Xunlei download manager is used to hide Android applications
In this post, we publish information about potentially unwanted software ( Potentially Unwanted Application , PUA), the components of which are found by ESET as Win32 / Kankan . These components are implemented in the Xunlei download manager. We noticed this software because of the following interesting features:
Story
')
The history of Win32 / Kankan began in June of last year, when several Chinese forums complained about a suspicious program signed by Xunlei Networking Technologies. The company in question is developing Xunlei software, which is used to speed up the download of files (download manager). Xunlei is similar to the Orbit Downloader download manager, the story with which we published earlier.
The popularity of Xunlei is explained by the fact that this program, besides the possibility of accelerated downloading of files, allows the user to search for the necessary files on the network and then download them in an optimized way (torrent client). The program has a generated database of addresses of various files. When you need to download a particular file, Xunlei uses a browser or torrent client in such a way that it takes the shortest possible time to download. To realize this possibility, Xunlei Networking Technologies has built in the software a search engine for files, a torrent client with support for various protocols, its own p2p protocol, as well as other tools. A more detailed description of Xunlei can be found here .
This download manager is very popular with Chinese users. A TorrentFreak study published in 2009 shows that Xunlei is the most popular torrent client in the world with more than one hundred million user IDs. While for uTorrent the maximum number of users was 92 million. It should be noted that Xunlei is a local product for the Chinese market, since there is no other language on the official site except Chinese, and the translation of the software interface itself into other languages is done by third-party companies or the users themselves.
Analysis
Above, we mentioned that some Chinese users found suspicious files on their computers, signed by the certificate of Xunlei Networking Technologies. The certificate is shown below.
Fig. Certificate that signed the malicious files.
These files belonged to the installer (Windows installer), whose name was INPEnhSetup.exe. It is based on the Nullsoft Scriptable Install System distribution system. During the installation process, the installer contacts the kkyouxi.stat.kankan.com domain, which is hardwired in its code, in order to inform the server about the start of a new installation. Then the installation of three files into the system: INPEn.dll , INPEnhUD.exe and INPEnhSvc.exe . After this, the INPEn.dll library is loaded into memory and the DllRegisterServer function is called . Next, the installer again contacts kkyouxi.stat.kankan.com and announces the end of their work.
Execution of the code in INPEn.dll begins with registering the dll as a plugin with the name InputEnhance for Word, Excel and PowerPoint. To perform this operation, it creates registry keys in the appropriate location, which allows the INPEnh.dll library to later act as a plug-in for Office applications. Below are some of these registry keys.
Fig. The registry key through which the malicious DLL performs its loading.
The screenshot shows that the parameter LoadBehavior is set to 3. Thus, the plugin will load every time you start the application. Thus, the authors of the malicious code ensure its survival after a reboot and subsequent launch. Each time an application is launched from Microsoft Office (for example, Word, Excel or PowerPoint), this library is loaded into memory as a plugin. For the user, this action is absolutely transparent, that is, he does not see it. INPEn.dll imperceptibly for the user performs the following actions:
The INPEnhUD.exe application can be described as an updater (updater). It extracts from its code the hard-wired address of the xml file update.kklm.n0808.com/officeaddinupdate.xml, which is presented below.
Fig. Part of the “update file” that is used to download new executables with the Xunlei code.
You can see that this xml file contains a list of URLs pointing to various executable files and their MD5 hashes. Files from this list will be downloaded by the updater to the computer and executed after MD5 verification. When these actions are executed, the update code runs the executable INPEnhSvc.exe , which we call the service.
This INPEnhSvc.exe (“service”) is actually the core of the hidden Xunlei code and can execute various remote commands. After performing the same checks for debugging and analysis tools that we saw in the previous module, it downloads an XML configuration file, which may contain various commands. They can be divided into two groups.
As the name implies, local commands are implemented by the service code itself without using network downloads: scanreg searches for a specific registry key and reports its presence or absence to StatServer, scandesktop and scanf Press looking for special .lnk and .url shortcut files in the desktop directories and “Favorites” respectively.
