
Baidu admits its websites hid malicious code: implanted by an outsourcer to defraud traffic revenue

via: 博客园 (cnblogs)    time: 2017/3/3 19:01:30    read: 1603

In response, Baidu said today that its investigation confirmed the reports: on affected computers the browser and navigation sites are hijacked, and affiliate links are covertly tampered with, defrauding Baidu of traffic revenue and causing both damage to the Baidu brand and economic losses.

Baidu said that the third-party outsourced development team behind the two software download sites (Hao123 software download and skycn) implanted risky drivers into the download platform, and that these are suspected of having been used by underground operators to defraud Baidu Union, hijack user traffic and harm the user experience for illegal profit.

Baidu said it immediately removed all infected downloaders to ensure that software downloaded from the two sites is safe and reliable. It will share the relevant information with security vendors Tencent, 360 and NSFocus, and develop a dedicated removal tool (专杀工具) to thoroughly clean out this malicious code; the tool is expected to be available for download from the hao123 home page on March 4th.

Baidu said it had reported the case to the public security authorities and will assist them in conducting a comprehensive investigation. At the same time it will tighten and improve its product management processes to prevent anything similar from happening again. (Yi Ke)


Baidu's websites accused of hiding malicious code that harvests traffic on a massive scale

Source: Huorong Security (火绒安全) public account

I. Overview

Recently, the Huorong lab received help requests from several users whose browsers had been hijacked. Analysing the infected computers, we extracted multiple suspicious files related to the traffic hijacking: HSoftDoloEx.exe, bime.dll, MsVwmlbkgn.sys, LcScience.sys and WaNdFilter.sys. The suspicious files carry a Baidu digital signature.

These suspicious files containing malicious code were traced to a dropper named nvMultitask.exe. When a user downloads any software from the two download sites www.skycn.net and soft.hao123.com, the download is bundled with this dropper, which then implants the suspicious files on the user's computer. It must be stressed that as soon as the downloaded nvMultitask.exe is executed, it silently drops and runs the malicious code in the background: even if the user performs no action at all and simply closes the downloader, the malicious code is still implanted.

Figure 1: the downloader implants malicious code into the user's computer

Once remotely activated, the malicious code hijacks many kinds of Internet traffic: the user's browser, home page and navigation site are hijacked and the traffic is funnelled to the hao123 navigation site. It also tampers with e-commerce sites and the advertising links on websites in order to collect a revenue share from the traffic of these sites (details in section II of this report).

Figure 2: detection results of the Huorong security software

II. Description of the main hijacking behaviours

1. Navigation-site hijacking: when the user visits another navigation site, the visit is hijacked to Baidu's hao123 navigation site.

Figure 3: common navigation sites are redirected straight to hao123

2. Home page hijacking: the user's home page is changed to the hao123 navigation site.

For users of the IE browser, the home page is modified to the hao123 navigation site and the visits are counted through Baidu Union's billing statistics.

3. Browser hijacking: the 360 browser is replaced with IE or with a fake IE browser.

When the malicious code finds that the user uses 360 Secure Browser or 360 Speed Browser, the default browser is changed to IE, or to a fake IE browser, in order to bypass the browser protection of security software. In either case the home page is then replaced with the hao123 navigation site and the visits are counted through Baidu Union's billing statistics.

4. Baidu Union advertising hijacking: traffic from other Baidu Union channels is hijacked to a billing channel belonging to Cheetah (Kingsoft).

Baidu Union has many channels, each of which sells traffic to Baidu Union. The hijacking rewrites the promotion-billing channel name of other channels to Kingsoft's, so the promotion fees that should belong to those other Baidu Union channels go to Cheetah, and from Cheetah to the creators of the malicious code.


5. E-commerce traffic hijacking: when the IE browser is used to visit Jingdong (JD.com) and other e-commerce sites, the browser first jumps to an e-commerce referral site and then jumps back to the e-commerce site.

The browser first jumps to the e-commerce referral site Yaohou (www.xmonkey.com) and then returns to the original shopping site, but the link now carries Yaohou's billing name, so the e-commerce site pays promotion fees to Yaohou according to the traffic, and Yaohou pays the creators of the malicious code.

Figure 5: visiting an e-commerce site redirects to the e-commerce referral site

III. Summary analysis

Running any download from soft.hao123.com implants the malicious code on the user's computer without any user action. The process can be observed with the Huorong Sword (火绒剑) monitoring tool, as shown below:


The process by which the malicious code first enters the user's computer:

1. The downloader executes the dropped nvMultitask.exe. The current downloader contains version 0.2.0.1 of nvMultitask.exe, which initially implants only the following malicious code on the user's computer:

A) HSoftDoloEx.exe (3.2.0.1)

B) bime.dll (1.7.0.1)

C) LcScience.sys (0.4.0.130)

D) WaNdFilter.sys (0.5.30.70)

E) npjuziplugin.dll (1.0.0.1020)

Each time the computer restarts, the malicious code starts and checks for updates.

After several updates, nvMultitask.exe is upgraded to the latest version, 3.2.0.4; the analysis that follows is based on this version.

After each boot, the latest version of the malicious components carries out the following process:

1. LcScience.sys registers process and image-load callbacks, through which bime.dll is injected into services.exe, explorer.exe, iexplore.exe and third-party browser processes.

2. The bime.dll injected into services.exe is responsible for starting HSoftDoloEx.exe.

4. Once svcprotect.dat (1.0.0.11) is loaded, it releases two new traffic-hijacking modules:

1) iexplorer_helper.dat (5.0.0.1)

2) iexplore.exe (1.5.9.1098)

Figure 7: process of implanting the malicious code into the user's computer

Version 1.5.9.1098 of iexplore.exe is a fake copy of the system IE browser. We uploaded this file to VirusTotal and found that many security products detect it as a virus, as shown in the figure:

Figure 8: VirusTotal detection results

Figure 9: the malicious code carries a Baidu signature

Finally, all files containing malicious code on the user's computer are as follows:

Installation directory: %HOMEPATH%\AppData\Roaming\HSoftDoloEx
    x86, x64:  HSoftDoloEx.exe (3.2.0.4)
    x86:       bime.dll (1.7.0.5)
    x64:       bime64.dll (1.7.0.5)

Installation directory: %Drivers%
    x86:       LcScience.sys (0.4.0.130)
               WaNdFilter.sys (0.5.30.70)
               MsVwmlbkgn.sys (0.6.60.70)
    x64:       LcScience64.sys (0.4.0.130)
               WaNdFilter64.sys (0.5.30.70)
               MsVwmlbkgn64.sys (0.6.60.70)

Installation directory: %HOMEPATH%\AppData\Local\Internet Explorer
    x86, x64:  iexplorer_helper.dat (5.0.0.1)

Installation directory: %HOMEPATH%\AppData\Local\ProgramData
    x86:       svcprotect_32_1.0.0.11.dat (1.0.0.11)
    x64:       svcprotect_64_1.0.0.11.dat (1.0.0.11)

Installation directory: %HOMEPATH%\AppData\Roaming\{E233850D-5D6E-48E3-98B5-8049F7E9FC68}
    x86, x64:  iexplore.exe (1.5.9.1098)

Installation directory: %HOMEPATH%\AppData\LocalLow\JuziPlugin\1.0.0.1020
    x86, x64:  npjuziplugin.dll (1.0.0.1020)
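As an added defender's check, not part of the Huorong report or Baidu's removal tool, the following Python script looks for the files in the table above. The directory roots are passed in explicitly (the path separators and the `%USERPROFILE%`/`System32\drivers` mapping of `%HOMEPATH%` and `%Drivers%` are assumptions), and file-name matching is case-insensitive because Windows is.

```python
"""Scan for the on-disk artifacts of the hao123/skycn hijacker listed in the table above."""
import os
import tempfile
from pathlib import Path

# (directory template, file name, version reported in the analysis); {home} = user profile, {drivers} = driver dir
ARTIFACTS = [
    ("{home}/AppData/Roaming/HSoftDoloEx", "HSoftDoloEx.exe", "3.2.0.4"),
    ("{home}/AppData/Roaming/HSoftDoloEx", "bime.dll", "1.7.0.5"),
    ("{home}/AppData/Roaming/HSoftDoloEx", "bime64.dll", "1.7.0.5"),
    ("{drivers}", "LcScience.sys", "0.4.0.130"),
    ("{drivers}", "WaNdFilter.sys", "0.5.30.70"),
    ("{drivers}", "MsVwmlbkgn.sys", "0.6.60.70"),
    ("{drivers}", "LcScience64.sys", "0.4.0.130"),
    ("{drivers}", "WaNdFilter64.sys", "0.5.30.70"),
    ("{drivers}", "MsVwmlbkgn64.sys", "0.6.60.70"),
    ("{home}/AppData/Local/Internet Explorer", "iexplorer_helper.dat", "5.0.0.1"),
    ("{home}/AppData/Local/ProgramData", "svcprotect_32_1.0.0.11.dat", "1.0.0.11"),
    ("{home}/AppData/Local/ProgramData", "svcprotect_64_1.0.0.11.dat", "1.0.0.11"),
    ("{home}/AppData/Roaming/{E233850D-5D6E-48E3-98B5-8049F7E9FC68}", "iexplore.exe", "1.5.9.1098"),
    ("{home}/AppData/LocalLow/JuziPlugin/1.0.0.1020", "npjuziplugin.dll", "1.0.0.1020"),
]


def find_artifacts(home, drivers):
    """Return [(path, reported_version)] for every listed file present; name match is case-insensitive."""
    found = []
    for template, name, version in ARTIFACTS:
        directory = Path(template.replace("{home}", str(home)).replace("{drivers}", str(drivers)))
        if not directory.is_dir():
            continue
        for entry in directory.iterdir():
            if entry.is_file() and entry.name.lower() == name.lower():
                found.append((str(entry), version))
    return found


def scan_constructed_sample():
    """Plant constructed (empty) stand-ins in a temporary tree and scan it; returns (file name, version) hits."""
    with tempfile.TemporaryDirectory() as tmp:
        home, drivers = Path(tmp) / "profile", Path(tmp) / "drivers"
        (home / "AppData" / "Roaming" / "HSoftDoloEx").mkdir(parents=True)
        drivers.mkdir()
        (home / "AppData" / "Roaming" / "HSoftDoloEx" / "BIME.DLL").touch()  # case differs on purpose
        (drivers / "WaNdFilter64.sys").touch()
        (drivers / "ntfs.sys").touch()  # legitimate driver name; must not be reported
        return [(os.path.basename(p), v) for p, v in find_artifacts(home, drivers)]


if __name__ == "__main__":
    # Assumption: on a real Windows host %USERPROFILE% stands in for %HOMEPATH% and %SystemRoot%\System32\drivers for %Drivers%.
    drivers_dir = Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32" / "drivers"
    hits = find_artifacts(os.environ.get("USERPROFILE", Path.home()), drivers_dir)
    print("\n".join(f"{p}  (analysis reports version {v})" for p, v in hits) or "no listed artifacts found")
```

A hit only shows that a file with a listed name sits in a listed directory; confirm by checking the file's version resource and signature before cleaning.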
