Microsoft declares war on ad-injector ‘with rootkit capabilities’

  • Liam Tung (CSO Online)
  • 09 November, 2016 09:08

Time’s up for a pesky browser extension that’s infected 1.2 million Windows PCs with adware since September, according to Microsoft.

Microsoft is working to stamp out a rapidly spreading extension that injects ads into the Edge browser for Windows 10 and Internet Explorer when infected hosts search on certain websites. Instead of seeing the site as it should be, an advertising ‘service’ called Social2Search promotes supposedly discounted laptops in a pop-up window.

According to Microsoft, 40 percent of the 1.2 million machines infected with the ad-injector in the past two months are located in the US, Indonesia and India, but it’s tracked infections in all regions, including Australia.

The most common way Windows machines are getting infected is by users willingly installing software without being aware that it’s also installing other software without their consent.

Social2Search has been causing problems for Windows users for several months, mostly by inserting ads where they shouldn’t be. Security site Bleeping Computer flagged the Social2Search adware in May and detailed steps users could take to remove it.

However, in some cases the adware is near impossible to remove. According to Microsoft, which calls the ad-injector “Soctuseer”, some variants have rootkit capabilities, meaning they can hide their presence on a host machine and stifle efforts to remove them. Rootkits are usually associated with malware; however, Soctuseer falls into the less menacing class of “unwanted software”.

Microsoft defines unwanted software as “any program that changes the browsing experience without using the browsers’ supported extensibility models.”

In other words, users should be able to customize their browser with browser extensions, but that software shouldn’t sneakily interrupt the experience in a bad way. As Microsoft highlighted earlier this year, VPNs or parental control software modify what a browser can access but they don't interfere with the browsing experience.

In this case, once Soctuseer is installed users can’t enable or disable it in the browser settings, and it modifies content in the browser without the user’s permission.

Google toughened its stance on ad injectors last year after a study found that 5 percent of PCs visiting its sites were hijacked by ad injectors.

Soctuseer injects ads into the browser by installing a NetFilter driver and injecting a Dynamic-Link Library (DLL) directly into the browser process. The adware also adds a number of shortcuts to the user’s Start Menu.
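The three artefacts just described (a kernel network-filter driver, a DLL loaded into the browser process, and new Start Menu shortcuts) are all things an administrator can enumerate from the host. The PowerShell script below is an added example written for this page; it is not from the article, from Microsoft or from the MSRT, and it does not know any Soctuseer-specific file names. The browser process names, the 60-day shortcut window and the signer filter are assumptions chosen for illustration.

```powershell
# Added example, not part of the original article: triage a Windows host for the
# artefact classes attributed to Soctuseer above. Run from an elevated prompt so
# that module lists of other users' browser processes can be read.

# Assumption: Edge (Windows 10, 2016-era) and Internet Explorer process names.
$browserNames = 'MicrosoftEdge', 'MicrosoftEdgeCP', 'iexplore'

# 1. DLLs loaded in browser processes that carry no valid Authenticode signature.
#    A browser extension that uses the supported extensibility model does not need
#    to load an unsigned DLL into the browser process.
Write-Host "== Modules in browser processes without a valid signature =="
Get-Process -Name $browserNames -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try { $mods = $proc.Modules } catch { return }   # skip processes we cannot inspect
    foreach ($m in $mods) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        if ($null -eq $sig -or $sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Process = $proc.ProcessName
                PID     = $proc.Id
                Module  = $m.FileName
                Status  = if ($sig) { $sig.Status } else { 'Unknown' }
            }
        }
    }
} | Format-Table -AutoSize

# 2. Running kernel drivers that are unsigned or not signed as part of Windows itself.
#    Assumption: inbox drivers carry the subject "CN=Microsoft Windows, ..."; anything
#    else (including WHQL-signed third-party drivers) is listed for review, which is
#    where an adware-installed network filter driver would appear.
Write-Host "== Running drivers not signed as Windows components =="
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        # Normalise the NT-style prefixes some driver entries use
        $path = $_.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if (-not (Test-Path -LiteralPath $path)) { return }
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $subject = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        if ($null -eq $sig -or $sig.Status -ne 'Valid' -or $subject -notlike 'CN=Microsoft Windows,*') {
            [pscustomobject]@{
                Driver = $_.Name
                Path   = $path
                Status = if ($sig) { $sig.Status } else { 'Unknown' }
                Signer = $subject
            }
        }
    } | Format-Table -AutoSize

# 3. Start Menu shortcuts created recently, resolved to their targets, so that entries
#    dropped alongside a bundled installer stand out. Assumption: 60-day window.
Write-Host "== Start Menu shortcuts created in the last 60 days =="
$shell = New-Object -ComObject WScript.Shell
$startMenus = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
              "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"
Get-ChildItem -Path $startMenus -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-60) } |
    ForEach-Object {
        [pscustomobject]@{
            Shortcut = $_.FullName
            Created  = $_.CreationTime
            Target   = $shell.CreateShortcut($_.FullName).TargetPath
        }
    } | Format-Table -AutoSize
```

Each section is a triage aid rather than a verdict: legitimate security products also load signed DLLs into browsers and run WHQL-signed filter drivers, so the output is a list to review against the installed software inventory. A driver with rootkit behaviour may also hide its file from the file system, in which case step 2 shows a running driver whose path fails the `Test-Path` check; treat that mismatch itself as a finding.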


Microsoft has added a detection for Soctuseer to its Malicious Software Removal Tool (MSRT) for Windows, which will also reverse any changes made by the adware.

“No matter how it attempts to hide, though, most Soctuseer installations and system modifications will be uncovered and removed by the Microsoft Malicious Software Removal Tool (MSRT),” Microsoft’s malware researchers claimed.