Maybe some of you have met the next weird situation: you want to download a trial of a program, a shareware, from a well established downloading site but when you click the download button instead of the wanted program, another little program is downloaded and executed in the computer, it’s the so-called “download manager” which in its turn downloads the desired program. Nobody fully understands this scheme, why is needed by this “download manager” instead of offering directly the wanted program but a lot suspect this program of “grey” missions. The concerns are raised when the antivirus software detect these “download managers” as adware or spyware and there must be some truth here, what other purpose can have these forcefully pushed programs? Let’s tell the truth, behind them always is a scheme involving financial gains in a form or another, be it advertising or building statistics . It’s their business, OK, but when the user privacy is affected more or less, when browsing experience is deteriorated more or less, it’s time to treat seriously these apparently inoffensive but unwished programs.
There is an interesting story about the reputed website CNET download.com website which embedded in the original installers they distributed, otherwise clean, their own adware and malware parasitic programs, see Nmap example.
The case analyzed in this article is about a new file sharing website, http://fileze.com/ which is advertised on some forums and promises great payouts in a PPI(pay per install) system. Simply the users can upload files, share links and when somebody wants to download the file he’s forced to install their download manager in order to be able to reach the wanted file.
Here is a part of their TOS:
How we work:
Once a user clicks on your link and downloads fileze’s download manager your account will be credited as a successful install .You can view the payment rates on the right hand side of this page. We reward users that receive more files downloaded by increasing payouts, we base our revenue structure on different tiers. For example if a user downloads your file and is not from one of these countries your account will not be credited.
Install Rates
Monthly InstallsTier 1 Tier 2 Tier 3
1 to 3,000 $0.85 $0.38 $0.10
3,001 to 10,000 $1.00 $0.40 $0.11
10,001 to 20,000 $1.10 $0.49 $0.12
20,001 to 40,000 $1.21 $0.53 $0.14
40,001 to 80,000 $1.29 $0.68 $0.15
80,001 to 160,000 $1.37 $0.71 $0.16
160,001 to 1,000,000 $1.45 $0.75 $0.17Tier Countries
1 United States
2 France ,Germany ,United Kingdom
3 Australia ,Austria ,Belgium ,Denmark ,Finland ,Ireland ,Italy ,New Zealand ,Norway ,Portugal ,Sweden ,Switzerland ,Netherlands ,Canada
I have uploaded a file to the website, generated a download link and I visited it with a monitored browser. Of course the “download manager” forced offer popped up.
download manager
Part of the requests made by the browser were :
GET /fd2fed27b5ce840faea85789afd68db03ad0 HTTP/1.0
User-Agent: Mozilla/5.0 (Windows NT 5.1; en; rv:2.0) Gecko/20100101 Firefox/4.0 Opera 11.61
Host: interstitial.powered-by.latestdl.info
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Referer: http://fileze.com/download?file=14c17846e3cb177ccd2e12cf80a3f2e5_dwlG132_drivers_130.zipGET /logger/interstitial/hit/247762/1440498/?v.offer=ravenbleu%2Cmp3tube%2Cbasicscan&lp=http%3A%2F%2Ffileze.com%2Fdownload%3Ffile%3D14c17846e3cb177ccd2e12cf80a3f2e5_dwlG132_drivers_130.zip&v.sid= HTTP/1.1
Host: install.onlinedl.info
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://fileze.com.powered-by.onlinedl.info/generate/interstitial/247762/?pp=http%3A%2F%2Ffileze.com%2Fdownload%3Ffile%3D14c17846e3cb177ccd2e12cf80a3f2e5_dwlG132_drivers_130.zip
As you can see, a lot of redirects occured, to a latestdl.info subdomain, onlinedl.info subdomain and finally to:
http://org.freeflixapp.net/NCIC/20120323072153494E434647493031_4b5a0858-0071-4760-bf53-7793c426bcb6/20120323104817dc83f3-ed26-4c0a-8074-5d9c320f1a90/Setup.exe
from where it was downloaded a single file, the “download manager” in question:
Name: setup.exe
Description: Installer
Digital Signature: Pinball Corporation
Size: 230 KB
MD5: 375EDE343070D8E823408FAB8DEF3F84
What does this setup file when it is executed? Let’s see it analyzed in Sanbdboxie with BSA add-on, only the most interesting parts:
Detected keylogger functionality
Detected privilege modification
Detected process privilege elevation
Enumerated running processes
Got system default language ID
Got user name information
IE settings change: user\current\software\microsoft\internet explorer\searchscopes\{33524c00-63fb-43db-a6bf-0a4e14b24649}\displayname = basicscan
IE settings change: user\current\software\microsoft\internet explorer\searchscopes\{33524c00-63fb-43db-a6bf-0a4e14b24649}\url = http://www.basicscan.com/?prt=bscscnpb&keywords={searchterms}
IE settings change: user\current\software\microsoft\internet explorer\searchscopes\{b3fc32b0-1a54-4aa4-910b-d6d335668969}\displayname = yahoo-mp3tube
IE settings change: user\current\software\microsoft\internet explorer\searchscopes\{b3fc32b0-1a54-4aa4-910b-d6d335668969}\faviconurl = http://www.yahoo.com/favicon.ico
IE settings change: user\current\software\microsoft\internet explorer\searchscopes\{b3fc32b0-1a54-4aa4-910b-d6d335668969}\url = http://mp3tubetoolbar.com/?tmp=toolbar_sb_results&prt=pinballtbfour01ie&keywords={searchterms}&clid=fcc0a10518894c7fa747679421b1dba5
IE settings change: user\current\software\microsoft\internet explorer\searchscopes\defaultscope = {b3fc32b0-1a54-4aa4-910b-d6d335668969}
Internet connection: Connects to “173.194.35.164” on port 80.
