The High Cost of Free MP3s

I originally published this blog at http://community.ca.com/blogs/securityadvisor

Published:         October 31 2007, 04:09 PM         by         Benjamin Googins

Free, free, free.  I love free MP3s, how about you?  Yesterday I took a look around some MP3 sites, and what I found startled me.  Instead of freebies, I was hit with loads of spyware.  I repeated my search three different times, visiting different sites on each occasion and my machine getting littered with more adware and spyware each time.

My test was pretty simple.  I picked three key terms – “free”, “mp3” and “site” – and clicked through the results Google returned.  On my first go-round, it took only 5 minutes before my machine was loaded down with spyware – to the point that it could not function.  By booting into Safe Mode (a special diagnostics boot mode) I was able to see the damage.

The “loads of new spyware” I mentioned included: Adloader, AdSense Helper Object, AVP, AVSystem Care, IKatzu IE App, MalwareAlarm, OneStepSearch, PowerAgent, TTC D, WebBuying and WinAble.  Yikes, that is a lot of spyware.  Starting with a computer free of any spyware infection, I tried the same search again and got the same results – loads of spyware.  On my third attempt, before starting, I increased my computer’s memory in hopes of actually finishing my test.

Third Time's a Charm

After doing my same keyword search, I clicked on some popular looking songs and videos like “Britney Spears” and “Angelina Jolie”.  I was able to snag a free Britney track titled “Gimme More”.  Cool.  It seemed to play ok.  I downloaded another MP3 by Wyclef Jean.  I could not play it because “my license information had expired”.  Unfortunately, that wasn’t all I downloaded.

Image 1: Initial Google Search

Using some tracking software, I could see that along with my supposed Wyclef Jean track, I also received a couple of trojan downloaders running with the filenames tsitra77.exe and tsitra1000106.  Once executed, these trojans immediately started downloading spyware like WebBuying and InternetSpeed Monitor.

Shortly after that I started receiving popup ads.  When I opened my browser I had a new toolbar installed.  My homepage was hijacked and other browser settings changed.

After all this, my machine was starting to take a hit, so I stopped browsing for MP3s and sat back to survey the results.  The trojan downloaders kept downloading after reboot; the results are listed below.

Performance Impact

After learning I was infected with a few trojan downloaders, I let my machine sit for 5 minutes or so.  As you can see in Table 1, after the first reboot, my test system’s performance started to degrade.  By the third reboot things got precipitously worse, going from bad to horrible.

Table 1: Performance Impact of MP3 Searching

Measure                               Pre-MP3 Searching   Post, First Boot   Post, Second Boot   Post, Third Boot
Boot Time (seconds)                   79                  83                 156                 208
Free Disk Space (bytes)               2,090,225,664       2,048,552,960      2,042,458,112       1,927,364,608
CPU Usage                             2%                  9%                 19%                 38%
Available Physical Memory (K units)   162016              140152             124928              39780
Processes                             26                  29                 32                  38
Time to load ca.com (seconds)         6.861               9.216              12.001              16
Popup ads/5 minutes                   0                   2                  6                   7

My first post-search reboot took only a few seconds longer than my pre-search boot, but my third reboot took a painful 3 times longer.  My computer’s memory was severely impacted.  By my third reboot, 4 times the amount of memory was being consumed by spyware.  Popup ads jumped from 0 prior to the MP3 search to 2 ads, then 6 and finally a whopping 7 ads per five minute period.  (Refer to Table 2: The Trickler Effect for more info.)  In the end, I had the following spyware on my system: WebBuying, Star Recipe Bar, new trojan downloaders, InternetSpeed Monitor, WinAble, QdrPack, and AVSystem Care.

Poor Coding

The spyware loaded onto my system via the trojan downloaders was installed without user permission.  When software is installed without user permission, the rigors of checking for proper system compatibility are not done.  Also, the trojan downloaders seemed indiscriminate about what was downloaded — often downloading conflicting software.  For these and other reasons I received a remarkably high number of errors.  As shown below, I received no less than 8 different errors during testing, often receiving the same one multiple times.

  • Windows Script Host error
  • Internet Explorer ‘encountering problems and needing closed’
  • End Program – Brdr
  • “Problems with this Web page might prevent it from being displayed properly or functioning properly…”
  • gadya.exe has encountered a problem and needs to close
  • Run-time error ‘35761’: Request time out
  • Microsoft Visual C++ Runtime Library
  • iexplorer.exe – Application Error

The Trickler Effect

Prior to searching for free MP3s my system had 1993 MB of storage available, but after downloading a trojan downloader (which subsequently downloaded more downloaders) my storage space was getting squeezed.  By the third reboot I was down to 1838 MB.  None of the subsequent spyware downloads presented a user interface to me.  In other words, after downloading one MP3 that didn’t play, I received a consistent flow of spyware like “Internet Speed Monitor”, “WinAble”, “AvSystem Care” and others already mentioned.  I show in Table 2 how, with every reboot, my storage decreased, new programs were installed and my boot time was prolonged.

Table 2: The Trickler Effect

Test                                      Free Disk Space (bytes)   New Programs   Boot Time (seconds)
Pre-MP3 Searching                         17,125,023,744            0              79
Post MP3 Searching – After First Boot     17,057,550,336            5              83
Post MP3 Searching – Second Boot          17,038,295,040            8              156
Post MP3 Searching – Third Boot           17,038,139,392            9              208

Issues With Uninstallation

  • Complicated Uninstallers
  • Adware requires downloading an uninstaller
  • Adware program names not easily identifiable in Windows Add/Remove
  • Uninstallation left crippling system errors
  • Executable files were left on system after reboot
  • Shortcuts to spyware sites left on desktop

Threat to Confidentiality

All URLs visited, as well as information entered into online forms, were logged and sent to third parties by the different spyware on my system.  The net effect of all the spyware installed was that a significant amount of personal data was sent to spyware sites, all behind the scenes, and most likely unbeknownst to the typical user.  For instance, I used Google to search for the keyword “casino”.  I used a packet capture tool while doing this and, as you can see in Image 2 below, my keyword search was also sent to http://www.findstuff(dot)com.  The same information was also sent to a variety of other spyware sites like cpvfeed.meditraffic(dot)com, c.webbuying(dot)net and more.  In addition:

  • All websites logged and sent to remote server
  • All key words entered in search engines logged and sent to remote server
  • Banking sites logged
  • Web-based email URLs logged
  • Destroying or altering system settings
  • Desktop littered with shortcuts

Image 2: Personal information sent to unintended address
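The leak shown in Image 2 is easy to confirm from a request log once you know what to look for: take every keyword the user typed into a search engine and flag any other host whose request query carries the same keyword.  The following script is an added example, not part of the original post or of any CA product; the log lines, parameter names (kw, keyword, u, aff, sid) and the assumption that Google’s search term lives in the q parameter are all constructed for illustration, with the hosts taken from the post.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample of captured HTTP requests ("METHOD URL" per line), modelled on
# the post's capture: one Google search, then the same keyword sent to adware hosts.
SAMPLE_LOG = """\
GET http://www.google.com/search?q=casino&hl=en
GET http://www.google.com/images/nav_logo.png
GET http://www.findstuff.com/search.php?kw=casino&aff=1234
GET http://cpvfeed.meditraffic.com/feed?keyword=casino&sid=99
GET http://c.webbuying.net/track?u=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dcasino
GET http://www.ca.com/
"""

# Search engines and the query parameter that carries the typed keywords (assumption).
SEARCH_PARAMS = {"www.google.com": "q"}


def parse_requests(log_text):
    """Return (host, url) pairs for each 'METHOD URL' line of the log."""
    requests = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            requests.append((urlsplit(parts[1]).hostname or "", parts[1]))
    return requests


def search_terms(requests):
    """Collect the keywords the user submitted to a known search engine."""
    terms = set()
    for host, url in requests:
        param = SEARCH_PARAMS.get(host)
        if param:
            for value in parse_qs(urlsplit(url).query).get(param, []):
                terms.add(value.lower())
    return terms


def find_leaks(log_text):
    """Map each search term to the third-party hosts whose requests carried it."""
    requests = parse_requests(log_text)
    leaks = {term: set() for term in search_terms(requests)}
    for host, url in requests:
        if host in SEARCH_PARAMS:
            continue  # the search engine itself is the intended recipient
        # Unquote twice so a whole search URL nested inside another parameter
        # (the webbuying line above) still exposes the keyword.
        haystack = unquote(unquote(urlsplit(url).query)).lower()
        for term in leaks:
            if term in haystack:
                leaks[term].add(host)
    return {term: sorted(hosts) for term, hosts in leaks.items()}
```

Run against a real proxy or packet-capture export, the same check surfaces every host that received a search term besides the engine it was typed into.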

Conclusion

“Free” MP3 sites serve up a lot more than MP3s.  After downloading only one playable MP3, Britney’s “Gimme More”, I was bombarded with a slew of spyware.  I repeated this same exercise 3 times and each time was hit with an amazing amount of spyware.  System performance began to nose-dive as the trojan downloader “trickled” more and more spyware onto my system after every reboot.

Testing notes for Table 2:

  • Storage Space was the number of bytes of free disk space, as measured by Windows Explorer.
  • CPU Usage was that reported by Windows Task Manager.
  • Page File Usage was that reported by Windows Task Manager.
  • Available Physical Memory was that reported by Windows Task Manager.
  • Processes was that reported by Windows Task Manager.
  • Boot time was a measure of time elapsed from clicking ‘restart’ until the point Internet Explorer was open and functional.
  • Time to load ca.com was measured using Ethereal.
  • Popup ads were measured by having both an open and closed browser window over a period of five minutes.

By: Benjamin Googins

Benjamin Googins is a senior engineer working on CA’s Anti-Spyware product. His primary functions include analyzing spyware and privacy breaches, fielding press inquiries, blogging and drafting documents. He has been a significant contributor to the User Permission document, Spyware Scorecard, Threat…

6 people have left comments:

Very interesting and informative article. Presents eye opening facts about something that we all have done at some point: trying to find an mp3 and downloading a program that promises to deliver it. Given the tremendous pain and suffering that such a seemingly innocent act might entail, it’s probably better to pay a dollar a song on iTunes!

Maybe I missed it, but which OS are you using? XP? How about Vista? Is it any better?

Posted by: Ankur | October 31, 2007 6:36 PM

A famous quotation from the The Art of War is ” If you know both yourself and your enemy, you will

Posted by: CA Security Advisor Research Blog | November 1, 2007 10:03 AM

Ankur, I was using Windows XP.  I would like to conduct the same test using Vista and a different browser.

Posted by: Benjamin Googins | November 5, 2007 4:54 PM

Very interesting article.  I would be interested if the same issues existed with torrent and other p2p sites.

Posted by: Lani | November 27, 2007 6:23 PM

Lani,

I am just speculating here, but, yes, I would guess something similar exists.  That will go on my list of tests to conduct.  Thanks. -Ben

Posted by: Benjamin Googins | December 2, 2007 9:04 PM

It has been quite common in recent times that a wide variety of malware has been distributed over the

Posted by: CA Security Advisor Research Blog | January 9, 2008 9:55 AM
