Chinese Website Serves Up Alexa Toolbar


Here's an interesting one from the database - a colleague of mine came across this a few weeks ago and now here we are, about to plunge into the depths of some more Chinese-related Malware. This time round, there's a little twist thrown in for good measure - East meets West, if you will.

We begin our journey with a Trojan called Symfly - from this file, another payload (sna.exe) was installed and during this process, something called Install7.exe was eventually brought kicking and screaming into the world. Already, we're dealing with a file three notches down a daisy-chain, which will likely give you an idea of the complexity behind this particular hijack. From close examination of the inner workings of the files involved, we can eventually determine that a site called Renwu is at the heart of the action - to the casual observer, you'd think there was nothing to see. However, the login prompt is a sure sign there's something going on. After the Install7 file has executed, a file called Demnsvr.exe is dumped into your Windows directory. Sometimes the install fails at this point - if it works, you'll know for sure because (along with some .dll files, a service and a BHO for Internet Explorer) it deposits a log file on your desktop which is kind of a giveaway:

install7exe2.jpg
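The chain above (Symfly drops sna.exe, which drops Install7.exe, which drops Demnsvr.exe into the Windows directory) is the kind of thing that is much easier to spot from process telemetry than from a pile of file names. The script below is an added example, not code from the original write-up: it reconstructs "dropper chains" from constructed process-creation events, where a chain is any run of processes in which each child runs from a file its parent wrote. The event records, their field layout (pid, ppid, image, written) and the paths are all assumptions made up for the demonstration; they are not the output of any particular tool and the real file locations were not given in the post.

```python
"""Reconstruct multi-stage dropper chains from process-creation events.

Added example, not from the original post. The events below are constructed
to mirror the chain the post describes (Symfly -> sna.exe -> Install7.exe ->
Demnsvr.exe). Field layout and paths are assumptions for the demo only.
"""
from collections import defaultdict

# Constructed telemetry: one dict per process-creation event.
# "written" lists files the process wrote before exiting (assumed field).
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "written": []},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\victim\Downloads\symfly.exe",
     "written": [r"C:\Users\victim\AppData\Local\Temp\sna.exe"]},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\victim\AppData\Local\Temp\sna.exe",
     "written": [r"C:\Users\victim\AppData\Local\Temp\Install7.exe"]},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\victim\AppData\Local\Temp\Install7.exe",
     "written": [r"C:\Windows\Demnsvr.exe", r"C:\Users\victim\Desktop\install.log"]},
    # Unrelated process started from the shell, to show it is not reported.
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\Editor\editor.exe", "written": []},
]


def build_tree(events):
    """Index events by pid and build a parent -> [child pids] map."""
    by_pid = {}
    children = defaultdict(list)
    for e in events:
        by_pid[e["pid"]] = e
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def dropped_by_parent(event, by_pid):
    """True if the process runs from a file its own parent wrote."""
    parent = by_pid.get(event["ppid"])
    if parent is None:
        return False
    written = {w.lower() for w in parent["written"]}
    return event["image"].lower() in written


def dropper_chains(events, min_stages=3):
    """Return every maximal parent-wrote-child chain with >= min_stages stages.

    A chain root is a process that was NOT dropped by its parent; from there
    we only follow children that the current process itself wrote to disk.
    """
    by_pid, children = build_tree(events)
    chains = []

    def walk(event, chain):
        kids = [by_pid[c] for c in children.get(event["pid"], [])
                if dropped_by_parent(by_pid[c], by_pid)]
        if not kids:
            if len(chain) >= min_stages:
                chains.append(chain)
            return
        for kid in kids:
            walk(kid, chain + [kid["image"]])

    for e in events:
        if not dropped_by_parent(e, by_pid):
            walk(e, [e["image"]])
    return chains


def report(events, system_dir="c:\\windows\\"):
    """Summarise each chain and list what its final stage wrote into the
    system directory (the Demnsvr.exe drop in the post's chain)."""
    image_to_event = {e["image"].lower(): e for e in events}
    out = []
    for chain in dropper_chains(events):
        last = image_to_event[chain[-1].lower()]
        sys_writes = [w for w in last["written"]
                      if w.lower().startswith(system_dir)]
        out.append({"stages": len(chain), "chain": chain,
                    "system_writes": sys_writes})
    return out


if __name__ == "__main__":
    for r in report(EVENTS):
        print(f"{r['stages']}-stage chain: " + " -> ".join(r["chain"]))
        for w in r["system_writes"]:
            print("  final stage wrote into system dir:", w)
```

The point of keying on "child runs from a file the parent wrote" rather than on file names is that it survives the payload names changing between campaigns, which this one did more than once.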

At this point, an "updater" section on the Renwu site creates Adcheat and Historyclear on the infected PC. I couldn't decide if history clear was protecting my privacy or offering me a bite to eat, and Adcheat (seemingly) wants to make a call to Australia:

install7exe15.jpg

However, this is actually a server in China, and has apparently been flagged for matters relating to Spam in the past. Of course, it comes as no shock to discover the Renwu site is tied to this server; less so, the other domains listed on it. Bill Gates is a Registrar for this website? Wow! Even better, check out this guy - Mr Drgd Drgdrgr!

With a background like that, no wonder those spam databases have issues with this box!

Eventually, we come to the next oddity of this install: the Alexa Toolbar, installed without consent via FTP:

http://blog.spywareguide.com/upload/2007/03/install7exe5-thumb.jpg

Note the popup asking you to install a Chinese Language Pack.

What happened to the installer prompt / EULA, I hear you cry? Well, a box appears all-too-briefly in the middle of the screen - not exactly brimming with content, but then considering it's only on your screen for about half a second I can't say I'm too surprised. It took me long enough getting that screenshot. At time of writing, the Alexa Toolbar is no longer installing, but as you can see here, the file is still on the server and could easily be re-activated (it's been up and down a few times so far already). It's worth noting that when this file is installed, the desktop has a tendency to become unusable and only a reboot will cure it.

I've mentioned in the past that attempting to tackle Adware and Spyware from China is a whole new world of exploration, because of the difficulties involved in ascertaining the who, what, when, where and why of a case. Here again, we have the same difficulty. Seemingly random websites are called out to - why? Who runs them? Are they legit? Who do you contact? Could they be innocent parties, hosting backdoored files? Or are they just sites the Malware creator likes to visit in his spare time? Here's a sample selection of some of the sites called out to when the initial infection file runs and begins the process of calling down the individual files. Note - none of the below sites actually carry any of the payloads...

http://blog.spywareguide.com/upload/2007/03/install7exe6-thumb.jpg
http://blog.spywareguide.com/upload/2007/03/install7exe7-thumb.jpg
http://blog.spywareguide.com/upload/2007/03/install7exe9-thumb.jpg

At this point, we need to tie it all together. Let's examine the Alexa Toolbar for a moment. It's Wikipedia time:

"The Alexa Toolbar, an application produced by Alexa Internet, is a Browser Helper Object for Internet Explorer on Microsoft Windows that is used by Alexa to measure website statistics."

In other words, the Alexa figures for website rankings are based on the statistics generated by users who surf with the Alexa Toolbar installed.

Remember the Adcheat file I mentioned earlier? Well, after Adcheat has phoned home and HistoryClear.exe has wiped your cookie cache, the Alexa Toolbar is installed and a call is made to this site (note the two domains listed on the page). From there, a call is made to the below site (note the Alexa sub-domain Renwu.info is touting):

http://blog.spywareguide.com/upload/2007/03/hotrockrenwu-thumb.jpg

This is apparently a redirect to a site called Hotrock.cn.

The question is, is this an incredibly over-elaborate attempt to artificially inflate the Alexa ranking of one (or more) of the sites listed above? If so, they're not having much luck with it. All three sites - Renwu, Hotrock and Aqclub - are outside the top 100,000. An interesting tactic would have been to try and generate income via sponsored Amazon links - this is something we're still currently investigating, though it would make sense with regard to installing the Alexa Toolbar in the first place. What is interesting is this graph comparing the traffic to the previously mentioned websites:

http://blog.spywareguide.com/upload/2007/03/3sites-thumb.jpg

From about halfway through January (when these files first started showing up) up to the present day, both Hotrock and Aqclub have amazingly similar traffic patterns, right down to the way it rises and falls at certain points on the graph. Remember, both of these sites are mentioned on the Renwu page that's called once the Alexa Toolbar is force-installed.

Coincidence?

It'd have to be a pretty large one...
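"Amazingly similar traffic patterns" is a judgement made by eye on a graph; it is worth knowing how to put a number on it. The script below is an added example and not part of the original post. It takes three constructed weekly visit series (the figures are made up for the demonstration, they are not the real Alexa numbers for Renwu, Hotrock or Aqclub, which the post does not give) and reports two things for each pair of sites: the Pearson correlation of the raw counts, and the fraction of weeks in which both series move in the same direction, which is the "rises and falls at the same points" observation made above in numeric form.

```python
"""Quantify how similar two traffic series are.

Added example, not from the original post. The weekly visit counts below are
constructed: 'hotrock' and 'aqclub' are built to move together, 'renwu' is
built not to. Nothing here is real Alexa data.
"""
import math
from itertools import combinations

# Constructed weekly visit counts, mid-January onwards (10 weeks).
TRAFFIC = {
    "hotrock": [10, 14, 9, 20, 25, 18, 30, 27, 35, 33],
    "aqclub":  [23, 31, 22, 42, 52, 40, 63, 57, 72, 68],
    "renwu":   [30, 12, 25, 8, 28, 15, 9, 31, 14, 22],
}


def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length series."""
    if len(xs) != len(ys) or len(xs) < 2:
        raise ValueError("need two series of equal length >= 2")
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    if vx == 0 or vy == 0:
        return 0.0          # a flat series correlates with nothing
    return cov / math.sqrt(vx * vy)


def direction_agreement(xs, ys):
    """Fraction of week-over-week changes where both series move the same way.

    This is the numeric version of 'rises and falls at the same points':
    scale-free, so a site with ten times the traffic still counts as a match.
    """
    def sign(v):
        return (v > 0) - (v < 0)
    dx = [b - a for a, b in zip(xs, xs[1:])]
    dy = [b - a for a, b in zip(ys, ys[1:])]
    agree = sum(1 for a, b in zip(dx, dy) if sign(a) == sign(b))
    return agree / len(dx)


def compare_all(traffic):
    """Pairwise similarity table: {(site_a, site_b): (pearson, agreement)}."""
    out = {}
    for a, b in combinations(sorted(traffic), 2):
        out[(a, b)] = (pearson(traffic[a], traffic[b]),
                       direction_agreement(traffic[a], traffic[b]))
    return out


if __name__ == "__main__":
    for (a, b), (r, agree) in compare_all(TRAFFIC).items():
        print(f"{a:8s} vs {b:8s}  pearson={r:+.3f}  same-direction={agree:.0%}")
```

A correlation close to 1 between two sites and near zero against a third, over the same date range, is still not proof that one program is driving both, but it does tell you the similarity is not something you imagined while squinting at a thumbnail.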

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

This page contains a single entry by Christopher Boyd published on March 7, 2007 12:00 PM.