Internet connection: Connects to “173.194.35.165” on port 80.
Internet connection: Connects to “173.194.35.178” on port 443.
Internet connection: Connects to “174.35.6.12” on port 80.
Internet connection: Connects to “208.87.149.236” on port 80.
Internet connection: Connects to “208.87.149.250” on port 80.
Internet connection: Connects to “217.163.21.35” on port 80.
Internet connection: Connects to “64.94.137.121” on port 80.
Internet connection: Connects to “66.150.14.46” on port 80.
Internet connection: Connects to “66.150.14.66” on port 80.
Internet connection: Connects to “66.150.14.73” on port 80.
Internet connection: Connects to “68.67.179.215” on port 80.
Internet connection: Connects to “68.67.185.216” on port 80.
Internet connection: Connects to “74.125.232.193” on port 80.
Internet connection: Connects to “74.125.232.225” on port 80.
Internet connection: Connects to “74.125.232.228” on port 80.
Internet connection: Connects to “74.125.232.238” on port 80.
Internet connection: Connects to “74.125.232.239” on port 443.
Internet connection: Connects to “74.125.232.249” on port 80.
Internet connection: Connects to “74.125.232.251” on port 80.
Internet connection: Connects to “74.86.195.220” on port 80.
Internet connection: Connects to “77.238.167.32” on port 80.
Internet connection: Connects to “81.196.26.169” on port 80.
Internet connection: Connects to “81.196.26.177” on port 80.
Internet connection: Connects to “81.196.26.192” on port 80.
Internet connection: Connects to “82.77.159.229” on port 80.
Internet connection: Connects to “config.ravenbleu.com” on port 80.
Internet connection: Connects to “downloads.ravenbleu.com” on port 80.
Internet connection: Connects to “files.freeflixapp.net” on port 80.
Internet connection: Connects to “jookz.com” on port 80.
Internet connection: Connects to “te.ravenbleu.com” on port 80.
Internet connection: Connects to “tei.ravenbleu.com” on port 80.
Internet connection: Connects to “toolbaroptions.com” on port 80.
Internet connection: Connects to “upgrade.jookz.com” on port 80.
Listed all entry names in a remote access phone book
Localhost connection: Connects to “127.0.0.1” on port 2019.——————————————————
Opened a service named: BasicScan Service
Opened a service named: LanmanServer
Opened a service named: Mp3Tube Toolbar Service
Opened a service named: RASMAN
Opened a service named: Sens
Opened a service named: WinDefend
Amongst other folders created, the installer creates in Program Files folder, two sub-folders, BasicScan and MP3Tube Toolbar.
BasicScan folder contains three files:
- basicscan.exe
MD5 545D831AEAB423AFCFDED91E1B3C6C82
- basicscan.dll
MD 5 3D5327B5F9FBA95ABDE3021CE33EBB69
- uninstaller.exe
MD5 FF2284EC3E5422D3A58EDB11B0B1A5C4
The scan result at virustotal.com availble here shows a detection ratio of 3/41, it is detected as: Win32:Zwangi-DQ [PUP], Skodna.Generic_r.E or Adware.OneStep.
The results for basicscan.dll are here and shows detection ratio of 11 / 43 being predominantly detected as BHO.Win32.Zwangi!IK.
We see Zwangi for both files, google-ing for it we find:
From microsoft.com website:
BrowserModifier:Win32/Zwangi is the detection for a program that runs as a service in the background and modifies Internet browser search functionality.
From wikipedia.org:
Win32/Zwangi is a malware program that infects Windows computers. It is also known as Spyware.Screenspy, Mal/BHO-S, and Seekapp. The program redirects URLs typed into the browser’s address bar to a search page at www.zwangi.com, and may also take screenshots without permission.
Enough said I think, obviously it is a true malware. I will end here, already this article becomes too long. Looking back we understand that forcing users to download their “download manager”, http://fileze.com file sharing website in fact is spreading malware and acts as a mass infection system.
Do you want to keep your computer clean of malware? Then never install additional software, dubious toolbars and downloaders or alleged needed video codecs. There are countless malevolent persons making great efforts to compromise your computer and use it as a zombie for their nefarious purposes, or ready to steal your accounts credentials and empty your bank account or at least ready to forcefully serve you advertisements. Behind all these is always the people greediness.
Keep safe !
Leave a Reply