IT professionals are well aware of the shadow IT risk. Considerable risk is introduced by employees installing unauthorized software onto their work computers and mobile devices. However, this has been clearly illustrated this week following the discovery of a new malware by the Talos team. To date more than 12 million individuals are believed to have installed the new Trojan downloader.

Seemingly Genuine Software Performs a Wide Range of Highly Suspect System Actions

Many users are frustrated by the speed of their PC and download tools that will help to resolve the problem, yet many of these are simply bloatware that perform no beneficial functions other than slowing down computers. These can be used to convince users to pay for additional software that speeds up their PCs, or worse. The software may perform various nefarious activities.

It would appear that the new malware is of this ilk. Furthermore, it is capable of being exploited to perform a wide range of malicious actions. The software performs a wide range of highly suspect functions and has potential to steal information, gain administration rights, and download malicious software without the user’s knowledge.

The new malware has been referred to as a “generic Trojan” which can check to see what AV software is installed, detect whether it has been installed in a sandbox, determine whether remote desktop software has been installed, and check for security tools and forensic software.

By detecting its environment, the malware is able to determine whether detection is likely and if so the malware will not run. If detection is unlikely a range of functions are performed including installing a backdoor. The backdoor could be used to install any number of different programs onto the host machine without the user’s knowledge.

So far more than 7,000 unique samples have been discovered by Talos. One common theme is the use of the word “Wizz” throughout the code, with the malware communicating with “WizzLabs.

Analysis of the malware revealed that one of the purposes of the software was to install adware called “OneSoftPerDay”. The company behind this adware is Tuto4PC, a French company that has got into trouble with authorities before for installing PUPs on users’ computers without their knowledge.

By allowing the malware to run, researchers discovered it installed System Healer – another Tito4PC creation – without any user authorization. Whether the malware will be used for nefarious activity other than trying to convince the users to download and pay for PUPs is unclear, but the potential certainly exists. With 12 million devices containing this software, at any point these machines could be hijacked and the software used for malicious purposes.

The Shadow IT Risk Should Not Be Underestimated

The shadow IT risk should not be underestimated by security professionals. Many seemingly legitimate software applications have the capability of performing malicious activities, and any program that does to such lengths to detect the environment in which it is run and avoid detection is a serious concern.

Organizations should take steps to reduce Shadow IT risk and prevent installation of unauthorized software on computers. Policies should be put in place to prohibit the installation of unauthorized software, and software solution should be employed to block installers from being downloaded. As an additional precaution, regular scans should be conducted on networked devices to check for shadow IT installations and actions taken against individuals who break the rules.