Christopher Boyd: March 2007 Archives

There's a long line of browsers that have completely failed to enhance end-users security and peace of mind on the web. Yapbrowser, which redirected you to illegal porn with the click of a button; The "Safety Browser", which was anything but safe and arrived in the form of an Instant Messaging hijack; Browsezilla, which allegedly increased the hitcount for various adult websites; and now, fresh out of the blocks, NetBrowserPro.

For some reason, the majority of these browsers want to convince you of their focus on security. Look at Yapbrowser's resurrection, where they laid claim to a 100% "guarantee" that no malicious code would enter your system while using the browser. Or Safety Browser, which had popups enabled by default and hijacked your IE Start Page.

NetBrowserPro (whose website actually shares the same IP address as Browsezilla - 216.255.178.220) follows this noble tradition, with the bold claim that:

"NetBrowserPro is the internet browser which aimed to the one thing - help you to watch porn.
Secure, confidential, quick and free.

Secure? Sure it is! About half of all "free porn sites" tries to install trojan or adware program to your computer in some way. According to the researches Internet Explorer was vulnerable to intrusions during 284 days of the last year! You could always use other browser, like, for instance, Firefox, but it was vulnerable as well, however, during less than 56 days. Some people use antiviruses, but in practice antiviruses databases are being updated less frequently than the virus-makers release new viruses. However, all vulnerabilities are quite similar and do have similar methods of penetration. These methods use browsers' built-in features. In common life you do need such features to visit simple online shops, banks and other sites, but you don't need these features when you surf porn. NetBrowserPro uses only features, which are necessary to surf porn, it switch everything except this off. So there is absolutely no gap for the virus."

Well, there's probably no "gap for the virus" because according to Rootkit Revealer it comes with its very own rootkit!

http://blog.spywareguide.com/upload/2007/03/netbpro1-thumb.jpg

How does this all begin? With a download of something called "121.exe" from the NetBrowserPro website, assuming you liked the sound of the product enough to download it in the first place:

http://blog.spywareguide.com/upload/2007/03/netbpro2-thumb.jpg

Once downloaded, if the user runs the file they'll be faced with the following box containing the kind of EULA that I refer to as a "free for all" - because they effectively want you to agree to them updating pretty much whatever they want, whenever they want without having to notify you. Again, note the reference to "security":

http://blog.spywareguide.com/upload/2007/03/netbpro3-thumb.jpg

It seems "security" is equated with the removal of choice and forcing you to accept their definition of what security might entail - take it or leave it, effectively. But how do we know they've made the right choices with regard to their "browser security"? Of course, the answer is we don't.

Once you click through, a site called Codecaddon.com ("Codec Add-on") is contacted, and you are shown a EULA for something called MovieCommander:

http://blog.spywareguide.com/upload/2007/03/netbpro4-thumb.jpg

Wondering what it is? Well, the Codecaddon.com website is a big clue. Look at the graphics and site layout below:

http://blog.spywareguide.com/upload/2007/03/netbpro9-thumb.jpg

....and compare and contrast with the second site listed on this writeup from Sunbelt Software. As you can see, the site is a carbon copy of TVCodec.com. These are known as "fake codecs", and installing them is a very bad idea. Interestingly, many of the sites on the same IP address as both NetBrowserPro and Browsezilla are porn galleries that prompt you to install fake codecs to view their content.

Once everything is installed, the browser will autostart on your desktop. Before we get to the browser itself, look at the logo:

netbpro6.jpg

...seem familiar? It should, because it's almost identical to the Netscape Navigator logo. Indeed, the font used for the N appears to be identical to the Netscape one. We've seen "alternative" browsers use logos that are similar to more familiar browsers before (the Safety Browser did a poor imitation of the Internet Explorer logo, for example). The reason for this similarity can be anything from a lack of creativity on the part of the graphic designer to (in more malign cases) a desire to fool the user that it's somehow related to the more mainstream brand.

Of course, it could just be one huge coincidence.

At this point, we can finally take a look at the browser:

http://blog.spywareguide.com/upload/2007/03/netbpro5-thumb.jpg

Note the (limited) options at the top include the ability to turn images on and off, add links and "boss", which presumably is a panic button for when you're in the workplace. I'm not entirely sure who would be using this in any sort of workplace, but at any rate, that's about all you can do with this thing. With regard to your saved bookmarks, the NetBrowserPro website states:

"Moreover, all bookmarks are being kept on the remote server, which excludes the opportunity of viewing them, even with the full access to the computer."

We have absolutely no information about their "remote server", its security, what they do with the stored information or anything else. Does this sound "secure" to you? However, worse is to come. NetBrowserPro lets you click into apparently random galleries of porn that are hosted elsewhere. Sadly, many of the links clicked take the user to the kind of redirect sites that contain nothing but hundreds of images of all sorts of random pornography. Anyone that's been caught in a porn trap will know the kind of pages I'm describing. Well, though most of these redirects serve up "regular" porn, one or two took me to sites that contained what I can only describe as a couple of "dubious looking" models. While they may well be of legal age, the fact that an initial reaction to these images was "how old?" is never a particularly good indicator of the overall content of those sites, or indeed what they link to. As the sites served up by the browser seem to be randomly selected each time you fire it up, there's no real way to know what you're going to get, and that's a surefire way to have your product dropped off a cliff in a hurry. Can the people behind NetBrowserPro absolutely guarantee that none of the redirects will take you to something you'd rather not see? That all of the people serving up the content they link to are 100% legitimate? I don't see how that's physically possible, and because of this random element of chance, of having to put blind faith in a product that apparently uses rootkit / fake codec technology....I'd advise end-users not to install and run this program.

Sadly, yet another browser joins Yap, Safety and BrowseZilla in the naughty corner...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

StatCounter Say No...


A long time ago, I signed up to the StatCounter service, though I don't think I ever used it. Well, sometimes I still get email based newsletters and this particular one happened to catch my eye....

Folks,

A few months back, StatCounter was approached by an advertiser, offered lots of $$$, and asked to include a spyware cookie on all of our member sites - we refused on the spot.

You install StatCounter to track visitors to your site NOT to open yourself and your visitors up to being spied upon by phantom advertising corporations.

It appears, however, that other players in the world of webstats were happy to take up this offer...

Full text can be seen on their blog entry here. However, what really caught my eye was this entry in the comments:

Psst, I know the counter that took the cookie offer and big thumbs down. I visit a site that has it and has the upgraded version which costs them over $20 a month and to add insult to injury they now have the cookie which also tries to redirect them to a strange website - that is when the website LOADS. It gets worse because their site is tied in to a web designer who now charges them to remove the counter code which holds the cookie.

That doesn't sound particularly appealing, does it?

http://blog.spywareguide.com/upload/2007/03/spamlol1-thumb.jpg

....any takers? I think someone needs to hire a proof reader...

Check out this piece over at ITWeek. I offer up a few thoughts on the current craze for Chinese Adware and Malware - more and more, this stuff is starting to spread outside the confines of China itself and out into the West. There's a near limitless supply of these infections at the moment, and while a lot of it is throwaway rubbish (or older, rehashed files) some of the more advanced specimens are doing pretty clever things and proving extremely hard to remove in the process....

Here's an interesting one from the database - a colleague of mine came across this a few weeks ago and now here we are, about to plunge into the depths of some more Chinese-related Malware. This time round, there's a little twist thrown in for good measure - East meets West, if you will.

We begin our journey with a Trojan called Symfly - from this file, another payload (sna.exe) was installed and during this process, something called Install7.exe was eventually brought kicking and screaming into the world. Already, we're dealing with a file three notches down a daisy-chain, which will likely give you an idea of the complexity behind this particular hijack. From close examination of the inner workings of the files involved, we can eventually determine that a site called Renwu is at the heart of the action - to the casual observer, you'd think there was nothing to see. However, the login prompt is a sure sign there's something going on. After the Install7 file has executed, a file called Demnsvr.exe is dumped into your Windows directory. Sometimes the install fails at this point - if it works, you'll know for sure because (along with some .dll files, a service and a BHO for Internet Explorer) it deposits a log file on your desktop which is kind of a giveaway:

install7exe2.jpg
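As an added defender's example (not part of the original write-up), here is a PowerShell check for the host artifacts the post attributes to this chain: the dropped Demnsvr.exe in the Windows directory, any Browser Helper Object registered for Internet Explorer (the Alexa Toolbar installed later is itself a BHO), services running from outside the Windows directory, and a log file on the desktop. The "*.log" desktop pattern and the "outside the Windows directory" heuristic are my assumptions; the post does not name the log file.

```powershell
function Find-Install7Artifacts {
    # Collect indicators matching the chain described in the post. Each finding
    # is a string for an analyst to review; nothing is deleted or changed here.
    $findings = @()

    # 1. Dropped executable in the Windows directory (the post names Demnsvr.exe).
    $dropped = Join-Path $env:WINDIR 'Demnsvr.exe'
    if (Test-Path $dropped) { $findings += "Dropped file present: $dropped" }

    # 2. Internet Explorer Browser Helper Objects. Each subkey is a CLSID; resolve
    #    it to the DLL it loads so an unexpected entry stands out.
    $bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        foreach ($sub in Get-ChildItem $bhoKey) {
            $clsid  = $sub.PSChildName
            $server = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $dll    = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { '<unresolved>' }
            $findings += "BHO $clsid -> $dll"
        }
    }

    # 3. Services whose binary is not under the Windows directory.
    #    Heuristic (assumption): a freshly dropped service usually is not.
    $winDir = [regex]::Escape($env:WINDIR)
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch "^\s*`"?$winDir\\"
    } | ForEach-Object { $findings += "Service $($_.Name): $($_.PathName)" }

    # 4. Log file on the desktop (the post says the install drops one there;
    #    the *.log pattern is an assumption, the post does not give the name).
    $desktop = [Environment]::GetFolderPath('Desktop')
    Get-ChildItem -Path $desktop -Filter '*.log' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Desktop log file: $($_.FullName)" }

    return $findings
}

Find-Install7Artifacts
```

Expect legitimate third-party services (Program Files paths) in the output too; the point is to review the list, not to treat every line as malicious. On 64-bit Windows, 32-bit BHOs register under the Wow6432Node branch of the same keys.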

At this point, an "updater" section on the Renwu site creates Adcheat and Historyclear on the infected PC. I couldn't decide if history clear was protecting my privacy or offering me a bite to eat, and Adcheat (seemingly) wants to make a call to Australia:

install7exe15.jpg

..however, this is actually a server in China, and has apparently been flagged for matters relating to Spam in the past. Of course, it comes as no shock to discover the Renwu site is tied to this server; less so, the other domains listed on it. Bill Gates is a Registrar for this website? Wow! Even better, check out this guy - Mr Drgd Drgdrgr!

With a background like that, no wonder those spam databases have issues with this box!

Eventually, we come to the next oddity of this install.....the Alexa Toolbar, installed without consent via FTP:

http://blog.spywareguide.com/upload/2007/03/install7exe5-thumb.jpg

Note the popup asking you to install a Chinese Language Pack.

What happened to the installer prompt / EULA, I hear you cry? Well, a box appears all-too-briefly in the middle of the screen - not exactly brimming with content, but then considering it's only on your screen for about half a second I can't say I'm too surprised. It took me long enough getting that screenshot. At time of writing, the Alexa Toolbar is no longer installing, but as you can see here, the file is still on the server and could easily be re-activated (it's been up and down a few times so far already). It's worth noting that when this file is installed, the desktop has a tendency to become unusable and only a reboot will cure it.

I've mentioned in the past that attempting to tackle Adware and Spyware from China is a whole new world of exploration, because of the difficulties involved in ascertaining the who, what, when, where and why of a case. Here again, we have the same difficulty. Seemingly random websites are called out to - why? Who runs them? Are they legit? Who do you contact? Could they be innocent parties, hosting backdoored files? Or are they just sites the Malware creator likes to visit in his spare time? Here's a sample selection of some of the sites called out to when the initial infection file runs and begins the process of calling down the individual files. Note - none of the below sites actually carry any of the payloads...

http://blog.spywareguide.com/upload/2007/03/install7exe6-thumb.jpg
http://blog.spywareguide.com/upload/2007/03/install7exe7-thumb.jpg
http://blog.spywareguide.com/upload/2007/03/install7exe9-thumb.jpg

....at this point, we need to tie it all together. Let's examine the Alexa Toolbar for a moment. It's Wikipedia time:

"The Alexa Toolbar, an application produced by Alexa Internet, is a Browser Helper Object for Internet Explorer on Microsoft Windows that is used by Alexa to measure website statistics."

...in other words, the Alexa figures for website rankings are based on the statistics generated by users who surf with the Alexa Toolbar installed.

Remember the Adcheat file I mentioned earlier? Well, after Adcheat has phoned home and HistoryClear.exe has wiped your cookie cache, the Alexa Toolbar is installed and a call is made to this site (note the two domains listed on the page). From there, a call is made to the below site (note the Alexa sub-domain Renwu.info is touting):

http://blog.spywareguide.com/upload/2007/03/hotrockrenwu-thumb.jpg

This is apparently a redirect to a site called Hotrock.cn.

The question is, is this an incredibly over-elaborate attempt to artificially inflate the Alexa ranking of one (or more) of the sites listed above? If so, they're not having much luck with it. All three sites - Renwu, Hotrock and Aqclub - are outside the top 100,000. An interesting tactic would have been to try and generate income via sponsored Amazon links - this is something we're still currently investigating, though it would make sense with regard to installing the Alexa Toolbar in the first place. What is interesting is this graph comparing the traffic to the previously mentioned websites:

http://blog.spywareguide.com/upload/2007/03/3sites-thumb.jpg

From about halfway through January (when these files first started showing up) up to the present day, both Hotrock and Aqclub have amazingly similar traffic patterns, right down to the way it rises and falls at certain points on the graph. Remember, both of these sites are mentioned on the Renwu page that's called once the Alexa Toolbar is force-installed.

Coincidence?

It'd have to be a pretty large one...

Research and Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher

If you use Wordpress for Blogging fun and games, make sure you pay attention to this notice. Quote time:

"Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately."

Continuing the current theme of virtual programs creating real-world issues, here's a newspaper having its distribution severely affected because of an infection crippling production equipment.

Must have been one heck of a virus...

Check out Marketscore and New.net. Not a spectacular score, threat wise - there's plenty of things out there with a bigger, badder bite. Yet in some strange way, both of these two have been tangled up in the Julie Amero case (according to the details filtering out from the ongoing case, they were both present on the infected PC spawning the popups) and she faces anything up to forty years in jail because of some fairly generic, otherwise harmless porn adverts.

My question is, do we need to start applying a "real world" danger ranking to Adware and Spyware? And if so, what other possible score could we give than the equivalent of "10 - Extremely Dangerous"? If any and all Adware can now be used to lever a situation where someone could face jail time, what other response could we have?

About this Archive

This page is an archive of recent entries written by Christopher Boyd in March 2007.

Christopher Boyd: February 2007 is the previous archive.

Christopher Boyd: April 2007 is the next archive.
