Network Security: Detailed info on [Full-disclosure] Backdoor in RelevantKnowledge adware (What are we figh

Subject:	[Full-disclosure] Backdoor in RelevantKnowledge adware (What are we fighting for?)
Date:	Tue, 30 May 2006 14:25:43 +0400



Authors:         YAG KOHHA (skyhole@gmail.com), Lame
Title:           Backdoor in RelevantKnowledge adware (What are we fighting 
for?)
Vendor:          TMRG, Inc.

Description:

RelevantKnowledge  is  an  adware  distributed  with different shareware
projects, e.g. Artisian Burner.

RelevantKnowledge   was   found  to  contain  backdoor  proxy  component
rlvknlg.exe   (Marketscore  OSSProxy),  which  is  configured  to  allow
incoming  network  connections  on TCP/8254, probably acts as open proxy
and  also performs keylogging and monitoring for active windows content.
Component can not be disabled by user.

Details (by YAG KOHHA, Lame):

Recently I download freeware CD burner software to create some absolutely legal 
copies
from ISO image. Of cause where is adware in installer which promise to "boost 
your
internet Connection" and "free coupons". 
After I finished my works I uninstall burner and adware via add/remove programs 
and reboot
the computer. After reboot I check Windows Firewall rules. In exception tab I 
found
RelevantKnowledge application. I map'ed my host and found strange HTTP server 
on port 8254
which answers as OSSProxy. I check netstat and found that this port used by
%windir%\system32\rlvknlg.exe process which also referred in
Software\Mircosoft\Windows\CurrentVersion\Run\ key. I check this file and found 
that this
programs hooks keyboard, mouse, current window and post info to the
http://www.relevantknowledge.com/upgraderesult.aspx site via locally installed 
proxy. I
check this site and found that "privacy procedures are regularly audited and 
certified by
the nationally-recognized firm, Ernst & Young, who assure that we conform with 
the
international trust services and privacy principles developed and managed by 
the American
Institute of Certified Public Accountants"
(http://www.relevantknowledge.com/RKPrivacy.aspx).
So guys, may be I miss something. If I see software which doesn't get removed 
via Add/Remove
Programs,  breaks  my firewall settings, hook my keyboard and mouse, and has 
remote
management capabilities, I call it Remote Access Trojan. What should I do to be 
"conform
with the international trust Services" and Ernst & Young say: "This is good 
code, Joe,
well done!" when I write new all-in-one client for my botnet? Or this is part 
of anti
piracy program? And MPAA want to know which films I burn on DVD? Or this is 
Uncle Sam's
hand? I don't understand. 

YAG KOHHA, Lame

File with binary and disassembly can be found here:
http://www.secyrity.nnov.ru/files/ossproxybd.zip
Archive password is "backdoor".

-- 
/3APA3A
http://www.security.nnov.ru/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

<Prev in Thread]	Current Thread	[Next in Thread>
[Full-disclosure] Backdoor in RelevantKnowledge adware (What are we fighting for?), 3APA3A <= Re: [Full-disclosure] Backdoor in RelevantKnowledge adware (What are we fighting for?), Ag. System Administrator [Full-disclosure] Re: Backdoor in RelevantKnowledge adware (What are wefighting for?), Dave \"No, not that one\" Korn

Previous by Date:	Re: [Full-disclosure] Internet Explorer Ver6.0.2800.1106 vulnerability, Aaron Gray
Next by Date:	Re: [Full-disclosure] Backdoor in RelevantKnowledge adware (What are we fighting for?), Ag. System Administrator
Previous by Thread:	Re: [Full-Disclosure] Fwd: Re: FullDisclosure: Security aspects of time synchronization infrastructure, Steve Kudlak
Next by Thread:	Re: [Full-disclosure] Backdoor in RelevantKnowledge adware (What are we fighting for?), Ag. System Administrator
Indexes:	[Date] [Thread] [Top] [All Lists]