| Badware Behavior |
| --- |
| Installs additional software without disclosure (Deceptive installation) |
| Installs Trojan horse applications (Deceptive installation) |
| Installs adware (Deceptive installation) |
| Disables Windows Firewall (Modifies other software without disclosure) |
| Redirects valid web addresses (Modifies other software without disclosure) |
| Bundled software cannot easily be closed (Interferes with computer use) |
| Bundled applications automatically run on startup (Modifies other software without disclosure) |
| Adds toolbars to Internet Explorer (Modifies other software without disclosure) |
| Changes user's homepage (Modifies other software without disclosure) |
| Adds an item to the taskbar (Modifies other software without disclosure) |
| Displays pop-ups (Interferes with computer use without disclosure) |
| Impairs computer performance and causes intermittent shutdown (Interferes with computer use) |
| Difficult or impossible to uninstall (Unacceptable uninstallation) |
|
| Bad or Undisclosed Behavior |
| Installs additional software |
FastMP3Search Plugin is a Trojan horse that downloads an array of additional components that are
reported to behave as badware. Although the producers of the plugin claim that installation should
"only take seconds," the process actually takes much longer because the plugin opens up the user's
computer, allowing all the other components to download. First, the plugin disables Windows Firewall
to ensure a completely unprotected network. In the minutes that follow, four different toolbars
install themselves onto Internet Explorer (Toolbar 888, Search, Related Page, and UCMore). Search
toolbar also installs itself on the user's taskbar. The plugin then continues to download other
badware onto the system after the installation completes, including TagASaurus, Mirar toolbar,
UCmore Search Accelerator, Command Service, DyFuCA.Internet Optimizer, Look2Me, CoolWWWSearch,
DollarRevenue, Smitfraud-C, and Windows Overlay Components. Upon completion of the installation
process, the user's root directory (the C:\ drive for most people) is filled with unknown executable
files. Installation of these additional applications is done without the user's knowledge or consent.
|
| Installs Trojan horse applications |
|
Certain components detected on the infected system after the installation of FastMP3Search Plugin
are reported to behave as Trojan horse applications. The majority of the Trojan horses detected
on the system are remote access Trojans. This means that they run without the user's knowledge
and allow attackers unrestricted access to the infected system. Most of these Trojan horses are
also added to the Startup folder, so they run as soon as Windows starts. Installation of these
Trojan horse applications is not disclosed to the user during installation, nor would any
disclosure be adequate, as no valid reason exists for their inherently harmful and deceptive behavior.
|
| Installs adware |
|
Other components installed by the FastMP3Search Plugin bundle are reported to behave as adware --
these include Look2Me, CoolWWWSearch and DollarRevenue. The number of pop-ups we observed on our
infected system after installation confirmed these reports. Installation of adware components is
not disclosed to the user, nor is there an opportunity to consent to or decline their installation.
|
| Disables Windows Firewall |
During the installation of the FastMP3Search Plugin, Windows Firewall is disabled. Without this
firewall protection, the user's computer is left completely unprotected and open, allowing additional
software to secretly install itself without the user's knowledge or consent. This behavior is not
disclosed to the user either prior to or during the installation process, nor is there any valid
reason for disabling the user's firewall.
|
| Redirects valid web addresses |
The installation of FastMP3Search Plugin also results in the addition of several entries to the
user's hosts file. These entries change thirty-two web addresses belonging to several major
anti-virus, anti-spyware, and other badware detection tools, including Symantec, McAfee,
Computer Associates, and Sophos. As a result of these modifications, any attempt by the
user to reach these websites through a web browser would result in an error page. In addition,
any application that attempts to connect to these sites in order to install updates would also
suffer a connection error. This behavior is especially egregious since it effectively prevents
the user from getting the advice or applications she needs to remove the badware that
FastMP3Search Plugin has installed. The redirecting of these valid web addresses is not
disclosed to the user, nor would any disclosure be adequate, as no valid reason exists
for such behavior.
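
A defender can check for this kind of tampering by auditing the hosts file for static mappings of security-vendor hostnames. The following is an added example, not part of the original report: the watchlist domains and the sample file are assumptions constructed for illustration, since the report names the affected vendors but not the thirty-two hostnames.

```python
import ipaddress

# Assumed watchlist: the report names the vendors, not the exact hostnames.
WATCHED_DOMAINS = ("symantec.com", "mcafee.com", "ca.com", "sophos.com")

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip comments, split on whitespace
        if len(fields) < 2:
            continue                            # blank, comment-only or incomplete line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP address
        for name in fields[1:]:                 # one line may map several hostnames
            yield line_no, addr, name.lower().rstrip(".")

def is_watched(hostname, watched=WATCHED_DOMAINS):
    """True for a watched domain or any of its subdomains (not mere suffix matches)."""
    return any(hostname == d or hostname.endswith("." + d) for d in watched)

def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (line_no, hostname, address, effect) for each suspicious mapping."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if not is_watched(name, watched):
            continue
        # Loopback or unspecified addresses make the site unreachable;
        # any other address silently sends the user somewhere else.
        effect = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append((line_no, name, str(addr), effect))
    return findings

# Constructed sample input, not taken from the infected test system.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.symantec.com liveupdate.symantec.com
127.0.0.1   Download.McAfee.com   # mixed case, trailing comment
0.0.0.0 www.sophos.com.
10.0.0.5        intranet.example.test
203.0.113.7     www.ca.com
127.0.0.1       notsophos.com
"""

if __name__ == "__main__":
    for line_no, name, addr, effect in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {addr} ({effect})")
```

On a Windows system the text to audit would normally be read from the hosts file under the system's `drivers\etc` directory; any finding for a security vendor's domain is worth investigating, because legitimate software has no reason to pin those names.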
|
| Bundled software cannot easily be closed |
|
Most of the bundled components installed along with FastMP3Search run in the background of the
user's system and cannot be easily closed. This is particularly worrisome since many of these
processes reportedly connect to the internet and are capable of downloading additional badware
to the user's computer. This behavior is not disclosed to the user during installation or
otherwise. As a result, the average user would not be aware that these processes are running
on their computer, and would not be able to close them even if they were. Furthermore, a subset
of these components are reported to have the ability to restart themselves after the user ends
them using Windows Task Manager.
|
| Bundled applications automatically run on startup |
Besides installing additional badware applications without disclosure or user consent,
FastMP3Search Plugin also adds these badware components to startup, thereby causing them to
run in the background as soon as Windows starts. This is particularly worrisome since many
of these processes reportedly connect to the internet and are capable of downloading
additional badware to the user's system. This behavior is not disclosed to the user.
|
| Adds toolbars to Internet Explorer |
The installation of FastMP3Search Plugin also results in the installation of four different toolbars
on Internet Explorer (Toolbar 888, Search, Related Page, and UCMore). Installation of these toolbars
is not disclosed to the user.
|
| Changes user's homepage |
One of the applications installed by FastMP3Search Plugin -- CoolWWWSearch -- reportedly behaves
as a browser hijacker. This behavior was confirmed during our tests, as the Internet Explorer
homepage on the infected system was changed to http://www.findthewebsiteyouneed.com. This
modification is not disclosed to the user during the installation process, nor does the user
have the opportunity to consent to or decline this change.
|
| Adds an item to the taskbar |
|
Search Toolbar, one of the bundled applications installed on Internet Explorer, also adds a search
box to the taskbar. This behavior, along with the installation of the Search bar application, is
not disclosed to the user.
|
| Displays pop-ups |
Any web browsing on a system infected by the FastMP3Search Plugin results in a plethora of pop-up
advertisements. Even worse, these pop-ups are for applications that portray themselves as anti-badware
applications, but are in fact badware applications themselves. The text of these pop-ups asks
"If the user has experienced a sudden slowdown in system performance" and suggests the user
conduct a "free scan" of their system with the anti-badware application they advertise.
Causing so many pop-ups that web browsing is difficult is, in itself, bad behavior, but this
behavior is made worse by the fact that the pop-ups attempt to deceive the user into downloading
more applications that reportedly behave as badware. The pop-ups are caused by the adware
programs that are installed on the user's computer without disclosure.
|
| Results in impaired computer performance and intermittent shutdown |
|
Our infected system suffered severe impairment in performance upon installation of the FastMP3Search
Plugin and all the badware components that it is bundled with. This slowdown was exacerbated during
web browsing, due to the constant bombardment of pop-ups. During our tests, the infected system froze
multiple times and we were compelled to shut down the computer manually using the power button.
The system also shut down intermittently without any warning or notification to the user.
|
| Difficult or impossible to uninstall |
|
The FastMP3Search Plugin that we tested failed to provide any uninstallation tools to the user to remove
the plugin. The plugin is also not listed in Add/Remove Programs. As such, it would be very difficult or
impossible for the average user to remove this application. Furthermore, the application is not
identifiable from the list of add-ons on Internet Explorer. This is where Internet Explorer lists
any add-ons to IE that are currently installed -- including toolbars, plugins, etc. Therefore,
there is no way of disabling the plugin to stop the badware behavior it demonstrates.
Most of the bundled components that come with FastMP3Search Plugin also lack proper uninstallation
tools and do not appear in Add/Remove programs. A few of the badware components that were
downloaded after installation of FastMP3Search do offer such tools; however, given the fact
that the user was never notified of or agreed to the installation of these additional components,
it is unclear that the user would know to uninstall them.
|
| Recommendations |
| We recommend that the producers of the FastMP3Search Plugin do the following: |
- Do not install additional applications without seeking the user's informed consent.
- Do not install adware without informing the user and seeking their consent.
- Do not install Trojan horse applications.
- Do not disable Windows Firewall.
- Do not change host file entries to redirect valid web addresses or disable proper
running of important system security applications such as anti-virus and anti-spyware
applications.
- Clearly disclose any and all changes made to previously installed software on the user's
computer and give the user an option to accept or decline these changes.
- Clearly disclose any system configuration changes made and provide the reasons for
such behavior.
- Clearly disclose any and all components that run on startup.
- Disable and discard any components that degrade system performance and
interfere with computer use, such as excessive pop-up advertisements.
- Provide the user with simple, effective uninstallation of the software.
|
|
We currently recommend that users do not download the version of FastMP3Search Plugin that we tested,
unless the user is comfortable with the level of risk we identify or until the application is updated
consistent with the recommendations in this report.