Ads for x-ware on noscript site?

HappyNoScriptUser
Posts: 18
Joined: Fri May 23, 2014 5:07 pm

Ads for x-ware on noscript site?

Post by HappyNoScriptUser »

When I started Firefox today, I got an extra tab that showed that NoScript was updated to 2.6.8.42rc1
Image

Usually I only close those, but this time I saw the ad showing the text
We Recommend: Click for better video performance

When using Firefox's Inspector, I found out that this was in an IFRAME:
Image

Although I am very happy with the setup I have for playing videos:
normal (2D) videos: a combination of CCCP (MPC-HC, LAV filters, Haali Splitter, VSFilter), ffdshow-tryouts, SmoothVideo Project;
stereo (3D) videos: NVIDIA 3D Vision 2 & ASUS VG278H, and either 3dtv.at's Stereoscopic Player (for mkv's) or Cyberlink PowerDVD (for ISO's)
- I was curious about what type of thing those smart guys responsible for InformAction / NoScript / FlashGot would recommend!

So, I clicked the link..
Image
..which led me to a page with this URL:
Image
Image

..and then I clicked on the big, green "Free Download" button, with the link
Image
HappyNoScriptUser
Posts: 18
Joined: Fri May 23, 2014 5:07 pm

Re: Ads for x-ware on noscript site?

Post by HappyNoScriptUser »

..which led me to a page with this URL:
Image
Image

..which immediately wanted me to download this URL:
Image

..which, when saved, became a file called FlvPlayerSetup.exe
Image

I ran it through HashMyFiles, with the results being
a649593cb2725aa2af6f2d2152381c78 - MD5
083b80f0b181020b1d6705ac3419d97c94f728fa - SHA1
f573eaa6755779582f3d1f94198f0ab1d418314fa76a627d3a6419b8e4bd021a - SHA-256
Image

- but none of these hashes gave me any results when searching on Google.
HappyNoScriptUser
Posts: 18
Joined: Fri May 23, 2014 5:07 pm

Re: Ads for x-ware on noscript site?

Post by HappyNoScriptUser »

A quick view in PE Explorer showed the BSS section, indicating that this was Borland Pascal / Delphi,
and by looking at the DATA section I confirmed that this was indeed Inno Setup.
Image

However, using innounp.exe to try to unpack it gave me only two small files:
Image

1) a file called "Faro"
Image
- which was a 4,486-byte file with between 137 and 180 instances of each of the characters from "a" to "y",
and 443 instances of 0x20 (space)

2) the 845-byte install_script.iss Inno Setup script file.
Image

When I opened the file in a hex editor, it became apparent why only those two files were possible to unpack.

Whereas in a normal Inno Setup file, one has first the "program" which contains the logic, and a ZLIB / LZMA unpacker,
then after that, there is just one large ZLIB / LZMA compressed "data" section, which goes on until the end of the file.
(Except if the file is signed, then there are a few kB at the very end, containing certificates.)
Since an inherent property of compressed files is an even distribution of byte values,
it is easy to spot this when looking at the structure - it is similar to noise.
Here is first a normal Inno Setup file that shows this:
Image

But then there is the FlvPlayerSetup.exe...:

Image

As you see, the "noise" only goes on for a short range; after that there are clear patterns showing,
clear evidence that those bytes are not compressed, and therefore not a part of the ZLIB section.

Although a disassembly of the file might show what those other bytes are used for,
there is in fact another way of getting to them - that is running the file.
When it is run, it will load those bytes into memory, and then one could look at them there.

However, the very idea of "hiding data" is something that gives me a feeling of distrust.
I simply do not trust this file, so I will not run it on my own pc.
Instead, I upload it to several malware analysis sites, and let them run it,
and then look at the results they give me.
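The byte-distribution check described in the post above, as an added example (not code from the post or from any of the tools it names): a Python script that computes Shannon entropy per fixed-size window and groups windows into "noise" (compressed-looking) and structured runs. The sample file layout (header, then a uniform blob, then patterned trailing data), the window size and the 7.0-bit threshold are assumptions.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = 512):
    """Entropy of each consecutive window, as (offset, entropy) pairs."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def find_noise_regions(data: bytes, window: int = 512, threshold: float = 7.0):
    """Merge consecutive windows into (start, end, is_noise) runs.
    is_noise is True where entropy >= threshold, i.e. what looks compressed or
    encrypted; a structured run after a noise run is the pattern the post describes."""
    regions = []
    for off, h in entropy_profile(data, window):
        noisy = h >= threshold
        end = min(off + window, len(data))
        if regions and regions[-1][2] == noisy:
            regions[-1] = (regions[-1][0], end, noisy)
        else:
            regions.append((off, end, noisy))
    return regions


def build_sample() -> bytes:
    """Constructed stand-in for the installer layout in the post (not real data):
    a structured header, a compressed-looking blob, then plain appended data."""
    rng = random.Random(1234)  # seeded so the output is reproducible
    header = (b"InnoSetupLdr" + b"\x00" * 20) * 48          # 1536 bytes, low entropy
    blob = bytes(rng.randrange(256) for _ in range(4096))    # uniform, like LZMA output
    tail = b"Faro abcdefghijklmnopqrstuvwxy " * 100          # patterned, like the extra bytes
    return header + blob + tail


if __name__ == "__main__":
    for start, end, noisy in find_noise_regions(build_sample()):
        kind = "noise (compressed?)" if noisy else "structured"
        print(f"{start:#08x}-{end:#08x}  {kind}")
```

On a real file, read it with `open(path, "rb").read()` in place of `build_sample()`; a structured run that follows the noise run is where to start looking.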
HappyNoScriptUser
Posts: 18
Joined: Fri May 23, 2014 5:07 pm

Re: Ads for x-ware on noscript site?

Post by HappyNoScriptUser »

But first, there is one other thing:
PE Explorer shows that this file is signed;
that Comodo Code Signing CA 2 has issued a certificate to a company called "Bestop-app" located in Tel-Aviv, IL.
Image

Now, I think the reason why the MD5 / SHA1 / SHA-256 hash searches came up with nothing
is that the .exe file is being auto-generated at the time of download,
and filled with some random data to make each downloaded .exe unique
- maybe just to make sure that it does not match any known hashes.
Or maybe - if the random data is in fact based upon a cookie value -
it is also to make sure the installer .exe will only run properly on the same PC that requested the download..

A search for "Bestopp-app" however..
Image
..indeed gives several results.
Several of them indicate that this is ..not very good software.

The second result, with the URL
Image
classifies this as "Adware", based on the fact that 11/68 scanners came up with "something"
Image
Last edited by HappyNoScriptUser on Sat Sep 20, 2014 9:43 pm, edited 1 time in total.
HappyNoScriptUser
Posts: 18
Joined: Fri May 23, 2014 5:07 pm

Re: Ads for x-ware on noscript site?

Post by HappyNoScriptUser »

So, I first started with good, old VirusTotal.
By pasting in the last URL I got, the one which actually downloaded the file from freestockyard..
Image

..I first got a result showing that 2 / 58 engines judged the site itself to be a "Malware site"
Image
Image

..then, when clicking the URL for downloaded file analysis
Image
Image
..I first got a confirmation on the theory that the .exe file is indeed auto-generated whenever a new download is requested,
seeing how the same URL gave VirusTotal a different "FlvPlayerSetup.exe" with a different SHA-256 hash:

f573eaa6755779582f3d1f94198f0ab1d418314fa76a627d3a6419b8e4bd021a - the SHA-256 hash that my "FlvPlayerSetup.exe" file had
615caceecfbe52e41216279fcc5cc762a9a22d793eeecb7ab3e3f16404419851 - the SHA-256 hash that VirusTotal's "FlvPlayerSetup.exe" file had

Then, it is apparent that several of the scanner engines agree that this is an "InstallCore" installer,
which Wikipedia says is a product of the company ironSource, located in Tel-Aviv, IL
- which seems to be very true, given the "Bestop-app" code signing certificate and all.
So, not Inno Setup, but an "Inno Setup-like" installer, then.

I uploaded the actual .exe file that I downloaded to an analysis site that runs such files in a VM environment and gives very detailed reports.
However, for this particular file, the site was not able to run it properly; it stopped after a while, coming up with the error message
"The setup files are corrupted. Please obtain a new copy of the program."
Image

Maybe the reason for this was that this .exe file was auto-generated using some cookie or other ID that is unique to my PC,
so that it will only run properly on my PC.
Unfortunately, that site does not have an option to enter a URL and have the file downloaded.
So - apart from disassembling it, which I find too time-consuming for this thing - this is as far as I can get unless I actually run the file myself.
And I am not that curious - all indications so far tell me that this is software that I would not like to use.

To summarize - I wonder, is this software really that good that it is worthy of the tag "We Recommend:" from the revered NoScript developers..?

My guess is that the "Please, do NOT download this:" or a similar tag might generate at least as many clicks, if not more,
and then you wouldn't have to ..twist the truth so much? :)
therube
Ambassador
Posts: 7924
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Ads for x-ware on noscript site?

Post by therube »

> hash searches came up with nothing, was because the .exe file is being auto-generated, at the time of download

Very possible.
For me (& since the [particular] site & file are no longer available), a name/size search was more fruitful & turned up the same sites as your "Bestopp-app" search.

> Several of them which indicates that this is ..not very good software.

To say the least.

Good analysis.


PS: Universal Extractor.
It's old, but still very useful.
You can update the apps in its /bin/ directory; TrIDDefs.TRD, UnRAR.exe, 7z.dll, 7z.exe, innounp.exe, upx.exe - whatever else might happen to update from time to time.
There are "newer" versions about. I think originally on some .ru website, now maybe on sourceforge or somewhere, but I've never messed with them.
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Ads for x-ware on noscript site?

Post by dhouwn »

BTW, 7-zip can now also unpack some setup formats.
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Ads for x-ware on noscript site?

Post by Giorgio Maone »

I cannot believe I completely missed this thread, sorry :(

I had already removed FLV Player (which in theory was a very good fit for FlashGot) from my direct advertising channel years ago, when I could verify by myself its malicious behavior.

The guys at delivery49 (formerly "After Download") apparently sneaked it back, even though I had repeatedly submitted them a blacklist of software which they should never advertise on my websites (or elsewhere, for that matter) and requested them to preemptively submit new additions for my approval.

Since they failed on both accounts, I've just outright removed their banners from all my web properties.

I deeply regret I didn't notice it earlier, since they serve different content to different users by using geo IP localization and (if you allow them) cookies, so I never got to see anything wrong. This just makes me even madder :evil: