The Rogue Google Toolbar: History and Variants

by Chris Boyd

Date: October 12. 2005

Introduction

There is currently a browser hijacker in circulation which installs a fake Google Toolbar, hijacking the HOSTS file to redirect most Google domains and placing a homepage hijacker in the Temporary Internet Files folder, from which an Internet Explorer based search engine claims to be powered by Google. The bundle also includes a rogue antispyware tool, called ?World Antispy?.

However ? this attack, viewed out of context, does not build up a sufficient picture of the tactics / techniques used by the group responsible for the install. A press release by Panda Antivirus has covered the main features of this install here, and they had previously discovered an earlier version of this hijacker in April. Sunbelt Software also found a variant some weeks ago. But the group behind this has actually been trying to exploit Google since 2003.

Through systematic research, FaceTime Security Labs have found that there are three distinct versions of this attack, each one exploiting different security vulnerabilities and installing a different payload. Here is a HJT log from September 14^th, 2003. Note the Google HOSTS file hijack. Here is a discussion thread that contains the same HOSTS file hijack, from even further back ? July 9^th, 2003. Finally, here is one more discussion of this infection technique from September 26^th, 2003.

The timeline should actually look something like this (taking into account the various elements of each installer):

July / September 2003: The attack begins with a similar install process to what we have now ? HOSTS file redirect, and a fake toolbar, made by an uknown third-party. There are no versions of this installer in the wild, from the research done on this particular file. Most likely, it has been long since abandoned by the creators.

March / May 2005: Bootpd.exe file found.

This file was UPX packed, and had the contents of the HOSTS file hijack hard coded into it. In addition, it added a ?Google? folder though it is unclear when looking from forensic logs at the time if the fake Google toolbar was included. Bootpd.exe seems to reside in the ?Google? folder from the majority of the logs examined, so this would seem to suggest no fake toolbar in this installer. Premiumsearch is still the eventual destination of the hijacked end-user, although this version of the exploit includes an uninstaller for the Bootpd.exe file, called ?Easysearch?. Numerous HJT logs from that time would suggest the uninstaller did not work, hence the numerous pleas for assistance on security forums.

Present day: The install seems to borrow elements of a CWS exploit, where the initial Perfhost page that begins the install calls a Windows Help File. This help file then launches the install, as long as the end-user allows apisvc.exe to run. Once this happens, the full install is launched and the HOSTS file hijack is inserted, the fake toolbar appears upon reboot and the antispyware program known as ?World Antispy? launches at boot up.

At all stages, the same (or similar) IP addresses are used for the HOSTS file hijack.

Atypical Attack Vector?

As has been noted, the Perfhost page does not hold any content to make the user want to click on things and become infected ? there is no hook. This suggests that at least some of the installs are happening via alternative routes such as Instant Messaging and IRC. This deduction can be made through the following clues:

1) Most (if not all) AIM / Instant Messaging Trojans / virus attacks only need a blank ?Placeholder? page, as the infection does not depend upon users clicking adverts, interacting with banners or agreeing to software. The initial install method usually relies upon clicking a link to the infection in the instant messaging software, using a variety of tricks and crude social engineering. The fact that this site seems to have been installing the rogue files for some time, coupled with the fact that the site still has no usable content on it to draw end-users in, is consistent with a non-webpage based attack vector. (For an example of this see Porter/Hertsens "Anatomy of a Drive-by Install- Even on Firefox" noting the tactics employed by the rogue Spazbox. IRC network.)

2) The file that asks for permission to run, apisvc.exe, is part of the Lamebot Trojan, which commonly spreads through IRC / AIM. If this file is denied permission, the install does not seem to complete.

3) The exploit contains a .CHM ? a windows help file. These files have been used for a long time in online exploits, and they are best implemented when not combined with a standard drive-by install. Hence, they are commonly seen in IRC hijacks, Instant Messaging and also sent via email. It is from the .CHM that the file apisvc.exe attempts to run, and many victims of these attacks have the following line in their HJT logs:

The exploit allows executable files to be downloaded and run in the background without user intervention. Employing a malformed CLSID parameter, the .EXE is allowed to run on the end-user's machine.

Compare the above with this .CHM exploit from February 19^th, 2004.

Viewing the source of the .CHM file in the latest Google exploit reveals the following:

Compare the CLSID to that of the entry taken from a victim's log above ? they are identical. And that CLSID is flagged as Win32:Mhtplo-27 [Trj] by Avast Antivirus, though there is no additional information for it.

More connections to Instant Messaging

The below is a screenshot from the real Google Toolbar. The feature highlighted is the ability to store your credit card details for future use:

The below is a screenshot of an install covered on Vitalsecurity.org from July 5^th, 2005. The install is a bundle from iowrestling.com, and the installs on this site included multiple install agreements from Much Media, KVM Media, Pacerd Ltd and Bluetide Software. Because of this, and the fact that many of these installers appeared side by side and also auto-installed, it is very difficult to pinpoint what software came from which distribution. Though the distributors may not have created the content in the bundle, there is a strange feature of this package:



You can just see the toolbar on the screenshot, just underneath the URL bar. None of the Toolbar elements appeared to function, including the ?Enable pornographic ads? button and the search feature; however, the generic, unbranded toolbar had a ?save your credit card details? section which is almost identical to the Google Toolbar. This feature was fully functional.

In July / August, there was a rash of IM-specific files which delivered a massive payload of advertising software. Some of these files were traced back to a group (or groups) of videogame-hacking teenagers, and the files were analyzed here and here.

The below screenshots show two of the installs in progress, and you can see the same toolbar included in the bundles (highlighted for clarity):

1) Shot taken from IM bundle that includes Aurora:



2) Shot taken from IM Adware bundle:



At the time of the installs, no further information was available for this toolbar with regards who created it, where it came from or why it was there. The only feature that seemed functional in all these cases was the ability to store credit card details.

Summary

Though an element of guesswork is necessary when attempting to contextualize installs from different times, locations and sources, the evidence presented above is clear proof of the connection between these files and Instant Messaging ? or (at the very least), a method of entry other than webpage-based drive-bys. This researcher has had one unconfirmed report of an install through Instant Messaging already, from a trusted spyware analyst. The interesting part of this case is that the IM-Adware bundles were part of an incredibly elaborate and well executed plan, and it is doubtful that the low skilled hackers alone could have masterminded this scenario from start to finish. Add to this the fact that the toolbar with the same elements as the real Google Toolbar were included in many of the IM-Adware bundles, and we have another direction in which to look for the persons responsible for this installer.

For analysis of the suspected origins of this attack, please visit this link - the Dissection of the Rogue Google Toolbar by Chris Chriswell and Wayne Porter.

This article is copyright 2005 by XBlock.com.
It may not be reprinted or copied without the express written consent of the author.

Related Articles

• Dissection of Rogue Google Toolbar Payload

Read other articles (back to full list)