The software, which exhibits adware and spyware capabilities, was developed by a French online advertising company called Tuto4PC. This company was formerly known as Eorezo group and has been linked to an outfit called Wizzlabs. In English a “wiz” is slang for having a Nintendo, which, if Talos is correct, is appropriate for what its software does to your privacy.
Talos peeked under the bonnet of Tuto4PC’s OneSoftPerDay application, which sounds a bit like an advert for an inverted Viagra and in many ways it is. Its investigation uncovered roughly 7,000 unique samples with names containing the string “Wizz,” including “Wizzupdater.exe,” “Wizzremote.exe” and “WizzInstaller.exe.” The string also showed up in some of the domains the samples had been communicating with.
When installed with administrator rights, the software could download and install other software, including the scareware System Healer. It also harvested personal information. To make matters worse, the software is designed to detect the presence of sandboxes, antiviruses, security tools, forensic software and remote access tools.
These “features” have led Cisco Talos to classify the Tuto4PC software as a “full backdoor capable of a multitude of undesirable functions on the victim machine.”
Tuto4PC’s website claims to offer hundreds of tutorials that users can access for free by installing a piece of software that displays ads. It claims that its network is made up of more than 12 million PCs in 2014, which could explain why Cisco’s systems detected the backdoor on 12 million devices.
Infections have been found in the United States, Australia, Japan, Spain, the UK, France and New Zealand.
In response to Cisco’s blog post, Tuto4PC Group CEO Franck Rosset clarified that its antivirus bypass technology is not used for malicious purposes. It is just designed to make it easier for users to install its applications, which have been blocked by antiviruses.
Without using the words Roast-Beef-Eating ‘amburger munchers to describe Cisco, the company indignantly told SecurityWeek [shurely weak security. Ed]:
“The Talos blogpost is inaccurate in describing Tuto4PC as a shady malware distribution enterprise. We are currently working with our lawyers in order to evaluate the action we can take against Talos’ inexact (negative) presentation of our business.”
It claimed that it was a listed company on the French stock exchange and had been creating widgets, tutorials and the like for free download on download websites for years. Its programs are free to download, subject to the user agreeing to accept advertising from the adware bundled with the download.
“Contrary to Talos’ wrongful allegations, our business has been approved by French regulators and we have never been indicted or sued for any malware distribution!!!!”
It used four exclamation marks as a token of its Gallic anger.
“Due to some undue blocking by antiviruses that recently blocked Tuto4PC adware (some of them have also an adware business model), we are using a bypass technology so that people can easily download our programs (and adware). Although the bypass software is extremely efficient, it has no other purpose or use than helping the Tuto4PC adware download,” the company said.
There is no malware activity and Talos cannot prove or show any malware use of the program; with more than 10 million installed, if there were any malware activity there would obviously be some user complaints, the company said.
“We are a French company — very easy to reach, we are not hiding in some rogue country — we do not understand why Talos has not contacted us prior to their post,” the outfit complained.
Ironically, the company says that one of its subsidiaries, Cloud 4PC, is going to launch “AV Booster,” an antivirus booster that will help stop any real malware that uses bypass techniques, including the ones it has developed itself.