China Internet Network Information Center: On Your PC Whether You Want Them or Not
Today, we'll see that even the simplest of hijacks can result in one seriously broken PC, and install what are apparently files related to a "non-profit" group taking orders from the Chinese Government's "Ministry of Information Industry" in the process. After observing a file in the database flagged by one of our researchers, I decided to take it for a test drive and see what happened. In theory, it should have been a straightforward search hijack. In practice, if this had been my "real" PC instead of a test box, I'd now be calling in the world's biggest platoon of priests and holy water.
Let's begin, shall we?
The product we'll be looking at is this thing. Starting off the action with the oldest file in the Database:
....it didn't take long before my PC started acting strangely. And by "strangely", I do of course mean, hijacked with a whole bunch of random bits and pieces of awfulness:
The above is what had been dumped into my System32 Folder. Not a lot to go on at this point, and things are about to get worse. Before my computer-based Apocalypse takes place though, let's have a look inside one of the files and see what's lurking:
...hmm. A randomly named file tasked with calling down lots of executables? Usually not a good sign - especially as some of the files it references weren't actually present on the PC at this point. Hidden downloaders fetching them on demand? Looks that way, doesn't it? However, before we can pursue this line of enquiry, all the tech forensics go out of the window when....
...Internet Explorer pops open, complete with new Toolbar related addition! Is this a good time to see if anything has been deposited into the Program Files directory? You bet:
....hooray! Randomly named folders and files mixed in with the Toolbar folder and something called CNNIC. Remember this, because we'll be coming back to it. For now, we'll quickly examine the Add-ons in Internet Explorer and see how many new additions there have been. The short answer is "lots":
As I'm sure you'll agree, there's a fair number of Browser Helper Objects in there! At this point, I decided to give the Toolbar a go and see if it worked or not. After entering a search for "Paperghost", this is what I got:
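For anyone who wants to reproduce the two checks made above on a suspect machine (the Add-ons list and the System32 dump) without clicking around in Internet Explorer, here is an added read-only triage script. It is not part of the original write-up or of any tool it mentions. It enumerates the CLSIDs Internet Explorer loads as Browser Helper Objects from the HKLM "Browser Helper Objects" keys (IE only honours the machine-wide keys), resolves each CLSID to the DLL named in its InprocServer32 value, checks whether that DLL is Authenticode-signed, and then lists files written to System32 within a configurable window. The $HoursBack parameter and the function names are this example's own; it assumes Windows PowerShell 3 or later, run from an elevated prompt.

```powershell
# Added triage example (not the article's own code). Read-only: nothing is changed.
# 1. Enumerate IE Browser Helper Objects and resolve each CLSID to the DLL it loads.
# 2. List files dropped into %SystemRoot%\System32 within the last N hours.
param(
    [int]$HoursBack = 24   # assumption: look back one day for freshly dropped files
)

function Resolve-ClsidPath {
    param([string]$Clsid)
    # InprocServer32's default value holds the DLL path; it may be quoted or use %SystemRoot%
    $roots = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
        'HKCU:\SOFTWARE\Classes\CLSID'
    )
    foreach ($root in $roots) {
        $srv = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $srv) {
            $raw = (Get-ItemProperty -Path $srv).'(default)'
            if ($raw) {
                return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            }
        }
    }
    return $null
}

function Get-BrowserHelperObjects {
    # IE loads BHOs registered under these machine-wide keys (32-bit IE uses the Wow6432Node view)
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid  = $sub.PSChildName
            $dll    = Resolve-ClsidPath -Clsid $clsid
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            $sig = 'n/a'
            $mod = $null
            if ($exists) {
                # Unsigned, randomly named DLLs with a fresh timestamp are the pattern to look for
                $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
                $mod = (Get-Item -LiteralPath $dll).LastWriteTime
            }
            [pscustomobject]@{
                CLSID     = $clsid
                Path      = $dll
                Exists    = $exists
                Signature = $sig
                Modified  = $mod
            }
        }
    }
}

function Get-RecentSystem32Drops {
    param([int]$Hours)
    $cutoff = (Get-Date).AddHours(-$Hours)
    $sys32  = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -Path $sys32 -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.Name
                Size      = $_.Length
                Modified  = $_.LastWriteTime
                Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        } |
        Sort-Object Modified -Descending
}

"== Browser Helper Objects registered for Internet Explorer =="
Get-BrowserHelperObjects | Format-Table -AutoSize
"== Files written to System32 in the last $HoursBack hours =="
Get-RecentSystem32Drops -Hours $HoursBack | Format-Table -AutoSize
```

On a clean box the BHO list is short and every Path is a signed DLL from a vendor you recognise; a run right after an infection like the one above shows the tell-tales the screenshots show: many CLSIDs, paths pointing at randomly named DLLs, Signature reading NotSigned, and a burst of System32 files sharing the same few minutes of LastWriteTime. Entries whose DLL does not exist yet (Exists = False) match the "downloader that has not fetched its payload yet" case described above and are worth keeping an eye on rather than dismissing.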
The results come back via the Baidu search engine. However, check out the bottom right hand corner - when the Toolbar was activated, a "fake warning" appeared telling me my PC had been infected and I needed to run a scan. Coincidence? Possibly. Either way, before I could click the warning and see which wonderful rogue product was about to greet me, the whole system collapsed and died in a horrible, horrible mess.
From this point onwards, the test PC would not function unless run in Safe Mode, and even then, only for a limited amount of time before rebooting itself. After a couple of attempts, I finally managed to get into the desktop and saw some new icons had appeared in Internet Explorer:
The yellow money-bag thing is for the Sofa Toolbar - however, the toolbar would no longer work, and it was impossible to reinstall it. Remember CNNIC? Well, clicking the blue icon on the left takes you to....
...the China Internet Network Information Center!
China Internet Network Information Center: founded as a non-profit organization on June 3, 1997, is the administrative agency responsible for Internet affairs under the Ministry of Information Industry of the People's Republic of China.
.....uh, okay, Government related webpages appearing in a hijack....new one on me. But wait, there's more:
Software produced by CNNIC
* Official version of Chinese URL software, which is malware. It installs itself on the user's system secretly and compulsorily, and will automatically reinstall after you uninstall or delete it.
I had to do a little more digging than usual to find out more information on this one, because I couldn't actually get the thing to work, but one Antispyware team alleges the CNNIC software is used to hijack search results, and "also hijacks 404 pages to a controlling web server in China". In addition, you can see complaints regarding CNNIC software here and here.
Closing down Internet Explorer, I jumped over to the System32 Folder to see if anything new had been added. The answer was a resounding "yes":
No wonder the PC kept keeling over, because the System32 Folder had been completely overrun by a huge number of files (the full list of things dumped into that folder would have needed three or four full screenshots stitched together to give you an accurate idea of what was going on in there). A few more reboots, and eventually the fake popup from earlier on returned:
I was able to grab one final screenshot before the PC went into a sort of Permadeath, and we were finally able to see what rogue application had been installed:
....BraveSentry! After that, the test box was officially DOA. The total time taken to install all of these components was roughly ten minutes - from a seemingly harmless executable that promised maybe a Toolbar or something at best, and a few runs of your favourite Antispyware scanner at worst. If you value your PC, your sanity and your rapidly dwindling supplies of Internet Holy Water, steer well clear of this one...
Research and Summary Write-Up: Chris Boyd, Director of Malware Research
File Discovery, Research: Chris Mannon, FSL Senior Threat Researcher