One corner of the gray industry chain on the Internet: rogue software is also a "fight"

One corner of the gray industry chain on the Internet: rogue software is also a "fight"

Overview

As an important part of the gray industrial chain of the Internet, rogue software is growing and spreading faster and faster. Currently, this type of forced bundling and forced installation of rogue software is everywhere in China, with the huge benefits brought by this interest chain, rogue software is increasingly advanced in use. These rogue software adopts more concealed, confusing, and violent promotion methods, without knowing it, users have become a pawn in their interest chain.

Analysis

 

More concealed communication channels

 

This method, which is used by some special trojan programs, has also begun to appear on rogue software. Han Haiyuan found a strange sample during the analysis of the captured sample. The sample is based on the specified Baidu space, Sina Blog, and Netease blog, websites such as Hexun blog update the program itself. The program uses multiple fixed URLs to obtain the update link.

This program intercepts part of the blog content as an update link, and some implement concealed communication by embedding a URL on the blog page:

The official blog of the software development group has accessed more than 10 thousand pages. The blog page is linked to a cloud bucket. The software obtains the latest installer through these links, and the installer obtains the promotion software installation package from some software or advertising alliance.

 

The installer obtains information about the local operating system, security software status, and QQ number and uploads it to the statistics server.

K11548207 represents the promoter's ID. We can see that some software was modified or replaced with the promotion link with the ID K11548207 around 2013.

Through further analysis, we found that these programs all come from the 126 Disk of "youlancai" with the user name:

 

These samples will be uploaded to the online storage in July.

More confusing download link

We often encounter this situation: When downloading a software, we find that it is just a download tool. However, these Downloaders may not be able to download the software you finally want to download.

When analyzing malicious programs on the 126 network disk, our team found that all the programs on the 126 Network Disk were directed to another download link, so we also issued an alert on Weibo's hanhaiyuan Security yesterday, as shown in figure

For example, the real download link of the *** helper v5.exe to be downloaded is intentionally hidden, and all other download links are tampered with as the address of the Promotion Program:

Http://dl.yizhan123.com/?software name=&# 1-&## 1-3]

 

The replaced program is named "high-speed download loader" and has a normal digital signature. After the program runs, the request parameters and the downloaded file name are determined based on the file name.

After the promotion program runs, a request is sent to dl.27cha.com Based on the file name as a parameter.

Http://dl.27cha.com /? Id = 1986785 & uid = 1

Then, based on the returned json data, determine the content display and program of the download interface:

 

Download the package and save it on the desktop. Run the first part of the & Symbol of the previous program, and silently install several promotion programs.
The website may have been intruded and tampered with from Security Alliance Monitoring and wooyun vulnerability platform reports.

Because the website contact is invalid, we try to contact the webmaster by querying the email address of the registered domain name's WHOIS information. However, we found that the registrant of the registered email address is also interested in security-related fields. Therefore, we are not sure whether the website was tampered with after being attacked by attackers or intended by the webmaster. However, you should pay more attention when downloading Network Disk Files from 126disk.

More "violent" promotion means

If the promotion of the above methods has made us unable to defend against attacks, we should also look at the following promotion means of rogue software.
This is an example of the combination of promotion of rogue software and exploitation of vulnerability Trojans. Attackers first intrude into a website with a large access volume and replace the template js file on the website, after using multiple page Jump to load contains multiple Flash Nday vulnerabilities (CVE-2014-0515, CVE-2014-0497, CVE-2013-0634) to take advantage of the page, when the user system has these vulnerabilities and accesses the website, malicious programs are automatically implanted. The malicious programs reside on the system and download other promotion programs, the entire process is hard to detect for common users. Because these installers have normal digital signatures, they are often allowed by anti-virus software.

Trojan page:

 

Used to calculate the installed js files:

 

We track the 51La statistics used by promoters and find that the trojan vulnerability affects at least 0.1 million users. According to the following description, if each computer installs a promotion program, it will earn a net profit of 8.2 yuan, attackers may obtain up to 100,000 RMB.

 

Conclusion

From the CAT/mouse virus that emerged in August this year to the cross-platform wirelurker virus that emerged in October, we can clearly see that this Black Hand is reaching more and wider market space, what's even more embarrassing is that these rogue software promotes security software as a large proportion of the carrier. As the biggest victim, users not only suffer from harassment and threats to the promotion of software, you may also need to pay for excess traffic fees.