If the service receives a remote command, then it interacts with the Office plugin (described above), which is responsible for the execution of this feature. This interaction occurs through a configuration file called tasklist.ini and contains three different sections: Doing , Done , DoneByData . Both executable files contain a list of GUIDs, each of which is associated with a specific task. The process of interaction between these modules is as follows:
Below is an illustrative diagram of this work process. Blue boxes represent processes, and yellow boxes represent files.
Remote commands do not need additional explanations, since their names speak for themselves. The exception is the installphoneapp command, which we will consider in more detail.
Mobile Applications
The installphoneapp command, as the name suggests, is used to download a mobile application from a remote server and then install it on an Android mobile device (APK file). To accomplish this task, the service downloads the Android Debug Bridge (ADB) application, which is part of the Android SDK. Next, the plugin downloads APK files whose addresses are listed in the command XML file (config.xml) and lists Android devices that are connected to a computer using ADB. After these operations, the code installs each application on the device.
It should be noted that the application will be installed only if the device running Android is connected to the computer via USB, and it includes the ability to debug, which is activated through the device settings. Officially, it is provided only for application development, but is also used by some types of applications, including for updating the firmware on the device. In this interaction mode, the application on the device will be installed in the hidden mode and the user will not notice this.
Screenshots of downloadable applications are shown below.
Fig. Screenshots of applications installed by Xunlei.
According to our analysis, all these applications provide real opportunities for the user. Three of them are available for download in app stores. We did not find any malicious functions in these applications, however, it should be noted that the code of these applications is strongly obfuscated to complicate the analysis.
At the moment, the fourth application is still available on Google Play and allows users to make phone calls at so-called special low rates. However, the application has some suspicious features, for example, regular interaction with various URL addresses, which are known as distributors of adware for Android. This application is detected by ESET as Android / SMSreg.BT and is also potentially undesirable (Potentially Unwanted Application, PUA).
The motivation for installing these applications through the hidden Xunlei code remains unknown. However, the role of the developer company Xunlei Networking Technologies is not entirely clear. The fact is that the files containing this unwanted code are signed with the digital certificate of this company. In addition, the child domain kankan.com, which is used as a data collection server (StatServer) is also used as another service of this company. There is no doubt that company employees knew about the unwanted hidden features of their software.
Last August, company representatives responded to user complaints by saying that some employees used company resources to create and distribute this code. In particular, it was stated that the responsibility for this is borne by one of the departments of the company, which, without the approval of the management, has built such possibilities in the software.
Note that the Xunlei Uninstaller is signed with the same digital certificate. It is downloaded to the user's computer thanks to the update component, which we wrote about above. According to our analysis, the uninstaller works correctly and removes all elements of the program. The start and end of the campaign to distribute this version of Kankan coincides with the detection indicators of this PUA software in August and September of this year.
It can be seen that the level of distribution of this software has greatly decreased after the peak of August 8th (the uninstaller was signed on August 9th). Below is the Win32 / Kankan activity map, according to ESET VirusRadar , which shows that China has been the most active.
Conclusion
Using one of the Xunlei libraries as an Office plug-in for hiding and subsequent implementation of its unwanted features, the hidden installation mechanism for Android applications, and the backdoor functionality confirm that Xunlei is dangerous for users. Thus, this software was added to the ESET database as Win32 / Kankan .
- To ensure its secrecy and survival in the system, this software registers one of its components as a plugin for Microsoft Office.
- The detected malicious code installs applications for Android devices that are connected to the computer via USB, without the user's knowledge.
- Win32 / Kankan contains code for detecting special system tools that analyze its behavior in the system.
- The Xunlei files that contain this malicious code are digitally signed by a Chinese company, Xunlei Networking Technologies (developed by Xunlei).
Story
')
The history of Win32 / Kankan began in June of last year, when several Chinese forums complained about a suspicious program signed by Xunlei Networking Technologies. The company in question is developing Xunlei software, which is used to speed up the download of files (download manager). Xunlei is similar to the Orbit Downloader download manager, the story with which we published earlier.
The popularity of Xunlei is explained by the fact that this program, besides the possibility of accelerated downloading of files, allows the user to search for the necessary files on the network and then download them in an optimized way (torrent client). The program has a generated database of addresses of various files. When you need to download a particular file, Xunlei uses a browser or torrent client in such a way that it takes the shortest possible time to download. To realize this possibility, Xunlei Networking Technologies has built in the software a search engine for files, a torrent client with support for various protocols, its own p2p protocol, as well as other tools. A more detailed description of Xunlei can be found here .
