Baidu responded today that, after investigation, the reports are true: on affected computers the browser and website navigation are hijacked, and affiliate links are disguised and tampered with, cheating Baidu of traffic revenue and causing economic losses to the Baidu brand.
Baidu said the two download sites, Hao123 Software Download and the download platform, were developed by a third-party outsourced team, which implanted risky drivers into the download platform. The drivers are suspected of being used by an underground ("black production") network to defraud Baidu Union and hijack user traffic, harming the user experience for illegal profit.
Baidu said it immediately took all infected downloaders offline to ensure that software downloaded from the two sites is safe and reliable. It will provide the relevant information to security vendors including Tencent, 360 and NSFocus, and develop a dedicated removal tool to comprehensively clean up and eliminate this malicious code; the tool is expected to be available for download on the hao123 home page by March 4.
Baidu said it has reported the case to the public security organs and will assist the competent authorities in a full investigation. At the same time it will strictly regulate and optimize its product management processes to prevent such incidents from happening again. (Yi Ke)
Baidu website accused of hiding malicious code to harvest traffic
Source: Huorong Security (WeChat public account)
I. Overview
Recently the Huorong lab received help requests from a number of users whose browsers had been hijacked. While analyzing the infected computers we extracted several suspicious files related to traffic hijacking: HSoftDoloEx.exe, bime.dll, MsVwmlbkgn.sys, LcScience.sys and WaNdFilter.sys. The files carry a Baidu digital signature.
The suspicious files containing the malicious code are dropped by a file named nvMultitask.exe. When a user downloads any software from either of the two download sites www.skycn.net and soft.hao123.com, this dropper is bundled into the download and then plants the suspicious files on the user's computer. It must be stressed that nvMultitask.exe is released and executed silently in the background as soon as the download runs: even if the user closes the downloader directly without doing anything else, the malicious code is still implanted.
Figure 1, the download plants the malicious code on the user's computer
Once activated remotely, the malicious code hijacks many kinds of internet traffic: the user's browser, home page and navigation sites are hijacked and the traffic is steered to the hao123 navigation site. It also tampers with advertising links on e-commerce sites and other websites in order to collect a revenue share from those sites' traffic (details in section II of this report).
Figure 2, detection results of Huorong Security software
II. Description of the main hijacking behaviors
1. Navigation site hijacking: when users visit other navigation sites, they are redirected to Baidu's hao123 navigation site.
Figure 3, other common navigation sites redirect straight to hao123
2. Home page hijacking: the user's home page is changed to the hao123 navigation site.
For users of the IE browser, the home page is changed to the hao123 navigation site and the visits are counted through Baidu Union billing statistics.
3. Browser hijacking: the 360 browser is replaced with the IE browser or with a fake IE browser.
When the malicious code finds that the user uses 360 Secure Browser or 360 Speed Browser, it changes the default browser to IE, or to a fake IE browser, in order to evade the browser protection of security software. In either case the home page is then replaced with the hao123 navigation site and the visits are counted through Baidu Union billing statistics.
4. Baidu Union channel hijacking: the billing channel of other Baidu Union advertising promotions is rewritten to a Cheetah (Kingsoft) channel.
Baidu Union has many channels that sell traffic to Baidu Union. The hijacking rewrites the billing of other channels' promotions to a Kingsoft channel name, so the promotion fees that should go to the other Baidu Union channels are collected by Cheetah, and from Cheetah by the creators of the malicious code.
5. E-commerce traffic hijacking: when the IE browser is used to visit JD.com and other e-commerce sites, the visit first jumps to an e-commerce diversion site and then jumps back to the e-commerce site.
The visit is first redirected to the diversion site Yaohou (www.xmonkey.com) and then returned to the original shopping site, with Yaohou's billing identifier attached to the e-commerce site's link. The e-commerce site pays promotion fees to Yaohou according to the traffic Yaohou sends, and Yaohou pays the creators of the malicious code.
Figure 5, visiting an e-commerce site jumps to the e-commerce diversion site
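The redirect patterns described in this section leave a recognizable trace in proxy or web-filter logs. The PowerShell script below is an added example, not part of the Huorong report and not a Huorong tool: it runs over a small constructed log (time, client, request host, HTTP status, Location host) and flags (1) a site other than hao123 answering with a redirect into hao123, and (2) an e-commerce visit that bounces through www.xmonkey.com and straight back to the same shop. The log format and the host name nav.example are assumptions made for the example; hao123.com, jd.com and xmonkey.com are the hosts named in the report.

```powershell
# Added example, not from the Huorong report: detect the two redirect patterns the
# report describes in a proxy-style log. The log format and the host nav.example are
# constructed for this example; hao123.com, jd.com and xmonkey.com are from the report.

$HijackTargets  = @('hao123.com')    # where navigation/home-page traffic is steered
$DiversionHosts = @('xmonkey.com')   # the e-commerce "diversion" site (Yaohou)

# Constructed sample log: time client request-host status location-host ("-" if none)
$SampleLog = @'
10:00:01 10.0.0.5 nav.example 302 www.hao123.com
10:00:01 10.0.0.5 www.hao123.com 200 -
10:00:20 10.0.0.5 www.jd.com 302 www.xmonkey.com
10:00:20 10.0.0.5 www.xmonkey.com 302 www.jd.com
10:00:21 10.0.0.5 www.jd.com 200 -
10:05:00 10.0.0.9 www.jd.com 200 -
'@

function Test-HostSuffix {
    # True when $HostName is $s or a subdomain of $s for some suffix in $Suffixes
    param([string]$HostName, [string[]]$Suffixes)
    foreach ($s in $Suffixes) {
        if ($HostName -eq $s -or $HostName.EndsWith(".$s")) { return $true }
    }
    return $false
}

function Find-TrafficHijack {
    param([string[]]$Lines)
    $findings = @()
    $byClient = @{}
    # Parse the log and group requests per client, keeping log order
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5) { continue }
        $entry = [pscustomobject]@{ Time = $f[0]; Client = $f[1]; Host = $f[2]
                                    Status = [int]$f[3]; Location = $f[4] }
        if (-not $byClient.ContainsKey($entry.Client)) { $byClient[$entry.Client] = @() }
        $byClient[$entry.Client] += $entry
    }
    foreach ($client in $byClient.Keys) {
        $events = @($byClient[$client])
        for ($i = 0; $i -lt $events.Count; $i++) {
            $e = $events[$i]
            $isRedirect = $e.Status -ge 300 -and $e.Status -lt 400
            # Pattern 1: a site that is not hao123 redirects the client into hao123
            if ($isRedirect -and (Test-HostSuffix $e.Location $HijackTargets) -and
                -not (Test-HostSuffix $e.Host $HijackTargets)) {
                $findings += "[$client] $($e.Time) $($e.Host) -> $($e.Location) : navigation/home-page hijack"
            }
            # Pattern 2: shop -> diversion host -> back to the same shop (affiliate bounce)
            if ($isRedirect -and $i + 1 -lt $events.Count) {
                $n = $events[$i + 1]
                if ((Test-HostSuffix $e.Location $DiversionHosts) -and
                    (Test-HostSuffix $n.Host $DiversionHosts) -and $n.Location -eq $e.Host) {
                    $findings += "[$client] $($e.Time) $($e.Host) -> $($n.Host) -> $($n.Location) : e-commerce affiliate bounce"
                }
            }
        }
    }
    return $findings
}

Find-TrafficHijack ($SampleLog -split "`r?`n")
```

On the constructed log this reports one hijack finding for client 10.0.0.5 (nav.example into www.hao123.com) and one affiliate-bounce finding (www.jd.com through www.xmonkey.com and back); the direct visit from 10.0.0.9 is not flagged. To use it on real data, replace the here-string with `Get-Content` of a log normalized to the same five columns.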
III. Summary analysis
Running any download obtained from soft.hao123.com implants the malicious code on the user's computer without any further user action. The process can be monitored with the Huorong Sword analysis tool, as shown below:
The process by which the malicious code first enters the user's computer:
1. The download runs the dropper nvMultitask.exe. The current download contains version 0.2.0.1 of nvMultitask.exe, which implants only the following malicious code on the user's computer:
A) HSoftDoloEx.exe, version 3.2.0.1
B) bime.dll, version 1.7.0.1
C) LcScience.sys, version 0.4.0.130
D) WaNdFilter.sys, version 0.5.30.70
E) npjuziplugin.dll, version 1.0.0.1020
Each time the computer restarts, the malicious code starts and checks for updates:
After several updates, nvMultitask.exe is upgraded to the latest version, 3.2.0.4; the analysis that follows is based on this version.
After each boot, the latest version of the malicious components performs the following process:
1. LcScience.sys registers process and image-load callbacks and injects bime.dll into services.exe, explorer.exe, iexplore.exe and third-party browser processes.
2. The bime.dll injected into services.exe is responsible for starting HSoftDoloEx.exe.
4. After svcprotect.dat (1.0.0.11) is loaded, it releases two new traffic hijacking modules:
1) iexplorer_helper.dat, version 5.0.0.1
2) iexplore.exe, version 1.5.9.1098
Figure 7, the process by which the malicious code enters the user's computer
The 1.5.9.1098 version of iexplore.exe is a fake IE browser. We uploaded this file to VirusTotal and found that many security products detect it as malicious, as shown in the figure:
Figure 8, VirusTotal detection results
Figure 9, the malicious code carries a Baidu signature
Finally, the full set of files containing malicious code on the user's computer is as follows:
Installation directory / installed files (by architecture):

%HOMEPATH%\AppData\Roaming\HSoftDoloEx
  x86, x64: HSoftDoloEx.exe (3.2.0.4)
  x86:      bime.dll (1.7.0.5)
  x64:      bime64.dll (1.7.0.5)

%Drivers%
  x86:      LcScience.sys (0.4.0.130)
            WaNdFilter.sys (0.5.30.70)
            MsVwmlbkgn.sys (0.6.60.70)
  x64:      LcScience64.sys (0.4.0.130)
            WaNdFilter64.sys (0.5.30.70)
            MsVwmlbkgn64.sys (0.6.60.70)

%HOMEPATH%\AppData\Local\Internet Explorer
  x86, x64: iexplorer_helper.dat (5.0.0.1)

%HOMEPATH%\AppData\Local\ProgramData
  x86:      svcprotect_32_1.0.0.11.dat (1.0.0.11)
  x64:      svcprotect_64_1.0.0.11.dat (1.0.0.11)

%HOMEPATH%\AppData\Roaming\{E233850D-5D6E-48E3-98B5-8049F7E9FC68}
  x86, x64: iexplore.exe (1.5.9.1098)

%HOMEPATH%\AppData\LocalLow\JuziPlugin\1.0.0.1020
  x86, x64: npjuziplugin.dll (1.0.0.1020)
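The inventory above, together with the registry settings the malware changes (IE home page, default http handler) and the injected bime.dll, gives an analyst enough to triage a single host. The PowerShell script below is an added example, not Baidu's removal tool and not from the Huorong report: it is read-only and reports what it finds so the result can be compared with the inventory. File names, versions and the GUID directory come from the report; the environment variables are the standard Windows equivalents of the report's %HOMEPATH%\AppData paths, and treating %Drivers% as $env:SystemRoot\System32\drivers is an assumption (the loaded-driver check does not depend on it). Reading the modules of services.exe requires an elevated shell.

```powershell
# Added example, not Huorong's or Baidu's tool and not from the report: read-only triage
# for the artifacts in the inventory above. File names and versions come from the
# report; registry paths are the standard IE start-page and per-user http-handler
# values. Assumption: %Drivers% in the inventory is $env:SystemRoot\System32\drivers.

$Inventory = @(
    "$env:APPDATA\HSoftDoloEx\HSoftDoloEx.exe",
    "$env:APPDATA\HSoftDoloEx\bime.dll",
    "$env:APPDATA\HSoftDoloEx\bime64.dll",
    "$env:SystemRoot\System32\drivers\LcScience.sys",
    "$env:SystemRoot\System32\drivers\LcScience64.sys",
    "$env:SystemRoot\System32\drivers\WaNdFilter.sys",
    "$env:SystemRoot\System32\drivers\WaNdFilter64.sys",
    "$env:SystemRoot\System32\drivers\MsVwmlbkgn.sys",
    "$env:SystemRoot\System32\drivers\MsVwmlbkgn64.sys",
    "$env:LOCALAPPDATA\Internet Explorer\iexplorer_helper.dat",
    "$env:LOCALAPPDATA\ProgramData\svcprotect_32_1.0.0.11.dat",
    "$env:LOCALAPPDATA\ProgramData\svcprotect_64_1.0.0.11.dat",
    "$env:APPDATA\{E233850D-5D6E-48E3-98B5-8049F7E9FC68}\iexplore.exe",
    "$env:USERPROFILE\AppData\LocalLow\JuziPlugin\1.0.0.1020\npjuziplugin.dll"
)

function Test-Artifacts {
    # Presence, file version and Authenticode signer of each listed file
    foreach ($p in $Inventory) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        [pscustomobject]@{
            Path        = $p
            FileVersion = (Get-Item -LiteralPath $p).VersionInfo.FileVersion
            SigStatus   = $sig.Status
            Signer      = $signer
        }
    }
}

function Test-LoadedDrivers {
    # The three drivers as the kernel sees them, wherever the .sys file actually lives
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -match 'LcScience|WaNdFilter|MsVwmlbkgn' } |
        Select-Object Name, State, StartMode, PathName
}

function Test-InjectedModule {
    # bime.dll / bime64.dll injected into services.exe, explorer.exe and IE
    # (module lists of services.exe need an elevated shell; failures are reported, not fatal)
    foreach ($proc in Get-Process -Name services, explorer, iexplore -ErrorAction SilentlyContinue) {
        try {
            $ErrorActionPreference = 'Stop'
            $hit = @($proc.Modules | Where-Object { $_.ModuleName -match '^bime(64)?\.dll$' })
            if ($hit.Count -gt 0) {
                [pscustomobject]@{ Process = $proc.ProcessName; PID = $proc.Id; Module = $hit[0].FileName }
            }
        } catch {
            [pscustomobject]@{ Process = $proc.ProcessName; PID = $proc.Id; Module = "(cannot read: $($_.Exception.Message))" }
        }
    }
}

function Get-BrowserSettings {
    # The two settings the malware changes: the IE start page and the per-user http handler
    $main = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
    $http = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        IEStartPage       = $main.'Start Page'
        StartPageIsHao123 = [bool]($main.'Start Page' -match 'hao123\.com')
        HttpHandlerProgId = $http.ProgId
    }
}

'== Files on disk ==';      Test-Artifacts      | Format-Table -AutoSize
'== Loaded drivers ==';     Test-LoadedDrivers  | Format-Table -AutoSize
'== Injected modules ==';   Test-InjectedModule | Format-Table -AutoSize
'== Browser settings ==';   Get-BrowserSettings | Format-List
```

A file listed with a version matching the inventory, a driver in the Running state, or bime.dll inside explorer.exe is a strong indication of this infection; an IE start page pointing at hao123.com on its own is not, since it is also a legitimate user choice. The signer column is there because the report notes the files carry a Baidu signature, so "signed" must not be read as "benign".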