Shop At Home Select - What's Happened
by Chris Boyd, Wayne Porter
Date: October 18, 2005
Spyware Research
A recent install from a website pushing photographs of celebrities installs numerous programs onto the end-user's PC, including Shop at Home Select, Sidefind, Your Site Bar, Powerscan, Bullseye Networks and Internet Optimizer. This payload is enough to cause issues with CPU performance - however, there are a number of additional items which appear on the desktop some time after the initial install is complete. These additional links lead to more installs, one of which attempts to cause deliberate confusion with a service name similar to a legitimate program.
The install in action
We have a film of the bundle in action - unfortunately, due to the length of time it takes to install, the video file is well over 350MB in size! From the video, we can tell you that in IE, the ActiveX installer is presented to the user upon visiting the target website (00:06), and clicking "no" (00:32) results in repeated popups asking the user to click "yes" to continue to view the site - even though, after cancelling out, the content is perfectly viewable without installing the software.

Once the user attempts to navigate to any section containing images, the ActiveX installer continues to appear on every page, and at (1:03) clicking an "image" file actually opens up a prompt to install software. In this case, the .EXE is named after the celebrity. In effect, there are no images to view barring the thumbnails.

Switching to Firefox, we now find at (1:46) that the familiar ysbweb tactic of checking whether the browser is IE or Firefox comes into play: instead of an ActiveX prompt, we are greeted with a "fake" yellow information bar across the top of the screen and a Java applet which gives no indication of what lies behind it. The yellow bar attempts to install a plugin, and the applet tries to lead you back to the bundle launched from IE.

At (2:08) the desktop executable is launched. At this point the install begins and the software downloads onto the target PC. Shop at Home Select makes an appearance at (3:15), along with numerous other programs.
After the install
Upon opening IE, you can see a few of the programs that have been installed (SideFind and Your Site Bar, branded on this occasion with MTV logos):

But after switching the machine off and restarting, it becomes clear that the install does not complete in one session. After a while, numerous icons appear on the desktop - three IE links and one MS-DOS file:

Of the three links, the "career boost" and "dream date" links used redirects to take you to pages apparently supplied by Azoogle. The third, "Casino games", brings up the following (as yet unknown) executable:

This .EXE attempts to install casino software, which prompts players to create login details (including name, address, etc.) as long as the player is legally allowed to gamble.
The final installer is the MS-DOS file misleadingly entitled "pictures". Running the .EXE does not appear to do anything - however, two lines of traffic are transmitted, apparently from ysbweb:

and a new service is added - the misleadingly titled aolserviceshosts.exe:

This is clearly intended to cause confusion with the genuine Aolservicehost.exe (note the "s" is missing from the end of the word "host" in the genuine version). Once this was installed, the CPU usage went crazy and the system became unstable, resulting in no other option but to turn the machine off.
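The name-confusion tactic above (aolserviceshosts.exe mimicking the genuine Aolservicehost.exe) can be caught by comparing running process or service names against an allow-list of known-good names by edit distance. The following is an added example written for this article, not the authors' or FaceTime's code; the allow-list, the sample process list and the distance threshold are constructed assumptions.

```python
"""Flag process/service names that closely mimic known legitimate names.

Added example for the name-confusion tactic described in the article.
KNOWN_GOOD and SAMPLE_PROCESSES are constructed for illustration.
"""

# Constructed allow-list of legitimate names a defender would maintain
# (lower-case, file name only). Aolservicehost.exe is the genuine name
# cited in the article; the others are common Windows binaries.
KNOWN_GOOD = {"aolservicehost.exe", "svchost.exe", "explorer.exe"}

# Constructed sample of names seen on a machine: two legitimate names,
# the lookalike from the article, a transposed-letter lookalike and one
# unrelated program.
SAMPLE_PROCESSES = [
    "aolserviceshosts.exe",
    "svchost.exe",
    "scvhost.exe",
    "explorer.exe",
    "notepad.exe",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (insert, delete or substitute = 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(names, known_good=KNOWN_GOOD, max_distance=2):
    """Return (name, mimicked_name, distance) for every name that is not
    exactly on the allow-list but is within max_distance edits of one.
    Exact matches are skipped: they are the legitimate processes."""
    hits = []
    for name in names:
        lowered = name.lower()
        if lowered in known_good:
            continue
        closest = min(known_good, key=lambda good: levenshtein(lowered, good))
        distance = levenshtein(lowered, closest)
        if distance <= max_distance:
            hits.append((name, closest, distance))
    return hits


if __name__ == "__main__":
    for name, mimicked, distance in find_lookalikes(SAMPLE_PROCESSES):
        print(f"{name} looks like {mimicked} (edit distance {distance})")
```

On the constructed sample this flags aolserviceshosts.exe (two inserted letters from the genuine name) and scvhost.exe, while the exact allow-listed names and notepad.exe pass.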
Unless otherwise noted this article is Copyright © 2008 by FaceTime Communications, Inc. This article may not be resold, reprinted, or redistributed for compensation of any kind without prior written permission from FaceTime Communications, Inc. For reprint or media inquiries please contact us with the phrase "Spyware Guide Articles" in the subject line and we will be happy to assist you. Links to this article from other websites are appreciated and encouraged. Users are also encouraged to utilize our RSS system to provide unique content and extracts for their site.