The Rogue Google Toolbar: History and Variants
by Christopher Boyd, Security Research Manager, FaceTime Security Labs


There is currently a browser hijacker in circulation which installs a fake Google Toolbar, hijacking the HOSTS file to redirect most Google domains and placing a homepage hijacker in the Temporary Internet Files folder, from which an Internet Explorer based search engine claims to be powered by Google. The bundle also includes a rogue antispyware tool, called “World Antispy”.

However – this attack, viewed out of context, does not build up a sufficient picture of the tactics / techniques used by the group responsible for the install. A press release by Panda Antivirus has covered the main features of this install here, and they had previously discovered an earlier version of this hijacker in April. Sunbelt Software also found a variant some weeks ago. But the group behind this has actually been trying to exploit Google since 2003.

Through systematic research, FaceTime Security Labs have found that there are three distinct versions of this attack, each one exploiting different security vulnerabilities and installing a different payload. Here is a HJT log from September 14th, 2003. Note the Google HOSTS file hijack. Here is a discussion thread that contains the same HOSTS file hijack, from even further back – July 9th, 2003. Finally, here is one more discussion of this infection technique from September 26th, 2003.

The timeline should actually look something like this (taking into account the various elements of each installer):

July / September 2003: The attack begins with a similar install process to what we have now – HOSTS file redirect, and a fake toolbar, made by an uknown third-party. There are no versions of this installer in the wild, from the research done on this particular file. Most likely, it has been long since abandoned by the creators.

March / May 2005: Bootpd.exe file found

This file was UPX packed, and had the contents of the HOSTS file hijack hard coded into it. In addition, it added a “Google” folder though it is unclear when looking from forensic logs at the time if the fake Google toolbar was included. Bootpd.exe seems to reside in the “Google” folder from the majority of the logs examined, so this would seem to suggest no fake toolbar in this installer. Premiumsearch is still the eventual destination of the hijacked end-user, although this version of the exploit includes an uninstaller for the Bootpd.exe file, called “Easysearch”. Numerous HJT logs from that time would suggest the uninstaller did not work, hence the numerous pleas for assistance on security forums.

Present day: The install seems to borrow elements of a CWS exploit, where the initial Perfhost page that begins the install calls a Windows Help File. This help file then launches the install, as long as the end-user allows apisvc.exe to run. Once this happens, the full install is launched and the HOSTS file hijack is inserted, the fake toolbar appears upon reboot and the antispyware program known as “World Antispy” launches at boot up.

At all stages, the same (or similar) IP addresses are used for the HOSTS file hijack.

The next section in this amazing unraveling is called “Atypical Attack Vector?” Check out the balance of this article at the link for this article.

Additional background can be found here and here at Chris Boyd AKA PaperGhost’s

More perspectives about this hijacker:

Google Toolbar Whacking- Developing Story
by ReveNews – Wayne Porter, Sr. Director Greynet Rese

The criminal element tries to steal from Google – Alex Eckelberry (Thanks to Eric Howes for his extensive contribution to this post)

Moral of the story: It’s not nice to mess with Google.

Tag Cloud

%d bloggers like this: