Spigot “applicationupdater.exe”

A few days ago, I’ve noticed a new process  applicationupdater.exe in the Task Manager processes list, but I did not pay too much attention to it, until today when I decided to discover what application is responsible for it. I mean, it’s normal for almost any application to connect to the web and update itself but respecting a few basic rules :

  • the user must be asked previously for his consent to update a program
  • an updater it’s not running for long, it runs at certain intervals, check the official site for updates and immediatelyit’s closing
  • an application updater inform the user about what updates it’s looking for, for what program and if there is any updates available or not

At a certain moment, I realized that applicationupdater.exe an always-running process, which firstly I supposed to be what its name describes to be, has not a normal behaviour for an updater.

A short search on Google.com for this process reveal the fact this process is more than a mysterious one, it’s a possible threat, so I start to analyze it more carefull. The majority of the sites on the web sustain this application is installed in the computer via PDF Forge or PDF Creator programs, but I have none of these programs installed in my computer or at least downloaded, that’s mean the application was arrived and installed in my computer in other way, I simply don’t know how, I very often download trials or open source programs for testing purposes.

First of all, the program create a Windows service (that’s why it runs continuosly) with name :

Application Updater

and a vague description:

Automatically downloads and installs application updates

This does not sound good, it does not make any reference to any application which is supposed to be updated.

The installation path is :

%Program Files%\Application Updater\applicationupdater.exe

and from the file Properties :

  • Company: Spigot, Inc
  • File version: 1.1.2.16
  • Original File name:  ApplicationUpdater.exe

Further more, the analysis is made with Sandboxie 3.46 with Buster Sandbox Analyzer(BSA) add-on. The following actions are reported by the Malware  Analyzer module :

  • Defined Autostart registry location added
  • Detected keylogger functionality
  • Enumerated running processes
  • Internet connection: Connects to “.mybrowserbar.com” on port 80.
  • Listed all entry names in a remote access phone book
  • Opened a service named: RASMAN
  • Opened a service named: Sens

Risk evaluation result: High

The full report :

[ General information ]
* File name: c:\documents and settings\administrator\desktop\tests\applicationupdater.exe
* File length: 380928 bytes
* File signature: Microsoft Visual C++ ?.? *
* MD5 hash: 293e66aa529f0fba1aa56340e293a389
* SHA1 hash: 48ce7f1e56dbfc352c67e8081b4381f4e6826b2f
* SHA256 hash: bb9a50948b0fe28011566a1d36c4e9b6485bac0d1e95eb2ded0b82422f495a81

[ Changes to filesystem ]
* No changes

[ Changes to registry ]
* Deletes Registry key HKEY_LOCAL_MACHINE\software\Classes\clsid\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
* Creates Registry key HKEY_LOCAL_MACHINE\Subscriptions
* Creates value “SBIE_ProcessId=EC050000″ in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Application Updater
* Creates value “SBIE_CurrentState=04000000″ in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Application Updater
* Creates value “SBIE_ControlsAccepted=01000000″ in key HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Application Updater
* Modifies value “SavedLegacySettings=46000000280A0000010000000000000000000000000000000400000000000000C0C2EB74-

-0031CB0101000000C0A80165000000000000000000000000″ in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value “SavedLegacySettings=46000000270A0000010000000000000000000000000000000400000000000000C0C2EB74-

-0031CB0101000000C0A80165000000000000000000000000″
* Deletes Registry key HKEY_CURRENT_USER\software\classes\*\shell\sandbox

[ Network services ]
* Looks for an Internet connection.
* Connects to “.mybrowserbar.com” on port 80.

[ Process/window information ]
* Keylogger functionality.
* Creates a mutex “CTF.LBES.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Creates a mutex “CTF.Compart.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Creates a mutex “CTF.Asm.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Creates a mutex “CTF.Layouts.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Creates a mutex “CTF.TMD.MutexDefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Creates a mutex “CTF.TimListCache.FMPDefaultS-1-5-21-839522115-261903793-1417001333-500MUTEX.DefaultS-1-5-21-839522115-261903793-1417001333-500″.
* Enumerates running processes.
* Creates a mutex “AppUpdaterPingMutex_BF46BBD8-8935-4adf-B837-19951E6E4AEC”.
* Creates a mutex “Local\_!MSFTHISTORY!_”.
* Creates a mutex “Local\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!”.
* Creates a mutex “Local\c:!documents and settings!administrator!cookies!”.
* Creates a mutex “Local\c:!documents and settings!administrator!local settings!history!history.ie5!”.
* Creates a mutex “RasPbFile”.
* Lists all entry names in a remote access phone book.
* Opens a service named “RASMAN”.
* Opens a service named “Sens”.

The analysis continues with Process hacker , and ApplicationUpdater service is seen connecting to :

174.36.215.20-static.reverse.softlayer.com remote port 80, local port 1227 and 1226 TCP

Perhaps an interesting fact is observed using a debugger like IDA – The Interactive Disassembler :  applicationupdater.exe contain code to call a Windows function which prevent a debugger to be attached to the target process. A debugger, for who does not know, is a tool for examining a program code, running it instructions by instructions or step by step controlled by the user, attaching itself to the target process. This way, the program flow can be better understood and an eventually bug can be track down. However, using some Windows functions or other tricks, a program can “verify” if it’s debugged and prevent the debugger running normally, forcing the termination of the process immediately.

applicationupdater.exe uses functions like ntdll!DbgUiRemoteBreakIn or ntdll!DbgBreakPoint in order to avoid a debugging session.

applicationupdater debugger view

It must be mentioned that under the run key of the registry-the main AutoStart registry key, a new value is created for an Internet Explorer BHO (Browser Helper Object) a dll with name “searchsettings.dll” by the same company Spigot, Inc. The complete object path is :    c:\program files\search settings\searchsettings.dll and the folder contain also an executable, “searchsettings.exe”.

It can be observed a be behavioral change of both browsers used by me, Firefox 3.6.10 and Internet Explorer 8, the startup page URL adress is something like : 

http://search.conduit.com/ctid=CT2475029&SearchSource=13

and the browser windows is displaying a search box similar to that of Google.com but with a banner to a well known software vendor.

Considering all these, it’s obvious that applicationupdater it’s an agressive and dangerous advertising tool which is affecting the user privacy and worsening the user Internet experience. Hiding its scope and its actions from the user, it is a constant threat to the safety of the computer system and my recomandation is to get rid of it as soon as possible.

Keep safe !

 

Posted in Thoughts.

22 Responses

Leave a Reply