Our good old friend, NSIS Media, comes back for a second ride. As you know, the first ride is always free. It’s good for business. Nothing like a good promotion to draw new customers. But when you come over for a second ride, it won’t be cheap.
Right after I finished writing the last post, I was greeted with a nice pop-up suggesting I should get a green card. I was quite surprised I was infected with NSIS Media, because I only opened the installers on a Virtual PC. After a little meditation, mainly to cool myself, but also to dig in my memories, I recalled I opened one of the installers to take a screenshot. Foolishly, I assumed it’d only install this malware along with the program itself. How deep was my mistake to think they’d actually be that nice. The malware installed itself even before the first wizard page showed up. All doubt was removed. This software is pure evil.
I’ve taken several routes to bring this internet atrocity to an end. So far, the most fruitful route was based on a friend’s advice. I contacted Software Freedom Law Center to get their help sending a cease and desist letter to NSIS Media. In the process, I found out a lot interesting facts about NSIS Media. Like Openwares, they are located in Vanuatu, a Melanesian island which is, of course, outside of the USA. This means a cease and desist won’t affect them and so further research is required. This also raises the intresting question of NSIS Media’s owner. Both companies are based in Vanuatu and are hosted with aplus.net. As clearly stated in Openwares’ RSS and many other places, Openwares is owned by Opensoft Corporation which is making the web more interesting since 2001. It won’t be too far fetched to assume NSIS Media is also a part of this corporation, if not at least its best partner.
This corporate deserves a lot of credit. It has ripped off many open source programs and has plauged the web with Cydoor and NSIS Media malwares. A very paritial list follows.
- Openwares – distributing malware infected packages on download.com.
- Turbo Torrent – G3 Torrent rip off containing NSIS Media, but claiming to be adware free.
- Foxie – CCleaner rip off, Firefox look alike designed to fool people into thinking it’s the new Firefox everyone is talking about. There have also been reports of it packing NSIS Media, but I cannot confirm that. They claim to be based in Israel, however they are hosted on aplus.net, are linked from every Opensoft website and have Opensoft listed in their license as a contractor.
U.S. Government Information Use, duplication, or disclosure by the U.S. Government of the computer and software documentation in this package shall be subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.277-7013 (Oct 1988) and FAR 52.227-19 (Jun 1987). The Contractor is Opensoft Corporation, Vanuatu.
- MP3 Shield – another Opensoft venture which is currently offline. Probably packed with NSIS Media as well and most probably a rip off.
- Startup Mechanic – calims to protect your PC but installs NSIS Media.
Now that we’ve gotten to know them, lets dig in and see how NSIS Media works. As I’ve previously said, NSIS Media “enhanced” installations include two DLL files installed into the system folder. The names vary, but the goal is always the same. The first, written using MSVC, leeches on just about every process in the system and loads the second. It is also responsible of installation and removal, according to strings that show up in it. The weird thing about this file is its PDB path which is always under c:\Cydoor_shell_project. Cydoor are reportedly out of this evil business, so I don’t quite know what to make of this. All DLL files have timestamps dating back to 2001, so it might be an old Cydoor DLL used to wrap NSIS Media. On the other hand, Opensoft claims to have established on 2001, but I doubt they still use the same DLL files.
The second DLL is far more interesting. It’s built using VB6 and contains an HTML page with the title Advertisment (typo in source) as resource. But there are no references to the C:\Program Files\Common Files\NSIS directory, nsis.jar, HKLM\Software\NSIS\Media or NSIS Media at all. The third DLL, miraculously installed into Common Files\NSIS along with an uninstaller contains no code. It only contains a resource named IID_NSIS which holds an unknown GUID. The uninstaller, as you might have guessed, doesn’t do much. It creates a new value called OptOut in HKLM\Software\NSIS\Media, unregisters the third DLL and finally deletes it along with the uninstaller. It also deletes a shell hook, according to the GUID found in the clsid value under its registry key.
So where does all the evil come from? I started digging in the second DLL, the VB6 DLL, looking for a URL. I found one string that raised my suspicion – @CDOQSAO:=ARB:ACPF:FQE@:QCE@=DSCBFR@. It was stored in Unicode and used in what seemed to be a key function in the code. However, it was not a URL. Notice how the colors repeat themselves and how many characters are in each block they separate. It’s a GUID. The distance between a colon and a hyphen is 13. Subtract 13 from each character and you get 367BDF4B-04E5-46C9-9D83-D68307F659E3. One Google search later and you see you’ve hit the jackpot. That GUID belongs to NSIS Media.
But the most interesting list was the URL list. One URL in particular had most to tell. Its response contained my country code and another URL for a file located on msserv.net, another one of Opensoft’s websites. The name of the website and the content it tries to serve suggests it tries to make users believe it’s non other than Windows Update. Windows Update’s URL, by the way, is also listed in the second DLL. But it’s the file that’s hosted on msserv.com that I enjoyed the most. http://www.msserv.net/src/b3.bin is an installer, better described as an updater, containing two new NSIS Media DLL files. The two DLL files seem to share the same common pattern of the regular NSIS Media DLL files, but appear to be of a newer version, at least by examining the file sizes. Going to the original URL again, you get another installer name. I quickly saw the pattern is [ab][1-9].bin and downloaded them all.
Following is the complete list of NSIS Media’s new version DLL files along with their MD5 sum, for your malware removal needs. They are also available for download, but be careful with those.
So what have we learned today?
- NSIS Media and Opensoft are pure evil.
- Cydoor might still be up to no good.
- kichik still doesn’t make 1000$ a day