As some of you may have already seen, we released Malwarebytes Anti-Malware for Mac last week. Prior to the release of the new product, I was of the mindset that Macs were not vulnerable to malware. So what changed my mind?
Doug Swanson, my former CTO at Malwarebytes (and current board member!) e-mailed me about a cool product called AdwareMedic he had found over the weekend. Doug’s grandmother’s computer, a Macbook Pro, had fallen victim to a search hijacker that was redirecting any links she clicked to advertising content. He ran AdwareMedic and all was well in the world. Doug insisted I take a look at the software, and his story certainly left me intrigued.
Sounds like something a real estate agent would shout at you while selling you a house, right? Well, sort of.
Just like a grocer may perform a location survey to determine the best place for their store, e.g. a street corner versus a back alley, as an entrepreneur starting a business you absolutely must choose your location carefully. And I don’t mean your office location, I mean your niche. I hate calling it a niche, because it implies something small. Uber certainly didn’t find anything small when it chose to redefine how calling a taxi works!
We faced this hurdle at Malwarebytes early on. When we built the product almost eight years ago, antivirus companies had already saturated the market. There was no room for another antivirus, not that we wanted to be one anyway. From the very beginning, we decided to position ourselves as another layer of protection, one that focuses on the most aggressive and unknown threats, leaving the rest to antivirus. It was one of the best decisions we had ever made.
At the time, we had no idea the position (location!) was so important. The revelation came to me recently while reading The Granularity of Growth where the author’s research found that “a company’s choice of where to compete is almost four times more important than outperforming within its market.” Had we positioned ourselves as another antivirus, who knows what Malwarebytes would be today.
I like to have background noise as I answer work e-mails. Typically, I leave Netflix streaming and every so often I glance at the television. While watching The Office, I noticed something very interesting.
Malwarebytes on The Office
If you look at the bottom right corner of the screen, on the monitor, you’ll see Malwarebytes Anti-Malware installed on the computer of a customer that Michael, Dwight, and Jim go to see. Turns out this isn’t the first time we’ve “appeared” on the show. We’ve also shown up on Darryl Philbin’s computer — look at the top left of the screen.
Malwarebytes Anti-Malware is so good, even Dunder Mifflin uses it!
Post other sightings of Malwarebytes in odd places and I’ll talk with the team and do a giveaway to the best one!
Forgive my absence, I’ve been chained to a headset on several press calls per day for the last few weeks. Now that the press tour is basically over, I’m able to happily announce the launch of an exciting new product, Malwarebytes Enterprise Edition. This thing is awesome. Seriously.
So much work has gone into this product and I’m excited to finally announce it.
I’m working on some really cool changes to the blog and content that I will hopefully post every week, so stay tuned!
It’s been a while since my last post. Unfortunately, I’ve been really busy and the only thing I have to show for it is the launch of our Malwarebytes gear store. So far it’s only t-shirts, but more to come. I definitely got some weird looks at Defcon while wearing the “eater of bytes” shirt.
Some really cool and exciting news coming from Malwarebytes soon. Don’t forget to subscribe to our newsletter.
More content coming soon. In the meantime, check out the related posts.
A friend of mine asked me to look into why Google and Bing were inaccessible using Firefox. I dove in and realized that they were also unreachable using Internet Explorer, Chrome, and even command line ping. It became apparent that the hosts file had been hijacked. In fact, these entries were the only ones present:
I swiftly removed them from the hosts file and both websites loaded fine. But what had put them there? With a working browser, a quick search revealed that those addresses were not legitimate and that something had clearly hijacked the machine.
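A hosts file hijack like this one is easy to spot once you know what "normal" looks like: legitimate entries almost always map a name to loopback or 0.0.0.0 (local development, ad sinkholing), or to a private LAN address. A well-known public domain pointed at a remote address is the signature of a redirect. The following audit script is an added example, not something from the original post; the hosts content it scans is constructed (the actual entries from my friend's machine are not reproduced above), and the watched-domain list and the TEST-NET addresses in the sample are my own assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample hosts file (not the one from the post). 203.0.113.x and
# 198.51.100.x are documentation ranges standing in for attacker infrastructure.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # sinkhole-style block, benign
203.0.113.7     www.google.com google.com
203.0.113.7     www.bing.com bing.com     # hijack: real sites sent elsewhere
192.168.1.20    fileserver.corp.example  # LAN entry, not a hijack
198.51.100.9    update.example.org        # unknown public mapping, worth a look
"""

# Domains a search/security redirect would plausibly target (assumed list).
WATCHED_SUFFIXES = ("google.com", "bing.com", "malwarebytes.org")

# Address space that a hosts entry may legitimately point to besides loopback.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fc00::/7", "fe80::/10",
)]

# Where the real file lives, for running this against a live machine:
#   Windows: C:\Windows\System32\drivers\etc\hosts    macOS/Linux: /etc/hosts
HOSTS_PATHS = (r"C:\Windows\System32\drivers\etc\hosts", "/etc/hosts")


@dataclass
class Finding:
    hostname: str
    address: str
    severity: str  # "high" (watched domain redirected) or "medium" (unknown public mapping)


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field
        for name in parts[1:]:
            yield ip, name.lower()


def is_local(ip):
    """Loopback, unspecified (0.0.0.0), link-local and RFC 1918 space are expected."""
    return ip.is_loopback or ip.is_unspecified or any(ip in net for net in LOCAL_NETS)


def audit_hosts(text):
    """Return Findings for every mapping that sends a name to a non-local address."""
    findings = []
    for ip, name in parse_hosts(text):
        if is_local(ip):
            continue
        watched = any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)
        findings.append(Finding(name, str(ip), "high" if watched else "medium"))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"[{f.severity:6}] {f.hostname} -> {f.address}")
```

Run against a real file by reading one of the paths in HOSTS_PATHS instead of SAMPLE_HOSTS. The "medium" bucket exists so that a review does not stop at the obvious search-engine redirects: a hijacker that also pins an update or vendor domain to its own server is trying to keep its victim from getting help, exactly as the redirect above kept the browser away from Google and Bing.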
Knowing my friend to be an avid Malwarebytes Anti-Malware user, I checked the quarantine and found several objects. The main files appeared to be dplayx.dll and dplaysvr.exe and had several registry entries allowing them to start with the computer. I sent the files to Adam Kujawa, a Malware Intelligence Analyst working with me at Malwarebytes. Adam confirmed that this malware was responsible for the hosts file redirection.
However, further analysis revealed a more cynical side. Adam continued by saying that “all binaries analyzed were heavily packed with custom obfuscation methods and employed anti-debugging tricks which made them a pain to get through” and that “the use of the filenames dplayx.dll and dplaysvr.exe is important because the names belong to legitimate applications and are integral parts of DirectX.”
While not new, the use of these particular filenames shows that malware authors are still trying to hide their executables behind legitimate names.
I apologize for the lapse in posts in the last couple of weeks. Last week I was at RSA and the weekend before that I was jumping into a freezing lake. Seriously.
Marcin Soaking From Polar Plunge
In the weeks leading up to my February 25th Polar Plunge, many Malwarebytes employees eagerly donated to the cause. The pitch? Watch your CEO jump into a freezing lake. Together, we raised over $700 for Special Olympics. I want to personally thank each and every one of them!
Also, isn’t that Malwarebytes shirt awesome?
I was chatting with a few friends who knew what I did and loved using our product. Somehow the topic of selling Malwarebytes Anti-Malware in brick and mortar stores came up. I told them that this was already being done for a year and they were shocked. I guess this isn’t that well known.
Malwarebytes Anti-Malware Retail Box
I actually went out and bought those boxes from Fry’s Electronics the first week they were selling them. OK, to be fair, I sold out one of the stores.
It’s not often that I search for the term Malwarebytes on Google. I know how to get to my own company’s website by typing it into the address bar. However, when a friend or family member asks me how to get to our website, I almost always instruct them to search.
Unfortunately, there exists a market where bad people benefit by preying on our users. They create websites which advertise that they distribute Malwarebytes and instead, download a product of their own onto our user’s machine. They advertise on Google and turn up in search results. I’d equate this to a cereal company packaging their generic, less delicious brand into a Cheerios box and putting it on shelves.
Search result exploiting the Malwarebytes brand
If you see a page like this, it is fraudulent and you should go directly to www.malwarebytes.org instead.
It makes me sick, and I refuse to let it go on. Today, I instructed our legal team to pursue all of these cheaters in hopes that we can wipe them from the face of the Internet.
But that’s not all. How far is too far? Should advertisers on Google be allowed to use company names as keywords? If I search for Cheerios, should the first advertisement be for the generic brand? It’s allowed, a common practice, and in my opinion completely unethical.
I got a message from my friend Paul today asking for help with an infection. He was using the latest version of Firefox at the time and was positive he had not clicked on any odd links or downloaded anything malicious. Naturally, I advised him to run Malwarebytes Anti-Malware and had him send me the log. One specific entry popped out at me.
Memory Processes Infected:
c:\Users\Paul\AppData\Local\ojx.exe (Trojan.ExeShell.Gen) -> 3508 -> No action taken.
I picked up the phone and called Bruce Harrison, our VP of Research, and asked for an explanation. The answer shocked me. I was told that this was an executable hijack that is used with FakeAlert, a Trojan we see almost daily in our research center.
What exactly does that mean? Well, when the infection is able to penetrate your computer, it hijacks all executables to run the malicious file instead of their intended targets. For example, you try to open Skype and the malicious file starts instead.
It does this in two ways. First, it modifies each shortcut itself to point to the malware. Second, it modifies the .exe shell in the registry so that, once again, instead of starting the correct executable it starts the malicious file.
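Both halves of that hijack leave a plain-text trail you can check for. The stock open command for the .exe file class is `"%1" %*` (run the clicked file, pass along its arguments), so any executable that appears in the command ahead of `%1` is interposing itself on every launch; and a shortcut whose target sits in the user profile while its arguments name a second .exe is a shortcut that has been rewritten to launch the real program through something else. The script below is an added example, not part of the original post and not Malwarebytes code: it analyzes command strings and shortcut fields you would read out of the registry and .lnk files. The registry values it scans are constructed sample data (reusing the ojx.exe path from Paul's log); the set of user-writable prefixes is an assumption.

```python
import re

# Normal .exe open command on Windows: launch the clicked file with its arguments.
STOCK_EXE_COMMAND = '"%1" %*'

# Locations an unprivileged infection can write to; a launch handler or shortcut
# target living here deserves scrutiny (assumed list, extend as needed).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\", "%userprofile%", "%appdata%", "%localappdata%", "%temp%",
)

# Constructed sample of the two places the .exe handler can come from. Per-user
# classes under HKCU take precedence over the machine-wide HKCR value, which is
# how a hijack planted without admin rights still catches every launch.
SAMPLE_HANDLERS = {
    r"HKCR\exefile\shell\open\command": '"%1" %*',
    r"HKCU\Software\Classes\exefile\shell\open\command":
        r'"C:\Users\Paul\AppData\Local\ojx.exe" -a "%1" %*',
}


def split_command(cmd):
    """Split a Windows command line on whitespace, honouring double-quoted paths."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmd)]


def in_user_profile(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def analyze_exe_handler(cmd):
    """Decide whether an exefile open command runs the clicked program directly."""
    tokens = split_command(cmd)
    if tokens and tokens[0] == "%1":
        return {"hijacked": False, "interposed": None, "in_user_profile": False}
    interposed = tokens[0] if tokens else ""
    return {
        "hijacked": True,
        "interposed": interposed,
        "in_user_profile": in_user_profile(interposed),
        # Does it still forward the original program, so the victim sees it start?
        "forwards_target": "%1" in tokens,
    }


def audit_handlers(handlers):
    """Return (registry_key, analysis) for every handler that is not the stock one."""
    return [(key, analyze_exe_handler(cmd)) for key, cmd in handlers.items()
            if analyze_exe_handler(cmd)["hijacked"]]


def analyze_shortcut(target, arguments):
    """Flag a .lnk whose target is a user-profile binary that is handed another .exe."""
    arg_tokens = split_command(arguments)
    wrapped = [t for t in arg_tokens if t.lower().endswith(".exe")]
    hijacked = in_user_profile(target) and bool(wrapped)
    return {"hijacked": hijacked, "target": target, "wrapped_exe": wrapped[0] if wrapped else None}


if __name__ == "__main__":
    for key, result in audit_handlers(SAMPLE_HANDLERS):
        print(f"{key}\n  interposed: {result['interposed']} (user profile: {result['in_user_profile']})")
    print(analyze_shortcut(r"C:\Users\Paul\AppData\Local\ojx.exe",
                           r'-a "C:\Program Files\Skype\Phone\Skype.exe"'))
```

On a live system the command strings come from the (Default) value of the keys named in SAMPLE_HANDLERS, and the shortcut target and arguments from each .lnk on the desktop and Start menu; the analysis itself is the same, and the fix is the one the cleanup tool performs: restore `"%1" %*` and point the shortcuts back at their real targets.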
Luckily, Malwarebytes Anti-Malware was able to patch Paul up — but we both wanted to know how this had happened. Bruce advised us to check the installed Java version. It was in fact outdated by several versions. I advised Paul to update to the latest version and he now has a healthy computer!