Security experts are warning PC users of scareware computer utilities published by the French firm Tuto4PC that secretly bundle adware and spyware. Cisco’s Talos security research team said several of the company’s utilities, including OneSoftPerDay and System Healer, contain Trojans that exhibit “malicious intent and behavior.” Talos estimates 12 million users have been enticed to download one of Tuto4PC’s software programs. Researchers say once PC users install one of its utilities, the software acts like malware and installs a Trojan called Wizz.
“Installed with administrator rights, (Wizz) is able to harvest personal information, and install and launch executables uploaded by the controlling party,” Talos researchers wrote Wednesday in a blog post. Tuto4PC company representatives did not reply to a Threatpost request to comment. Craig Williams, senior technical leader at Talos, said the Wizz software goes to extreme lengths not to be detected by security software or security analysts trying to examine how the software operates. Williams said that Talos’ initial analysis of Wizz raised concerns when it detected Wizz lying dormant when researchers used computer sandboxing techniques to analyze Wizz code. Other questionable Wizz behavior included the program’s attempt to detect antivirus software running on a system and other security forensic software tools. Most troubling was the software secretly installing software on PCs with no permission via EULAs, according to Talos. “We feel that there is an obvious case for this software to be classified as a backdoor. At minimum it is a potentially unwanted program (PuP). There is a very good argument that it meets and exceeds the definition of a backdoor,” the Talos team wrote. Tuto4PC, has a checkered past that includes running afoul with the Conseil d’Etat, lawmakers within the French government. On multiple occasions – 2012, 2013 and 2015 – Tuto4PC has faced French regulators that have blasted the company for unknowingly installing software on users PCs, Talos said. “This is a company that has been in the hot seat with French regulators for surreptitiously installing adware and spyware on PC users in the past,” said Warren Mercer, technical leader at Talos. “It appears it hasn’t learned anything from being called out by authorities and is doubling-down on trying to avoid its Trojans from being detected by the security community,” he said. “Tuto4PC and Wizz work together as middlemen pedaling adware, spyware and bloatware to millions of PCs without users’ consent,” Mercer said. Talos researchers said they were able to gain unique insights into the relationship between Tuto4PC and the Wizz component by eavesdropping on the communication between the command and control backend and the client software. That’s because, Talos said, Tuto4PC used crypto-variables copied from a Microsoft site’s (MSDN) encryption how-to for its SSL implementation. “The funny thing here is that whilst spending so much time on anti-sandbox, anti-analysis techniques, the authors did not appear to devote the same time and effort into encryption, simply copy and pasting from an MSDN blog,” wrote Talos. Researchers found 55 domains used for Tuto4PC’s adware/spyware campaign, each owned by Tuto4PC or a subsidiary. Talos said the domains were used to distribute the Wizz.exe binaries. “The domains had various ‘PC Clean’, ‘Free Game’ and ‘Offer’ style names all questionable to a degree as to how legitimate they are. These are clearly domains aimed at enticing the user as a form of bait to aid their download activity,” Talos said.