I originally published this blog at http://community.ca.com/blogs/securityadvisor
Published: October 31 2007, 04:09 PM by Benjamin Googins
Free, free, free. I love free MP3s, how about you? Yesterday I took a look around some MP3 sites, and what I found startled me. Instead of freebies, I was hit with loads of spyware. I repeated my search three different times, visiting different sites on each occasion, and my machine got littered with more adware and spyware each time.
My test was pretty simple. I picked three key terms – “free”, “mp3” and “site” – and clicked through the results Google returned. On my first go-round, it took only 5 minutes before my machine was loaded down with spyware, to the point that it could not function. By booting into Safe Mode (the minimal Windows diagnostic boot mode, which skips most startup programs and third-party drivers) I was able to see the damage.
The “loads of new spyware” I mentioned included: Adloader, AdSense Helper Object, AVP, AVSystem Care, IKatzu IE App, MalwareAlarm, OneStepSearch, PowerAgent, TTC D, WebBuying and WinAble. Yikes, that is a lot of spyware. Starting again with a computer free of any spyware infection, I tried the same search and got the same results: loads of spyware. On my third attempt, before starting, I increased my computer’s memory in hopes of actually finishing my test.
Third Time’s a Charm
After doing my same keyword search, I clicked on some popular-looking songs and videos, like “Britney Spears” and “Angelina Jolie”. I was able to snag a free Britney track titled “Gimme More”. Cool. It seemed to play OK. I downloaded another MP3 by Wyclef Jean. I could not play it because “my license information had expired”. Unfortunately, that wasn’t all I downloaded.
Image 1: Initial Google Search
Using some tracking software, I could see that along with my supposed Wyclef Jean track, I had also received a couple of trojan downloaders running under the filenames tsitra77.exe and tsitra1000106. Once executed, these trojans immediately started downloading spyware like WebBuying and Internet Speed Monitor.
Shortly after that I started receiving popup ads. When I opened my browser I had a new toolbar installed. My homepage was hijacked and other browser settings changed.
After all this, my machine was starting to take a hit, so I stopped browsing for MP3s and sat back to survey the results. The trojan downloaders kept downloading after reboot; the results are listed below.
Performance Impact
Once I knew I was infected with a few trojan downloaders, I let my machine sit for 5 minutes or so. As you can see in Table 1, after the first reboot my test system’s performance started to degrade. By the third reboot things got precipitously worse, going from bad to horrible.
Table 1: Performance Impact of MP3 Searching

| Measure | Pre-MP3 searching | Post MP3 searching, first boot | Post MP3 searching, second boot | Post MP3 searching, third boot |
|---|---|---|---|---|
| Boot time (seconds) | 79 | 83 | 156 | 208 |
| Free disk space (bytes) | 2,090,225,664 | 2,048,552,960 | 2,042,458,112 | 1,927,364,608 |
| Available physical memory (KB) | 162,016 | 140,152 | 124,928 | 39,780 |
| Time to load ca.com (seconds) | 6.861 | 9.216 | 12.001 | 16 |
| Popup ads per 5 minutes | 0 | 2 | 6 | 7 |
My first post-infection boot took only a few seconds longer than the clean baseline, but by the third boot the machine took more than two and a half times as long to start. Memory was hit hardest: by the third boot, available physical memory had fallen to roughly a quarter of its pre-test level. Popup ads jumped from 0 before the MP3 search to 2, then 6, and finally a whopping 7 per five-minute period. (Refer to Table 2: The Trickler Effect for more info.) In the end, I had the following spyware on my system: WebBuying, Star Recipe Bar, new trojan downloaders, Internet Speed Monitor, WinAble, QdrPack and AVSystem Care.
Poor Coding
The spyware loaded onto my system via the trojan downloaders was installed without user permission. When software is installed without user permission, the rigors of checking for proper system compatibility are skipped. The trojan downloaders also seemed indiscriminate about what they downloaded, often pulling down conflicting software. For these and other reasons I received a remarkably high number of errors. As shown below, I received no fewer than 8 different errors during testing, often the same one multiple times.
- Windows Script Host error
- Internet Explorer ‘encountering problems and needing closed’
- End Program – Brdr
- “Problems with this Web page might prevent it from being displayed properly or functioning properly…
- gadya.exe has encountered a problem and needs to close
- Run-time error ‘35761’: Request time out
- Microsoft Visual C++ Runtime Library
- iexplorer.exe – Application Error
The Trickler Effect
Prior to searching for free MP3s my system had 1993 MB of storage available, but after downloading a trojan downloader (which subsequently downloaded more downloaders) my storage space was getting squeezed. By the third reboot I was down to 1838 MB. None of the subsequent spyware downloads presented a user interface to me. In other words, after downloading one MP3 that didn’t play, I received a consistent flow of spyware like “Internet Speed Monitor”, “WinAble”, “AVSystem Care” and the others already mentioned. Table 2 shows how, with every reboot, my storage decreased, new programs were installed and my boot time grew longer.
Table 2: The Trickler Effect

| Test | Free disk space (bytes) | New programs | Boot time (seconds) |
|---|---|---|---|
| Post MP3 searching, first boot | 17,057,550,336 | 5 | 83 |
| Post MP3 searching, second boot | 17,038,295,040 | 8 | 156 |
| Post MP3 searching, third boot | 17,038,139,392 | 9 | 208 |
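The comparison behind Tables 1 and 2 can be scripted rather than read off Task Manager and Explorer by hand. What follows is an added example written for this post, not tooling from the original article or from CA: it takes a clean-system baseline snapshot and a post-reboot snapshot and reports how much each metric degraded, which executables are new or were replaced in place, and which autorun entries appeared, the last being what lets a downloader keep trickling after every reboot. Both snapshots are constructed inline; the metric figures are the post's own pre-test and third-boot numbers from Table 1, while every file path, hash input and registry entry is invented for illustration.

```python
"""Baseline-vs-reboot snapshot comparison, the kind of check behind the
"New Programs" and performance columns in Tables 1 and 2.

Added example for this post, not tooling from the original article or from CA.
A real run would collect each snapshot on the test machine (Task Manager and
Explorer figures, a hashed file listing, the Run keys); here both snapshots
are constructed inline.  Metric values are the post's own pre-test and
third-boot numbers; every path, hash input and autorun entry is invented."""
import hashlib


def file_id(contents: bytes) -> str:
    """SHA-256 of a file's contents, used as its identity so a binary that is
    replaced in place (same path, new contents) is still caught."""
    return hashlib.sha256(contents).hexdigest()


RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed clean-system baseline.
BASELINE = {
    "metrics": {"boot_seconds": 79, "free_disk_bytes": 2_090_225_664,
                "avail_mem_kb": 162_016},
    "files": {
        r"C:\WINDOWS\system32\notepad.exe": file_id(b"notepad-v1"),
        r"C:\Program Files\Internet Explorer\iexplore.exe": file_id(b"ie6"),
    },
    "autoruns": {RUN_HKLM + r"\ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
}

# Constructed third-boot snapshot: one new downloader, one new adware program,
# one system binary replaced in place, one new per-user autorun entry.
THIRD_BOOT = {
    "metrics": {"boot_seconds": 208, "free_disk_bytes": 1_927_364_608,
                "avail_mem_kb": 39_780},
    "files": {
        r"C:\WINDOWS\system32\notepad.exe": file_id(b"notepad-v1"),
        r"C:\Program Files\Internet Explorer\iexplore.exe": file_id(b"ie6-modified"),
        r"C:\WINDOWS\system32\tsitra77.exe": file_id(b"downloader"),
        r"C:\Program Files\WinAble\winable.exe": file_id(b"adware"),
    },
    "autoruns": {
        RUN_HKLM + r"\ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
        RUN_HKCU + r"\tsitra": r"C:\WINDOWS\system32\tsitra77.exe",
    },
}

HIGHER_IS_WORSE = {"boot_seconds"}                  # bigger number = worse
LOWER_IS_WORSE = {"free_disk_bytes", "avail_mem_kb"}  # smaller number = worse


def metric_deltas(before: dict, after: dict) -> dict:
    """Return {metric: (before, after, ratio)}; ratio > 1 always means 'worse',
    whichever direction the metric runs."""
    out = {}
    for name, b in before["metrics"].items():
        a = after["metrics"][name]
        if name in HIGHER_IS_WORSE:
            ratio = a / b if b else float("inf")
        else:
            ratio = b / a if a else float("inf")
        out[name] = (b, a, round(ratio, 2))
    return out


def file_changes(before: dict, after: dict) -> dict:
    """New, removed and in-place-modified files by path, using the hash as identity."""
    bf, af = before["files"], after["files"]
    return {
        "new": sorted(p for p in af if p not in bf),
        "removed": sorted(p for p in bf if p not in af),
        "modified": sorted(p for p in af if p in bf and af[p] != bf[p]),
    }


def autorun_changes(before: dict, after: dict) -> dict:
    """Autorun entries that are new or now point somewhere else: this is what
    lets a downloader survive a reboot and keep 'trickling'."""
    ba = before["autoruns"]
    return {k: v for k, v in after["autoruns"].items() if ba.get(k) != v}


def report(before: dict, after: dict, worse_threshold: float = 1.5) -> list:
    """Human-readable lines; a metric is flagged once it is worse_threshold times worse."""
    lines = []
    for name, (b, a, ratio) in metric_deltas(before, after).items():
        flag = "   <-- degraded" if ratio >= worse_threshold else ""
        lines.append(f"{name}: {b:,} -> {a:,} ({ratio}x worse){flag}")
    changes = file_changes(before, after)
    for kind in ("new", "modified", "removed"):
        for path in changes[kind]:
            lines.append(f"{kind} file: {path}")
    for key, cmd in autorun_changes(before, after).items():
        lines.append(f"autorun: {key} -> {cmd}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(BASELINE, THIRD_BOOT)))
```

On a real test box the two snapshots would be collected with the tools listed in the testing notes, and the file hashes taken with a trusted copy of a hashing tool rather than anything on the infected disk; a new Run-key entry pointing at an unfamiliar executable is the first thing to chase, because it is the mechanism that turns one bad download into a fresh batch after every reboot.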
Issues With Uninstallation
- Complicated Uninstallers
- Adware requires downloading an uninstaller
- Adware program names not easily identifiable in Windows Add/Remove
- Uninstallation left crippling system errors
- Executable files were left on system after reboot
- Shortcuts to spyware sites left on desktop
Threat to Confidentiality
All URLs visited, as well as information entered into online forms, were logged and sent to third parties by the different spyware on my system. The net effect of all the spyware installed was that a significant amount of personal data was sent to spyware sites, all behind the scenes and most likely unbeknownst to the typical user. For instance, I used Google to search for the keyword “casino”. I ran a packet capture tool while doing this and, as you can see in Image 2 below, my keyword search was also sent to http://www.findstuff(dot)com. The same information was sent to a variety of other spyware sites, including cpvfeed.meditraffic(dot)com, c.webbuying(dot)net and more. In addition, I observed the following:
- All websites logged and sent to remote server
- All key words entered in search engines logged and sent to remote server
- Banking sites logged
- Web-based email URLs logged
- Destroying or altering system settings
- Desktop littered with shortcuts
Image 2: Personal information sent to unintended address
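The exfiltration that Image 2 shows can be checked for mechanically once the requests are pulled out of the capture. The following is an added example written for this post, not code from the original article or from CA: it walks a session's HTTP requests in capture order, remembers the terms typed into a search engine and the URLs the user navigated to, and flags any request to a different host that carries one of them, either as a whole query value or path segment (search-term leakage) or embedded as a complete URL (visited-URL logging). The request list is constructed: the third-party hostnames are the ones named above, while the search query, the casino site on the reserved .test TLD and the OCSP-style request are invented.

```python
"""Detect search terms and visited URLs leaking to third-party hosts in a
browsing session, the pattern the packet capture above shows.

Added example written for this post, not tooling from the original article or
from CA.  Input is a constructed list of requests in the form
'METHOD host request-target', i.e. the fields one reads off each HTTP request
in a capture.  The third-party hostnames are the ones the post names; the
search query, the casino site (.test TLD) and the OCSP line are invented."""
from urllib.parse import urlsplit, parse_qs, unquote

# Search engines and the query parameter that carries what the user typed.
# Assumption: illustrative list, extend for your environment.
SEARCH_PARAMS = {"www.google.com": "q", "search.yahoo.com": "p"}

# Constructed sample session.  The first two lines are what the user did; the
# findstuff/meditraffic/webbuying lines are what spyware sent behind the scenes;
# the last two are benign traffic that must not be flagged.
SAMPLE_REQUESTS = """\
GET www.google.com /search?q=casino&hl=en
GET www.onlinecasinoexample.test /
GET www.findstuff.com /search.php?kw=casino&aff=1234
GET cpvfeed.meditraffic.com /feed?url=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dcasino%26hl%3Den
GET c.webbuying.net /log?u=http%3A%2F%2Fwww.onlinecasinoexample.test%2F
GET www.ca.com /
GET ocsp.example.test /MEowSDBGMEQwQjAJ
"""


def parse_log(text: str) -> list:
    """Turn 'METHOD host target' lines into request dicts, in capture order."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        method, host, target = line.split(None, 2)
        host = host.lower()
        reqs.append({"method": method, "host": host, "target": target,
                     "url": f"http://{host}{target}"})
    return reqs


def find_leaks(requests: list) -> list:
    """Return (leaking_host, kind, value) triples.

    kind is 'search_term' when a term the user typed into a search engine shows
    up as a whole query value or path segment of a request to another host, and
    'visited_url' when a URL the user navigated to earlier is embedded in one.
    Heuristic: a request that leaks nothing is treated as a user navigation and
    its URL joins the visited list; a leaking request is spyware traffic and
    is not."""
    terms = set()
    visited = []
    leaks = []
    for r in requests:
        parts = urlsplit(r["target"])
        params = parse_qs(parts.query, keep_blank_values=True)  # values are percent-decoded
        if r["host"] in SEARCH_PARAMS:
            for v in params.get(SEARCH_PARAMS[r["host"]], []):
                terms.update(v.lower().split())
            visited.append(r["url"])
            continue
        candidates = [v.lower() for vs in params.values() for v in vs]
        candidates += [unquote(seg).lower() for seg in parts.path.split("/") if seg]
        found = []
        for c in candidates:
            found += [("visited_url", u) for u in visited if u.lower() in c]
            if c in terms:
                found.append(("search_term", c))
        if found:
            leaks += [(r["host"], kind, what) for kind, what in found]
        else:
            visited.append(r["url"])
    return leaks


if __name__ == "__main__":
    for host, kind, what in find_leaks(parse_log(SAMPLE_REQUESTS)):
        print(f"{host}: {kind} -> {what}")
```

Whole-value matching is deliberate: matching the substring "casino" anywhere would flag the user's own visit to a casino site, whereas a third party that receives the term as its own query parameter, or the full Google URL wrapped in a `url=` parameter, is exactly the behaviour the capture above shows. Against a real capture the request lines would come from the HTTP dissector rather than a string constant.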
Conclusion
“Free” MP3 sites serve up a lot more than MP3s. After downloading only one playable MP3, Britney’s “Gimme More”, I was bombarded with a slew of spyware. I repeated this same exercise 3 times and each time was hit with an amazing amount of spyware. System performance nose-dived as the trojan downloaders “trickled” more and more spyware onto my system after every reboot.
Testing notes for Tables 1 and 2:
- Storage Space was the number of bytes of free disk space, as measured by Windows Explorer.
- CPU Usage was that reported by Windows Task Manager.
- Page File Usage was that reported by Windows Task Manager.
- Available Physical Memory was that reported by Windows Task Manager.
- Processes was that reported by Windows Task Manager.
- Boot time was a measure of time elapsed from clicking ‘restart’ until the point Internet Explorer was open and functional
- Time to load ca.com was measured using Ethereal (the packet analyzer now known as Wireshark)
- Popup ads were measured by having both an open and closed browser window over a period of five minutes
By: Benjamin Googins
Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document, Spyware Scorecard, Threat…
6 people have left comments:
Very interesting and informative article. Presents eye-opening facts about something that we all have done at some point: trying to find an mp3 and downloading a program that promises to deliver it. Given the tremendous pain and suffering that such a seemingly innocent act might entail, it’s probably better to pay a dollar a song on iTunes!
Maybe I missed it, but which OS are you using? XP? How about Vista? Is it any better?
Posted by: Ankur | October 31, 2007 6:36 PM
A famous quotation from the The Art of War is ” If you know both yourself and your enemy, you will
Posted by: CA Security Advisor Research Blog | November 1, 2007 10:03 AM
Ankur, I was using Windows XP. I would like to conduct the same test using Vista and a different browser.
Posted by: Benjamin Googins | November 5, 2007 4:54 PM
Very interesting article. I would be interested if the same issues existed with torrent and other p2p sites.
Posted by: Lani | November 27, 2007 6:23 PM
I am just speculating here, but, yes, I would guess something similar exists. That will go on my list of tests to conduct. Thanks. -Ben
Posted by: Benjamin Googins | December 2, 2007 9:04 PM
It has been quite common in recent times that a wide variety of malware has been distributed over the
Posted by: CA Security Advisor Research Blog | January 9, 2008 9:55 AM