Types of Adware: Searchmeup
Here is a warning for all users of Microsoft Windows: if you haven't installed the patches the company recently issued, you might want to do so immediately. One of those updates (Microsoft Security Bulletin MS05-002) was distributed to repair critical flaws in the way Windows handles cursor and icon formats. PandaLabs revealed that the same flaws were being exploited by a type of adware to get onto Windows systems.
The Glendale, California-based firm reported that Searchmeup takes advantage of known weaknesses in Windows to install itself without the user's consent. The program downloads numerous files and has been reported to carry a number of additional components capable of installing malware on the infected machine. These include Tofger-AT, a password-stealing Trojan horse; Dialer-NO and Dialer-BB, two well-known dialers (a form of spyware); and another adware application, Adware/TopConvert.
Targeted Vulnerabilities
Searchmeup took advantage of two critical flaws in the way Windows handled cursor, animated cursor and icon formats. The first was a vulnerability that allowed remote code execution; the second was a denial-of-service (DoS) flaw. Attackers exploited the first by crafting a malicious cursor or icon file that ran code of their choosing as soon as a user visited a compromised website or opened an infected email attachment; no further interaction was needed, because the file is processed when the browser or mail client renders it. An attacker who exploited this weakness successfully could take complete control of the affected system.
The second flaw was triggered in the same way, but instead made the operating system unstable and eventually unresponsive. The unresponsiveness was attributed to a barrage of pop-up advertisements and the consumption of bandwidth and other system resources.
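The page names the two flaws but not the parsing defect behind them. As an added example, not code from this page, from PandaLabs or from Microsoft, here is a structural validator for animated-cursor (.ani) files, the RIFF container that carries the 36-byte ANIHEADER structure. It treats every length field in the file as untrusted and, in particular, insists that the anih chunk is exactly the size of a real ANIHEADER; the assumption built into it is the general shape of bugs in this file class, a length field read from the file and trusted when copying into a fixed-size buffer. The function names (`parse_ani`, `is_safe_ani`) and the three sample files are this example's own; the samples are constructed inline and are not real malware.

```python
import struct

# sizeof(ANIHEADER): nine little-endian 32-bit fields
# (cbSize, nFrames, nSteps, iWidth, iHeight, iBitCount, nPlanes, iDispRate, bfAttributes)
ANIHEADER_SIZE = 36


class AniFormatError(ValueError):
    """Raised when a .ani file's structure does not add up."""


def parse_ani(data: bytes) -> dict:
    """Walk the RIFF/ACON container of a .ani file, checking every length
    field against the bytes actually present before trusting it.

    Returns a summary dict on success and raises AniFormatError otherwise.
    The 'anih' chunk must be exactly ANIHEADER_SIZE bytes: a loader that
    fills a fixed ANIHEADER structure using the file's own length field is
    exactly where an oversized chunk would overflow.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise AniFormatError("not a RIFF/ACON container")
    riff_len = struct.unpack_from("<I", data, 4)[0]
    if riff_len + 8 > len(data):
        raise AniFormatError(f"RIFF length {riff_len} exceeds file size {len(data)}")

    end = 8 + riff_len
    pos = 12                      # first chunk follows "RIFF", length, "ACON"
    summary = {"frames": None, "steps": None, "chunks": []}
    while pos < end:
        if end - pos < 8:
            raise AniFormatError(f"truncated chunk header at offset {pos}")
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        body_start = pos + 8
        if size > end - body_start:
            raise AniFormatError(
                f"chunk {fourcc!r} declares {size} bytes but only {end - body_start} remain")
        body = data[body_start:body_start + size]
        if fourcc == b"anih":
            if size != ANIHEADER_SIZE:
                raise AniFormatError(f"anih chunk is {size} bytes, expected {ANIHEADER_SIZE}")
            cb_size, frames, steps = struct.unpack_from("<3I", body, 0)
            if cb_size != ANIHEADER_SIZE:
                raise AniFormatError(f"anih cbSize field is {cb_size}, expected {ANIHEADER_SIZE}")
            summary["frames"], summary["steps"] = frames, steps
        summary["chunks"].append((fourcc.decode("ascii", "replace"), size))
        pos = body_start + size + (size & 1)   # RIFF pads odd-length chunks to even
    if summary["frames"] is None:
        raise AniFormatError("no anih chunk present")
    return summary


def is_safe_ani(data: bytes) -> bool:
    """True when the file passes every structural check, False otherwise."""
    try:
        parse_ani(data)
        return True
    except AniFormatError:
        return False


# --- constructed sample files for this example (not real samples) -----------
def _chunk(fourcc: bytes, body: bytes) -> bytes:
    pad = b"\0" if len(body) & 1 else b""
    return fourcc + struct.pack("<I", len(body)) + body + pad


def build_ani(anih_body: bytes, extra_chunks: bytes = b"") -> bytes:
    payload = b"ACON" + _chunk(b"anih", anih_body) + extra_chunks
    return b"RIFF" + struct.pack("<I", len(payload)) + payload


GOOD_ANIH = struct.pack("<9I", ANIHEADER_SIZE, 1, 1, 32, 32, 32, 1, 10, 1)
WELL_FORMED = build_ani(GOOD_ANIH)
# anih chunk whose length field claims 0x200 bytes: a loader trusting that
# field while filling a 36-byte structure would copy 476 bytes past its end
OVERSIZED_ANIH = build_ani(GOOD_ANIH + b"A" * (0x200 - ANIHEADER_SIZE))
# RIFF length promises more data than the file actually holds
TRUNCATED = WELL_FORMED[:30]

if __name__ == "__main__":
    for name, sample in [("well-formed", WELL_FORMED),
                         ("oversized anih", OVERSIZED_ANIH),
                         ("truncated", TRUNCATED)]:
        try:
            print(name, "->", parse_ani(sample))
        except AniFormatError as exc:
            print(name, "-> rejected:", exc)
```

A check like this belongs at a mail gateway or web proxy, run over .ani and .cur attachments and downloads, as a stop-gap for machines that have not yet received the patch; it does not descend into LIST chunks, so it validates the outer container only.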
How it Works
Searchmeup is mainly picked up by visiting malicious websites. Once installed, it immediately changes the user's home page to that of another search engine and often displays offensive pop-up ads. Its primary goal is to install spyware dialers on the machine and capture sensitive data.
One of its most dangerous functions is downloading the Tofger-AT file. This Trojan launches every time Internet Explorer is started. It keeps track of every move you make online and has a keystroke-logging capability that captures passwords entered over the HTTPS connections used in online banking; encryption on the wire is no help when the keystrokes are taken before they reach the browser. The Trojan watches for a number of bank URLs, including the following: bankofamerica, citibank, hsbc, ebankinter and etrade. Once the targeted information has been collected, the Trojan transmits it to a remote server.
The adware may also cause errors in SERVICES.EXE, producing a message that the machine will be restarted in one minute. After the reboot the system may appear to function normally, but this typically means the Trojan has updated itself to a new version.
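As an added example, and not code from this page or from PandaLabs, here is a triage script for the behaviour described above. It reads a registry dump in the format written by `reg export` and flags three things: an Internet Explorer Start Page whose host is not on an expected list, an autorun entry that lives outside the usual program directories, and any Browser Helper Object, since a BHO is one common way a DLL gets loaded every time Internet Explorer starts (the page says only that Tofger-AT launches with IE, so treating BHOs as worth reviewing is this example's assumption). The trusted hosts and directories are placeholder policy, and the registry export is constructed for the example.

```python
import re
from urllib.parse import urlparse

# Assumed site policy: home pages and autorun locations considered normal.
TRUSTED_HOMEPAGE_HOSTS = {"www.msn.com", "www.microsoft.com"}
TRUSTED_AUTORUN_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

# Standard locations: IE's home page, the per-user and machine Run keys, BHO registrations.
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
BHO_KEY_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
                  r"\Explorer\Browser Helper Objects" + "\\")

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """Undo the escaping reg.exe applies to string names and values."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> dict:
    """Parse a 'reg export' style dump into {key: {value_name: value}}.
    String values are decoded; other value types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        value = m.group(2)
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = _unescape(value[1:-1])
        keys[current][name] = value
    return keys


def triage(keys: dict) -> list:
    """Return (category, detail) findings: hijacked home page, autorun entry
    outside trusted locations, and every Browser Helper Object for review."""
    findings = []
    start_page = keys.get(IE_MAIN_KEY, {}).get("Start Page")
    if start_page:
        host = (urlparse(start_page).hostname or "").lower()
        if host not in TRUSTED_HOMEPAGE_HOSTS:
            findings.append(("homepage", start_page))
    for key in RUN_KEYS:
        for name, command in keys.get(key, {}).items():
            path = command.strip('"').lower()
            if not path.startswith(TRUSTED_AUTORUN_PREFIXES) or "\\temp\\" in path:
                findings.append(("autorun", f"{name} -> {command}"))
    for key, values in keys.items():
        if key.upper().startswith(BHO_KEY_PREFIX.upper()):
            clsid = key.rsplit("\\", 1)[-1]
            findings.append(("bho", f"{clsid} -> {values.get('(Default)', '<no path>')}"))
    return findings


# Constructed export for this example; not taken from an infected machine.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://hijacked-search.example/"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"loader"="C:\\DOCUME~1\\USER\\LOCALS~1\\Temp\\dl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
@="C:\\WINDOWS\\system32\\unknown.dll"
"""

if __name__ == "__main__":
    for category, detail in triage(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{category:8s} {detail}")
```

On a real machine, export each of the keys above with `reg export <key> <file>` and feed the text to `parse_reg_export`; note that reg.exe writes the file as UTF-16 with a byte-order mark, so open it with `encoding="utf-16"`. A BHO finding is a lead, not a verdict: compare the DLL path and CLSID against what is actually installed before removing anything.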
Staying Protected
Although Microsoft has taken measures to better secure its operating system, Searchmeup remains a threat to anyone running Windows without the patch. Keep your computer current with the latest updates from the Microsoft website. Beyond that, you can protect yourself from Searchmeup and other forms of malware by being cautious about the sites you visit, never opening an attachment in an unsolicited email and installing reliable security software on your computer.