3 Replies Latest reply on Sep 1, 2014 6:20 AM by Peter M

    How to stop Malware using ironSource InstallCore engine

    c14us

      Does anyone have good information on how to break the Israeli ironSource InstallCore code? It is being utilized in a growing number of malware at my endpoints.


      Does anyone have any reverse engineering information to expose weaknesses in this awful installer?


      Regards

      Claus

        • 1. Re: How to stop Malware using ironSource InstallCore engine
          Peter M

          What is the name of the malware? ironSource InstallCore is a perfectly genuine entity, but the name of the malware might be more useful.

          • 2. Re: How to stop Malware using ironSource InstallCore engine
            c14us

            The latest I've seen is one disguised as a Flash setup file, generating a PurBrowser variant.


            Regards

            Claus


            Malware scan of adobe_flash_setup.exe ac2591cef1e13e400538fe3e3cda073606cba835 - herdProtect


            C:\PROGRAM FILES (X86)\CLEARTHINK\BIN\CLEARTHINK.PURBROWSE64.EXE

            Threat Name: 3892
            Threat Type: open_with_terminate, open_with_mo
            Action Taken: Blocked


            Target Distinguished Name: CN=INFORMATION TECHNOLOGY SYSTEMS, OU=IT, O=INFORMATION TECHNOLOGY SYSTEMS, L=PODGORICA, S=MONTENEGRO, C=ME
            Target File Name: ADOBE_FLASH_SETUP.EXE
            Target Fingerprint: 0e73676e390c2219cb207da8caa0213f
            Target Organization Name: INFORMATION TECHNOLOGY SYSTEMS
            Target Path: C:\USERS\DKLKB\APPDATA\LOCAL\MICROSOFT\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\8CCJYVX0\ADOBE_FLASH_SETUP.EXE
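
            Added example (not part of the thread, nor any vendor's code): a small Python check that parses the endpoint event fields quoted in the post above (the values are copied from the post; the "Key: Value" log layout is assumed) and flags the two things a defender would key on in this event: a file named as an Adobe Flash installer whose code-signing organization is not Adobe, and an executable launched from the browser's Temporary Internet Files cache. The path check is generalized to a Downloads folder as well.

```python
import re

# Constructed sample: the event fields from the post above, re-typed as
# "Key: Value" lines. Field values are from the post; the line layout is assumed.
SAMPLE_EVENT = """\
Target Distinguished Name: CN=INFORMATION TECHNOLOGY SYSTEMS, OU=IT, O=INFORMATION TECHNOLOGY SYSTEMS, L=PODGORICA, S=MONTENEGRO, C=ME
Target File Name: ADOBE_FLASH_SETUP.EXE
Target Fingerprint: 0e73676e390c2219cb207da8caa0213f
Target Organization Name: INFORMATION TECHNOLOGY SYSTEMS
Target Path: C:\\USERS\\DKLKB\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS\\TEMPORARY INTERNET FILES\\CONTENT.IE5\\8CCJYVX0\\ADOBE_FLASH_SETUP.EXE
"""

# Directories a browser drops files into; a launch from here is worth a look.
BROWSER_DROP_DIRS = re.compile(r"\\temporary internet files\\|\\downloads\\")


def parse_event(text):
    """Split 'Key: Value' lines into a dict; only the first ':' separates key
    from value, so drive letters and DN components stay intact."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def flag_event(fields):
    """Return the list of reasons this event looks like a masquerading installer."""
    reasons = []
    name = fields.get("Target File Name", "").lower()
    signer_org = fields.get("Target Organization Name", "").lower()
    path = fields.get("Target Path", "").lower()
    # File claims to be a Flash installer but is not signed by Adobe.
    if "flash" in name and "adobe" not in signer_org:
        reasons.append("file name claims Adobe Flash but signer org is %r"
                       % fields.get("Target Organization Name"))
    # Executable was run straight out of a browser cache/download directory.
    if BROWSER_DROP_DIRS.search(path):
        reasons.append("executable launched from a browser download/cache directory")
    return reasons


def check_sample():
    return flag_event(parse_event(SAMPLE_EVENT))
```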
            • 3. Re: How to stop Malware using ironSource InstallCore engine
              Peter M

              Not sure in that case, especially as you are using Enterprise, as things are handled differently from the Consumer side, where I help out. Support may have ideas on blocking it. Meanwhile, hopefully someone with corporate experience will spot this.


              I was hoping there was a specific known malware name so I could point you to a removal guide; sorry to waste your time.


              There is one removal guide for ClearThink adware: How to remove ClearThink Ads (Virus Removal Guide)


              Meanwhile, be very careful what you download and where from, and watch out for optional extras attached to the download that you don't need.