
What’s Hogging my Bandwidth? Part 2 - Analysis

Created: 11 Jun 2010 15:38:44 GMT • Updated: 23 Jan 2014 18:26:59 GMT
John McDonald

Recap

I left off promising to reveal the mysterious application that was consuming my friend Derek’s bandwidth and to figure out how it got on his computer in the first place. Please note that all images from this point on (except one) were not actually taken from Derek’s computer, but instead were captured from a recreation of events using a honeypot computer inside our virus lab, and therefore may not accurately reflect exactly what took place on Derek’s machine.
 
Recalling events

Roughly a week prior to asking for my help, Derek had been surfing the Web, reading blogs, chatting with friends, and checking out some of his favorite sites as usual. That day he came across a video trailer for a movie that had just been released and decided to watch it. After downloading it onto his computer—which, as you might guess, requires a certain amount of patience at 128kbps—he double-clicked on the file to view it. Windows Media Player opened and the movie trailer started playing normally. After a few seconds, however, it suddenly stopped playing and he was presented with a message inside Windows Media Player that told him the media file he was trying to watch was encoded content and could only be played using a specific (but free) media player. It also provided a URL for him to download the player from.

 

 
He who hesitates… might be thankful he did

Well, as Derek could now recall, he really wanted to see the trailer and hey, the media player was free after all. So he opened his Web browser and carefully typed in the URL that was provided. In no time at all Derek had the necessary software downloaded and installed on his computer, and was merrily watching the trailer he had so badly wanted to see.
 
What Derek didn't see, however, was what was going on behind the scenes. The seemingly innocent media player had installed something that Derek most certainly wouldn't have wanted on his computer, free or not. And not only had it installed something else, but unbeknownst to Derek that “something else” was now hard at work communicating with other computers across the Internet.
 
So, just what was all that communication about? Why was the program that had surreptitiously installed itself along with the free media player consuming so much of Derek's scarce bandwidth over the past week? What information could it possibly be transferring—in both directions?
 
The bandit revealed

As I mentioned earlier, it turned out to be one of the processes we saw inside the Task Manager window (to run Task Manager, either press Ctrl+Shift+Esc; or press Ctrl+Alt+Del and on the pop-up box that appears, click Task Manager; or click Start > Run… and in the pop-up box that appears, type taskmgr and click OK) although again, to the untrained eye, it may not have been at all obvious just which processes were out of place.

 

To be fair, Derek’s Task Manager showed more processes than are listed here
 
The process p2control.exe appeared to be the villain. It was also interesting that two instances of the Internet Explorer process (IEXPLORE.EXE) were running, even though no browser windows were open.
 
So what was p2control.exe and what exactly was it doing? A quick look at the list of folders under Program Files showed a folder called P2Control. OK, how about the Start menu? Yes, surprisingly it was there, and even provided the option of uninstalling itself. I can only imagine that these are attempts to appear as a legitimate program. “I’m not trying to hide, so I must be innocent.” That certainly doesn't change the fact that it was unwanted in the first place and was doing some very undesirable things on Derek's machine.
 
Connection city

Here’s a subset of the active connections shot from Derek’s computer again, this time with the true executable name showing and the remote IP address translated into the host name, where available. You can see this on any Windows computer by opening a command prompt (click Start > Run… and in the pop-up box that appears, type cmd.exe and click OK). After the command prompt (a black-looking window) opens, type netstat /? to see the available options. The following output (as before, reformatted for clarity) was generated using netstat -b (b shows the executable; adding n will show IP addresses instead of host names):

Now, here’s a look at some of the active connections on our virus lab machine along with a breakdown of the incoming and outgoing traffic. For this test we set our bandwidth to 128kbps to mimic Derek’s setup and let p2control.exe run for a while:

 

The full list is longer, but you get the idea.

As you can see, p2control.exe was generating a significant number of data streams in both directions. It appeared to be some kind of peer-to-peer (P2P) application, which would certainly tie in with the name of the executable file.
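As an added example (not part of the original post or taken from Derek's machine), the following script parses output in the shape of `netstat -bn` and tallies active connections and distinct remote hosts per executable, which is how a process like p2control.exe stands out from the rest. The sample output, IP addresses and ports are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample shaped like `netstat -bn` output (documentation-range IPs).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:1041      198.51.100.7:80        ESTABLISHED
 [IEXPLORE.EXE]
  TCP    192.168.1.10:1050      203.0.113.5:6881       ESTABLISHED
 [p2control.exe]
  TCP    192.168.1.10:1051      203.0.113.9:4662       ESTABLISHED
 [p2control.exe]
  TCP    192.168.1.10:1052      198.51.100.23:6881     SYN_SENT
 [p2control.exe]
  TCP    192.168.1.10:1053      203.0.113.9:4662       TIME_WAIT
 Can not obtain ownership information
  TCP    192.168.1.10:135       0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
"""

# Connection row: protocol, local address, remote address, optional state.
CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z][A-Z_0-9]*))?")
# Owner row: the executable name in square brackets, printed after its connection.
OWNER = re.compile(r"^\s*\[(.+)\]\s*$")

def connections_by_process(text):
    """Map executable name (lower-cased) -> list of (proto, remote, state)."""
    owners = defaultdict(list)
    pending = None  # connection row still waiting for its [owner] line
    for line in text.splitlines():
        conn, owner = CONN.match(line), OWNER.match(line)
        if conn:
            if pending:  # previous row never got an owner line
                owners["(unknown)"].append(pending)
            pending = (conn.group(1), conn.group(3), conn.group(4) or "")
        elif owner and pending:
            owners[owner.group(1).lower()].append(pending)
            pending = None
    if pending:
        owners["(unknown)"].append(pending)
    return owners

def summarize(text):
    """(exe, active connections, distinct remote IPs), busiest first."""
    rows = []
    for exe, conns in connections_by_process(text).items():
        active = [c for c in conns if c[2] != "LISTENING"]
        remotes = {remote.rsplit(":", 1)[0] for _, remote, _ in active}
        rows.append((exe, len(active), len(remotes)))
    return sorted(rows, key=lambda r: (-r[1], r[0]))
```

To use it on a live machine, save the output of `netstat -bn` from an elevated command prompt to a text file and pass the file's contents to `summarize`.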
 
Straight from the horse’s mouth

To shed some light on just what that traffic was, we went directly to the website that is responsible for p2control and this was the first thing that grabbed our attention:

Image captured from the p2control.com website on April 8, 2010
 
Well, there you have it, right on their front page. "We can generate thousands of downloads of your files, every single day". Yes indeed, Derek can certainly testify to that.
 
So, these people provide a paid service, helping place clients’ files at the top of search results in certain P2P programs in the hope that those files will then be the download of choice by users of those P2P programs. They do this by generating massive numbers of downloads of those files onto the computers of people who have either willingly installed, or in Derek’s case, have been duped into installing the software that makes those downloads (and uploads) possible.
 
On that note, let’s briefly back up a couple of steps to the actual installation process—the one that Derek clicked through at lightning speed so he could get to watch the trailer he was so keen to see. After opening the downloaded installation file, the first thing that appeared was the End User License Agreement (EULA):

 

 
As you can see from the vertical scroll bar on the right side, that’s quite a long document. I won’t repeat the entire agreement here, but not far into it I came across the following:
 
“DO NOT ATTEMPT TO USE A THIRD-PARTY UNINSTALLER OR ANTI-SPYWARE PROGRAM, INCLUDING AUTOMATED SCANS AND REMOVAL SWEEPS.”

Well, it’s not hard to figure out why: the software will probably be flagged as a security risk and removed.
 
Further down the agreement it reads:
 
“1. By accepting these terms and conditions, P2Pcontrol will be installed on your computer. P2Pcontrol will communicate and transmit data using the BitTorrent and eDonkey protocols. P2Pcontrol may connect your computer to any IP-address through the BitTorrent and eDonkey protocols in order to share data and files from C4DL Media to other internet users. P2Pcontrol will not use more than an average of 1kilobit/second of your available bandwidth.”
 
Oh dear, if only Derek had read it. Then again, how many people actually do read EULAs? Either way, nothing that is contained in a EULA provides the right to install malicious files onto a computer.
 
Getting back to the P2Control website, they go on to say:

“Our unique technology allows us to turn any file "popular" as we can make it seem as many other people are downloading the same file.”
 
“Seem” is obviously the key word here. Now, I can understand honest people and businesses wanting to get their websites and software listed at the top of search engine results, but isn’t this a bit like winding your odometer back before advertising your car for sale? In other words, blatant cheating?
 
And is it not then fair to assume malicious software and pirated software alike can also be, and most likely is, being pushed to the top of P2P search results? I find that somewhat ironic, given that the other service P2PControl advertises on their landing page is helping to “limit the abuse” of piracy.
 
But wait, there’s more

So, now we know the What, the Why, and even the How. But what about the Who and the Where? Now that’s where things got even more interesting. There’s an old saying that a leopard can’t change its spots. Not only leopards it seems. The final chapter in this sordid tale of deceit will reveal the group behind this scam. Stay tuned.