The SmartBrowser Bait and Switch

|

There's been plenty of issues for Zango to consider these past few weeks - in particular, their unexpected appearance on Myspace is a good example. Well, we have a rather intersting case here - a website enticing an end-user to install something they think they need, only to pull the rug out from under them and reveal that (in actual fact), is was this program over here that they needed all along!

http://blog.spywareguide.com/upload/2006/07/zngosbrowser1-thumb.jpg
Click to Enlarge

As you can see, the site above is a typical free movies / webcam website. This site displays numerous videos for you to watch, with the words "live now" next to a play button. Pressing the button does not launch a video (as one would reasonably assume!), but actually opens up a download prompt:

http://blog.spywareguide.com/upload/2006/07/zngosbrowser2-thumb.jpg
Click to Enlarge

The name of the executable continues the baiting strategy - "open for instant access". At this stage, the end-user still reasonably believes running this software is essential to viewing the videos on the frontpage. You can see the icon on the desktop and a EULA (feel free to try our Beta EULA Analyzer) presented below:

http://blog.spywareguide.com/upload/2006/07/zngosbrowser3-thumb.jpg
Click to Enlarge

However, when you install it, IE opens automatically and you see this:

http://blog.spywareguide.com/upload/2006/07/zngosbrowser4-thumb.jpg
Click to Enlarge

...a page of Zango videos, where you have to install various pieces of Adware from Zango in order to acquire the License to watch the video. However, these are not the "videos" mentioned on the frontpage - in fact, they don't seem to exist. And as far as "watching the videos on the frontpage" goes, installing Smart Browser serves no purpose whatsoever. Research from our database reflects:

The SmartBrowser is controlled by smart-browser.com. In our studies it changes the default home page. It opens pop-up pornographic advertising. Examples included extremelybabes.com and extremelyamateurs.com, and redirects attempted access of other pornographic sites to these sites instead. (Caution: these sites may attempt to load premium-rate dialers.)

EULA Analysis demonstrates some notable and alarming security risks:

- "YOU AGREE THAT UPON ENTERING ANY SITES UNDER THE CATEGORY THAT FEETS OUR PUBLISHERS CATEGORIES ,AN ADVERISEMENT MATCHING THAT CATEGORY WOULD POP UP, AND"

- "YOU AGREE THAT YOUR COMPUTER WILL BE USED TO CONNECT TO OUR SERVER FOR ANY UPDATES OR ADDINS. AND"

- "YOU KNOW AND AGREE THAT YOUR COMPUTER WILL BE USED TO SEND EMAILS (PUBLISHMENT & FILES) TO YOUR FRIENDS (USING YOUR LOCAL USER DATABASE) AND TO OUR LISTS .AND YOU ASSURE US THAT YOU WON'T CONSIDER THAT A VIOLATIONS OF YOUR PRIVACY OR ANY OTHER RIGHT. AND"

- "YOU KNOW AND AGREE THAT YOUR COMPUTER WILL BE USED TO CONNECT TO CHATS IRC, YAHOO ,MSN ,ETC IN ORDER TO PUBLISH OUR PRODUCTS."


What we have here is a clear example of Bait and Switch - luring you in with one offer, only to be denied the desired item, but presented with a "substitute" at the last moment. The difference here, is that the webmaster also gets to install Smart Browser onto the PC in the process - I suppose you could call it a two for the price of one deal or a "bonus". Even if the end-user doesn't choose to download any Zango videos, they'll still be receiving pop-ups (and possibly premium rate dialers) via Smart Browser.

As I am (increasingly) fond of saying - if it looks to good to be true....it probably is.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research and Discovery: Chris Mannon, FSL Senior Threat Researcher
EULA Analysis: Wayne Porter, Senior Director of Greynets Research

About this Entry

This page contains a single entry by Christopher Boyd published on July 21, 2006 7:29 AM.

BBC Coverage of Myspace Problems was the previous entry in this blog.

Webcam Bots Invade Myspace is the next entry in this blog.

Find recent content on the main index or look in the archives to find all content.