Sunday, September 28, 2014

Skype lookalike site and Astromenda malware

When installing programs from the Internet, make doubly sure you are on the right page.

I am not a big fan of Skype.  The concept is neat - the idea of a video telephone.  But the problem with video telephones is what the Bell System (no relation) discovered back in the 1960s - people really didn't want a video phone, as it turns out.   Even today, with the technology available on the web and almost everyone with a computer (or smart phone or pad) having the hardware to connect online, very few people actually use video phones.   Kids today would rather text than even talk!

But a friend of mine uses the service and I thought, "what the heck, I'll re-install Skype and call him!"

Yes, re-install.  I had removed it from my computer as it slows down most computers, and thus is a PITA to have loaded.   And the problem with Skype is that unless the other person is on their computer all the time, well, you aren't going to reach them.   You have to call or e-mail ahead of time to arrange a Skype call, and this takes all the spontaneity out of it.  So I gave up on using it.

I Googled "install Skype" or something of that nature and clicked on the first hit which appeared to be a Skype install page.

It wasn't.

I should have noticed a problem when it diverted me to instead of

How did this happen?  It is a mystery to me.  I have Adblock Plus on the computer, so Google advertised hits (which are often links to virus sites) are blocked.   When I tried again, later on, the real came up as the first hit.

(Conspiracy theorists would note that Skype was bought by Microsoft, a deadly and mortal enemy of Google in the O/S marketplace.   It would help Google if fewer people installed Skype and instead installed a Google alternative.  So, could this redirect to a rogue site be an accident, a happy accident, or by design?  Not hard to write code that redirects every 10th search to a malware site!).

Anyway, I started to become suspicious when the "installer" dialog started asking me if I wanted to install a lot of junkware (anti-virus programs, weatherbug, registry scanner, etc.) and I finally closed it out.

Too late.  On both Explorer and Firefox, the default search engine was set to "astromenda" and the home pages to astromenda.  In order to fix this, I had to go into the tools section and reset both browsers.

Removing the programs proved more difficult.  The uninstall feature of windows didn't seem to work completely.  A malwarebytes scan showed a lot of registry entries, some stray files, and the like.  A search of the hard drive turned up an empty astromenda directory.   And on my desktop, a link to an astromenda game.  This thing really embeds itself!
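For anyone who wants to check their own machine for this kind of hijack rather than eyeballing the browser settings, here is an added example (not code from the original post): a small Python script that reads a Firefox prefs.js and a reg.exe export of Internet Explorer's settings keys, and flags any start-page or search-engine value that mentions a suspect name such as "astromenda". The file contents in the script are constructed samples, not captured from my machine, and the set of preference names and registry values it watches is an assumption about where this class of junkware writes.

```python
import re

# Constructed sample of the lines Firefox writes to prefs.js in the profile folder.
SAMPLE_PREFS_JS = '''\
user_pref("browser.startup.homepage", "http://www.astromenda.com/?f=1&a=ast_xyz");
user_pref("browser.search.defaultenginename", "Astromenda");
user_pref("browser.search.selectedEngine", "Astromenda");
user_pref("keyword.URL", "http://www.astromenda.com/search?q=");
user_pref("network.cookie.cookieBehavior", 0);
'''

# Constructed sample of what "reg export HKCU\Software\Microsoft\Internet Explorer ..."
# produces for the keys that hold the start page and search settings.
SAMPLE_IE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.astromenda.com/?f=1"
"Default_Page_URL"="http://go.microsoft.com/fwlink/p/?LinkId=255141"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
'''

# Assumed list of settings that search/home-page hijackers rewrite.
WATCHED_FF_PREFS = {
    "browser.startup.homepage",
    "browser.search.defaultenginename",
    "browser.search.selectedEngine",
    "keyword.URL",
    "browser.newtab.url",
}
WATCHED_IE_VALUES = {"Start Page", "Default_Page_URL", "Search Page", "Search Bar", "Local Page"}

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.*)\);\s*$')
REG_KEY_RE = re.compile(r'^\[(.+)\]$')
REG_VAL_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_prefs_js(text):
    """Map preference name -> value (string values with their quotes removed)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip().strip('"')
    return prefs


def parse_reg_export(text):
    """Map (key path, value name) -> string data for the REG_SZ values in a .reg export."""
    values = {}
    key = None
    for line in text.splitlines():
        line = line.strip()
        km = REG_KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = REG_VAL_RE.match(line)
        if vm and key is not None:
            # .reg files escape backslashes; undo that so paths and URLs read normally.
            values[(key, vm.group(1))] = vm.group(2).replace("\\\\", "\\")
    return values


def find_hijacks(prefs, reg_values, suspect):
    """Return (where, setting, value) for every watched setting that mentions suspect."""
    needle = suspect.lower()
    hits = []
    for name, val in prefs.items():
        if name in WATCHED_FF_PREFS and needle in val.lower():
            hits.append(("firefox prefs.js", name, val))
    for (key, name), val in reg_values.items():
        if name in WATCHED_IE_VALUES and needle in val.lower():
            hits.append((key, name, val))
    return hits


if __name__ == "__main__":
    # Run against the constructed samples; on a real machine, read the files instead.
    found = find_hijacks(parse_prefs_js(SAMPLE_PREFS_JS),
                         parse_reg_export(SAMPLE_IE_REG), "astromenda")
    for where, name, val in found:
        print(f"{where}: {name} = {val}")
```

On a real machine you would point the two parsers at the profile's prefs.js and at a fresh `reg export` of the two Internet Explorer keys, and run the search for whatever name the junkware used; anything the script lists is a setting that a browser "reset" should have cleared and that the uninstaller evidently did not.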

What is all this nonsense?  Garbageware.   They put ads on the pages you display and get paid for it.  And they re-direct your searches to other sites.

I've seen similar redirects on other folks' computers - along with junkware like WeatherBug.   I can assume that they clicked on a similar link and fell into the rabbit hole.

Of course, people say, "Well, you should be more careful!" - which is classic blame-the-victim mentality.   But I was careful.  I run Microsoft Security Essentials, Malwarebytes, and Spybot.   None of them warned me (nor did Firefox) that I was being redirected to a rogue site.   And the search from Google somehow redirected me to this bogus site.   How?  Beats me.   I thought I could detect these things.  It is getting harder and harder to do!