Thursday, January 03, 2008

Zango's in your Face(book)

The Zangonistas are at it again, this time deftly disguising their "software" as a Facebook Widget. Fortinet, who discovered the issue, discusses the "Secret Crush" widget at length, so no need to repeat their extensive effort.
Instead, I'd like to offer a bit of analysis, then invoke a debate.


I ran Setup.exe, as found in hxxp://, through the analysis mill and I think the evidence speaks for itself.
IMPORTANT NOTE FOR YOUR CONSIDERATION: All of the following occurs BEFORE you accept the EULA.

IPs called: Zango Zango Zango Zango


Registy Keys:
softwareurl: %s, registry: %s
The software you are trying to install does not yet support Windows Vista@.
The software you are trying to install does not support your operating system.
Anti-virus and firewall applications can interfere with this and other software installation programs.
You may want to temporarily disable these applications during software installation.
HKEY_LOCAL_MACHINE\software\microsoft\Internet Explorer\ActiveX Compatibility

API Log (edited for brevity, but oh so interesting):
416a68 LoadLibraryA(crypt32.dll)=762c0000
762ec91d RegOpenKeyExA (HKLM\Software\Microsoft\Cryptography\OID)
77ddecaf RegOpenKeyExA (SOFTWARE\Microsoft\Cryptography\Providers\Type 001)
77dded3f RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001)
77ddee3b RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider)
77ddf4b3 ReadFile()
77e6ce44 CreateFileA(C:\WINDOWS\System32\rsaenh.dll)
ffeb87e ReadFile()
77ddf43f LoadLibraryA(C:\WINDOWS\System32\rsaenh.dll)=ffd0000
ffe8206 RegOpenKeyExA (HKLM\Software\Microsoft\Cryptography)
ffeb11f RegOpenKeyExA (HKLM\Software\Microsoft\Cryptography\Offload)
762ec6c4 RegOpenKeyExA (CryptDllFindOIDInfo)

What are we encrypting and offloading? Hmm?

719546f9 LoadLibraryA(UxTheme.dll)=5ad70000
41996b RegOpenKeyExA (HKLM\SOFTWARE\WindUpdates)
4195f3 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Winad Client)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows SyncroAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Win Comm)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows AdTools)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows AdControl)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows TaskAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows AdService)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows ControlAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows ServeAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Admilli Service)
41996b RegOpenKeyExA (HKLM\SOFTWARE\DeskAd Service)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Admanager Controller)
41996b RegOpenKeyExA (HKLM\SOFTWARE\AdStatus Service)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows AdStatus)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows FormatAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\AdTools Service)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Preview AdService)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Media Pass)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Media Access)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Media Gateway)
41996b RegOpenKeyExA (HKLM\SOFTWARE\MediaGateway)

Wait a minute...I haven't accepted the EULA yet!
Let's discuss.


You know my opinion, I think Zango's offerings are spyware, I always have and I always will. They'd prefer their products be referred to as adware and that they're harmless. I have debated this issue with them in person (perfectly nice people, but analysis supplants personality), and they would argue that, because their software only installs with the explicit consent of the enduser, it can't be labeled as spyware. To which I say, if it calls home, reports behavior, and shapes a response based on said behavior, it's spyware, EULA or not. Round and round we go, where we stop, no one knows. The searches define:spyware and define:adware will provide impetus for the debate.
If a user knowingly installs a widget or a piece of software with a EULA that describes it behavior, can it objectively be called spyware or malicious?
Comments welcome. Cheers.

Zango's in your Face(book) at Digg Zango's in your Face(book)

No comments:

Moving blog to

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...