Shop At Home Select- What's Happened.
by Chris Boyd, Wayne Porter
Date: October 18, 2005
Spyware Research
A recent install from a website pushing photographs of celebrities installs numerous programs onto the end-user's PC, including Shop at Home Select, Sidefind, Your Site Bar, Powerscan, Bullseye Networks and Internet Optimizer. This payload is enough to cause issues with CPU performance - however, there are a number of additional items which appear on the desktop some time after the initial install is complete. These additional links lead to more installs, one of which attempts to cause deliberate confusion with a service name similar to that of a legitimate program.
The install in action
We have a film of the bundle in action - unfortunately, due to the length of time it takes to install, the video file is well over 350MB in size! From the video, we can tell you that in IE, the ActiveX installer is presented to the user upon visiting the target website (00:06), and clicking "no" (00:32) will result in repeated popups asking the user to click "yes" to continue to view the site - even though, after cancelling out, the content is perfectly viewable without installing the software.
Once the user attempts to navigate to any section containing images, the ActiveX installer will continue to appear on every page, and at (1:03) clicking an "image" file actually opens up a prompt to install software. In this case, the .EXE is named after the celebrity. In effect, there are no images to view barring the thumbnails.
Switching to Firefox, we now find at (1:46) that the familiar ysbweb tactic of checking for either an IE browser or a Firefox one comes into play, and instead of an ActiveX prompt, we are greeted with a "fake" yellow information bar across the top of the screen and a Java applet, which gives no indication of what lies behind it. The yellow bar attempts to install a plugin, and the applet tries to lead you back to the bundle launched from IE.
At (2:08) the desktop executable is launched. At this point, the install begins and the software downloads onto the target PC.
Shop at Home Select makes an appearance at (3:15), along with numerous other programs.
After the install
Upon opening IE, you can see a few of the programs that have been installed (SideFind and Your Site Bar, branded on this occasion with MTV logos):
But after switching the machine off and restarting, it becomes clear that the install does not complete in one session. After a while, numerous icons appear on the desktop - three IE links and one MS-DOS file:
Of the three links, the "career boost" and "dream date" links used redirects to take you to pages apparently supplied by Azoogle. The third, "Casino games", brings up the following (as yet unknown) executable:
This .EXE attempts to install casino software, which prompts players to create login details (including name, address, etc.) as long as the player is legally allowed to gamble.
The final installer is the MS-DOS file misleadingly entitled "pictures". Running the .EXE does not appear to do anything - however, two lines of traffic are transmitted, apparently from ysbweb:
and a new service is added - the misleadingly titled aolserviceshosts.exe:
This is clearly intended to cause confusion with the genuine Aolservicehost.exe (note that the "s" is missing from the end of the word "host" in the genuine version). Once this was installed, the CPU usage went crazy and the system became unstable, leaving no option but to turn the machine off.
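As an added illustration (not part of the original article), here is a small defender-side check for the lookalike-name trick described above: it flags process or service names that sit within a couple of edits of a known legitimate name without matching it exactly. The known-good list and the observed names are constructed for the example; only aolservicehost.exe and aolserviceshosts.exe are taken from the article.

```python
# Flag process/service names that imitate a legitimate name by one or two
# character edits (the "aolserviceshosts.exe" vs "aolservicehost.exe" trick).

# Constructed known-good list; aolservicehost.exe is the genuine name from the article.
KNOWN_GOOD = {"aolservicehost.exe", "svchost.exe", "explorer.exe", "lsass.exe"}

# Constructed sample of names as they might appear in a process or service listing.
OBSERVED = ["explorer.exe", "svchost.exe", "aolserviceshosts.exe", "notepad.exe", "scvhost.exe"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(observed, known=KNOWN_GOOD, max_distance=2):
    """Return (observed_name, impersonated_name, distance) for every name
    that is close to, but not identical to, a known legitimate name.
    Comparison is case-insensitive; exact matches are never reported."""
    hits = []
    for name in observed:
        n = name.lower()
        if n in known:
            continue
        best = min(known, key=lambda k: levenshtein(n, k))
        d = levenshtein(n, best)
        if d <= max_distance:
            hits.append((name, best, d))
    return hits


if __name__ == "__main__":
    for name, genuine, d in find_lookalikes(OBSERVED):
        print(f"suspicious: {name} resembles {genuine} (edit distance {d})")
```

A short max_distance keeps false positives down, but very short names can still collide, so treat a hit as a prompt to inspect the binary's path and signer rather than as proof on its own.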
This article is copyright 2005 by XBlock.com.
It may not be reprinted or copied without the express written consent of the author.