Ads for x-ware on noscript site?

[HappyNoScriptUser]

When I started Firefox today, I got an extra tab that showed that NoScript was updated to 2.6.8.42rc1


Usually I only close those, but this time I saw the ad showing the text
We Recommend: Click for better video performance

When using Firefox's Inspector, I found out that this was in an IFRAME:


Although I am very happy with the setup I have for playing videos;
normal (2D) videos: a combination of CCCP (MPC-HC, LAV filters, Haali Splitter, VSFilter), ffdhow-tryouts, SmoothVideo Project,
stereo (3D) videos: NVIDIA 3D Vision 2 & ASUS VG278H, and either 3dtv.at's Stereoscopic Player (for mkv's) or Cyberlink PowerDVD (for ISO's)
- I was curious about what type of thing those smart guys responsible for InformAction / NoScript / FlashGot would recommend!

So, I clicked the link..

..which led me to a page with this URL:



..and then I clicked on the big, green "Free Download" button, with the link

[HappyNoScriptUser]

..which led me to a page with this URL:



..which immediately wanted to me to download this URL:


..which, when saved, became a file called FlvPlayerSetup.exe


I ran it through HashMyFiles, with the results being
a649593cb2725aa2af6f2d2152381c78 - MD5
083b80f0b181020b1d6705ac3419d97c94f728fa - SHA1
f573eaa6755779582f3d1f94198f0ab1d418314fa76a627d3a6419b8e4bd021a - SHA-256


- but none of these hashes gave me any results when searching on Google.

[HappyNoScriptUser]

A quick view in PE Explorer showed the BSS section, indicating that this was Borland Pascal / Delphi,
and by looking at the DATA section I confirmed that this was indeed Inno Setup.


However, using innounp.exe to try to unpack it, gave me only two small files;


1) a file called "Faro"

- which was a 4,486 bytes file with between 137 and 180 instances of each of the characters from "a" to "y",
and 443 instances of 0x20h (spacebar)

2) the 845 bytes large install_script.iss Inno Setup Script file,


When I opened the file in a hex editor, it became apparent why only those two files were possible to unpack.

Whereas in a normal Inno Setup file, one have first the "program" which contains the logic, and a ZLIB / LZMA unpacker,
then after that, there is just one large ZLIB / LZMA compressed "data" section, which goes on until the end of the file.
(Except if the file is signed, then there are a few kB's at the very end, containing certificates.)
Since a inherent property of compressed file are even distribution of byte values,
it is easy to spot this when looking at the structure - it is similar to noise.
Here is first a normal Inno Setup file that shows this:


But then there is the FlvPlayerSetup.exe...:



As you see, the "noise" only goes on for a short range, then after that there are clear patterns that are showing,
a clear evidence that those bytes are not compressed, and therefore not a part of the ZLIB section.

Although a disassembly of the file might show what those other bytes are used for,
there is in fact another way of getting to them - that is running the file.
When it is run, it will load those bytes into memory, and then one could look at them there.

However, the very idea of "hiding data" is something that gives me a feeling of distrust.
I simply do not trust this file, so I will not run it on my own pc.
Instead, I upload it to several malware analysis sites, and let them run it,
and then look at the results they give me.

[HappyNoScriptUser]

But first, there is one other thing:
PE Explorer shows that this file is signed;
that Comodo Code Signing CA 2 has issued a certificate to a company called "Bestop-app" located in Tel-Aviv, IL.


Now, I think the reason why the MD5 / SHA1 / SHA-256 hash searches came up with nothing,
was because the .exe file is being auto-generated, at the time of download,
and it fills it with some random data, to make each downloaded .exe unique
- maybe just to make sure that it does not match any known hashes.
Or maybe - if the random data is in fact based upon a cookie value,
it is also to make sure the installer .exe will only run properly on the same PC that requested the download..

A search for "Bestopp-app" however..

..indeed gives several results.
Several of them which indicicates that this is ..not very good software.

The second result, with the URL

classifies this as "Adware", based on the fact that 11/68 scanners came up with "something"

[HappyNoScriptUser]

So, I first started with good, old VirusTotal.
By pasting in the last URL I got, the one which actually downloaded the file from freestockyard..


..I first got a result that showed that 2 / 58 engines meant the site itself was "Malware site"



..then, when clicking the URL for downloaded file analysis


..I first got a confirmation on the theory that the .exe file is indeed auto-generated whenever a new download is requested,
seeing how the same URL gave VirusTotal a different "FlvPlayerSetup.exe" with a different SHA-256 hash:

f573eaa6755779582f3d1f94198f0ab1d418314fa76a627d3a6419b8e4bd021a - the SHA-256 hash that my "FlvPlayerSetup.exe" file had
615caceecfbe52e41216279fcc5cc762a9a22d793eeecb7ab3e3f16404419851 - the SHA-256 hash that VirusTotal's "FlvPlayerSetup.exe" file had

Then, it is apparent that several of the scanner engines agrees upon that this is an "InstallCore" installer,
which Wikipedia tells is a product of the company ironSource, located in Tel-Aviv, IL
- which seems to be very true, given the "Bestop-app" code signing certificate and all.
So, not Inno Setup, but an "Inno Setup-like" installer, then.

I uploaded the actual .exe file that I downloaded to an analyzing site who runs such files in a VM environment and gives very detailed reports.
However, for this particular file, the site were not able to run it properly; it had stopped after a while, coming up with the error message
"The setup files are corrupted. Please obtain a new copy of the program."


Maybe the reason for this was that this .exe file was auto-generated by using some cookie or other ID that is unique for my pc,
so that it will only run properly on my pc.
Unfortunately, that site does not have an option to enter an URL and have a file downloaded.
So - apart from disassembling it - which I find too time-consuming for this thing, this is as far as I can get unless I actually run the file myself.
And I am not that curious - all indications so far tells me that this is software that I would not like to use.

To summarize - I wonder, is this software really that good that it is worthy of the tag "We Recommend:" from the revered NoScript developers..?

My guess is that the "Please, do NOT download this:" or a similar tag might generate at least as many clicks, if not more,
and then you wouldn't have to ..twist the truth so much?

[therube]

> hash searches came up with nothing, was because the .exe file is being auto-generated, at the time of download

Very possible.
For me (& since the [particular] site & file are no longer available), a name/size search was more fruitful for & turned up the same sites as your "Bestopp-app" search.

> Several of them which indicates that this is ..not very good software.

To say the least.

Good analysis.


PS: Universal Extractor.
It's old, but still very useful.
You can update the apps in its /bin/ directory; TrIDDefs.TRD, UnRAR.exe, 7z.dll, 7z.exe, innounp.exe, upx.exe - whatever else might happen to update from time to time.
There are "newer" versions about. I think originally on some .ru website, now maybe on sourceforge or somewhere, but I've never messed with them.

[dhouwn]

BTW, 7-zip can now also unpack some setup formats.

[Giorgio Maone]

I cannot believe I completely missed this thread, sorry

I had already removed FLV Player (which in theory was a very good fit for FlashGot) from my direct advertising channel years ago, when I could verify by myself its malicious behavior.

The guys at delivery49 (formerly "After Download") apparently sneaked it back, even though I had repeatedly submitted them a blacklist of software which the should never advertise on my websites (or elsewhere, for the matter) and requested them to preemptively submit new additions to my approval.

Since they failed on both accounts, I've just outright removed their banners from all my web properties.

I deeply regret I didn't notice it earlier, since they serve different content to different users by using geo IP localization and (if you allow them) cookies, so I never got to see anything wrong. This just makes me even madder