The Zangonistas are at it again, this time deftly disguising their "software" as a Facebook Widget. Fortinet, who discovered the issue, discusses the "Secret Crush" widget at length, so no need to repeat their extensive effort.
Instead, I'd like to offer a bit of analysis, then invoke a debate.
ANALYSIS
I ran Setup.exe, as found in hxxp://static.zangocash.com/Setup/46/Zango/Setup.exe, through the analysis mill and I think the evidence speaks for itself.
IMPORTANT NOTE FOR YOUR CONSIDERATION: All of the following occurs BEFORE you accept the EULA.
IPs called:
66.150.14.74 Zango
66.150.14.65 Zango
66.150.14.61 Zango
64.94.137.72 Zango
URLs:
http://installs.zango.com/downloads/valueadd/SRS/UCI/R1/seekmo.html
http://installs.zango.com/downloads/valueadd/SRS/UCI/R1/zango.html
http://installs.zango.com/downloads/valueadd/SRS/Installer/2.0.26/R1/Installer.exe
http://static.zangocash.com/Setup/Update/
http://public.zangocash.com/php/rpc_uci.php
http://te.seekmo.com/TrackedEvent.aspx
http://te1.zango.com/te.aspx
Registy Keys:
HKEY_CURRENT_USER\Software\ZangoInstall
HKEY_CURRENT_USER\Software\ZangoDebugSettings
softwaredistributionfaild
HKEY_LOCAL_MACHINE\Software\MediaGateway
SoftwareList
hkey_local_machine\software\seekmo
hkey_local_machine\software\zango
softwareurl: %s, registry: %s
GetSoftwareList
The software you are trying to install does not yet support Windows Vista@.
The software you are trying to install does not support your operating system.
Anti-virus and firewall applications can interfere with this and other software installation programs.
You may want to temporarily disable these applications during software installation.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
HKEY_LOCAL_MACHINE\software\Mozilla\
HKEY_CURRENT_USER\Software\
HKEY_LOCAL_MACHINE\Software\
Software\Microsoft
softwarecount=%d&retrycount=%d&reason=%s
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\
HKEY_LOCAL_MACHINE\software\microsoft\Internet Explorer\ActiveX Compatibility
Software
API Log (edited for brevity, but oh so interesting):
416a68 LoadLibraryA(crypt32.dll)=762c0000
762ec91d RegOpenKeyExA (HKLM\Software\Microsoft\Cryptography\OID)
77ddecaf RegOpenKeyExA (SOFTWARE\Microsoft\Cryptography\Providers\Type 001)
77dded3f RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001)
77ddee3b RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider)
77ddf4b3 ReadFile()
77e6ce44 CreateFileA(C:\WINDOWS\System32\rsaenh.dll)
ffeb87e ReadFile()
77ddf43f LoadLibraryA(C:\WINDOWS\System32\rsaenh.dll)=ffd0000
ffe8206 RegOpenKeyExA (HKLM\Software\Microsoft\Cryptography)
ffeb11f RegOpenKeyExA (HKLM\Software\Microsoft\Cryptography\Offload)
762ec6c4 RegOpenKeyExA (CryptDllFindOIDInfo)
What are we encrypting and offloading? Hmm?
719546f9 LoadLibraryA(UxTheme.dll)=5ad70000
41996b RegOpenKeyExA (HKLM\SOFTWARE\WindUpdates)
4195f3 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Winad Client)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows SyncroAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Win Comm)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows AdTools)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows AdControl)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows TaskAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows AdService)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows ControlAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows ServeAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Admilli Service)
41996b RegOpenKeyExA (HKLM\SOFTWARE\DeskAd Service)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Admanager Controller)
41996b RegOpenKeyExA (HKLM\SOFTWARE\AdStatus Service)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows AdStatus)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Windows FormatAd)
41996b RegOpenKeyExA (HKLM\SOFTWARE\AdTools Service)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Preview AdService)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Media Pass)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Media Access)
41996b RegOpenKeyExA (HKLM\SOFTWARE\Media Gateway)
41996b RegOpenKeyExA (HKLM\SOFTWARE\MediaGateway)
Wait a minute...I haven't accepted the EULA yet!
Let's discuss.
DEBATE
You know my opinion, I think Zango's offerings are spyware, I always have and I always will. They'd prefer their products be referred to as adware and that they're harmless. I have debated this issue with them in person (perfectly nice people, but analysis supplants personality), and they would argue that, because their software only installs with the explicit consent of the enduser, it can't be labeled as spyware. To which I say, if it calls home, reports behavior, and shapes a response based on said behavior, it's spyware, EULA or not. Round and round we go, where we stop, no one knows. The searches define:spyware and define:adware will provide impetus for the debate.
If a user knowingly installs a widget or a piece of software with a EULA that describes it behavior, can it objectively be called spyware or malicious?
Comments welcome. Cheers.
Subscribe to:
Post Comments (Atom)
Moving blog to HolisticInfoSec.io
toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...
-
Continuing where we left off in The HELK vs APTSimulator - Part 1 , I will focus our attention on additional, useful HELK features to ...
-
As you weigh how best to improve your organization's digital forensics and incident response (DFIR) capabilities heading into 2017, cons...
-
Ladies and gentlemen, for our main attraction, I give you...The HELK vs APTSimulator, in a Death Battle! The late, great Randy "Macho...
No comments:
Post a Comment