SpywareGuide powered by FaceTime Security Labs

  • NetBrowserPro: The Porn Browser

There's a long line of browsers that have completely failed to enhance end users' security and peace of mind on the web. Yapbrowser, which redirected you to illegal porn with the click of a button; the "Safety Browser", which was anything but safe and arrived in the form of an Instant Messaging hijack; Browsezilla, which allegedly increased the hitcount for various adult websites; and now, fresh out of the blocks, NetBrowserPro.

For some reason, the majority of these browsers want to convince you of their focus on security. Look at Yapbrowser's resurrection, where they laid claim to a 100% "guarantee" that no malicious code would enter your system while using the browser. Or Safety Browser, which had popups enabled by default and hijacked your IE Start Page.

NetBrowserPro (whose website actually shares the same IP address as Browsezilla - 216.255.178.220) follows this noble tradition, with the bold claim that:

"NetBrowserPro is the internet browser which aimed to the one thing - help you to watch porn.
Secure, confidential, quick and free.

Secure? Sure it is! About half of all "free porn sites" tries to install trojan or adware program to your computer in some way. According to the researches Internet Explorer was vulnerable to intrusions during 284 days of the last year!. You could always use other browser, like, for instance, Firefox, but it was vulnerable as well, however, during less than 56 days. Some people use antiviruses, but in practice antiviruses databases are being updated less frequently than the virus-makers release new viruses. However, all vulnerabilities are quite similar and do have similar methods of penetration. These methods use browsers' built-in features. In common life you do need such features to visit simple online shops, banks and other sites, but you don't need these features when you surf porn. NetBrowserPro uses only features, which are necessary to surf porn, it switch everything except this off. So there is absolutely no gap for the virus."

Well, there's probably no "gap for the virus" because according to Rootkit Revealer it comes with its very own rootkit!

http://blog.spywareguide.com/upload/2007/03/netbpro1-thumb.jpg

How does this all begin? With a download of something called "121.exe" from the NetBrowserPro website, assuming you liked the sound of the product enough to download it in the first place:

http://blog.spywareguide.com/upload/2007/03/netbpro2-thumb.jpg

Once downloaded, if the user runs the file they'll be faced with the following box containing the kind of EULA that I refer to as a "free for all" - because they effectively want you to agree to them updating pretty much whatever they want, whenever they want without having to notify you. Again, note the reference to "security":

http://blog.spywareguide.com/upload/2007/03/netbpro3-thumb.jpg

It seems "security" is equated with the removal of choice and forcing you to accept their definition of what security might entail - take it or leave it, effectively. But how do we know they've made the right choices with regard to their "browser security"? Of course, the answer is we don't.

Once you click through, a site called Codecaddon.com ("Codec Add-on") is contacted, and you are shown a EULA for something called MovieCommander:

http://blog.spywareguide.com/upload/2007/03/netbpro4-thumb.jpg

Wondering what it is? Well, the Codecaddon.com website is a big clue. Look at the graphics and site layout below:

http://blog.spywareguide.com/upload/2007/03/netbpro9-thumb.jpg

...and compare and contrast with the second site listed on this writeup from Sunbelt Software. As you can see, the site is a carbon copy of TVCodec.com. These are known as "fake codecs", and installing them is a very bad idea. Interestingly, many of the sites on the same IP address as both NetBrowserPro and Browsezilla are porn galleries that prompt you to install fake codecs to view their content.

Once everything is installed, the browser will autostart on your desktop. Before we get to the browser itself, look at the logo:

netbpro6.jpg

...seem familiar? It should, because it's almost identical to the Netscape Navigator logo. Indeed, the font used for the N appears to be identical to the Netscape one. We've seen "alternative" browsers use logos that are similar to more familiar browsers before (the Safety Browser did a poor imitation of the Internet Explorer logo, for example). The reason for this similarity can be anything from a lack of creativity on the part of the graphic designer to (in more malign cases) a desire to fool the user that it's somehow related to the more mainstream brand.

Of course, it could just be one huge coincidence.

At this point, we can finally take a look at the browser:

http://blog.spywareguide.com/upload/2007/03/netbpro5-thumb.jpg

Note the (limited) options at the top include the ability to turn images on and off, add links and "boss", which presumably is a panic button for when you're in the workplace. I'm not entirely sure who would be using this in any sort of workplace, but at any rate, that's about all you can do with this thing. With regard to your saved bookmarks, the NetBrowserPro website states:

"Moreover, all bookmarks are being kept on the remote server, which excludes the opportunity of viewing them, even with the full access to the computer."

We have absolutely no information about their "remote server", its security, what they do with the stored information or anything else. Does this sound "secure" to you?

However, worse is to come. NetBrowserPro lets you click into apparently random galleries of porn that are hosted elsewhere. Sadly, many of the links clicked take the user to the kind of redirect sites that contain nothing but hundreds of images of all sorts of random pornography. Anyone that's been caught in a porn trap will know the kind of pages I'm describing. Well, though most of these redirects serve up "regular" porn, one or two took me to sites that contained what I can only describe as a couple of "dubious looking" models. While they may well be of legal age, the fact that an initial reaction to these images was "how old?" is never a particularly good indicator of the overall content of those sites, or indeed what they link to.

As the sites served up by the browser seem to be randomly selected each time you fire it up, there's no real way to know what you're going to get, and that's a surefire way to have your product dropped off a cliff in a hurry. Can the people behind NetBrowserPro absolutely guarantee that none of the redirects will take you to something you'd rather not see? That all of the people serving up the content they link to are 100% legitimate? I don't see how that's physically possible, and because of this random element of chance, of having to put blind faith in a product that apparently uses rootkit / fake codec technology... I'd advise end-users not to install and run this program.

Sadly, yet another browser joins Yap, Safety and Browsezilla in the naughty corner...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher



  • Comments

Check the IP address - 216.255.178.220 is InterCage (aka Atrivo) yet again. 216.255.176.0 - 216.255.191.255 is a good candidate to block from your network entirely.
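
As an added example (not part of the original post or its comments), the range quoted in the comment above can be collapsed into CIDR form for a blocklist and used to flag proxy-log entries whose destination falls inside it. The log format, client addresses and hostnames are constructed for illustration; only the IP range and the 216.255.178.220 address come from the page.

```python
import ipaddress

# Range quoted in the comment above (the only values taken from the page).
RANGE_FIRST = ipaddress.IPv4Address("216.255.176.0")
RANGE_LAST = ipaddress.IPv4Address("216.255.191.255")


def range_to_cidrs(first, last):
    """Collapse an inclusive first-last range into the minimal CIDR list."""
    return list(ipaddress.summarize_address_range(first, last))


def flag_log_lines(lines, networks):
    """Return (client, dest_ip, host) for each log line whose destination
    falls inside one of the given networks. Malformed lines are skipped."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        _ts, client, dest, host = fields[:4]
        try:
            dest_ip = ipaddress.ip_address(dest)
        except ValueError:
            continue  # destination field is not an IP address
        if any(dest_ip in net for net in networks):
            hits.append((client, dest, host))
    return hits


# Constructed sample proxy log: timestamp, client, destination IP, Host header.
# Timestamps, client addresses and hostnames are made up for the example.
SAMPLE_LOG = """\
2007-03-29T10:01:12 10.0.0.15 216.255.178.220 host-a.example
2007-03-29T10:01:40 10.0.0.22 198.51.100.7 intranet.example
2007-03-29T10:02:03 10.0.0.15 216.255.191.255 host-b.example
2007-03-29T10:02:09 10.0.0.31 216.255.192.1 host-c.example
2007-03-29T10:02:30 10.0.0.31 not-an-ip host-d.example
""".splitlines()

if __name__ == "__main__":
    cidrs = range_to_cidrs(RANGE_FIRST, RANGE_LAST)
    print("block:", ", ".join(str(c) for c in cidrs))
    for client, dest, host in flag_log_lines(SAMPLE_LOG, cidrs):
        print(f"hit: {client} -> {dest} ({host})")
```

The same client appearing against several hostnames in the range is the pattern the post describes, where many sites share the one address.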



© Copyright 2006, FaceTime Communications, Inc. All rights reserved.