Adware / Spyware Issues: April 2007 Archives

This was sadly inevitable, but you can see what to avoid here, courtesy of Sophos. The file itself seems to be a commonplace Banking Trojan popular in Brazil - a variant of which was used in the Orkut Worm attack last year. I expect we'll see many more variations on this in the weeks to come - indeed, there are already fake "donation websites" popping up online so be careful what you click on...

Here's a nice find - a file that searches for a Virtual PC by means of a Registry check. If the Virtual Machine is detected, the install comes to a halt. If you're on a real computer, however, you'll find numerous files downloaded and installed onto your PC. Along with the usual Trojans, there's something called CPush:

vmdetect4.jpg

This is a Browser Helper Object related to Sogou, also from China:

http://blog.spywareguide.com/upload/2007/04/vmdetect7-thumb.jpg

There are numerous other websites mentioned in files, install logs and executables - as usual, they vary from blank pages to game websites:

http://blog.spywareguide.com/upload/2007/04/vmdetect8-thumb.jpg

Finally, some of the files make reference to a well known IRC Server used for Botnet activity - though we didn't see any live Botnet action while testing the files, there's nothing to say they couldn't install additional Bot components sometime after the initial hijack. We did find a Login page on one of the related sites, but that proves nothing - it could just as easily be an Admin Panel as it could a Command and Control Center:

http://blog.spywareguide.com/upload/2007/04/vmdetect6-thumb.jpg

What's interesting here is that it seems to share some similarities with this Worm. They both seem to have emerged at the same time - I'd love to know which one came first, though I'd prefer it if they hadn't emerged at all...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: FSL Threat Research Team, WV

Today, we'll see that even the simplest of hijacks can result in one seriously broken PC, and install what are apparently files related to a "non-profit" group taking orders from the Chinese Government's "Ministry of Information Industry" in the process. After observing a file in the database flagged by one of our researchers, I decided to take it for a test drive and see what happened. In theory, it should have been a straightforward search hijack. In practice, if this had been my "real" PC instead of a test box, I'd now be calling in the world's biggest platoon of priests and holy water.

Let's begin, shall we?

The product we'll be looking at is this thing. Starting off the action with the oldest file in the Database:

ssearch1.jpg

....it didn't take long before my PC started acting strangely. And by "strangely", I do of course mean, hijacked with a whole bunch of random bits and pieces of awfulness:

ssearch2.jpg

The above is what had been dumped into my System32 Folder. Not a lot to go on at this point, and things are about to get worse. Before my computer-based Apocalypse takes place though, let's have a look inside one of the files and see what's lurking:

ssearch3.jpg

...hmm. Randomly named file handed the task of calling down lots of executables? Usually not a good sign - especially as some of the files mentioned weren't actually showing up on the PC at this point. Hidden downloaders? Looks that way, doesn't it. However, before we can pursue this line of enquiry, all the tech forensics go out of the window when....

http://blog.spywareguide.com/upload/2007/04/ssearch5-thumb.jpg

...Internet Explorer pops open, complete with new Toolbar related addition! Is this a good time to see if anything has been deposited into the Program Files directory? You bet:

ssearch6.jpg

....hooray! Randomly named folders and files mixed in with the Toolbar folder and something called CNNIC. Remember this, because we'll be coming back to it. For now, we'll quickly examine the Add-ons in Internet Explorer and see how many new additions there have been. The short answer is "lots":

http://blog.spywareguide.com/upload/2007/04/ssearch7-thumb.jpg

As I'm sure you'll agree, there's a fair amount of Browser Helper Objects in there! At this point, I decided to give the Toolbar a go and see if it worked or not. After entering a search for "Paperghost", this is what I got:

http://blog.spywareguide.com/upload/2007/04/ssearch9-thumb.jpg

The results returned are given via the Baidu Search Engine. However, check out the bottom right hand corner - when the Toolbar was activated, a "fake warning" appeared telling me my PC had been infected and I needed to run a scan. Coincidence? Possibly. Either way, before I could click the warning and see which wonderful rogue product was about to greet me, the whole system collapsed and died in a horrible, horrible mess.

From this point onwards, the test PC would not function unless run in Safe Mode, and even then, only for a limited amount of time before rebooting itself. After a couple of attempts, I finally managed to get into the desktop and saw some new icons had appeared in Internet Explorer:

ssearch10.jpg

The yellow money-bag thing is for the Sofa Toolbar - however, the toolbar would no longer work, and it was impossible to reinstall it. Remember CNNIC? Well, clicking the blue icon on the left takes you to....

http://blog.spywareguide.com/upload/2007/04/ssearch11-thumb.jpg

...the China Internet Network Information Center!

From Wikipedia:

China Internet Network Information Center: founded as a non-profit organization on June 3, 1997, is the administrative agency responsible for Internet affairs under the Ministry of Information Industry of the People's Republic of China.

.....uh, okay, Government related webpages appearing in a hijack....new one on me. But wait, there's more:

Software produced by CNNIC

* Official version of Chinese url software, which is Malware. It installs in the user's system secretly and compulsorily, and will be automatically re-installed after you uninstall or delete it.

I had to do a little more digging than usual to find out more information on this one, because I couldn't actually get the thing to work, but one Antispyware team alleges the CNNIC software is used to hijack search results, and "also hijacks 404 pages to a controlling web server in China". In addition, you can see complaints regarding CNNIC software here and here.

Closing down Internet Explorer, I jumped over to the System32 Folder to see if anything new had been added. The answer was a resounding "yes":

http://blog.spywareguide.com/upload/2007/04/ssearch12-thumb.jpg

No wonder the PC kept keeling over, because the System32 Folder had been completely overrun by a huge amount of files (the full list of things dumped into that folder would probably have required 3 or 4 full screenshots stitched together to give you an accurate idea of what was going on in there). A few more reboots, and eventually the fake popup from earlier on returned:

ssearch13.jpg

I was able to grab one final screenshot before the PC went into a sort of Permadeath, and we were finally able to see what rogue application had been installed:

http://blog.spywareguide.com/upload/2007/04/ssearch15-thumb.jpg

....BraveSentry! After that, the test box was officially DOA. The total time taken to install all of these components was roughly ten minutes - from a seemingly harmless executable that promised maybe a Toolbar or something at best, and a few runs of your favourite Antispyware scanner at worst. If you value your PC, your sanity and your rapidly dwindling supplies of Internet Holy Water, steer well clear of this one...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
File Discovery, Research: Chris Mannon, FSL Senior Threat Researcher

About this Archive

This page is an archive of entries in the Adware / Spyware Issues category from April 2007.
