May I Help You: The Search Assistants
infectionvectors.com, April 2005
Overview
Spyware and adware often arrive in the form of “helper” applications: software designed to push advertisements to users by monitoring their search and viewing habits. Variations of this software have been around for years. Versions are generally installed only after an End User License Agreement (EULA) is accepted, and that EULA typically indicates that other software may be placed on the machine. The chief components are usually described as adware or spyware, and some packages have contained routines that kill security services and processes.
Search Assistant (by 180Search) is an application that records the web locations a user visits and reports them back to the 180Search servers. This information is compiled and analyzed, leading to targeted advertisements on the local device in the form of pop-up windows, redirections, and additional software. IMIServ is a family of programs that downloads additional adware/spyware to the local device. Both have been around for years and serve as the examples for this report.
Search assistant spyware is an especially profitable venture for companies that can get their applications onto a large number of machines. The mechanisms used to accomplish this are often less than forthright, but they allow those companies to capitalize on the millions of dollars available in web referral commissions.
180-Degree Turn
Targeted advertising has become quite a growth industry over the last decade. The Internet has provided numerous media for delivering ads and tracking user habits that did not exist prior to the web explosion.
180Search Assistant repeatedly shows up in the adware/spyware forums as users ask how to rid their systems of the troubling and annoying software.1 Although it provides a EULA as evidence that it is acting legitimately, it also uses tactics such as giving its executables nonsensical, random names to avoid immediate recognition and detection. The 180solutions family of software has also been noted to kill security software running on the local system (a tough function to explain away when defending the code as a legitimate marketing tool).2 The software updates itself, even replacing broken or missing pieces, by checking in with the 180solutions web site at startup.
The application keeps exceptionally detailed logs of what it downloads and of what it provides to both the user and the 180Search Assistant servers. A portion of one of these logs (salm.log) is shown here. Each entry keeps the format found in the logs, but all unique identifiers, including partner/merchant identifiers, have been altered:3
03/14/05 04:20:57 1724 1328 0 2 1048 0 connecting to ad page : http://64.94.137.50/showme.aspx?keyword=%2ecnn%2ecom&did=495&ver=5.15&duid=136ltcquqavixczjtqgzyhevgnosmx&partner_id=B6674A282&product_id=495&browser_ok=y&rnd=15&basename=salm&tzbias=5&MT=0163A241738EF7A5F7CBF97BDD23FD7083AAA51A2E454490DAC35D1276EF2B1207&DMT=0163A241738EF7A8F6CBF97BDD23FD7083AAA51A2E454490DF735D1276EF2B1207&WID=019DB1DED53E8000&GVI=1&HMP=E6A4F760106CB5182E1F623D6E2948123F8560B303A57F02765CD056BBA48AAA&bid=0&SID=FMNAXWDE&OS=5.0.2195.2&SLID=1033&ULID=1033&TLOC=1033&ACP=1252&OCP=437&DB=iexplore.exe&IEV=5.50.4934.1&TPM=266330112&APM=33841152&TVM=2147352576&AVM=2067390464&FDS=4294967295&LAD=1601:1:1:0:0:0&WE=5 CAdWindow.cpp 578 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
03/14/05 04:20:58 1724 1536 0 4 1014 0 Inserting key ".cnn.com" with interval 21600 into SleepList CKeywordDictionary.cpp 122 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
03/14/05 04:20:58 1724 1328 0 2 1004 0 successfully connected to ads.aspx CAdWindow.cpp 361 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
03/14/05 04:21:57 1724 1280 0 4 1063 0 new url : http://ar.atwola.com/html/93205690/553829876/aol?SNM=HIDBF&width=120&height=90&target=_blank&TZ=300&TVAR=class%3Dus.low&CT=I CBrowserMonitor.cpp 61 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
In the above snippet, one can see the keyword “cnn.com” picked up by the sentinel watching browsing habits, as well as a connection to one of the advertiser sites. Below, salm.log shows the download of additional components to the local device. All transactions are keyed to the version and to the unique identifier (the duid value in the requests) that salm generates for each installation.
03/14/05 04:10:29 1724 464 0 2 1067 0 connecting to : http://config.180solutions.com/config.aspx?did=495&ver=5.15&duid=136ltcquqavixczjtqgzyhevgnosmx&partner_id=36670434A&product_id=&browser_ok=y&rnd=9&basename=salm&tzbias=5&MT=0163A241738EF7A8F6BBF97BDD23FD7083AAA51A2E454490DF735D1276EF2B1207&DMT=0163A241738EF7A8F6ABF97BDD23FD7083AAA51A2E454490DF735D1276EF2B1207&WID=019DB1DED53E8000&GVI=1&HMP=E6A4F760106CB5182E1F62303A57F02765CD056BBA48AAA&SID=FMNAXWDE&OS=5.0.2195.2&SLID=1033&ULID=1033&TLOC=1033&ACP=1252&OCP=437&DB=iexplore.exe&IEV=5.50.4934.1&TPM=266330112&APM=42864640&TVM=2147352576&AVM=2084282368&FDS=4294967295&LAD=1601:1:1:0:0:0&WE=5&TCA=0&SCA=0&MRDS=0&LCAT=1601/01/01%2000:00:00 CConfig.cpp 421 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:30 1724 464 0 2 1010 0 downloaded config info and settings have changed CConfig.cpp 472 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
03/14/05 04:10:28 1724 464 0 4 1005 0 not downloading boomering - using latest version CBoomerang.cpp 155 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
03/14/05 04:10:28 1724 464 0 2 1119 0 adding add/remove programs entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\salm CInstaller.cpp 783 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
03/14/05 04:10:29 1724 1768 0 2 9004 0 keyword: downloading file: http://downloads.180solutions.com/keywords/kyf.450/kyf.450.mods.gz CBaseDictionary.cpp 515 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
03/14/05 04:10:29 1724 464 0 2 1037 0 attempting to download http://installs.180solutions.com/Downloads/DLL/3.0/ncmyb.dll to c:\winnt\FLEOK\salmhook.dll CWeb.cpp 129 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
03/14/05 04:10:29 1724 1516 0 2 9104 0 actionurl: downloading file: http://downloads.180solutions.com/actionurls/ActionUrl.133/ActionUrl.133.0.gz CBaseDictionary.cpp 318 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
Then comes the discovery of keywords and the related advertising hooks (note that these “keywords” were found in ads being displayed on the site being visited):
03/14/05 05:55:32 1396 280 0 2 1064 0 keyword(s) (+american*idol+robot) found in url (http://cl.cnn.com/ctxtlink/jsp/cnn-story.jsp?domid=contextuallinks&time=1110808551901&category=cnntvent&url=http://robots.cnn.com/2005/showbiz/tv/03/14/tv.american.idol.ap/index.html&site=cnn_tvent_dyn_ctxt) CBrowserMonitor.cpp 353 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
03/14/05 05:55:32 1396 1216 0 2 1002 0 wm_show_ad request received CAdWindow.cpp 138 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
03/14/05 05:55:32 1396 1216 0 2 1003 0 already showing an ad - not showing requested ad CAdWindow.cpp 143 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
03/14/05 05:55:32 1396 280 0 4 1014 0 Inserting key "american*idol" with interval 21600 into SleepList CKeywordDictionary.cpp 122 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
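The log format above is regular enough to mine for indicators during an incident. The following Python is added here as an example for this page; it is not code from the original report or from 180solutions. It parses entries in the layout the excerpts show (date, time, process and thread ids, four numeric columns, a free-text message, source file and line, then the basename, version and an identifier trailer) and separates the hosts the agent itself contacted from the browsing URLs it merely observed, the files it dropped, the registry entries it wrote, the keywords it armed, and the query parameters of the config.180solutions.com check-in (which carries values such as OS, IEV and DB that appear to describe the host environment). The column meanings and the position of the duid as the second trailer token are inferred from the excerpts, not documented anywhere; the sample entries are copied from the excerpts above with the PDF line wrapping removed.

```python
"""Mine 180Search Assistant (salm.log) entries for indicators.

Added example for this page; not code from the report or from 180solutions.
Column layout inferred from the excerpts:
  date time pid tid n level msgid n <message> <Source.cpp> <line> salm <ver> <trailer>
The trailer holds did, the per-install duid and the partner id; the duid is
taken as its second token (an inference from the excerpts)."""
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

ENTRY = re.compile(
    r"^(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) (?P<pid>\d+) (?P<tid>\d+) "
    r"\d+ (?P<level>\d+) (?P<msgid>\d+) \d+ (?P<msg>.*?) "
    r"(?P<src>\S+\.cpp) (?P<srcline>\d+) salm (?P<ver>\S+) (?P<trailer>.*)$"
)
URL = re.compile(r"https?://[^\s)]+")
DOWNLOAD = re.compile(r"attempting to download (\S+) to (\S+)")
REGKEY = re.compile(r"HK(?:LM|CU|CR|U)\\\S+")
KEY_ARMED = re.compile(r'Inserting key "([^"]+)"')
KEY_HIT = re.compile(r"keyword\(s\) \(([^)]+)\) found in url \((https?://[^\s)]+)\)")
BEACON_HOST = "config.180solutions.com"  # settings/update check-in seen in the log


@dataclass
class Summary:
    duids: set = field(default_factory=set)       # per-install identifiers seen
    contacted: set = field(default_factory=set)   # hosts the agent itself reached
    observed: set = field(default_factory=set)    # hosts the user's browser visited
    dropped: dict = field(default_factory=dict)   # local path -> download URL
    registry: set = field(default_factory=set)    # registry paths written
    keywords: set = field(default_factory=set)    # keys armed in the SleepList
    triggers: list = field(default_factory=list)  # (keyword expr, host) hits
    beacon: dict = field(default_factory=dict)    # query params of the check-in
    unparsed: list = field(default_factory=list)  # lines that did not fit ENTRY


def summarise(text: str) -> Summary:
    s = Summary()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # salm.log header/comment lines
            continue
        m = ENTRY.match(line)
        if not m:
            s.unparsed.append(line)
            continue
        msg = m["msg"]
        trailer = m["trailer"].split()
        if len(trailer) >= 2:
            s.duids.add(trailer[1])
        d = DOWNLOAD.search(msg)
        if d:
            s.dropped[d.group(2)] = d.group(1)
        s.registry.update(REGKEY.findall(msg))
        s.keywords.update(KEY_ARMED.findall(msg))
        for expr, url in KEY_HIT.findall(msg):
            s.triggers.append((expr, urlsplit(url).hostname))
        urls = URL.findall(msg)
        hosts = {urlsplit(u).hostname for u in urls}
        # "connecting to"/"attempting to download" are the agent's own requests;
        # "new url"/"found in url" come from the browser monitor threads.
        if msg.startswith(("connecting to", "attempting to download")):
            s.contacted |= hosts
        elif msg.startswith("new url") or "found in url" in msg:
            s.observed |= hosts
        for u in urls:
            if urlsplit(u).hostname == BEACON_HOST:
                q = parse_qs(urlsplit(u).query, keep_blank_values=True)
                s.beacon = {k: v[0] for k, v in q.items()}
    return s


# Constructed sample: entries from the report's excerpts with wrapping removed
# and some long query strings shortened; identifiers were altered in the report.
SAMPLE_LOG = r"""
; Search Assistant Log File
; New log session started. 03/14/2005, 04:10:28 (Process: 1724)
03/14/05 04:10:28 1724 464 0 2 1119 0 adding add/remove programs entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\salm CInstaller.cpp 783 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
03/14/05 04:10:29 1724 464 0 2 1067 0 connecting to : http://config.180solutions.com/config.aspx?did=495&ver=5.15&duid=136ltcquqavixczjtqgzyhevgnosmx&partner_id=36670434A&product_id=&browser_ok=y&rnd=9&basename=salm&tzbias=5&OS=5.0.2195.2&DB=iexplore.exe&IEV=5.50.4934.1 CConfig.cpp 421 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:29 1724 464 0 2 1037 0 attempting to download http://installs.180solutions.com/Downloads/DLL/3.0/ncmyb.dll to c:\winnt\FLEOK\salmhook.dll CWeb.cpp 129 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
03/14/05 04:20:57 1724 1328 0 2 1048 0 connecting to ad page : http://64.94.137.50/showme.aspx?keyword=%2ecnn%2ecom&did=495&ver=5.15&basename=salm CAdWindow.cpp 578 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
03/14/05 04:20:58 1724 1536 0 4 1014 0 Inserting key ".cnn.com" with interval 21600 into SleepList CKeywordDictionary.cpp 122 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
03/14/05 04:21:57 1724 1280 0 4 1063 0 new url : http://ar.atwola.com/html/93205690/553829876/aol?SNM=HIDBF&width=120&height=90 CBrowserMonitor.cpp 61 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
03/14/05 05:55:32 1396 280 0 2 1064 0 keyword(s) (+american*idol+robot) found in url (http://cl.cnn.com/ctxtlink/jsp/cnn-story.jsp?domid=contextuallinks&url=http://robots.cnn.com/2005/showbiz/tv/03/14/tv.american.idol.ap/index.html) CBrowserMonitor.cpp 353 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
03/14/05 05:55:32 1396 280 0 4 1014 0 Inserting key "american*idol" with interval 21600 into SleepList CKeywordDictionary.cpp 122 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 495 366704282
"""

if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print("agent contacted:", sorted(s.contacted))
    print("dropped:", s.dropped)
    print("armed keywords:", sorted(s.keywords))
```

The split between contacted and observed hosts matters when this output feeds proxy or DNS hunting: the agent's own destinations (config and installs hosts, the ad server IP) are the block-list candidates, while the observed hosts are just where the victim was browsing.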
What is the purpose of such software? At first glance the motive may seem to be simply pushing targeted advertisements to the general Internet-using public; direct marketing has become more and more personal over the years, and this is the logical extension of that practice. Independent researchers, however, have found another goal. When 180solutions takes users to web sites they may not have intended to visit, it ensures that the destination site “knows” that 180solutions was responsible for the connection, so that 180solutions receives any commission available for the referral.
One of the files dropped by the initial installation is a list of major web sites that pay such commissions (directly or via affiliate programs), along with the “keywords” that trigger a redirection, pop-up, etc. Benjamin Edelman has documented the exact nature of the 180solutions software, and its proclivity to “pirate” commissions from other referring services and sites, in an excellent and extensive research piece.4 In it he shows how 180solutions gets its software installed by means more subversive and stealthy than the EULA/installation method, and the tricks used to grab referral fees.
Plugging Away
In a similarly nefarious fashion, IMIServ plants itself on an unsuspecting user’s box by exploiting the capabilities of ActiveX controls. These “drive-by” installations plague web surfers who may do nothing more than connect to a site that uses a banner ad service to generate revenue.5 Much of the software that supports this program is retrieved from the IEPlugin.com (IEPL) site.
The installation routine sets an autostart entry in the Registry to ensure the application is launched at every reboot, as seen in the strings output of the executable (file position, memory position, string):
0000D274 0040D274 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
0000D2A4 0040D2A4 %swupdt.exe
The right to add new software once this application is present on a system is spelled out in the lengthy agreement that accompanies many of the installations. An updated version of the agreement is available on the IEPL web site; IEPlugin.com’s current EULA contains the following:6
6. UPDATES. You grant IEPL permission to add/remove features and/or functions to the Software and/or Service, or to install new applications, at any time, in IEPL’s sole discretion with or without your knowledge and/or interaction. You also grant IEPL permission to make any changes to the Software and/or Service provided at any time.
The application creates a unique identification number for each copy (much as worms like Beagle do) and uses it to track browsing habits. The identifier is uploaded to the ieplugin.com site, as the request fragments in the strings output show:
0000D2DC 0040D2DC 0 Accept: */*
0000D2E9 0040D2E9 0 Host: sysupdate.ieplugin.com
0000D310 0040D310 0 HTTP/1.0
0000D324 0040D324 0 &level=
0000D32C 0040D32C 0 &fstat=6
0000D338 0040D338 0 &ATL=YES
0000D344 0040D344 0 &ATL=NO
0000D34C 0040D34C 0 /?UID=%s&VERSION=%s
The initial retrieval from ieplugin.com places the following files on the user’s machine:
abi.exe
bargain4.exe
clipg.exe
extract.exe
loud.exe
qool.exe
rgrt.exe
salmbundle.exe
ssk.exe
systb.dll
winobject.dll
winserv.exe
These applications match keywords lifted from active browser windows and supply pop-up advertisements to the user’s session. Often, browser redirection is used to take potential customers to the advertiser, a form of “marketing” not available in other media. The name salmbundle.exe in the list above suggests that the 180Search Assistant (salm) is among the payloads this family bundles.
The ferocity of the installations, their proclivity to repair themselves and add new pieces, and the level of annoyance have led many remediation sites to label IMIServ a “virus.”
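A host-side check for the artifacts named in the two sections above, added here as an example for this page (it is not a tool from the report or from either vendor). It parses Run-key command lines in both the quoted and unquoted forms, then matches only file basenames and the Uninstall key name: both families randomise directory and executable names (salm’s hook DLL landed in a random folder, IEPL’s Run value is built from a “%s” prefix plus wupdt.exe), so path-based indicators would miss most installs. The indicator lists come straight from this report: the ieplugin.com drop list, salm.exe and salmhook.dll, the Uninstall\salm key and the wupdt.exe Run entry. The sample host data are constructed, and the winreg collector is only used when the script actually runs on Windows.

```python
"""Check a host for artifacts this report attributes to 180Search Assistant
(salm) and IMIServ/IEPL.  Added example for this page, not a tool from the
report or either vendor.  Matching is by basename/key name only because the
report notes both families randomise file and folder names."""
import ntpath

# From the strings output: the Run value is "%s" + "wupdt.exe", so only the
# executable name is stable; its directory is not known in advance.
RUN_EXE_IOCS = {"wupdt.exe"}

# Files the report lists as dropped by the ieplugin.com retrieval, plus the
# 180Search core (salm.exe) and the hook DLL salm fetched into a random folder.
FILE_IOCS = {
    "abi.exe", "bargain4.exe", "clipg.exe", "extract.exe", "loud.exe",
    "qool.exe", "rgrt.exe", "salmbundle.exe", "ssk.exe", "systb.dll",
    "winobject.dll", "winserv.exe", "salm.exe", "salmhook.dll",
}

# Add/Remove Programs subkey salm writes (from the salm.log excerpt).
UNINSTALL_IOCS = {"salm"}


def exe_from_command(cmd: str) -> str:
    r"""Extract the executable path from a Run-key command line.

    Handles  "C:\dir with spaces\x.exe" /arg  and  C:\dir\x.exe /arg.  An
    unquoted path that itself contains spaces is ambiguous and is cut at the
    first space (a known limitation of this check)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def audit(run_values: dict, uninstall_keys, files) -> list:
    """Return (indicator type, where found, matched value) for every IOC hit."""
    findings = []
    for name, cmd in run_values.items():
        exe = ntpath.basename(exe_from_command(cmd)).lower()
        if exe in RUN_EXE_IOCS:
            findings.append(("run_key", name, cmd))
    for key in uninstall_keys:
        if key.lower() in UNINSTALL_IOCS:
            findings.append(("uninstall_key", key, key))
    for path in files:
        base = ntpath.basename(path).lower()
        if base in FILE_IOCS:
            findings.append(("file", path, base))
    return findings


def _enum(key, fn):
    """Yield fn(key, i) for i = 0, 1, ... until winreg signals the end (OSError)."""
    i = 0
    while True:
        try:
            yield fn(key, i)
        except OSError:
            return
        i += 1


def collect_from_registry():
    """Read HKLM Run values and Uninstall subkey names via winreg.

    Returns empty results where winreg is unavailable (non-Windows) so the
    module still imports and the constructed sample below is used instead."""
    try:
        import winreg
    except ImportError:
        return {}, []
    base = r"Software\Microsoft\Windows\CurrentVersion"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + r"\Run") as key:
        run = {name: str(val) for name, val, _ in _enum(key, winreg.EnumValue)}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base + r"\Uninstall") as key:
        subkeys = list(_enum(key, winreg.EnumKey))
    return run, subkeys


# Constructed sample host data; the directories are invented for illustration.
SAMPLE_RUN = {
    "wupdt": r'"C:\WINNT\System32\wupdt.exe" /s',
    "ctfmon.exe": r"C:\WINNT\System32\ctfmon.exe",
}
SAMPLE_UNINSTALL = ["salm", "Mozilla Firefox (1.0.1)"]
SAMPLE_FILES = [
    r"C:\WINNT\FLEOK\salmhook.dll",
    r"C:\WINNT\System32\calc.exe",
    r"C:\Program Files\Common Files\winserv.exe",
]

if __name__ == "__main__":
    live_run, live_keys = collect_from_registry()
    for found in audit(live_run or SAMPLE_RUN, live_keys or SAMPLE_UNINSTALL,
                       SAMPLE_FILES):
        print(*found, sep="\t")
```

On a real host the file list would come from a walk of %windir% and Program Files; the check is deliberately name-based, so treat a hit as a lead to confirm (for instance against the salm.log entries described earlier) rather than proof on its own.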
Helping Hands
Although many people have called these applications “viruses,”7 they cannot be considered such under the traditional definition of the term: they are not self-replicating programs and there is no parasitic quality (although it could be argued that they consume resources from their hosts without consent, much as biological parasites do). Nonetheless, there is certainly enough evidence to consider them malware. Applications that forcibly change the behavior of a system without the explicit acceptance of its owner, open the door for additional applications, and transmit data back to a collection source are most often referred to as Trojan Horses or Backdoors (as well as hybrid terms such as Backdoor Trojans).
Many software developers faced with having their products called spyware (including 180solutions, which provides its technical defense on its web site) point to the acceptance of a EULA. Although that is a valid defense, it is a hard policy to hold to in a market built on installing tracking software. With the exceptional amount of money available in the paid referral market, it is inevitable that some group will capitalize on two facts: 1) it is possible to install code without consent, and 2) once your code is on a machine, you can likely remove or disable all competing software and pirate referral profits from the pirates. In fact, this has been alleged a number of times; adware that carries process killers has been well documented, and sometimes those routines are aimed at competing adware applications.8
Given the state of the “marketplace,” it is easy to see why many adware/spyware creators may feel forced into less than ethical decisions to keep their customers. The poor choices and strategies of just a few organizations would be enough to give the industry a bad reputation; unfortunately, it seems to most users that every adware distributor is malicious.
Numerous anti-spyware groups have grown out of a worldwide frustration with the threat.9 The malware research community has wrestled with whether the software is a unique category (i.e., spyware) or just another incarnation of the Trojan. An organization can sidestep that discussion entirely by viewing the threat as nothing more than another reason to enforce configuration management practices and harden client devices against intrusion. Users, familiar with the plight of their home computers, will likely be easy to convince of the dangers of spyware and will accept restrictions on browsing options if required. Companies should take a thorough look at spyware in terms of resource costs (bandwidth and computing power drained away) and data costs (threats to data confidentiality and integrity). The resources available at infectionvectors.com can help evaluate assets, prioritize mitigation tactics, and plan overall malware defense strategies.
References
1. The core application for the Search Assistant, SALM.EXE, is catalogued as spyware/adware at LI Utilities: http://www.liutilities.com/products/wintaskspro/processlibrary/salm/
Symantec catalogs it as Adware and describes the routines of this software: http://sarc.com/avcenter/venc/data/adware.180search.html
Catalogued as ADW_NCASE (after n-CASE, 180solutions’ Comparison Alternative Shopping Engine) by Trend Micro: http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=ADW%5FNCASE%2EC
2. Some 180Search Applications Have Additional Code that Kills Security Software http://vil.mcafeesecurity.com/vil/content/Print128590.htm
3. All logs are from a device with a running installation of the software described. The only change, outside of snipping from the original context, is to change the characters in the unique identifiers.
4. Research Indicates 180solutions Artificially Inflates Tracking Statistics for Merchant Pay-Per-Click. A very interesting and detailed study: http://www.benedelman.org/spyware/180-affiliates/
5. The IMIServ Family is described by Computer Associates: http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41623
It is catalogued as Backdoor.IMIServ (called Trojan Horse) by Symantec: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.imiserv.html
And a description of its “drive by” nature by Symantec: http://sarc.com/avcenter/venc/data/adware.ieplugin.html
6. EULA for IMIServ: http://www.ieplugin.com/terms.html. Also of note is clause c): “This agreement is governed by the laws of Belize. The United Nations Convention on Contracts for the Sale of Goods does not apply to this Agreement.”
7. As one example, the first result returned by an MSN search, a page whose posters call this a virus: http://www.answersthatwork.com/Tasklist_pages/tasklist_w.htm
8. “Adware cannibals feast on each other.” Stefanie Olsen, 7 December 2004, CNET News.com. http://news.com.com/Adware+cannibals+feast+on+each+other/2100-1024_3-5482276.html
9. One response from Microsoft is their Spyware Information Page: http://www.microsoft.com/athome/security/spyware/strategy.mspx
Appendix A: Snippets from the list of commission-paying sites dropped at installation (described under “180-Degree Turn”):
52048 867911 prevacid.com prevacid_offers prevacid_offer thank_you.asp
52049 867912 prevacid.com prevacid_offers prevacid_offer thank_you.asp
52050 867913 prevacid.com prevacid_offers prevacid_offer thank_you.asp
52052 867915 prevacid.com prevacid_offers prevacid_offer thank_you.asp
52053 867916 prevacid.com prevacid_offers prevacid_offer thank_you.asp
52054 867917 prevacid.com prevacid_offers prevacid_offer thank_you.asp
52055 867918 prevacid.com prevacid_offers prevacid_offer thank_you.asp
52056 867920 prevacid.com prevacid_offers prevacid_offer thank_you.asp
52057 867921 prevacid.com prevacid_offers prevacid_offer thank_you.asp
52058 867922 prevacid.com prevacid_offers prevacid_offer thank_you.asp
52059 867923 prevacid.com prevacid_offers prevacid_offer thank_you.asp
52060 867924 prevacid.com prevacid_offers prevacid_offer thank_you.asp
52061 867925 prevacid.com prevacid_offers prevacid_offer thank_you.asp
52062 867926 prevacid.com prevacid_offers prevacid_offer thank_you.asp
52063 867927 prevacid.com prevacid_offers prevacid_offer thank_you.asp
52064 867928 prevacid.com prevacid_offers prevacid_offer thank_you.asp
52065 867929 prevacid.com prevacid_offers prevacid_offer thank_you.asp
52066 867930 prevacid.com prevacid_offers prevacid_offer thank_you.asp
73672 889911 earthsake.com shopsite_sc shopping_cart thankyou
73673 498456 france.intercasino.com/getting_started/thankyou.shtml
73674 483308 france.intercasino.com/getting_started/thankyou.shtml
73675 512990 deutsch.intercasino.com/getting_started/thankyou.shtml
73676 483329 deutsch.intercasino.com/getting_started/thankyou.shtml
73677 512956 italia.intercasino.com/getting_started/thankyou.shtml
73678 483330 italia.intercasino.com/getting_started/thankyou.shtml
73679 512991 espana.intercasino.com/getting_started/thankyou.shtml
73680 483331 espana.intercasino.com/getting_started/thankyou.shtml
73681 902311 .loanselect.us/fast_loan_submit.php
73682 902312 .loanselect.us/fast_loan_submit.php
73684 931050 .loanselect.us/fast_loan_submit.php
73685 931051 .loanselect.us/fast_loan_submit.php
Appendix B: Snippets from SALM.LOG:
; Search Assistant Log File
; 5.7
; New log session started. 03/14/2005, 04:10:28 (Process: 1724)
03/14/05 04:10:27 1724 1572 0 4 1061 0 180SA started - version : 5.15.15 180SA.cpp 386 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:28 1724 1572 0 2 1145 0 removing extra boomerangs - leaving 1 behind CUtil.cpp 338 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:28 1724 1328 0 2 1000 0 ad thread started CAdThread.cpp 118 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:28 1724 1572 0 2 1076 0 starting dde thread CDdeUrlDetect.cpp 254 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:28 1724 1280 0 2 1077 0 dde thread started CDdeUrlDetect.cpp 145 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:28 1724 1572 0 2 1055 0 ie monitor thread started CIEMonitor.cpp 74 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:28 1724 1572 0 2 1119 0 adding add/remove programs entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\salm CInstaller.cpp 783 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:28 1724 1572 1 4 5034 126 could not find the dll CMainWnd.cpp 198 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:28 1724 1384 0 2 9005 0 keyword: entering the load dictionary file thread CBaseDictionary.cpp 213 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:28 1724 856 0 2 9105 0 actionurl: entering the load dictionary file thread CBaseDictionary.cpp 213 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:28 1724 1164 0 2 9205 0 geourl: entering the load dictionary file thread CBaseDictionary.cpp 213 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:28 1724 464 0 4 1115 0 Timer expired. Now(4165341251) Begin(4134582824) Diff(30758427) Delay(20) CTimer.cpp 61 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:28 1724 856 0 2 9100 0 actionurl: loading from file CBaseDictionary.cpp 573 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:28 1724 1164 0 2 9200 0 geourl: loading from file CBaseDictionary.cpp 573 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:28 1724 1384 0 2 9000 0 keyword: loading from file CBaseDictionary.cpp 573 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:29 1724 1164 0 1 9208 0 geourl: adding keywords - current keyword count = 0 CBaseDictionary.cpp 759 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:29 1724 1164 0 1 9210 0 geourl: processed 77 keywords - sorting... CBaseDictionary.cpp 828 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:29 1724 1164 0 1 9211 0 geourl: dictionary sorted CBaseDictionary.cpp 832 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:29 1724 1164 0 2 9201 0 geourl: 77 keywords were added - new keyword count = 77 CBaseDictionary.cpp 837 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:29 1724 1164 0 2 9206 0 geourl: leaving the load dictionary file thread CBaseDictionary.cpp 231 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282
03/14/05 04:10:29 1724 464 0 2 1067 0 connecting to : http://config.180solutions.com/config.aspx?did=495&ver=5.15&duid=136ltcquqavixczjtqgzyhevgnosmx&partner_id=366704282&product_id=&browser_ok=y&rnd=9&basename=salm&tzbias=5&MT=0163A241738EF7A8F6CBF97BDD23FD7083AAA51A2E454490DF735D1276EF2B1207&DMT=0163A241738EF7A8F6CBF97BDD23FD7083AAA51A2E454490DF735D1276EF2B1207&WID=019DB1DED53E8000&GVI=1&HMP=E6A4F760106CB5182E1F623D6E2948123F8560B303A57F02765CD056BBA48AAA&SID=FMNAXWDE&OS=5.0.2195.2&SLID=1033&ULID=1033&TLOC=1033&ACP=1252&OCP=437&DB=iexplore.exe&IEV=5.50.4934.1&TPM=266330112&APM=42864640&TVM=2147352576&AVM=2084282368&FDS=4294967295&LAD=1601:1:1:0:0:0&WE=5&TCA=0&SCA=0&MRDS=0&LCAT=1601/01/01%2000:00:00 CConfig.cpp 421 salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx 366704282