The Wikimedia Foundation last week warned that readers who are seeing ads on Wikipedia articles are likely using a Web browser that has been infected with malware. The warning points to an apparent resurgence in adware and spyware that is being delivered via cleverly disguised browser extensions designed to run across multiple Web browsers and operating systems.
In a posting on its blog, Wikimedia noted that although the nonprofit organization is funded by more than a million donors and does not run ads, some users were complaining of seeing ads on Wikipedia entries. “If you’re seeing advertisements for a for-profit industry (see screenshot below for an example) or anything but our fundraiser, then your web browser has likely been infected with malware,” reads a blog post co-written by Philippe Beaudette, director of community advocacy at the Wikimedia Foundation.
Examples of the information we may collect and analyze when you use our website include the IP address used to connect your computer to the Internet; login; e-mail address; password; computer and connection information such as browser type, version, and time zone setting, browser plug-in types and versions, operating system, and platform; the full Uniform Resource Locator (URL) clickstream to, through, and from the Site, including date and time; cookie; web pages you viewed or searched for; and the phone number you used to call us.
The author of that DeleteMalware post said he found a copy of the IWantThis browser extension bundled with freeware from software download sites (the author doesn’t mention which download site, but it’s worth mentioning again that sites like Download.com have recently begun bundling adware, toolbars and other potentially invasive software with otherwise “free” titles).
The Wikimedia blog post specifically mentions that this extension affects Google Chrome users, but the extension appears to be equally capable of installing across multiple browsers, including Mozilla Firefox and Internet Explorer. Last week, I wrote about LilyJade, a new computer worm that was spreading across Facebook accounts by abusing the free services offered by Crossrider, a platform that makes it simple to develop browser extensions that work seamlessly across browsers and operating systems.
In researching IWantThis, I spoke with Sergey Golovanov, a malware expert at Russian antivirus maker Kaspersky Lab, who pointed out that the IWantThis extension has been delivered via Crossrider since at least February of this year. This may or may not be linked to an affiliate program that rewards people with commissions for convincing people to install the software.This writeup from Symantec’s ThreatExpert malware scanning engine steps through some of the registry changes that the IWantThis extension executes on a host system.
It’s also worth noting that few — if any — antivirus firms are likely to alert users about malicious or invasive browser extensions. For example, none of the 43 antivirus and security applications used to conduct this scan of the IWantThis! extension at Virustotal.com flagged it as malicious, or even a potentially unwanted application.
Broken record alert: If you didn’t go looking for it, don’t install it!
Tags: adware, browser extension, Crossrider, DeleteMalware Blog, Google Chrome, internet explorer, IWantThis!, Kaspersky Lab, LilyJade, mozilla firefox, Phlippe Beaudette, Sergey Golovanov, spyware, threatexpert, virustotal, Wikimedia Foundation, Wikipedia