Published on April 13th, 2017 | by Joel Roy
Taking OpenCandy from a Baby
It’s always amazing to see what we uncover during an SS8 BreachDetect risk assessment. BreachDetect was recently deployed in a customer’s environment to analyze network traffic, detect previously unknown threats and pinpoint any compromised devices-of-interest.
What did SS8 BreachDetect Find?
SS8 BreachDetect discovered numerous internal devices with active participation in an OpenCandy Adware Network. As is the case with most PUPs (Potentially Unwanted Programs), OpenCandy comes bundled with popular freeware tools. These tools include CheatEngine, uTorrent, BitTorrent, FoxitReader, etc.. Once installed, it communicates with a Command and Control server to install additional unwanted software. It also collects and transmits various information about the user and their surfing habits to third parties without notification or consent. Depending on the communication medium and instructions from the C2 server, it may also change the user’s configurations like desktop background, inserting unwanted toolbars and plug-ins, “Default Browser”, “Default Search Engine”, etc. on the infected system.
How does this happen?
When a user installs an application that has bundled OpenCandy, an option selected by default appears to install software it recommends based on a scan of the user’s system. We are all guilty of blindly clicking “next”, without reading the small print to get to through an install process. Selecting a custom installation and unchecking all the option buttons is always recommended. Use of an active anti-virus to detect and block adware is also best practice.
This was a quick snapshot of the SS8 analysis, which highlighted some key discoveries, and the visibility that exists in a live environment.
Curious about your network vulnerability? Sign up today to get your own free Risk Assessment.