Security researchers have found a new DealPly variant that uses a new method to evade detection by abusing Microsoft’s SmartScreen and McAfee’s WebAdvisor reputation services.
DealPly is an adware strain that typically installs browser extensions to display ads in the victims’ browser. According to the researchers at enSilo, it has also included “module code, machine fingerprinting, VM detection techniques and a robust C&C infrastructure.”
“We suspect that the reason why DealPly is leveraging reputation services is to check which of its variants and download sites are compromised and won’t be effective for future infections,” says enSilo’s research team.
The analyzed adware sample was observed collecting reputation information on domains supplied by its operators: it queries the reputation services and relays their replies to its command-and-control (C2) servers.
Abusing SmartScreen
SmartScreen is a service designed to warn Windows users about domains previously used in malware and phishing attacks, and about downloads of potentially malicious apps.
If a Windows user attempts to access a malicious domain or app, a warning is shown.
DealPly turns the machines it infects into a “distributed network of data collection machines” that query Microsoft’s reputation service on its behalf, which helps it avoid Microsoft’s blacklisting. The adware’s SmartScreen module starts by sending an empty request to the C2 server to fetch the domains and URLs it should query.
DealPly uses JSON-based API queries against the SmartScreen reputation server, attaching an “Authorisation header to harden unwanted changes” to each request. SmartScreen’s response contains a string describing the nature of the tested URL, and DealPly searches the reply for the following strings:
- UNKN – Unknown URL/File
- MLWR – Malware related URL/File
- PHSH – Phishing related URL/File
The collected information is sent to the DealPly C2 server, which lets the operators track which of their domains or installers Microsoft’s reputation service has already flagged as malicious.
DealPly supports multiple versions of the SmartScreen API, which allows it to query the service on multiple Windows versions.
“It is important to note that the SmartScreen API is undocumented. This means the author has put a lot of effort in reverse engineering the inner workings of the SmartScreen mechanism\feature,” says enSilo.
McAfee SiteAdvisor – DealPly
McAfee’s WebAdvisor Reputation Service is a free tool that tracks and reports the safety level of websites, based on data its web crawler collects while checking sites for spam or malicious content.
“The variant starts by checking if WebAdvisor of a specific version is installed. If those conditions are met then the sample will try querying the WebAdvisor reputation service,” found enSilo.
DealPly sends its request to the WebAdvisor service at https://webadvisorc.rest.gti.mcafee.com/1 and extracts the reputation value of the checked domain from the response.
This information is sent to the C2 server, allowing the campaign operators to update their domain and installer databases with information on which domains and installers have been found to be unsafe.
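As an added, defender-side example that is not from the article or from enSilo’s report: a small Python detector that runs over constructed proxy-style log lines and flags a non-browser process making bulk lookups against the WebAdvisor endpoint named above, the pattern both the SmartScreen and WebAdvisor modules described here would produce. The SmartScreen endpoint, the process names, the log format and the thresholds are assumptions, since the article does not give them.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Reputation-service hosts to watch. The WebAdvisor host is the one named in the
# article; the SmartScreen endpoint is NOT named there, so it is a placeholder
# (assumption) to be replaced with the real host seen in your own telemetry.
REPUTATION_HOSTS = {"webadvisorc.rest.gti.mcafee.com", "smartscreen.placeholder.invalid"}
# Processes that legitimately talk to these services (assumption; tune per site).
EXPECTED_PROCESSES = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}

def parse_line(line):
    """Parse one constructed log line: '<iso-timestamp> <host> <process> <url>'."""
    ts, host, proc, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), host, proc, urlparse(url).hostname

def find_bulk_lookups(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (host, process, count) for every non-browser process that reached
    a reputation-service host at least `threshold` times within `window`."""
    stamps_by_proc = defaultdict(list)
    for line in lines:
        ts, host, proc, dest = parse_line(line)
        if dest in REPUTATION_HOSTS and proc.lower() not in EXPECTED_PROCESSES:
            stamps_by_proc[(host, proc)].append(ts)
    findings = []
    for (host, proc), stamps in stamps_by_proc.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            findings.append((host, proc, best))
    return findings

# Constructed sample log: six rapid WebAdvisor lookups from a non-browser process
# on WS01, two browser lookups on WS02, and one unrelated download on WS03.
WA = "https://webadvisorc.rest.gti.mcafee.com/1"
SAMPLE_LOG = [f"2019-07-30T10:00:{s:02d} WS01 updater.exe {WA}" for s in (0, 5, 11, 18, 24, 30)]
SAMPLE_LOG += [
    f"2019-07-30T10:01:00 WS02 msedge.exe {WA}",
    f"2019-07-30T10:01:30 WS02 msedge.exe {WA}",
    "2019-07-30T10:02:00 WS03 setup.exe https://example.invalid/download",
]

if __name__ == "__main__":
    for host, proc, n in find_bulk_lookups(SAMPLE_LOG):
        print(f"{host}: {proc} made {n} reputation-service lookups within 10 minutes")
```

The same heuristic applies to any reputation endpoint once its host is added to the set; the browser allow-list is what separates the adware’s collection traffic from a user simply browsing.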
“With the data from these services, the life-span for the Adware’s installers and components can be prolonged as changes are required only once they are known to be blacklisted,” adds enSilo. “Such techniques are not relevant solely to Adware and may be adopted by malware authors as well.”
By implementing this evasion technique, DealPly’s operators can stay a step ahead of anti-malware solutions and actively update their adware installers to lower their detection rate.
As enSilo adds, this detection-evasion method will most likely be adopted by malware developers as well, now that adware peddlers have already used it for evasion.
Further details on DealPly’s internal operations, its infection flow, machine-fingerprinting features and modular code, together with a list of indicators of compromise (IOCs) including sample hashes, domains and URLs, are available in enSilo’s adware analysis report.