15 Apr 2015

Hijacking of Super software from erightsoft.com

Something that I never even grappled with until now was the thought that the open source software that many people download could be a source of potentially unwanted programs (PUPs) distributing adware, malware or even worse.

How wrong I was, and when you think about it, it is a pretty easy thing to do for people with malicious intent.

Open source is by definition developed within a community of individuals, most of whom are only interested in getting picked up by headhunters to get more lucrative programming jobs, or they may just be interested in developing a solution for their own particular special needs.

The problem with these communities is that it is easy for bad seeds to get in.

Much open source software is distributed via other well known platforms; think of CHIP.DE or CNET.COM as two examples. Most of us who visit these sites see no reason not to trust their links, but the fact is that even these sources can be compromised.

Then of course there is sourceforge.net, which is where you can find the original source code for many open source programmes. But how secure is it? That is an open question, by the way, and I would love feedback.

Here is a description of one problem I had with one particular piece of software for video converting, namely SUPER from www.erightsoft.com

SUPER - not this time....

For years I have been using this software which has served me very well for compressing and converting the sometimes large videos produced by Adobe's After Effects and other programmes. I have never had any reason to expect anything wrong with it, although it has to be said that their website is a challenge to browse, and seems to be geared for indirect revenue generation. Still, if you know where to find the hidden download link on the site, you will get the goods.  

My last experience, however, was in another league.

On March 29th 2015 I downloaded an update which I wish I hadn't.

Firstly, the installer deviously got me to accept the download of other software (which I am usually wary of, but sometimes, in a hurry, one clicks on one OK too many).

Once it was downloaded and installed, I noticed that my browsers had been hijacked, and that my computer started reporting KERNEL DATA IMAGE ERRORs, which I had never had before. Upon the self-initiated restart after this error, I got a blue-on-black BIOS screen saying that the boot drive was missing or the boot had failed. Thankfully, upon a hard restart the computer booted up normally.



This error would repeat itself after 5 hours, or when I ran my Ad Aware scans.

I then uninstalled all the little nasties that had installed with SUPER from the programme manager, deleted the directories they were installed to, deleted all the temp files, and deleted strange tasks that had been created. Then I ran MALWAREBYTES, HITMAN and ADWCLEANER, and sure enough lots of little nasty entries came up, which I removed... there were two notable omissions, though, which I shall come to in the next section.
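The "strange tasks" and leftover autoruns mentioned above are the persistence points that bundled installers most often use, and they are easier to review in one listing than by clicking through Task Scheduler. The following PowerShell script is an added example (not code from the original post or from erightsoft) that lists non-Microsoft scheduled tasks with what they execute, the Run keys in all three registry views, and services whose binary lives outside the Windows directory. The cut-off date is an assumption taken from the post (the 29 March 2015 install); everything it prints is a review list, not a verdict.

```powershell
# Added example, not from the original post: enumerate persistence points that
# bundled installers commonly use. Run from an elevated PowerShell prompt.
# The cut-off date is an ASSUMPTION taken from the post; adjust it to your case.
$since = Get-Date '2015-03-29'

# 1. Scheduled tasks registered on or after the install date, with their actions.
#    Microsoft's own tasks live under \Microsoft\ and are excluded from the list.
#    Tasks with no registration date are kept, since that is itself worth a look.
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        $registered = $null
        if ($task.Date) { $registered = [datetime]$task.Date }
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Task       = "$($task.TaskPath)$($task.TaskName)"
                Registered = $registered
                Execute    = $action.Execute
                Arguments  = $action.Arguments
            }
        }
    } |
    Where-Object { -not $_.Registered -or $_.Registered -ge $since } |
    Format-Table -AutoSize

# 2. Autorun values: per-machine (64-bit view), per-machine (32-bit view,
#    which is where 32-bit installers such as SUPER's write), and per-user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $item.GetValue($name)
            }
        }
    }
}

# 3. Services whose executable is not under the Windows directory. Legitimate
#    third-party software shows up here too, so read it as a review list.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notlike "*\Windows\*" } |
    Select-Object Name, StartMode, State, PathName |
    Format-Table -AutoSize
```

Anything in these lists that points at a directory created on the install date, or at a path under a user's AppData or Temp folder, is what to investigate before deleting: removing the task or Run value first, then the files it points at, avoids the clean-up being undone on the next boot.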

For a while after the restart my browsers ran OK, but after a while I noticed these annoying adware tabs coming up in the browsers. Apparently the clean had not been complete, and I also noticed that my computer was still periodically crashing in the way that I mentioned above.

AC3DX.AX and LIBBLURAY.DLL


The only persisting problems which my scanners were reporting (which I didn't remove) were two hidden files in the Windows\SysWOW64 folder which Hitman evaluated as "Suspicious" but not a threat. I was loath to remove them, as they appeared to be system files which Windows might have a problem living without.

I checked both files with virus-total.com, and no flags were raised: none of the 57 antivirus solutions were flagging the files as dangerous.

Upon searching for these files on the internet, it was apparent that they were indeed part of the SUPER installation, but apart from a few badly written blogs claiming they were malicious files, they were for the most part reported as normal.

There were some unusual features, however:
  • The hidden flag was set
  • They were in a system folder
  • There was no author or signature information
Pointing towards their legitimacy was the fact that their file size seemed to tally with what was expected from internet searches.

However, there was one remaining suspicious thing about the files: Hitman reported that they were written at the time that I installed SUPER, which was to be expected, since they seemed to belong to SUPER and were reported on the internet as such. However, upon inspection in the file manager, their "Last Modified Date" was reported as sometime long in the past (2009). This seemed really strange to me, as they had clearly been written during my recent SUPER installation.
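The checks described above (hidden flag, system folder, missing author and signature, file size, and the gap between the creation time and the "Last Modified" time) can be collected in one place. The script below is an added example, not code from the original post or from erightsoft; the two paths are the file names the post gives, and the script assumes nothing about whether they are malicious. It is written for the Windows PowerShell 3.0 that ships with Windows 8, so the SHA-256 hash is computed with .NET rather than with Get-FileHash (which arrived in 4.0). Two points a practitioner would want alongside the post's list: genuine Windows-protected binaries in SysWOW64 are owned by NT SERVICE\TrustedInstaller and carry a valid Microsoft Authenticode signature, which third-party codec files do not; and a modification time years older than the creation time is also what you get when an installer preserves the packaged file's timestamp, so the script reports it as a flag for review, not as proof of tampering.

```powershell
# Added example, not from the original post: triage files a scanner has flagged
# as "suspicious" in a Windows system directory. Paths are the two file names
# given in the post (an ASSUMPTION that they still sit in SysWOW64).
$paths = @(
    "$env:SystemRoot\SysWOW64\ac3DX.ax",
    "$env:SystemRoot\SysWOW64\libbluray.dll"
)

function Get-FileTriage {
    param([string]$Path)

    # -Force is required, otherwise hidden files are not returned at all.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop

    # Authenticode status. Microsoft's own SysWOW64 binaries report "Valid"
    # with a Microsoft signer; "NotSigned" alone only says the vendor did not sign.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Windows-protected files are owned by TrustedInstaller; files dropped by
    # an installer are owned by Administrators or the installing user.
    $owner = (Get-Acl -LiteralPath $Path).Owner

    # LastWriteTime well before CreationTime: either the installer preserved the
    # packaged file's timestamp or the timestamp was altered. Flag for review.
    $mtimeBeforeCtime = $item.LastWriteTime -lt $item.CreationTime.AddDays(-1)

    # SHA-256 via .NET so this also runs on PowerShell 3.0 (no Get-FileHash).
    $sha = [Security.Cryptography.SHA256]::Create()
    $hash = [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($Path))) -replace '-', ''

    [pscustomobject]@{
        Path             = $item.FullName
        Hidden           = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        SizeBytes        = $item.Length
        Created          = $item.CreationTime
        LastWritten      = $item.LastWriteTime
        MtimeBeforeCtime = $mtimeBeforeCtime
        Owner            = $owner
        Signature        = $sig.Status
        Signer           = $signer
        Company          = $item.VersionInfo.CompanyName
        Product          = $item.VersionInfo.ProductName
        SHA256           = $hash
    }
}

foreach ($p in $paths) {
    # [IO.File]::Exists ignores the hidden attribute, unlike a plain directory listing.
    if ([IO.File]::Exists($p)) {
        Get-FileTriage -Path $p | Format-List
    } else {
        Write-Warning "Not present: $p"
    }
}
```

The SHA256 value is the one to paste into VirusTotal's search rather than uploading the file, and it is also what to compare against a copy of the same file taken from a fresh SUPER download: a matching hash settles the "same size as the original" question far more reliably than the size alone.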

Given that I had first experienced problems upon installing the upgraded SUPER, and I figured that they probably weren't central to my computer's operating system (Windows 8), I decided to quarantine them in Hitman.

Then I rebooted.

And then I had a crisis, because Windows rebooted extremely slowly, had no internet function when it did, and I couldn't even open the Control Panel. Windows Explorer seemed to be functioning normally, and non-Office programmes were running (Office 365 needs online authentication), but everything was clearly not right.

Panic stations....

I thought it was time for a complete system restore....

Luckily I kept a cool head, ran MALWAREBYTES (reported 12 nasties), HITMAN (none) and ADWCLEANER (about 8), and rebooted.

Thankfully everything rebooted fine, and after 12 hours of operation I haven't had a single crash, so MAYBE my system is finally cured.

MALWARE CREATORS ARE GETTING MORE DEVIOUS


I know this isn't the most obvious statement to make, but it seems to me that these miscreants are creating malware that can evade the majority of anti-virus scanners. Also, they are obfuscating the modified legitimate files so that they have more or less the same size as the originals that they engineer. I am lucky that Hitman found these damned things; I don't know what they may have been capable of.

My advice: BE CAREFUL DOWNLOADING OPEN SOURCE STUFF AND TRUST NOBODY, EVEN POPULAR DOWNLOADER SITES.

This seems to be a new way for folks with bad intentions to hijack your PC.


Below is a synopsis of the same problem, originally written in German (translated here), for those who might be interested.

 

GERMAN SYNOPSIS (TRANSLATED)




For years I have used the video converter "SUPER" from Erightsoft without problems. The website was always hard to navigate and pumped full of ads, but the software served me well over the years, and I had no problem treating it as "trusted" software.

My latest experience, however, was in a completely different league.

At the end of March (the 29th) I downloaded and installed a new version, and since then I have had nothing but problems with my computer.

Firstly, it downloaded a load of adware that was hard to remove. My browsers were constantly under attack from unwanted browser bars and redirects, and my computer crashed every 2 hours with KERNEL DATA IMAGE ERRORS, and on reboot it even gave me a DEFAULT BOOT DRIVE MISSING error without getting into Windows 8. Fortunately, after switching it off and on again it always booted up normally.

I used MALWAREBYTES, HITMAN and ADWCLEANER, emptied the TEMP folders, and deleted strange tasks (in Task Manager and under Windows Tasks). But at some point the rubbish always came back.

HITMAN always reported 2 files as "Suspicious", but did not classify them as threats. The files were always reported as OK by virus-total.com, but in fact a few of their features were odd. These files were called "ac3DX.ax" and "libbluray.dll" and were located in the Windows/SysWOW64 folder. Since they seemed to be part of the normal installation process for SUPER, I ignored them at first. In fact, though, a few things were odd, e.g. the hidden flag was set, and there was no author or signature. The oddest thing, however, was that Hitman correctly gave the installation date for these files (at the same time as SUPER), but in the file manager the "Last Modified Dates" were far in the past. I was afraid to remove the two files, because they were system files, but at some point I decided to put them into quarantine.

I did that, and on reboot Windows came up extremely slowly, and although I got as far as Windows Explorer, my internet did not work at all, and I could not even get into the Control Panel.

PANIC

I thought everything was wrecked, and that only a complete fresh Windows installation would help.

Fortunately I kept a cool head, ran MALWAREBYTES, HITMAN and ADWCLEANER again, and after the reboot everything is now normal again... for 20 hours I have not had any more crashes either.

I don't know whether it is all over, but so far everything seems to be in order.

The topic of hijacking of open source software had never come to my attention before... but now I know that one has to be more careful, and keep an eye even on downloads from reputable websites. Online research doesn't help much either; mostly these files are reported as harmless and useful, and only sporadically is there information that they can contain trojans etc. VirusTotal gives only negatives, but the scans from almost all of its supplier sites are over 2 months old. The files were evidently also obfuscated so that their size resembled that of the normal files that are available.

So be careful, folks, with SUPER from www.erightsoft.com.