June 27, 2015
Last week during discussions on the Mauritius Internet Users mail list about the Ask.com toolbar to behave like malware, S. Moonesamy mentioned he installed the toolbar and when removed it remained enabled as an add-on in the browser.
Is the Ask.com toolbar a malware?I mentioned I would test on my end after downloading an evaluation copy of Microsoft Windows 8.1 :-)
I downloaded and installed Windows 8.1 in a virtual machine to carry my tests. I recall the Ask.com toolbar used to be installed (suggested) during Java RE installations. I therefore, downloaded Java RE first & proceeded to install.
Java RE was installed, at no moment during the setup I was suggested to install Ask.com toolbar. I checked the Internet Exlplorer add-ons; no ask.com. Neither my homepage nor my default search provider were changed to ask.com.
I conclude Java RE version 8 does not come bundled with the Ask.com toolbar. The setup file was digitally signed by Oracle America Inc, on 30 April 2015.
Getting the Ask.com toolbarNext, I looked for the Ask.com toolbar from Ask Partner Network. I found the
AskToolbar.exeexecutable file. Microsoft Windows Defender scanned the file and did not find anything suspicious. The file was digitally signed by Ask.com, on 5 October 2014.
During setup the installer sets the homepage and default search provider to ask.com. If the boxes are unchecked the settings will be left unchanged and only the toolbar is installed.
After the installation, open Internet Explorer and you will be prompted to enable the Search App by Ask.
The toolbar appears in the browser and prompts if the search provider should be changed to ask.com or keep bing.com.
I clicked on the settings button on the toolbar and there is an option to uninstall the search app.
The application can be removed through the control panel as well. I checked the Internet Explorer add-ons and found two extensions by Ask. One is for the browser toolbar and the other is defined as browser helper object.
The following processes were running:
I disabled the add-ons and there is no toolbar in Internet Explorer.
I enabled them back and removed the Search App by Ask application from the control panel. A dialog box appears and provides a link that explains how to change the homepage.
I opened Internet Explorer, there was no toolbar. I checked the add-ons and there were no Ask extensions available. The processes as seen in the image above were no more running.
I assume that removing the app from the control panel stops all processes and removes all related extensions.
Is Ask.com toolbar malicious?I uploaded the
AskToolbar.exeon VirusTotal and scanned it. I found the following:
Ask.com toolbar installer is reported as containing a variant of ask toolbar which is usually categorized and PUA (Potentially Unwanted Application) or PUP (Potentially Unwanted Program). The detection ratio is 3⁄55 which I would say is very low.
One could also click on the behavioral information tab of the VirusTotal report and analyze the files that are read, opened, written to or downloaded by the toolbar installer. It gives an idea on the operations that the installer executes in order to setup the toolbar.
This report should not be interpreted as the actual behavior of the toolbar. The installer is one file and VirusTotal will scan and report what this particular file contains and how it behaves. The toolbar files can be accessed after the installation and I am yet to find anyone who carried a forensic analysis on those files.
In my opinion, the Ask.com toolbar as it is downloaded from the Ask Partner Network is not malicious, since it did not hijack my browser neither did it left ghost processes after installation. It did not load widgets that consume my bandwidth. However, Ask.com toolbar can be installed or the default search provider can be set to ask.com by other applications that could be malware.
Ask.com allows someone to register through the Ask Partner Network and have a custom branded toolbar. Several of its features can be exploited to add widgets that generate money through user hits. Such exploits also result in having a high load on the network traffic. Consequently, computers with a custom branded toolbar might suffer from slow internet connection. A series of tests can be done to identify them but that would be beyond the scope of this article. I will pen down here :-)
Update - 30 June 2015I notice the following paragraph from the Ask toolbar EULA:
Installer: Your installation of a Search Application may be facilitated by APN’s or an APN partner’s installer technology which: (i) downloads the files necessary to install the software; and (ii) scans your computer for specific files and registry settings to ensure compatibility with your operating system and other software installed on your computer. Once the installer technology has been initiated, the installer technology may present you with additional offers from APN partners in addition to the Search Application. More information on our installer technology is available here: http://apnstatic.ask.com/static/offercast/about/privacy.html.