows Defender quarantined was originally in a folder that I had later renamed. This caused restore to fail silently, since Defender didn't know where to restore the file (what a great program). There is no way to specify another folder where to restore the file in the UI: one has to use the CLI.


As a side note, if one tries to restore the deleted file via CLI without specifying the path (e.g., with "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Restore -name "filename") and if the original folder was later renamed, one gets the error message:


It is widely known that with regard to cybersecurity, a user is often identified as the weakest link. This means that they become typical entry vectors for attacks and common social-engineering targets for hackers. Enterprises can also suffer from these individual weak links. Employees are sometimes unaware of online threats, or are unfamiliar with cybersecurity best practices, and attackers know exactly how to take advantage of this gap in security.


We saw users trying to download cracked versions of non-malicious applications that had limited free versions and paid full versions, specifically, TeamViewer (a remote connectivity and engagement solutions app), VueScan Pro (an app for scanner drivers), Movavi Video Editor (an all-in-one video maker), and Autopano Pro for macOS (an app for automated picture stitching).


One example that we dive into here involves a user who tried to download an unauthorized version of TeamViewer (an app that has actually been used as camouflage for trojan spyware before). The user downloaded a malicious file disguised as a crack installer for the application.


Afterward, the file aae15d524bc2.exe was dropped and executed via Command Prompt. It then spawned a file, C:\Users\username\Documents\etiKyTN_F_nmvAb2DF0BYeIk.exe, which sequentially initiated the BITS admin download. BITS admin is a command-line tool that can help monitor progress and create, download, and upload jobs. The tool also allows a user to obtain arbitrary files from the internet, a feature that attackers can abuse.


We also observed that information in the browser's credential store was taken by the attacker. Specifically, the stored data in C:\Users\username\AppData\Local\Microsoft\Edge\User Data\Default\Login was copied. Credentials stored in browsers are often critical personal data that could be leveraged by attackers to gain access into personal, business, or financial accounts. Attackers can even compile and sell this information in underground markets.


As previously mentioned, these cases come about because users search for free applications and trust that someone is going to put the cracked or stolen full version online as a gesture of good will. But as we can see, attackers simply take advantage of those who download these files.


Following the execution of setup_x86_x64_install.exe, it created and executed a new file named setup_installer.exe that dropped several files and queried several domains. Most of these domains are malicious, as evidenced in Figure 5.


This malicious payload also exhibits backdoor behavior. We can see that the attackers are listening on these channels: 127.0.0.1:53711 and 127.0.0.1:53713. This lets the attacker keep a foothold in the computer; through this, they can possibly move laterally across the network and, if it is an enterprise device, compromise a critical company asset.


The other fake installers also had similar behavior that exploits users who attempt to download either an unauthorized application cracker/activator or an illegal full version. These infections then create persistence for later access.


Of course, we also know that software piracy is prevalent in many regions. From the data in Figure 6, we can surmise that it is still a major threat to security. Users have to be more aware of the threats these illegal installers can hold and implement stricter security practices for installing and executing applications from the internet onto their personal and work devices.


We were able to analyze some of the malicious files bundled into the installers. Their capabilities are varied, from cryptocurrency mining to stealing credentials from social media applications. We enumerate them in this table:




As aforementioned, fake installers are not new, but they are still a widely used delivery system for malware. Attackers are uploading more and more of these files for a simple reason: They work. Users download and execute these installers, and this lets attackers maintain persistence in personal devices and gives them a way into company networks as well.


We are running Photoshop and Illustrator in an enterprise environment and we don't want creative cloud on this environment. Unfortunately, every time you deploy Photoshop or Illustrator on a server, this "creative cloud" malware/virus auto-installs itself (this is what makes it a malware/virus).



I have blocked creative cloud in the firewall, and have become pretty adept at finding all the pieces of this malware/virus and removing it, but is there a way to ensure it never installs in the first place?



Thanks. I'm getting absolutely sick and tired of this, I'm looking to a way to have it reported as a virus and added to my anti-virus malware/virus definitions.






Well, its not a virus. If you are in the enterprise you know that software often has complex frameworks and multiple pieces. Leave the installation alone. Photoshop and Illustrator are PARTS of Creative Cloud and if you start deleting things you will be back here complaining about your software not working.


No, it installs itself whenever you install a different piece of software (Photoshop or Illustrator). That's what makes it a virus. If I install Chrome, and another program I did not give permission to run auto-installs itself without permission and sets itself up to start when your computer starts and run in the background, all without permission, that's called a VIRUS.


It can. We have a license for every seat. We just want to remove the "creative cloud" malware/virus.



I even talked to support to get a version of the installers that don't include the malware/virus, which they provided, but the installers still secretly installed Creative Cloud; the difference is they simply don't tell you it's being installed, but it shows up on the machine after the install process anyway. This is how viruses and other malicious malware operate. Adobe needs to be punished for this, and users need a way to eliminate this malware/virus from their machines and prevent it from installing.


I'm a sysadmin, I do this for a living, I probably know a lot more about software than you.



It's very simple, if it's the same program, how come I can remove it and Photoshop and Illustrator still run?



It's not the "same program"; it's malware/a virus that Adobe bundled with their software because they don't respect their customers and think it's OK to push malware/viruses onto their customers' computers.






Well, the fact that you think malicious software that installs itself without a user's permission is not a virus or malware shows you don't know much about software or IT to start with. The fact that you claim CC is "part of Photoshop" when Photoshop runs just fine if you manually remove the CC virus provides further evidence that you don't know much about software.



Alternatively, you do know plenty about software [ abuse removed by moderator ]




Ultimately, I didn't come here to debate with virus / malware apologists [ abuse removed by moderator ]. I wanted a solution to this problem. If all you can provide is excuses, I think there's nothing else for me here.


Any program that installs itself without permission while piggy-backed onto another program is a virus. If you are trying to hide a cherry-picked definition of a virus, it's still malware. Either way, it's malicious software that installs itself without permission. It needs to be reported to malwarebytes and AV as a virus so it's removed automatically and blocked, until Adobe learns to ask the user's permission before installing software.


Also, why you would ever try to defend software installing itself without a user's permission is beyond me. I guess Adobe is relying on [ abuse removed by moderator ] to protect them from the backlash from their anti-user, anti-consumer behavior, but the truth is they need to be punished for it so they learn their lesson.



Fortunately, most other developers are not malicious like Adobe is, and most don't try the same stunts, but I bet if what Adobe does with CC became common practice, you'd see AV programs and other security-oriented software stepping up to shut down such a toxic and dangerous (from a security perspective) trend.


"Adobe Community Professional" is a funny title given your response being on a forum for professionals using the same type of gaslighting technique teenage boys attempt to employ when I play the occasional online game. Take your toxicity to DMs with me if you want to do this. You're embarrassing yourself.
