Recap
If you missed Parts I and II of this blog series, you can find them here and here. I finished Part II promising to reveal the organization behind this sorry saga.
Following the trail
The trail really wasn’t very hard to follow. When we looked up some of the IP addresses from the Active Connections listing (in Part II), we found some interesting results:
This one appeared in both lists (along with several other addresses in the same subnet); the list from Derek’s computer and the one from our virus lab machine. It was also the top generator of traffic on our virus lab machine (we didn’t take such stats from Derek’s pc). Doing a lookup using robtex.com on this address tells us it’s hosted in Sweden and at the time of the lookup was blacklisted in three lists:
The big picture
A bit more checking and another of the IP addresses we saw in the active connections list—
—leads us to the source. This time the results from robtex.com were more telling:
67.15.107.164 = p2pcontrol.com, also based in Sweden. Well, no real surprises there, but let’s see what else is hosted in that domain by using the very handy graph-generating capability provided by robtex.com.
Now that gives us the big picture—literally. Not only was one of the hosts listed there the very one that Derek was directed to in order to download the “free” media player, several infamous sites hosting malware were also included. One that certainly stuck out was 3wPlayer.com. It even has its own wiki page - http://en.wikipedia.org/wiki/3wPlayer.
The media player Derek downloaded wasn’t 3wPlayer, but sadly the result was the same. Coincidentally, Symantec has had a write-up for 3wPlayer since July 2007, which the wiki entry quotes from:
“The program may then download a copy of Adware.Lop on to the computer.”
And, I can confirm we did see an Adware.Lop detection during our testing of the 3wPlayer install file downloaded from the p2pcontrol website.
A glimpse inside
I want to keep this story relatively non-technical, so I'll only provide a quick overview of the actual P2P program. When p2control.exe is installed, it creates a series of folders on the compromised computer that mimic the eMule file sharing application (not to be confused with, but related to, the eDonkey network). It adds itself to the Windows registry Run key so it runs automatically when Windows starts. It also adds itself as an authorized application of the Windows Firewall (if Windows Firewall is running in memory), using the INetFwMgr interface. It then downloads several configuration files, including “Server.met,” which contains the server list used by eMule to keep track of the servers it connects to for file sharing. So, p2pcontrol (that is, the actual application as opposed to just the executable file) is effectively emulating a node on the eMule/eDonkey network. Current versions of eMule reportedly also have support for the Kad network.
In short, p2pcontrol is attempting to control which files are downloaded via P2P networks, such as eMule, BitTorrent, and possibly others. As a result, anyone using the eMule and BitTorrent file sharing networks may be exposed to files that have been manipulated by p2pcontrol to appear at the top of their search results.
Wrapping up
I think we’ve probably covered enough to explain the background to Derek’s plight, but let’s quickly join up to one last dot. A further search of the p2pcontrol.com domain, this time the .85 address, returned the following:
The cash4downloads website rang some bells. I knew that Symantec products detected practically everything available for download from their site and a quick check confirmed my suspicion that 3wPlayer was one of the files listed there, along with several others that either charged a usage fee or installed adware. All of this is to allow you to view (compress/archive/etc) files that, before they wrapped their DRM encryption layer around them, were already viewable.
Now that’s quite a notion, so I’ll repeat it here for added emphasis:
To allow you to view files that, before they wrapped their DRM encryption layer around them, were already viewable.
Interesting, to say the least.
So we’ve made a connection between the files Derek came across and known security risks from various web sites on the Internet, including 3Wplayer. But what of the actual company responsible for the events leading up to Derek calling me for help with his bandwidth problem?
No joining of dots required there. We only have to take another look at the EULA:
This End User License Agreement ("Agreement") governs use of Circle Development Ltd.'s ("CiD") software product and related written materials (the "Software") that you are about to install.
Epilogue – what can we learn from this?
So what’s the moral of this rather unfortunate story? To be honest I think it speaks for itself, but my advice to Derek was this: in the future, if the existing media players on his computer aren’t capable of playing the media files he wants to see and prompt him to download an entirely separate player, a new “codec,” a Flash player “update,” or something along those lines, then perhaps he really doesn’t need to see the video that badly after all. Using social engineering tricks such as these is a very common method employed by the creators of security risks and rogue applications to fool people into installing their “warez” and people really need to be cautious about installing software from unknown sources. In Derek’s case, a quick Internet search on the name of the “free media player” would have probably allowed him to avoid the situation he found himself in. I also advised him not to rely solely on antivirus, but to run a comprehensive security suite that includes a secure firewall, intrusion prevention (IPS), and browser protection. Some of these other detection technologies can add protection where antivirus alone may not be able to.
There will always be villains
I rhetorically asked him why, given hundreds of years to learn and a seemingly endless supply of (our) money to use in protecting themselves, banks still get robbed or scammed. (He just grinned and informed me that none of it was his money since he didn’t have any to be robbed of). The basic truth is that there will always be evildoers trying to cheat the system, and through dogged persistence sometimes some of them will succeed. Security companies work 24x7 to protect their customers from those with ill intent, but people should also educate themselves about the potential risks when using a computer on the Internet in order to help make their Internet experience a safer and ultimately more enjoyable one. Computer users can help defend themselves against relentless attacks in their many guises by making informed decisions and using best practices in their daily computing.
I hope this series of articles describing Derek’s bandwidth-challenging experience has been entertaining, but more importantly, has provided food for thought. If there is even a single reader who has learned something from it, then it was well worth writing. Safe surfing everyone.
A special thanks to Irfan Asrar for his help researching this story.