May I Help You: The Search Assistants
infectionvectors.com, April 2005
Overview
Spyware and adware often arrive in the form of “helper” applications: software designed to push advertisements to users by monitoring their search and viewing habits. Variations of the software have been around for years; versions are generally installed only after an End User License Agreement (EULA) is accepted (which indicates that other software may be placed on the machine). Its chief components are often described as adware or spyware, and some packages have contained applications that kill security services/processes. Search Assistant (by 180Search) is an application that records the web locations a user visits and reports them back to the 180Search servers. This information is compiled and analyzed, leading to targeted advertisements on the local device in the form of pop-up windows, redirections, and additional software. IMIServ is a family of programs that download additional adware/spyware to the local device. Both of these applications have been around for years and serve as the examples for this report. Search assistant spyware is an especially profitable venture for companies capable of getting their applications onto a high number of machines. The mechanisms employed to accomplish this are often less than forthright, but nonetheless allow companies to capitalize on the millions of dollars available in web referral commissions.
180-Degree Turn
Targeted advertising has become quite a growth industry over the last decade. The Internet has provided numerous mediums for delivering ads and tracking user habits that did not exist prior to the web explosion. 180Search Assistant repeatedly shows up in the adware/spyware forums as users ask how to rid their systems of the troubling and annoying software.[1] Although it does provide a EULA as evidence that it is acting legitimately, it also uses tactics such as giving executables nonsensical, random names to avoid immediate recognition and detection. The 180solutions family of software has also been noted to kill security software running on the local system (a tough function to explain away when defending the code as a legitimate marketing tool).[2] The software will update itself, even fixing broken or missing pieces, by checking with the website upon startup.
The application itself keeps exceptional logs of what it downloads and provides to both the user and the 180Search Assistant servers. A portion of one of the logs (salm.log) is shown here (note that although each entry is in the same format as was found in the logs, all unique identifiers, including partner/merchant identifiers, have been altered):[3]
03/14/05
to ad page : http://64.94.137.50/showme.aspx?keyword=%2ecnn%2ecom&did=495&ver=5.15&duid=136ltcquqavixczjtqgzyhevgnosmx&partner_id=B6674A282&product_id=495&browser_ok=y&rnd=15&basename=salm&tzbias=5&MT=0163A241738EF7A5F7CBF97BDD23FD7083AAA51A2E454490DAC35D1276EF2B1207&DMT=0163A241738EF7A8F6CBF97BDD23FD7083AAA51A2E454490DF735D1276EF2B1207&WID=019DB1DED53E8000&GVI=1&HMP=E6A4F760106CB5182E1F623D6E2948123F8560B303A57F02765CD056BBA48AAA&bid=0&SID=FMNAXWDE&OS=5.0.2195.2&SLID=1033&ULID=1033&TLOC=1033&ACP=1252&OCP=437&DB=iexplore.exe&IEV=5.50.4934.1&TPM=266330112&APM=33841152&TVM=2147352576&AVM=2067390464&FDS=4294967295&LAD=1601:1:1:0:0:0&WE=5
key ".cnn.com" with interval 21600 into SleepList
successfully connected to ads.aspx CAdWindow.cpp
http://ar.atwola.com/html/93205690/553829876/aol?SNM=HIDBF&width=120&height=90&target=_blank&TZ=300&TVAR=class%3Dus.low&CT=I
In the above snippet, one can see the keyword “cnn.com” picked up by the sentinel watching browsing habits, as well as a connection to one of the advertiser sites. Below, the salm.log file shows the download of additional components to the local device. All transactions are controlled by the version tracker and the unique identifier that salm generates for each installation.
03/14/05
to : http://config.180solutions.com/config.aspx?did=495&ver=5.15&duid=136ltcquqavixczjtqgzyhevgnosmx&partner_id=36670434A&product_id=&browser_ok=y&rnd=9&basename=salm&tzbias=5&MT=0163A241738EF7A8F6BBF97BDD23FD7083AAA51A2E454490DF735D1276EF2B1207&DMT=0163A241738EF7A8F6ABF97BDD23FD7083AAA51A2E454490DF735D1276EF2B1207&WID=019DB1DED53E8000&GVI=1&HMP=E6A4F760106CB5182E1F62303A57F02765CD056BBA48AAA&SID=FMNAXWDE&OS=5.0.2195.2&SLID=1033&ULID=1033&TLOC=1033&ACP=1252&OCP=437&DB=iexplore.exe&IEV=5.50.4934.1&TPM=266330112&APM=42864640&TVM=2147352576&AVM=2084282368&FDS=4294967295&LAD=1601:1:1:0:0:0&WE=5&TCA=0&SCA=0&MRDS=0&LCAT=1601/01/01%2000:00:00
136ltcquqavixczjtqgzyhevgnosmx 366704282
downloading boomering - using latest version
salm 5.15 495 136ltcquqavixczjtqgzyhevgnosmx
add/remove programs entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\salm
downloading file: http://downloads.180solutions.com/keywords/kyf.450/kyf.450.mods.gz
to download http://installs.180solutions.com/Downloads/DLL/3.0/ncmyb.dll to c:\winnt\FLEOK\salmhook.dll CWeb.cpp 129 salm
downloading file: http://downloads.180solutions.com/actionurls/ActionUrl.133/ActionUrl.133.0.gz
The log then records the discovery of keywords and the related advertising hooks (note that these “keywords” were found in ads being displayed on a site being visited):
03/14/05
(+american*idol+robot) found in url (http://cl.cnn.com/ctxtlink/jsp/cnn-story.jsp?domid=contextuallinks&time=1110808551901&category=cnntvent&url=http://robots.cnn.com/2005/showbiz/tv/03/14/tv.american.idol.ap/index.html&site=cnn_tvent_dyn_ctxt) CBrowserMonitor.cpp
showing an ad - not showing requested ad CAdWindow.cpp
key "american*idol" with interval 21600 into SleepList
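As an added example (not from the original report), the following Python pulls the salient indicators out of lines in the salm.log format excerpted above: the install identifier (duid) and partner identifiers carried in the ad and config requests, the hosts contacted, the SleepList keywords with their suppression intervals, the uninstall key, and the component dropped on disk under a name different from the one it was served as. The sample lines are constructed after the excerpts, and every identifier in them is a placeholder.

```python
"""Triage a 180Search salm.log excerpt: install identifiers, hosts contacted,
keyword triggers and what was dropped on disk. Sample lines are constructed
after the article's excerpts; every identifier in them is a placeholder."""
import re
from urllib.parse import urlsplit, parse_qs

SAMPLE_LOG = r"""
to ad page : http://64.94.137.50/showme.aspx?keyword=%2ecnn%2ecom&did=495&ver=5.15&duid=EXAMPLEDUID000&partner_id=PARTNER01&product_id=495&basename=salm
key ".cnn.com" with interval 21600 into SleepList
to : http://config.180solutions.com/config.aspx?did=495&ver=5.15&duid=EXAMPLEDUID000&partner_id=PARTNER02&basename=salm
downloading file: http://downloads.180solutions.com/keywords/kyf.450/kyf.450.mods.gz
to download http://installs.180solutions.com/Downloads/DLL/3.0/ncmyb.dll to c:\winnt\FLEOK\salmhook.dll CWeb.cpp 129 salm
add/remove programs entry: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\salm
(+american*idol+robot) found in url (http://cl.cnn.com/ctxtlink/jsp/cnn-story.jsp?domid=contextuallinks) CBrowserMonitor.cpp
key "american*idol" with interval 21600 into SleepList
"""

KEY_RE = re.compile(r'^key "([^"]+)" with interval (\d+) into SleepList')
REQ_RE = re.compile(r'^to (?:ad page )?: (\S+)')      # ad-server or config request
FILE_RE = re.compile(r'^downloading file: (\S+)')
DROP_RE = re.compile(r'^to download (\S+) to (\S+)')   # served URL -> path on disk
UNINST_RE = re.compile(r'^add/remove programs entry: (\S+)')
FOUND_RE = re.compile(r'^\(([^)]+)\) found in url \(([^)]+)\)')

def triage(log_text):
    duids, partners, hosts = set(), set(), set()
    out = {"keywords": {}, "downloads": [], "dropped_files": [],
           "uninstall_keys": [], "triggers": []}
    for line in log_text.splitlines():
        if m := KEY_RE.match(line):
            out["keywords"][m[1]] = int(m[2])          # seconds before the key may fire again
        elif m := DROP_RE.match(line):
            out["dropped_files"].append((m[1], m[2]))  # served name differs from name on disk
            hosts.add(urlsplit(m[1]).hostname)
        elif m := FILE_RE.match(line):
            out["downloads"].append(m[1])
            hosts.add(urlsplit(m[1]).hostname)
        elif m := REQ_RE.match(line):
            parts = urlsplit(m[1])
            hosts.add(parts.hostname)
            q = parse_qs(parts.query)                  # duid/partner_id tie the install to an account
            duids.update(q.get("duid", []))
            partners.update(q.get("partner_id", []))
        elif m := UNINST_RE.match(line):
            out["uninstall_keys"].append(m[1])
        elif m := FOUND_RE.match(line):
            out["triggers"].append((m[1], m[2]))       # visited page that tripped a keyword, not adware infrastructure
    out.update(duids=sorted(duids), partner_ids=sorted(partners), hosts=sorted(hosts))
    return out
```

The host list is the set a proxy or DNS log can be searched for, while the duid and partner identifiers let two infected machines be tied to the same distribution partner.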
What is the purpose of such software? At first glance, the motive may seem to be simply pushing targeted advertisements to the general Internet-using public. Direct marketing has become more and more personal over the years; this is the logical extension of that practice. However, independent researchers have found another goal of such software. When 180solutions takes users to web sites that the user may not have intended to visit, it ensures that the destination web site “knows” that 180solutions was responsible for the connection. In this way, 180solutions makes sure it receives any commission that is available for the referral. One of the files dropped by the initial installation is a list of major web sites that pay such commissions (directly or via affiliate programs). In addition, it includes “keywords” that trigger a redirection, pop-up, etc. Benjamin Edelman has extensively documented the exact nature of the 180solutions software, and its proclivity to “pirate” commissions from other referring services/sites, in an excellent research piece.[4] In it he shows how 180solutions gets its software installed by means more subversive and stealthy than the EULA/installation method, and the tricks used to grab referral fees.
Plugging Away
In a similarly nefarious fashion, IMIServ plants itself on an unsuspecting user’s box by exploiting the capabilities of ActiveX controls. These “drive by” installations plague web surfers who may do nothing more than connect to a site that uses a banner ad service to generate revenue.[5] Much of the software that supports this program is retrieved from the IEPlugin.com (IEPL) site. The installation routine sets an autostart entry in the Registry to ensure the application is launched with every reboot, as seen in a strings output of the executable:
0000D274 0040D274 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
0000D2A4 0040D2A4 %swupdt.exe
The right to add new software once this application is present on a system is mentioned in the lengthy agreement that accompanies many of the installations. An updated version of the agreement is available on the IEPL web site. IEPlugin.com’s current EULA contains the following:[6]
6. UPDATES. You grant IEPL permission to add/remove features and/or functions to the Software and/or Service, or to install new applications, at any time, in IEPL’s sole discretion with or without your knowledge and/or interaction. You also grant IEPL permission to make any changes to the Software and/or Service provided at any time.
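An added example, not from the original report, for the strings-output excerpts in this section (the autostart entry above and the HTTP beacon strings quoted next): it parses the dump format used here (file offset, virtual address, optional flag, string), ties the Run key to the executable-name template stored right after it in the binary, and recovers the beacon host, URL template and query parameters. The sample lines are constructed after the excerpts; the adjacency window and the parameter heuristics are assumptions, not anything the report states.

```python
"""Static triage of a strings-style dump (file offset, virtual address, optional
flag, string) as excerpted for IMIServ: autostart key with the executable-name
template stored next to it, plus an HTTP beacon template carrying an install id.
Sample lines are constructed after the article's excerpt."""
import re

SAMPLE_STRINGS = r"""
0000D274 0040D274 SOFTWARE\Microsoft\Windows\CurrentVersion\Run
0000D2A4 0040D2A4 %swupdt.exe
0000D2DC 0040D2DC 0 Accept: */*
0000D2E9 0040D2E9 0 Host: sysupdate.ieplugin.com
0000D310 0040D310 0 HTTP/1.0
0000D324 0040D324 0 &level=
0000D32C 0040D32C 0 &fstat=6
0000D338 0040D338 0 &ATL=YES
0000D344 0040D344 0 &ATL=NO
0000D34C 0040D34C 0 /?UID=%s&VERSION=%s
"""

# A string that itself starts with digits and a space would lose them to the optional flag.
LINE_RE = re.compile(r'^([0-9A-Fa-f]{8}) ([0-9A-Fa-f]{8}) (?:\d+ )?(.*)$')
AUTOSTART_RE = re.compile(r'(?i)\\CurrentVersion\\Run(Once|Services)?$')
HOST_RE = re.compile(r'^Host: (\S+)$')
PARAM_RE = re.compile(r'[?&]([A-Za-z_]+)=')

def parse_strings(dump):
    """Return [(virtual_address, string)] for each well-formed line."""
    return [(int(m[2], 16), m[3]) for m in map(LINE_RE.match, dump.splitlines()) if m]

def triage(dump):
    strings = parse_strings(dump)
    rep = {"autostart_pairs": [], "beacon_hosts": [], "beacon_path_templates": [],
           "beacon_params": set()}
    for i, (va, s) in enumerate(strings):
        if AUTOSTART_RE.search(s):
            # Assumption: the value written under Run is a "%s...exe" template (directory
            # filled in at run time) stored within the next few strings / 0x100 bytes.
            nxt = [t for v, t in strings[i + 1:i + 4]
                   if v - va < 0x100 and t.startswith("%s") and t.lower().endswith(".exe")]
            rep["autostart_pairs"].append((s, nxt[0] if nxt else None))
        elif m := HOST_RE.match(s):
            rep["beacon_hosts"].append(m[1])
        elif s.startswith("/") and "%s" in s:
            rep["beacon_path_templates"].append(s)  # URL path with placeholders for UID/version
        rep["beacon_params"].update(PARAM_RE.findall(s))
    rep["beacon_params"] = sorted(rep["beacon_params"])
    # Autostart plus a beacon that reports a per-install identifier is the behaviour described.
    rep["persistent_beacon"] = any(p for _, p in rep["autostart_pairs"]) and bool(
        rep["beacon_hosts"]) and any("UID" in t for t in rep["beacon_path_templates"])
    return rep
```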
The application creates a unique identification number for each copy (much in the same way as worms like Beagle do) and uses that to track browsing habits. The identifier is uploaded to the ieplugin.com site:
0000D2DC 0040D2DC 0 Accept: */*
0000D2E9 0040D2E9 0 Host: sysupdate.ieplugin.com
0000D310 0040D310 0 HTTP/1.0
0000D324 0040D324 0 &level=
0000D32C 0040D32C 0 &fstat=6
0000D338 0040D338 0 &ATL=YES
0000D344 0040D344 0 &ATL=NO
0000D34C 0040D34C 0 /?UID=%s&VERSION=%s
The initial retrieval from ieplugin.com places the following files on a user’s machine:
abi.exe
bargain4.exe
clipg.exe
extract.exe
loud.exe
qool.exe
rgrt.exe
salmbundle.exe
ssk.exe
systb.dll
winobject.dll
winserv.exe
These applications match keywords lifted from active browser windows and supply pop-up advertisements to the user’s session. Often, browser redirection is used to take potential customers to the advertiser, a new form of “marketing” not available in other mediums. The ferocity of the installations, their proclivity to repair themselves and add new pieces, and the level of annoyance have led many remediation sites to label it the IMIServ “virus.”
Helping Hands
Although many people have called these applications “viruses,”[7] they cannot be considered such under the traditional definition of the term. They are not self-replicating programs, and there is no parasitic quality (although it could be argued they do consume resources from their hosts without consent in the same way biological parasites do). Nonetheless, there is certainly enough evidence to consider them malware. Applications that forcibly change the behavior of a system without the explicit acceptance of its owner, open the door for additional applications, and transmit data back to a collection source are most often referred to as Trojan Horses or Backdoors (as well as hybrid terms such as Backdoor Trojans). Many software developers faced with having their products called spyware (including 180solutions, which does provide its technical defense on its website) would point to the acceptance of a EULA. Although that is a valid defense, it is a difficult policy to sustain when the software being installed is tracking software. With the exceptional amount of money available in the paid referral market, it is inevitable that a group will capitalize on two things: 1) it is possible to install code without consent, and 2) if you can get your code onto a machine, it is likely that you can remove/disable all other competing software and pirate referral profits from the pirates. In fact, this has been alleged a number of times; adware that carries process killers has been well documented, and sometimes those routines are aimed at competing adware applications.[8] Given the state of the “marketplace,” it is easy to see why many adware/spyware creators may be forced into less than ethical decisions to maintain their customers. The poor choices and strategies of just a few organizations would be enough to give the industry a bad reputation; unfortunately, it seems to most users that every adware distributor is malicious. Numerous anti-spyware groups have grown out of a worldwide frustration with the threat.[9] The malware research community has wrestled with whether the software is in a unique category (i.e., spyware) or is just another incarnation of the Trojan. An organization can avoid such discussions entirely if it views the threat as nothing more than another reason to enforce configuration management practices and harden client devices against intrusion. Users, being familiar with the plight of their home computers, will likely be easy to convince of the dangers of spyware and will accept restrictions on browsing options if required. Companies should take a thorough look at spyware in terms of resource costs (bandwidth and computing power sucked away) and data costs (threats to data confidentiality and integrity). The resources available at infectionvectors.com can help evaluate assets, prioritize mitigation tactics, and plan overall malware defense strategies.
Copyright 2005 infectionvectors.com. All rights reserved.
References
1. The core application for the Search Assistant, SALM.EXE, is catalogued as spyware/adware at LI Utilities: http://www.liutilities.com/products/wintaskspro/processlibrary/salm/
   Symantec catalogs it as Adware and describes the routines of this software: http://sarc.com/avcenter/venc/data/adware.180search.html
   Called ADW_NCASE (because of 180solutions’ Comparison Alternative Shopping Engine) by Trend: http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=ADW%5FNCASE%2EC
2. Some 180Search Applications Have Additional Code that Kills Security Software: http://vil.mcafeesecurity.com/vil/content/Print128590.htm
3. All logs are from a device with a running installation of the software described. The only change, outside of snipping from the original context, is to change the characters in the unique identifiers.
4. Research Indicates 180solutions Artificially Inflates Tracking Statistics for Merchant Pay-Per-Click. This is a very interesting, very detailed study: http://www.benedelman.org/spyware/180-affiliates/
5. The IMIServ family is described by Computer Associates: http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41623
   It is catalogued as Backdoor.IMIServ (called Trojan Horse) by Symantec: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.imiserv.html
   And a description of its “drive by” nature by Symantec: http://sarc.com/avcenter/venc/data/adware.ieplugin.html
6. EULA for IMIServ: http://www.ieplugin.com/terms.html, which also contains: “c). This agreement is governed by the laws of Belize. The United Nations Convention on Contracts for the Sale of Goods does not apply to this Agreement.”
7. Just as an example, the first link that appeared during an MSN search that supports posters calling this a virus: http://www.answersthatwork.com/Tasklist_pages/tasklist_w.htm
8. “Adware cannibals feast on each other.” Stefanie Olsen, 7 December 2004. CNET News.com. http://news.com.com/Adware+cannibals+feast+on+each+other/2100-1024_3-5482276.html
9. One response from Microsoft is their Spyware Information Page: http://www.microsoft.com/athome/security/spyware/strategy.mspx
Appendix A: Snippets from the SALM logs:
52048 867911
france.intercasino.com/getting_started/thankyou.shtml
france.intercasino.com/getting_started/thankyou.shtml
deutsch.intercasino.com/getting_started/thankyou.shtml
deutsch.intercasino.com/getting_started/thankyou.shtml
italia.intercasino.com/getting_started/thankyou.shtml
italia.intercasino.com/getting_started/thankyou.shtml
espana.intercasino.com/getting_started/thankyou.shtml
espana.intercasino.com/getting_started/thankyou.shtml
Appendix B: Snippets from SALM.LOG: