The great ask.com debate

28 Jun    infection, porn for geeks

Warning: This article is in no way meant as a flame; I just want to clarify what seems to be going on in the Mauritian blogosphere, which I usually do not do as I have better things to do. Also, if someone tells you that this article is crap, please make sure that person knows how to code properly and can read a stack trace or debug a live application.

Quick solution to remove it (if you want): install Malwarebytes and run a scan.

Lately among Mauritians there seems to be wild confusion about ask.com’s toolbar and related apps, most probably fuelled by logan’s article showing higher than expected network traffic from Mauritius to ask.com. Following that, Ish decided to write an article claiming that ask.com’s toolbar isn’t malicious, though the article.

http://logan.hackers.mu/2015/06/top-websites-visited-by-Mauritius-and-the-compromised-cyberisland

So it seems a lot of people are confused about which is which.

From logan’s article one can deduce that there is more traffic to ask.com than normal. I guess you will all agree with me (unless I have hurt your ego in the past with my sheer arrogance or told you to your face that you are stupid) that the average Mauritian computer user is not really interested in ask.com or its toolbar; most of them do not have a clue what it is!


To those who want stats on this, I would advise you to get a log of requests going to ask.com, trace it back to the users of those machines, and check with nmap what these users are running. You may even want to go to people’s machines and have a look inside; a lot of people also complain that their “google” doesn’t look like “google”.
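The first step suggested above, getting a log of requests to ask.com and tracing them back to machines, is easy to script. The following is an added example (not code from the original post): it parses a constructed, simplified Squid-style proxy log, counts requests whose host is ask.com or a subdomain of it per client IP, and lists the machines worth a closer look. The log layout, the sample IPs and the threshold are assumptions made for the example; the one detail worth copying is that the domain match is done on label boundaries, so a host such as `ask.com.example` is not mistaken for ask.com.

```python
from collections import Counter
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Assumed layout, one request
# per line: "<epoch> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
1435400001.123 10.0.0.12 GET http://www.ask.com/web?q=weather 200
1435400002.456 10.0.0.12 GET http://www.ask.com/web?q=mauritius+news 200
1435400003.789 10.0.0.27 GET http://www.google.com/search?q=python 200
1435400004.012 10.0.0.27 GET http://www.ask.com/web?q=recipes 200
1435400005.345 10.0.0.40 GET http://en.wikipedia.org/wiki/Ask.com 200
1435400006.678 10.0.0.40 GET http://ask.com.example/decoy 200
1435400007.901 10.0.0.12 GET http://www.ask.com/web?q=remove+toolbar 200
1435400008.234 10.0.0.12 GET http://ask.com/ 200
"""

WATCHED_DOMAIN = "ask.com"


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def host_in_domain(url, domain=WATCHED_DOMAIN):
    """True only when the URL's host is the domain itself or a subdomain of it.

    A plain substring check ("ask.com" in host) would also match a host such as
    ask.com.example, so compare on label boundaries instead.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def count_requests_per_client(log_text, domain=WATCHED_DOMAIN):
    """Count requests to the watched domain, keyed by client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and host_in_domain(rec["url"], domain):
            counts[rec["client"]] += 1
    return dict(counts)


def hosts_to_inspect(counts, threshold=2):
    """Clients at or above the threshold, busiest first.

    These are the machines to look at directly (installed programs, browser
    search settings) rather than judging from the traffic alone.
    """
    flagged = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    totals = count_requests_per_client(SAMPLE_LOG)
    for ip, n in hosts_to_inspect(totals):
        print(f"{ip}: {n} requests to {WATCHED_DOMAIN}")
```

On the sample above only 10.0.0.12 crosses the threshold; 10.0.0.40’s request to `ask.com.example` is correctly ignored. Against a real proxy or DNS log the parser is the only part that needs adapting to the local format.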


Now we shouldn’t forget the number of people online who are definitely not happy about having ask.com’s toolbar on their machine, and the number of articles claiming that the toolbar’s behaviour is similar to malware. Even Wikipedia has an entry about ask.com’s dubious application.

e.g.:

https://en.wikipedia.org/wiki/Ask.com

There’s even an entry on How-To Geek:

http://www.howtogeek.com/138516/the-shameful-saga-of-uninstalling-the-terrible-ask-toolbar/


Even Microsoft decided that the previous versions of ask.com’s toolbar were malware! See this PCWorld article:

pcworld


Now, let’s stop searching for articles to post here; instead, let’s get down and dirty with some facts. When we look at the analysis done by Ish, which is not so bad considering he did make the effort of checking the current binary on VirusTotal, there seems to be one big item missing:

He analysed the wrong file!


When we talk about Alexa’s web stats, those thousands of Mauritians who are already “infected” by this unwanted application were infected by the previous versions of ask.com’s toolbar! So analysing the latest release, which has been whitelisted, to claim that it is fine is simply turning a blind eye to the problem. Because the big elephant in the room is still: “Those thousands of Mauritians sending requests to ask.com most probably never wanted ask.com on their machine.”

Just use some common sense here: do you truly want ask.com’s toolbar in your browser?

Again, there might be legitimate cases where someone would want ask.com’s toolbar on their machine, but the fact is that most people don’t care and don’t know! They just complain that their internet is acting weird!

The fishy details?

Well, Ish posted a VirusTotal link. Notice that in VirusTotal itself, the behavioural information states that the binary performs a read of autoexec.bat and can make calls to DeviceIoControl.
This means:
— The autoexec.bat file usually contains commands you want to run when your system starts up.

— Microsoft’s DeviceIoControl is defined as “Sends a control code directly to a specified device driver, causing the corresponding device to perform the corresponding operation”.

I haven’t even mentioned the various files that this toolbar drops on your system.

Method of proceeding

This ask.com toolbar used to (and in some cases still does) add itself as a default option in some installers and install itself, usually without your consent (at least you are given the option not to install it, but general users will not see it, as most people tend to click next, next, next :p).

So what do we know so far?

— For certain, this toolbar (both the previous versions and the new ones) reads information that a toolbar generally shouldn’t be reading.

— For certain, we know most Mauritians did not install this because they wanted it! (By logical inference.)

— For certain, we know that it routes users’ searches to ask.com; those unsuspecting users are unknowingly sending their search terms to ask.com without having been clearly asked whether it may do that (note that “clearly”, when it comes to a casual, infrequent computer user, means a very clear explanation).

— It has the ability to talk to devices. Why does a toolbar even need this???

Conclusion?
So far it has not been doing virus-like activity on people’s machines, but it definitely does a lot of UNWANTED activities on users’ machines. It has been acting a lot like spyware (all versions) and malware (most previous versions).

It has been carefully crafted to act in that shady grey area, and after its recent classification as malware by Microsoft, it did change its ways to become a bit cleaner. There is enough information online!

My views about this?
Personally, I wouldn’t want this on my machine. If you are into computer security and you tell me that the ask.com toolbar [old and new] is a good thing to have on your machine, then I understand from this that you understand the implications behind it, and what ask.com’s toolbar is actually doing in the background.

Who am I?

I’m Selven, an ordinary guy with some common sense who worked with a few security companies in the past.
I’ve been studying viruses since around 1999, because it’s a fun thing to do!

Note that I don’t have comments on for now, because I don’t really care about your opinions; I’m just posting facts, with links you can verify. If you don’t believe this post, I don’t really care; it is after all your machine, and you are free to do whatever you want with it. I don’t want to deal with patently stupid questions when you have all the information here to go and look it up.

Final note: In no way am I saying Ish’s analysis is wrong; I just mean he analysed the wrong file, when Alexa clearly shows this network traffic to ask.com has been going on for some years now. I’m also telling users to please always verify information whenever they read something online.

So after all this is written down, I ask you directly (and I don’t want to know the answer, keep it in your head):

Do you really want to have an ask.com toolbar installed, reading files and talking to devices on your machines without your consent?

It’s up to you, though; if you do that, either you have a very good reason, or you really don’t care about privacy or security.

Update: I might enable comments later on; someone mentioned that this could be fun 😀
Update 2: Yasir, thanks for the typo correction.
Update 3: Some people seem to want confirmation that Microsoft did indeed block the previous versions. As to why the page was removed 🙂 that is a great question I’d like answered too. But hey, this is not for this debate, this is something else.

[screenshots]

Further reading: http://blogs.technet.com/b/mmpc/archive/2014/12/11/a-timeline-of-consent-and-control.aspx

9 Comments

  1. Very good article! The malware analysis part is very good! The balance between technical and non-technical content is very good 🙂

  2. Why gamble your security for nothing? Totally agree, not worth the install. Besides, what’s wrong with Google anyway?

  3. Well said! Only malware could come onto one’s PC or attached to apps; not related at all to ask.com being installed. As if it can do anything to prove their existence, unlike Google or Yahoo, which have earned their keep.

  4. Many times when I download something from the Internet, say a useful verified piece of software that I do not have to pay for, I am aware that on top of what I am expecting I may also be getting other things bundled along, all of which I still do not have to pay for. The bundled pieces of often crappy software/malware/whatever-ware they are called have most definitely paid to be hosted along with the installation of that freeware (thus keeping it free for me). The good part is that I, as the user, am provided with the choice to either install those bundles or not – by default they are always checked true – so I uncheck what I do not want and never asked for. Simple awareness during some installation processes will save you from having tons of unnecessary programs or malware installed and running in the background on your PC, which could explain why your PC is running slow too.

    Regarding this mentioned program, it’s safe to bet that those thousands of requests come from unsuspecting or clueless users. Whether the toolbar is safe or not I don’t know, but the mere fact that it needs to ever make calls to DeviceIoControl like you said makes it somewhat mischievous indeed. Why should a web browser space-cluttering toolbar ever need to have that much power? hehe crazy, or some evil future plan maybe.

  5. I love your article man (knowing very well that you “don’t really care about my opinions” 😀 )

  6. Interesting. That’s one good way to steal PageRank. I am wondering whether the ask.com search engine still has popularity though.

  7. Like I said, nothing against his analysis / opinion on this, but just that he is comparing a conforming binary to explain an issue that happened because of a non-conforming version of the binary (note that by conforming here I mean one that conforms to the norms of proper policy to run on a user’s machine).

    I merely also just said that his saying the ask.com toolbar is ok will contribute to many people who read his blog and are infected with the older version just assuming that they are ok with it. You do understand that his blog is read by a lot of people and a slight miscommunication can cause misinterpretation in people’s minds.
