Images Speak Louder Than Words


We recently came across two Chinese hijacks (one weighing in at around 30MB, the other at 15MB) that can completely destroy your PC. The files that arrive seem to be a little bit random, but a good number of them have the potential to send your CPU usage through the roof and keep it there until your PC keels over. With a whole bunch of them installing at the same time, blue screens and repeated crashes are the order of the day. I briefly mentioned this thing here - well, consider this writeup a sample of the kind of things you can expect if unfortunate enough to be hit by this thing. It goes without saying that there's spyware, adware, malware, rootkits and pretty much everything else you can think of in this payload - in fact, feast your eyes on a sample of some of the files installed:

http://blog.spywareguide.com/upload/2007/05/bigpile1-thumb.jpg

I'm sure you'll agree, that's one seriously big pile of stuff.

Normally, I'd walk you through an install step-by-step, but in this case there's not much point. When the install starts, your desktop pretty much freezes and the only way to see what's on there is reboot, hope it doesn't crash and start digging (with the CPU at 100% all the way, of course). Doesn't sound pleasant, and it most certainly isn't. With that in mind, here's a more-random-than-usual selection of screenshots from both hijacks...

http://blog.spywareguide.com/upload/2007/05/rising10-thumb.jpg

This isn't going to be good, is it? Here's another random error from the pile:

errorreg.jpg

There were quite a lot of errors generated, as it turned out. When I wasn't looking at error screens, I was beaten down with prompts to install all kinds of things. The below installer prompt wants to install a Toolbar onto the computer:

http://blog.spywareguide.com/upload/2007/05/rising5-thumb.jpg

...and for completeness, here's the inevitable shot of the Toolbar:

rising7.jpg

I'm guessing you want to see a shot of the Task Manager at this point, yes?

http://blog.spywareguide.com/upload/2007/05/rising8-thumb.jpg

You can see the PC is already at 100% CPU usage, and half the things on there are already "not responding".

http://blog.spywareguide.com/upload/2007/05/rising12-thumb.jpg

You can see a nice selection of browser windows open here, stuffed with rotating adverts (both Firefox and Internet Explorer).

rising17.jpg

Nope, I have absolutely no idea what I'm being asked either.

Most of the files don't produce any visuals - only a few pop adverts, the rest run silently and kill your machine. However, the other hijack installer (that eventually sucks down roughly 15MB or so of files) was calling a lot of the same stuff and popping the same adverts. For starters, that Toolbar appeared in both bundles. Well, we ran that one (thinking a game of compare and contrast would be fun) and sure enough....

http://blog.spywareguide.com/upload/2007/05/rising2-thumb.jpg

More popups! More silent files that flood your Task Manager and kill off your PC!

http://blog.spywareguide.com/upload/2007/05/rising15-thumb.jpg

The above is an installer prompt for a program we've covered before. Don't worry, you'll see what it is in the next screenshot...

http://blog.spywareguide.com/upload/2007/05/rising18both-thumb.jpg

Here, you can see something called "Disk Free" - I'd like to tell you if it's any good or not, but... you know... blue screens etc. Note the bottom right hand corner - that's our old pal Coopen, the desktop-picture changing marvel (come on, you don't think I selected that picture myself, do you?)

While we're on the subject of old friends, remember the CNNIC? Sure you do. I didn't know they had some kind of Messenger program, though:

messenger.jpg

I found that image along with a bunch of files, though the Messenger itself didn't appear to want to work. Shame.

As I've already mentioned, this second install is a little lighter on the CPU than the first, so it was possible to follow (most) of the install in one go. Imagine my surprise, then, when the following made itself known....

http://blog.spywareguide.com/upload/2007/05/rising19kubao-thumb.jpg

Kubao is some sort of IM / P2P Messaging system, and (as far as I can tell) works a little like Skype...

http://blog.spywareguide.com/upload/2007/05/rising21kubao-thumb.jpg
http://blog.spywareguide.com/upload/2007/05/rising22kubao-thumb.jpg
http://blog.spywareguide.com/upload/2007/05/rising23kubao-thumb.jpg

You wouldn't believe how long it took me to create an account and log into the thing, but there's a screenshot of it in action anyway.

http://blog.spywareguide.com/upload/2007/05/rising24kubao-thumb.jpg

...oh, and here's some weirdo Anime RPG game apparently populated with volleyball players or something.

As you may have noticed, neither of these hijacks is something you'd want to have on your computer. There seems to be a vague hint of moneymaking involved, but whoever put these things together wasn't thinking straight when they decided how many individual files to install onto the PC. There's an art to concocting a hijack that doesn't kill the PC, and these guys were presumably absent from Hijacker School that day. In terms of the bandwidth used to perform these installs, the particularly brutal way your PC is taken over and the complete disregard for whether or not the thing actually functions properly afterwards, I'd have to rate these as two of the worst computer beatdowns I've yet encountered.

The "brave new world" of Chinese Malware hijacks is truly upon us. I'm just not quite sure we're ready for it...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: FSL Threat Research Team, WV


About this Entry

This page contains a single entry by Christopher Boyd published on May 3, 2007 11:02 AM.
