Promotion by rogue

Source: Internet
Author: User


I wonder whether you run into this scenario from time to time: there are many unknown programs on your computer, and you do not even know when they were installed; or you originally intended to install only program A, never expecting that program A was running a "buy one, get two" campaign and would hand your computer a "one-click installation", "high quality" service. If you do ".

What is rogue promotion? As the name implies, its nature is "rogue" and its purpose is "promotion". Such programs try their best to install partner vendors' software on your computer in order to earn a large "promotion fee". The 360 security center has always been a killer of such programs. Recently, some new variants of this type of program turned up in our background data. They are quite interesting, so I decided to share them with you.

Source

First of all, the source of the program is very important. The first step of promotion is to make sure that the rogue promotion program itself gets onto the user's computer and is run by the user. How is this achieved? The download pages of such programs are generally ......

There are:

Such:

And ...... This is ...... (So that this article can be published smoothly without us receiving a delivery from the relevant departments, we have done some necessary processing on the images, and the processed area is slightly large ......)

I think everyone understands that this kind of website cannot be controlled at all ...... The result, of course, is that users do what the page tells them. It is only installing a player, how hard can that be? So they just install it!

Analysis

Most of these programs are NSIS installation packages. You can decompress them directly to see the programs inside. But the trick is hidden in the NSIS script. Each NSIS package carries an installation script, and besides releasing the files in the package, the installer also performs additional work according to the content of that script. This is where the problem lies:

What is a 163 blog doing here? Out of curiosity, I opened the link.

It is a blog post titled "Thinking about the future of the website construction industry" on the blog "Wuhan leisheng IT education center".

Mm ...... Well written ...... Although I don't understand it, I feel so bad. The blog itself is okay. Is this a program recommending its own blog? Really?

When I viewed the page source code, my friends and I were stunned ......

The value of the style attribute of this pre element is "display: none". Why does this section need to be hidden? What does it mean?

After a closer look at the content, you can see the following:

[Soft0]
SoftTitle = Recommend
[Soft1]
SoftTitle = YinyueFM
SoftName=setup_3038.exe
SoftUrl = http://down.yinyue.fm/open/setup_3155.txt
SoftUrl2 = http://down.yinyue.fm/open/setup_3155.txt
[Soft2]
SoftTitle = 365 weather
SoftName=365weatherIns_60.exe
SoftUrl = http://lm.beilequ.com/update/365/365weatherIns_60.rar
SoftUrl2 = http://play001.b0.upaiyun.com/365weatherIns_60.txt
[Soft3]
SoftTitle = BaiduWeishi
Softnameuuqacmk_70067.exe
SoftUrl = http://our.lxhj.net/uqacmk_70067.txt
SoftUrl2 = http://play001.b0.upaiyun.com/uqacmk_70067.txt
[Soft4]
SoftTitle = Rising
SoftName=setup1146568.exe
SoftUrl =/Article/UploadPic/2014-8/201482214858649.gif
SoftUrl2 =/Article/UploadPic/2014-8/201482214858649.gif
[Soft5]
SoftTitle = Dianxin
Softname=dianxin_silent=0000.exe
SoftUrl = http://xz.ieanquan.com/download/dianxin_silent?#.txt
SoftUrl2 = http://xz.ieanquan.com/download/dianxin_silent?#.txt
[Soft6]
SoftTitle = LieYan
SoftName=xkyy_31.exe
SoftUrl = http://our.lxhj.net/xkyy_31.gif
SoftUrl2 =/Article/UploadPic/2014-8/20148221490857.gif
[Soft7]
SoftTitle = Wuji
SoftName=setup_open_3747.exe
SoftUrl = http://our.lxhj.net/setup_open_3747.txt
SoftUrl2 = http://play001.b0.upaiyun.com/setup_open_3747.txt
[Soft8]
SoftTitle = Guangsu
SoftName=setup_qd206.exe
SoftUrl = http://down.guangsu.cn/qdn/setup_qd206.txt
SoftUrl2 = http://down.guangsu.cn/qdn/setup_qd206.txt
[Soft9]
SoftTitle = Sonlinetime
SoftName=sonlinetime_1199.exe
SoftUrl = http://download.035668.com/onlinetime/sonlinetime_1199.txt
SoftUrl2 = http://download.035668.com/onlinetime/sonlinetime_1199.txt
[Soft10]
SoftTitle = BaiduShadu
SoftName=zfocvyt_30520.exe
SoftUrl = http://our.lxhj.net/zfocvyt_30520.txt
SoftUrl2 = http://play001.b0.upaiyun.com/zfocvyt_30520.txt
[Soft11]
SoftTitle = 2345 Explorer
Softname%2345%er_314911_silence.exe
SoftUrl = http://our.lxhj.net/2345.txt
SoftUrl2 = http://play001.b0.upaiyun.com/2345.txt
[Soft12]
SoftTitle = Kuping
SoftName=kuping4_B_51022.exe
SoftUrl = http://down.shuyeer.net/kuping4_B_51022.txt
SoftUrl2 = http://down.shuyeer.net/kuping4_B_51022.txt
[Soft13]
SoftTitle = uCalendar
SoftName=s2222.exe
SoftUrl = http://down.xiaoxinrili.com/hezi/jm/s2222.txt
SoftUrl2 = http://down.xiaoxinrili.com/hezi/jm/s2222.txt
[Soft14]
SoftTitle = WebGame
SoftName=KXWebBox_3314_R.exe
SoftUrl = http://our.lxhj.net/KXWebBox_3314_R.txt
SoftUrl2 = http://play001.b0.upaiyun.com/KXWebBox_3314_R.txt
[Soft15]
SoftTitle = Jdrl
SoftName=wauee_jx014.exe
SoftUrl = http://down.jdrili.com/wauee_jx014.txt
SoftUrl2 = http://down.jdrili.com/wauee_jx014.txt
[Soft16]
SoftTitle = sohuv
SoftName=SoHuVA_4.2.0.88-c203949026-run-s-bgs-bdj-x.exe
SoftUrl = http://our.lxhj.net/SoHuVA_4.2.0.88-c203949026-run-s-bgs-bdj-x.txt
SoftUrl2 = http://play001.b0.upaiyun.com/SoHuVA_4.2.0.88-c203949026-run-s-bgs-bdj-x.txt
[Soft17]
[Soft18]
SoftTitle = Funshion
SoftName=FunshionInstall_C171693.exe
SoftUrl = http://neirong.funshion.com/software/files/silent5/FunshionInstall_C171693.exe
SoftUrl2 = http://play001.b0.upaiyun.com/FunshionInstall_C171693.txt
[Soft19]
SoftTitle = QIYImedia
SoftName=QIYImedia_C_01.exe
SoftUrl = http://our.lxhj.net/QIYImedia_C_01.txt
SoftUrl2 = http://play001.b0.upaiyun.com/QIYImedia_C_01.txt
[Soft20]
SoftTitle = WanDouJia
SoftName=WanDouJiaSetup_zhimeng10_kb.exe
SoftUrl = http://dl.wandoujia.com/files/third/WanDouJiaSetup_zhimeng11_kb.txt
SoftUrl2 = http://play001.b0.upaiyun.com/WanDouJiaSetup_zhimeng10_kb.txt
[Soft21]
SoftTitle = Ailiao
SoftName=al_bind_1.exe
SoftUrl = http://cot2.ailiao.TV:7045/90018_albind.exe
SoftUrl2 = http://cot2.ailiao.TV:7045/90018_albind.exe
[Soft22]
SoftTitle = Xuanku
SoftName=xkss_50002.exe
SoftUrl = http://down.hzspzs.com/sousuo/xkss_50002.txt
SoftUrl2 = http://down.hzspzs.com/sousuo/xkss_50002.txt
[Soft23]
SoftTitle = Jinshan
SoftName=vvkKAVSETUPS_66_131833.exe
SoftUrl = http://our.lxhj.net/vvkKAVSETUPS_66_131833.txt
SoftUrl2 = http://play001.b0.upaiyun.com/vvkKAVSETUPS_66_131833.txt
[Soft24]
SoftTitle = Bianqian
SoftName=peuip_69_12345.exe
SoftUrl = http://download.laochehe.com/new/peuip_69_12345.txt
SoftUrl2 = http://download.laochehe.com/new/peuip_69_12345.txt
[Soft25]
SoftTitle = Xiaocai
SoftName=setup_ggjm_zm478284.exe
SoftUrl = http://our.lxhj.net/setup_ggjm_zm478284.txt
SoftUrl2 = http://play001.b0.upaiyun.com/setup_ggjm_zm478284.txt

 

From Soft0 to Soft25 ...... A total of 24 promoted programs (26 items in total; Soft0 is only a "Recommend" label and promotes no software, and Soft17 is blank), which is spectacular ......

These programs will all be installed on your computer without your knowing it ...... It's chilling to think about it ......
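
For defenders, the same structure can be checked for on a fetched page. The following is an added example, not code from the original article or from 360: it extracts every pre element hidden with "display: none", parses its [SoftN] sections, and marks entries whose download URL does not end in .exe, as with the .txt, .gif and .rar URLs in the list above. The sample page, its example.com/example.net hosts and the names HiddenPre and audit_page are constructed for illustration.

```python
import posixpath
from configparser import ConfigParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not the real blog page), using the [SoftN] layout above.
SAMPLE_PAGE = """<p>An ordinary-looking blog post ...</p>
<pre style="display: none">
[Soft0]
SoftTitle = Recommend
[Soft1]
SoftName=setup_1.exe
SoftUrl = http://downloads.example.com/open/setup_1.txt
SoftUrl2 = http://mirror.example.net/setup_1.gif
[Soft2]
SoftName=toolb.exe
SoftUrl = http://downloads.example.com/toolb.exe
</pre>"""

class HiddenPre(HTMLParser):
    """Collect the text of every <pre> whose inline style hides it."""
    def __init__(self):
        super().__init__()
        self.blocks, self._open = [], False
    def handle_starttag(self, tag, attrs):
        style = (dict(attrs).get("style") or "").replace(" ", "").lower()
        if tag == "pre" and "display:none" in style:
            self._open = True
            self.blocks.append("")
    def handle_data(self, data):
        if self._open:
            self.blocks[-1] += data
    def handle_endtag(self, tag):
        self._open = self._open and tag != "pre"

def audit_page(html):
    """Return (section, SoftName, url, url_not_exe) per download entry."""
    finder = HiddenPre()
    finder.feed(html)
    # Tolerate '%' in values, repeated sections and keys with no '='.
    ini = ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    ini.read_string("\n".join(finder.blocks))
    findings = []
    for sec in ini.sections():
        name = ini[sec].get("softname")   # ConfigParser lower-cases keys
        for key in ("softurl", "softurl2"):
            url = ini[sec].get(key)
            if name and url:              # skips label-only / blank sections
                ext = posixpath.splitext(urlparse(url).path)[1].lower()
                findings.append((sec, name, url, ext != ".exe"))
    return findings
```

A page with a hidden pre that yields any entries is already worth a look; the last field singles out the downloads whose extension does not match the executable they are saved as.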

Run

Running the program confirms my earlier guess: as soon as it starts, it visits this 163 blog:

It gets the promotion list from the blog page and then downloads the items on the promotion list in various ways ......

The following is the process list from my VM test. All the circled processes are installers of the programs being promoted:

Sorry, I did not capture more screenshots. My virtual machine froze ......

I believe that even if the target user's machine does not freeze completely, it will be unable to do anything ......

Last

For such programs, 360's principle has always been to kill them without exception. Needless to say:

At the same time, we also need to remind Internet users, especially the many Otaku among them: download software only through formal channels, and do not trust programs recommended by various small websites, however attractive they look ......
