All articles licensed under a Creative Commons License.

Thursday, March 03, 2005

65MB Malware Install

The last few days, reports had come back to me at my workplace that someone, somewhere was downloading gigabytes of data onto their PCs. In fact, not just one person - lots of them. Somewhat bemused, I began to investigate and promptly turned up nothing - no network scans picked up anything untoward, no digging through the proxy log revealed anything and all we could do was assume a pirate-film king had started up his own little enterprise on our servers.

The truth is actually far worse.

A little cross-security guy networking later, and it turns out that halfway across the globe, one Eric L Howes was puzzling over a machine slowly dying a death whilst sifting through some ads served by iowrestling.com. Imagine his surprise when he discovered he was 65MB of space down on his PC.

65MB of Microsoft .NET Framework 1.1 was downloaded and installed without asking permission, or even indicating that such a download was underway.

And that's in addition to the wonderful deluge of malware and served adverts that came with it.

If you're on capped DSL, that's a massive blow to your monthly allowance - not to mention the small matter of the garbage you'd now have to try and clean off.
(The actual size of the .NET Framework download is around 23MB, though that is still a lot of bandwidth to use up without asking when you're talking about multiple downloads across a network. In addition, the size of the download can vary drastically depending on what extras you have; don't forget the service packs, SP1 being an extra 10 or so MB. And I'm actually understating the amount of space used once installed, as .NET can total up to 100MB.)

And lo, he said that the garbage was plentiful and full of ads - the old chestnut of dropping an executable into the temp directory creates a bunch of installers that mostly play media files, trailers - the usual junk. However, the real killer is the .EXE that downloads said .NET framework and convinces your wife that you've wasted all your bandwidth on Bridget the Midget and Gonzo (the blue kind, but not the one with the big nose).

Whilst a little innovation is never a bad thing, in this case it's a shockingly bad thing. Apart from paving the way for ad suppliers installing whatever setups they like on your PC to run their crudware, it also raises the bar yet again for the biggest Malware-based download / install on record. Of the front runners, Mr 8MB-Malware install and Mrs Bube, we now apparently have a bastard child of massive proportions and 65MB+ is a lot of hard drive space to gobble up by anyone's standards.

And now (as they say on the commercials), for the science part - get those blocklists ready:

Broadcastpc.tv's installers are the source of this mega-download. One of their installers (bpc_inst_1006.exe, which resides in the Temp directory) creates a \Program Files\BPT dir with several executables inside. One of those executables creates a file called 27.exe, which downloads the .NET framework without asking.

Strings found in 27.exe (URLs, config keys, install path, registry keys and the install command line, in the order they appear):
http://report.broadcastpc.tv/report/di_report.php
Report URL
http://terminexor.com/updates/update.php
Config URL
Version, GroupID, DownloadFailAmt, DownloadWait, RetryUpdateFail, RetryUpdateNoConn
C:\Program Files\DInstaller2
TEMP Directory
Software\DInstaller2
GUID DI2
Software\Microsoft\Windows\CurrentVersion\Run
?1 Daemon 1 open /q:a /c:"install /l /q" C:\temp1.exe

Note the last line: /q:a /c:"install /l /q" is the documented silent-install switch set for the .NET Framework redistributable, which is why the 23MB+ install runs with no prompt at all, and the CurrentVersion\Run key is how the thing keeps coming back after a reboot.


The same BroadcastPc.tv installer installs a number of other multimedia elements, including several Windows Media files that are then launched full screen to advertise movies. We all love the movies, right?

Maybe not when the price of admission is this much, though. As you might have guessed, this install was the cause of the mega-traffic experienced on my network, and I have a good few days ahead of me trying to clean out those PCs. At least I don't have to foot the bill for the bandwidth, unlike anyone unlucky enough to get nailed on a network by this network-hungry monster. Multiple downloads equals multiple headaches. It's also worth noting that although blocking the ad-happy wrestling site and Broadcastpc.tv will help, as the actual installers are relatively small in size they could effectively come from anywhere if someone decides to move them around (and they probably will). And it's quite possible there are more sites / companies involved.
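To show what "get those blocklists ready" and the bandwidth spike look like from the proxy side, here is an added example (my own, not the post's or any vendor's code) that runs two checks over constructed proxy log lines: a hit on the domains named above, and a per-client byte count that catches the big silent pull even when the installer is served from somewhere not on the list. The log format, the threshold and the placeholder download host are all assumptions.

```python
import re
from collections import defaultdict

# Domains named in the write-up; subdomains (e.g. report.broadcastpc.tv) match too.
BLOCKLIST = {"broadcastpc.tv", "terminexor.com", "iowrestling.com"}

# Per-client byte threshold (assumption: one silent .NET pull is ~23MB, so
# anything over 20MB in a log window is worth a look; tune for your network).
VOLUME_THRESHOLD = 20 * 1024 * 1024

# Assumed simplified proxy log format: "<epoch> <client-ip> <bytes> <method> <url>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)")

def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, nbytes, method, url = m.groups()
    host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()
    return {"ts": ts, "client": client, "bytes": int(nbytes), "method": method,
            "url": url, "host": host}

def on_blocklist(host):
    return any(host == d or host.endswith("." + d) for d in BLOCKLIST)

def analyse(lines):
    """Two independent signals: blocklisted hosts, and per-client download volume."""
    volume = defaultdict(int)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        volume[rec["client"]] += rec["bytes"]
        if on_blocklist(rec["host"]):
            hits.append((rec["client"], rec["url"]))
    heavy = sorted(c for c, b in volume.items() if b > VOLUME_THRESHOLD)
    return {"blocklist_hits": hits, "heavy_clients": heavy, "volume": dict(volume)}

# Constructed sample: one client that hits the ad chain and then pulls the framework
# from a placeholder host NOT on the blocklist, and one client that only saw the ad page.
SAMPLE_LOG = """
1109851200 10.0.0.12 15302 GET http://www.iowrestling.com/index.html
1109851231 10.0.0.12 412 GET http://report.broadcastpc.tv/report/di_report.php
1109851233 10.0.0.12 1088 GET http://terminexor.com/updates/update.php
1109851240 10.0.0.12 24117248 GET http://download.placeholder.invalid/dotnetfx.exe
1109851900 10.0.0.12 10485760 GET http://download.placeholder.invalid/dotnetfx_sp1.exe
1109852000 10.0.0.33 5100 GET http://www.iowrestling.com/ad.html
1109852010 10.0.0.33 8820 GET http://www.example.invalid/news.html
""".strip().splitlines()

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The volume check is the one that would have flagged the original outbreak, since the framework itself comes from wherever the installer points and the small loader could be moved to any host.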

Whatever the Hell next?

All Content © Vitalsecurity.org 2006. The content of this site is entirely the opinion of Paperghost, and is in no way endorsed by FaceTime Communications. In other words - have a problem, come see me.