This download manager is very popular with Chinese users. A TorrentFreak study published in 2009 shows that Xunlei is the most popular torrent client in the world with more than one hundred million user IDs. While for uTorrent the maximum number of users was 92 million. It should be noted that Xunlei is a local product for the Chinese market, since there is no other language on the official site except Chinese, and the translation of the software interface itself into other languages is done by third-party companies or the users themselves.
Analysis
Above, we mentioned that some Chinese users found suspicious files on their computers, signed by the certificate of Xunlei Networking Technologies. The certificate is shown below.
Fig. Certificate that signed the malicious files.
These files belonged to the installer (Windows installer), whose name was INPEnhSetup.exe. It is based on the Nullsoft Scriptable Install System distribution system. During the installation process, the installer contacts the kkyouxi.stat.kankan.com domain, which is hardwired in its code, in order to inform the server about the start of a new installation. Then the installation of three files into the system: INPEn.dll , INPEnhUD.exe and INPEnhSvc.exe . After this, the INPEn.dll library is loaded into memory and the DllRegisterServer function is called . Next, the installer again contacts kkyouxi.stat.kankan.com and announces the end of their work.
Execution of the code in INPEn.dll begins with registering the dll as a plugin with the name InputEnhance for Word, Excel and PowerPoint. To perform this operation, it creates registry keys in the appropriate location, which allows the INPEnh.dll library to later act as a plug-in for Office applications. Below are some of these registry keys.
Fig. The registry key through which the malicious DLL performs its loading.
The screenshot shows that the parameter LoadBehavior is set to 3. Thus, the plugin will load every time you start the application. Thus, the authors of the malicious code ensure its survival after a reboot and subsequent launch. Each time an application is launched from Microsoft Office (for example, Word, Excel or PowerPoint), this library is loaded into memory as a plugin. For the user, this action is absolutely transparent, that is, he does not see it. INPEn.dll imperceptibly for the user performs the following actions:
- Downloads the tools.ini configuration file from the remote server (conf.kklm.n0808.com/tools.ini). The file contains various parameters, for example, a list of names of various system tools, which is encoded by the base64 algorithm. Below is this file.
- Checks if a process is running from the list shown in the configuration file. If running, the library stops working. The list of applications from one of the configuration files is given below. You can see that it contains the names of the processes of the analysis and debugging tools (Windows task manager, Olly Debugger, MS Process Monitor, Wireshark, etc.), and not the names of the processes of anti-virus products. Thus, it is obvious that the authors have embedded code in the library, which helps to avoid analyzing the behavior of the program or detecting its activity in the system.
- Checks whether Internet connection is active, trying to connect with well-known Chinese resources, for example, baidu.com and qq.com. If there is no connection to the network, the code goes into a loop waiting for such a connection.
- If all previous checks are successfully passed, the plugin sends various information to the StatServer server (see the configuration file), in particular, the Windows version and the name of the application in the context of which the dll was launched. Then INPEnhUD.exe is launched.
- Further, the code is included in the processing cycle of various tasks, which we describe below.
The INPEnhUD.exe application can be described as an updater (updater). It extracts from its code the hard-wired address of the xml file update.kklm.n0808.com/officeaddinupdate.xml, which is presented below.
Fig. Part of the “update file” that is used to download new executables with the Xunlei code.
You can see that this xml file contains a list of URLs pointing to various executable files and their MD5 hashes. Files from this list will be downloaded by the updater to the computer and executed after MD5 verification. When these actions are executed, the update code runs the executable INPEnhSvc.exe , which we call the service.
This INPEnhSvc.exe (“service”) is actually the core of the hidden Xunlei code and can execute various remote commands. After performing the same checks for debugging and analysis tools that we saw in the previous module, it downloads an XML configuration file, which may contain various commands. They can be divided into two groups.
