
Cisco Finds Backdoor Installed on 12 Million PCs

UPDATED. Cisco’s Talos security intelligence and research group has come across a piece of software that installed backdoors on 12 million computers around the world.

The software, which exhibits adware and spyware capabilities, was developed by a French online advertising company called Tuto4PC. The firm, previously known as Eorezo Group and apparently linked to another company called Wizzlabs, has been targeted by French authorities over its questionable practices regarding the installation of unwanted software and harvesting of users’ personal details.

Cisco started analyzing Tuto4PC’s OneSoftPerDay application after its systems detected an increase in “Generic Trojans” (i.e. threats not associated with any known family). An investigation uncovered roughly 7,000 unique samples with names containing the string “Wizz,” including “Wizzupdater.exe,” “Wizzremote.exe” and “WizzInstaller.exe.” The same string also showed up in some of the domains the samples had been communicating with.
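The pivot described above (seed on a string seen in file names and contact domains, then widen the set through shared infrastructure) as an added illustration; this is not Talos code, and all hashes, names and domains below are constructed:

```python
# Added example, not from the original article or from Cisco Talos: start from a
# string indicator in file names or domains, then expand the cluster through any
# domain shared with an already-clustered sample. Sample data is constructed.
from collections import deque

SAMPLES = [  # constructed records: sha256 (shortened), file name, contacted domains
    {"sha256": "aaa1", "name": "Wizzupdater.exe",   "domains": {"upd.example-wizz.test"}},
    {"sha256": "bbb2", "name": "Wizzremote.exe",    "domains": {"rem.example-wizz.test", "cdn.shared.test"}},
    {"sha256": "ccc3", "name": "WizzInstaller.exe", "domains": {"inst.example-wizz.test"}},
    {"sha256": "ddd4", "name": "setup_helper.exe",  "domains": {"cdn.shared.test"}},  # no "Wizz", shared domain
    {"sha256": "eee5", "name": "notepad.exe",       "domains": {"update.benign.test"}},
    {"sha256": "aaa1", "name": "Wizzupdater.exe",   "domains": {"upd.example-wizz.test"}},  # repeat sighting
]

def seed_matches(samples, needle):
    """Unique hashes whose file name or any contacted domain contains needle (case-insensitive)."""
    n = needle.lower()
    return {s["sha256"] for s in samples
            if n in s["name"].lower() or any(n in d.lower() for d in s["domains"])}

def expand_cluster(samples, seeds):
    """Breadth-first expansion over shared domains.
    Returns (clustered hashes, domains touched) so an analyst can review the widened set."""
    by_hash = {}
    for s in samples:                       # merge repeat sightings of the same hash
        by_hash.setdefault(s["sha256"], set()).update(s["domains"])
    domain_to_hashes = {}
    for h, doms in by_hash.items():
        for d in doms:
            domain_to_hashes.setdefault(d, set()).add(h)
    cluster, domains, queue = set(seeds), set(), deque(seeds)
    while queue:
        h = queue.popleft()
        for d in by_hash.get(h, ()):
            domains.add(d)
            for other in domain_to_hashes[d]:
                if other not in cluster:
                    cluster.add(other)
                    queue.append(other)
    return cluster, domains

if __name__ == "__main__":
    seeds = seed_matches(SAMPLES, "Wizz")
    cluster, domains = expand_cluster(SAMPLES, seeds)
    print(f"{len(seeds)} seed samples, {len(cluster)} after domain pivot; domains: {sorted(domains)}")
```

The pivot pulls in setup_helper.exe through the shared domain even though its name carries no indicator, which is the kind of widening that turns a handful of hits into thousands of related samples.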

Researchers determined that the application, installed with administrator rights, was capable not only of downloading and installing other software, such as a known scareware called System Healer, but also of harvesting personal information. Furthermore, experts found that the software is designed to detect the presence of sandboxes, antiviruses, security tools, forensic software and remote access doors.

These “features” have led Cisco Talos to classify the Tuto4PC software as a “full backdoor capable of a multitude of undesirable functions on the victim machine.”

According to Tuto4PC’s website, the company offers hundreds of tutorials that users can access for free by installing a piece of software that displays ads. However, based on Cisco’s research, it appears the company is doing more than just displaying ads.

Tuto4PC said its network consisted of nearly 12 million PCs in 2014, which could explain why Cisco’s systems detected the backdoor on 12 million devices. An analysis of a sample set revealed infections in the United States, Australia, Japan, Spain, the UK, France and New Zealand.

“Based on the overall research, we feel that there is an obvious case for this software to be classified as a backdoor. At minimum it is a potentially unwanted program (PUP). There is a very good argument that it meets and exceeds the definition of a backdoor,” Cisco Talos researchers said in a blog post.

“The creation of a legitimate business, multiple subsidiaries, domains, software and being a publicly listed company do not stop this adware juggernaut from slowing down their attempts to push their backdoors out to the public,” they added.

In response to Cisco’s blog post, Tuto4PC Group CEO Franck Rosset clarified that its antivirus bypass technology is not used for malicious purposes — he says it’s designed to make it easier for users to install its applications, which have been blocked by antiviruses. The company provided the following statement to SecurityWeek:

The Talos blogpost is inaccurate in describing Tuto4PC as a shady malware distribution enterprise. We are currently working with our lawyers in order to evaluate the action we can take against Talos’ inexact (negative) presentation of our business.

We are a listed company on the French stock exchange. Since 2004, our business model has been to create widgets, tutorials etc. for free download on download websites. The download of our programs is free, subject to agreement to accept advertising from an adware attached in the download.

Contrary to Talos’ wrongful allegations, our business has been approved by French regulators and we have never been indicted or sued for any malware distribution!!!!

We have a technology subsidiary (Cloud 4PC) with some developments in cybersecurity. Due to some undue blocking by antiviruses that recently blocked Tuto4PC adware (some of them also have an adware business model), we are using a bypass technology so that people can easily download our programs (and adware). Although the bypass software is extremely efficient, it has no other purpose or use than helping the Tuto4PC adware download.

There is no malware activity and Talos cannot prove or show any malware use of the program — with more than 10 million installed, if there were any malware activity, obviously there would be some user complaints.

As you can see, we are a French company — very easy to reach, we are not hiding in some rogue country — we do not understand why Talos has not contacted us prior to their post.

In any case, our subsidiary Cloud 4PC is going to launch soon “AV Booster,” an antivirus booster that will help stop any real malware that uses bypass techniques like the ones we developed.

*Updated with statement from Tuto4PC

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.