Published: October 31 2007, 04:09 PM by Benjamin Googins
Free, free, free. I love free MP3s, how about you? Yesterday I took a look around some MP3 sites, and what I found startled me. Instead of freebies, I was hit with loads of spyware. I repeated my search three different times, visiting different sites on each occasion, and my machine got littered with more adware and spyware each time.
My test was pretty simple. I picked three key terms – “free”, “mp3” and “site” – and clicked through the results Google returned. On my first go-round, it took only 5 minutes before my machine was loaded down with spyware – to the point that it could not function. By booting into Safe Mode (a special diagnostics boot mode) I was able to see the damage.
The “loads of new spyware” I mentioned included: Adloader, AdSense Helper Object, AVP, AVSystem Care, IKatzu IE App, MalwareAlarm, OneStepSearch, PowerAgent, TTC D, WebBuying and WinAble. Yikes, that is a lot of spyware. Starting with a computer free of any spyware infection, I tried the same search again and got the same results – loads of spyware. On my third attempt, before starting, I increased my computer’s memory in hopes of actually finishing my test.
Third Time’s a Charm
After doing my same keyword search, I clicked on some popular looking songs and videos like, “Britney Spears” and “Angelina Jolie”. I was able to snag a free Britney track titled “Gimme More”. Cool. It seemed to play ok. I downloaded another MP3 by Wyclef Jean. I could not play it because “my license information had expired”. Unfortunately, that wasn’t all I downloaded.
Image 1: Initial Google Search

Using some tracking software, I could see that along with my supposed Wyclef Jean track, I also received a couple of trojan downloaders running with the filenames tsitra77.exe and tsitra1000106. Once executed, these trojans immediately started downloading spyware like WebBuying and InternetSpeed Monitor.
Shortly after that I started receiving popup ads. When I opened my browser I had a new toolbar installed. My homepage was hijacked and other browser settings changed.
After all this, my machine was starting to take a hit, so I stopped browsing for MP3s and sat back to survey the results. The trojan downloaders kept downloading after reboot; the results are listed below.
Performance Impact
Once I knew I was infected with a few trojan downloaders, I let my machine sit for 5 minutes or so. As you can see in Table 1, after the first reboot, my test system’s performance started to degrade. By the third reboot things got precipitously worse, going from bad to horrible.
Table 1: Performance Impact of MP3 Searching
| Measure | Pre-MP3 Searching | Post MP3 Searching - After First Boot | Post MP3 Searching - Second Boot | Post MP3 Searching - Third Boot |
| --- | --- | --- | --- | --- |
| Boot Time (seconds) | 79 | 83 | 156 | 208 |
| Free Disk Space (bytes) | 2,090,225,664 | 2,048,552,960 | 2,042,458,112 | 1,927,364,608 |
| CPU Usage | 2% | 9% | 19% | 38% |
| Available Physical Memory (K units) | 162016 | 140152 | 124928 | 39780 |
| Processes | 26 | 29 | 32 | 38 |
| Time to load ca.com (seconds) | 6.861 | 9.216 | 12.001 | 16 |
| Popup ads/5 minutes | 0 | 2 | 6 | 7 |
My first reboot took only a few seconds longer than the pre-search boot, but my third reboot took a painful 3 times longer. My computer’s memory was severely impacted. By my third reboot, 4 times the amount of memory was being consumed by spyware. Popup ads jumped from 0 prior to the MP3 search to 2 ads, then 6 and finally a whopping 7 ads per five-minute period. (Refer to Table 2: Trickler Effect for more info). In the end, I had the following spyware on my system: WebBuying, Star Recipe Bar, new trojan downloaders, InternetSpeed Monitor, WinAble, QdrPack, and AVSystem Care.
Poor Coding
The spyware loaded onto my system via the trojan downloaders installed without user permission. When software is installed without user permission, the rigors of checking for proper system compatibility are not done. Also, the trojan downloaders seemed indiscriminate about what was downloaded -- often downloading conflicting software. For these and other reasons I received a remarkably high number of errors. As shown below, I received no fewer than 8 different errors during testing, often receiving the same one multiple times.
- Windows Script Host error
- Internet Explorer ‘encountering problems and needing closed’
- End Program – Brdr
- “Problems with this Web page might prevent it from being displayed properly or functioning properly…”
- gadya.exe has encountered a problem and needs to close
- Run-time error ‘35761’: Request time out
- Microsoft Visual C++ Runtime Library
- iexplorer.exe – Application Error
The Trickler Effect
Prior to searching for free MP3s my system had 1993 MB of storage available, but after downloading a trojan downloader (which subsequently downloaded more downloaders) my storage space was getting squeezed. By the third reboot I was down to 1838 MB. None of the subsequent spyware downloads presented a user interface to me. In other words, after downloading one MP3 that didn’t play, I received a consistent flow of spyware like “Internet Speed Monitor”, “WinAble”, “AvSystem Care” and others already mentioned. I show in Table 2 how, with every reboot, my storage decreased, new programs were installed and my boot time was prolonged.
Table 2: The Trickler Effect
| Test | Free Disk Space (bytes) | New Programs | Boot Time (seconds) |
| --- | --- | --- | --- |
| Pre-MP3 Searching | 17,125,023,744 | 0 | 79 |
| Post MP3 Searching - After First Boot | 17,057,550,336 | 5 | 83 |
| Post MP3 Searching - Second Boot | 17,038,295,040 | 8 | 156 |
| Post MP3 Searching - Third Boot | 17,038,139,392 | 9 | 208 |
Issues With Uninstallation
- Complicated Uninstallers
- Adware requires downloading an uninstaller
- Adware program names not easily identifiable in Windows Add/Remove
- Uninstallation left crippling system errors
- Executable files were left on system after reboot
- Shortcuts to spyware sites left on desktop
Threat to Confidentiality
All URLs visited, as well as information entered into online forms, were logged and sent to third parties by the different spyware on my system. The net effect of all the spyware installed was that a significant amount of personal data was sent to spyware sites, all behind the scenes, and most likely unbeknownst to the typical user. For instance, I used Google to search for the keyword “casino”. I used a packet capture tool while doing this and, as you can see in Image 2 below, my keyword search was also sent to www.findstuff(dot)com. In addition, this same information was sent to a variety of other spyware sites like cpvfeed.meditraffic(dot)com, c.webbuying(dot)net and more. In addition:
- All websites logged and sent to remote server
- All key words entered in search engines logged and sent to remote server
- Banking sites logged
- Web-based email URLs logged
- Destroying or altering system settings
- Desktop littered with shortcuts
Image 2: Personal information sent to unintended address
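One way to automate the check the packet capture supports, as an added example that is not part of the original post: given the HTTP requests seen in a capture, flag every request to a non-search host whose query string carries a term typed into the search engine. The hosts are the ones named above, kept defanged; every path and parameter name is constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed capture: (Host header, request target) pairs as a packet-capture
# tool would show them. Paths and parameter names are made up.
CAPTURE = [
    ("www.google.com", "/search?q=casino&hl=en"),
    ("www.findstuff(dot)com", "/r?kw=casino&src=tb"),
    ("cpvfeed.meditraffic(dot)com",
     "/feed?url=http%3A%2F%2Fwww.google.com%2Fsearch%3Fq%3Dcasino"),
    ("c.webbuying(dot)net", "/log?term=CASINO&id=1"),
    ("www.google.com", "/images/logo.gif"),
]

# Search engine host -> query parameter that holds the search term.
SEARCH_HOSTS = {"www.google.com": "q"}


def search_terms(capture):
    """Collect the terms the user actually typed into a known search engine."""
    terms = set()
    for host, target in capture:
        param = SEARCH_HOSTS.get(host)
        if param:
            for key, value in parse_qsl(urlsplit(target).query):
                if key == param and value.strip():
                    terms.add(value.strip().lower())
    return terms


def leaked_requests(capture):
    """Return (host, term) for each request to a non-search host whose query
    string carries a search term, directly or inside an encoded URL."""
    terms = search_terms(capture)
    hits = []
    for host, target in capture:
        if host in SEARCH_HOSTS:
            continue
        # Decode twice so a term nested in a percent-encoded URL is still seen.
        haystack = unquote_plus(unquote_plus(urlsplit(target).query)).lower()
        for term in sorted(terms):
            if term in haystack:
                hits.append((host, term))
    return hits


if __name__ == "__main__":
    for host, term in leaked_requests(CAPTURE):
        print(f"search term {term!r} sent to {host}")
```

Matching is by substring, so very short search terms will produce false positives; treat a hit as a lead to confirm in the capture itself.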

Conclusion
“Free” MP3 sites serve up a lot more than MP3s. After downloading only one playable MP3, Britney’s “Gimme More”, I was bombarded with a slew of spyware. I repeated this same exercise 3 times and each time was hit with an amazing amount of spyware. System performance began to nose-dive as the trojan downloader “trickled” more and more spyware on my system after every reboot.
Testing notes for Table 2:
- Storage Space was the number of bytes of free disk space, as measured by Windows Explorer.
- CPU Usage was that reported by Windows Task Manager.
- Page File Usage was that reported by Windows Task Manager.
- Available Physical Memory was that reported by Windows Task Manager.
- Processes was that reported by Windows Task Manager.
- Boot time was a measure of time elapsed from clicking ‘restart’ until the point Internet Explorer was open and functional.
- Time to load ca.com was measured using Ethereal.
- Popup ads were measured by having both an open and closed browser window over a period of five minutes.