- local commands: scanreg , scandesktop , scanflicit
- remote commands: installpcapp , installphoneapp , setdesktopshortcut , addfinds , setiestartpage
As the name implies, local commands are implemented by the service code itself without using network downloads: scanreg searches for a specific registry key and reports its presence or absence to StatServer, scandesktop and scanf Press looking for special .lnk and .url shortcut files in the desktop directories and “Favorites” respectively.
If the service receives a remote command, then it interacts with the Office plugin (described above), which is responsible for the execution of this feature. This interaction occurs through a configuration file called tasklist.ini and contains three different sections: Doing , Done , DoneByData . Both executable files contain a list of GUIDs, each of which is associated with a specific task. The process of interaction between these modules is as follows:
- When a service receives a remote command, it writes the desired GUID to the Doing section with the necessary parameters (for example, the URL address).
- A library that has been registered as an Office plugin reads this GUID. It then checks for the presence of such a GUID in the Done and DoneByDate sections of the tasklist.ini file. If the command has not yet been executed, i.e. is absent in both sections, then it is subject to execution.
- As soon as the command is executed, the plugin writes the GUID value to the Done section. In addition, the GUID values for the installpcapp and installphoneapp commands are also recorded in the DoneByDate section. This is probably done for the subsequent re-execution of these commands.
Below is an illustrative diagram of this work process. Blue boxes represent processes, and yellow boxes represent files.
Remote commands do not need additional explanations, since their names speak for themselves. The exception is the installphoneapp command, which we will consider in more detail.
Mobile Applications
The installphoneapp command, as the name suggests, is used to download a mobile application from a remote server and then install it on an Android mobile device (APK file). To accomplish this task, the service downloads the Android Debug Bridge (ADB) application, which is part of the Android SDK. Next, the plugin downloads APK files whose addresses are listed in the command XML file (config.xml) and lists Android devices that are connected to a computer using ADB. After these operations, the code installs each application on the device.
It should be noted that the application will be installed only if the device running Android is connected to the computer via USB, and it includes the ability to debug, which is activated through the device settings. Officially, it is provided only for application development, but is also used by some types of applications, including for updating the firmware on the device. In this interaction mode, the application on the device will be installed in the hidden mode and the user will not notice this.
Screenshots of downloadable applications are shown below.
Fig. Screenshots of applications installed by Xunlei.
According to our analysis, all these applications provide real opportunities for the user. Three of them are available for download in app stores. We did not find any malicious functions in these applications, however, it should be noted that the code of these applications is strongly obfuscated to complicate the analysis.
At the moment, the fourth application is still available on Google Play and allows users to make phone calls at so-called special low rates. However, the application has some suspicious features, for example, regular interaction with various URL addresses, which are known as distributors of adware for Android. This application is detected by ESET as Android / SMSreg.BT and is also potentially undesirable (Potentially Unwanted Application, PUA).
The motivation for installing these applications through the hidden Xunlei code remains unknown. However, the role of the developer company Xunlei Networking Technologies is not entirely clear. The fact is that the files containing this unwanted code are signed with the digital certificate of this company. In addition, the child domain kankan.com, which is used as a data collection server (StatServer) is also used as another service of this company. There is no doubt that company employees knew about the unwanted hidden features of their software.
Last August, company representatives responded to user complaints by saying that some employees used company resources to create and distribute this code. In particular, it was stated that the responsibility for this is borne by one of the departments of the company, which, without the approval of the management, has built such possibilities in the software.
Note that the Xunlei Uninstaller is signed with the same digital certificate. It is downloaded to the user's computer thanks to the update component, which we wrote about above. According to our analysis, the uninstaller works correctly and removes all elements of the program. The start and end of the campaign to distribute this version of Kankan coincides with the detection indicators of this PUA software in August and September of this year.
It can be seen that the level of distribution of this software has greatly decreased after the peak of August 8th (the uninstaller was signed on August 9th). Below is the Win32 / Kankan activity map, according to ESET VirusRadar , which shows that China has been the most active.
Conclusion
Using one of the Xunlei libraries as an Office plug-in for hiding and subsequent implementation of its unwanted features, the hidden installation mechanism for Android applications, and the backdoor functionality confirm that Xunlei is dangerous for users. Thus, this software was added to the ESET database as Win32 / Kankan .
Source: https://habr.com/ru/post/197610/
All Articles