I haven't done much research on the company itself, but a Google search for "conduit toolbar" will show you just how many people search for this crapware, and how many people have created a "how-to" in order to uninstall the application. The company (Conduit) has a very plain page without offering much detail and appears to be affiliated with a company called Como, which helps businesses create smart phone apps. Whatever, I don't care. I just want the network indicators.
The main reason why I created this post was to, obviously, show you some network indicators for this toolbar. I had a hard time finding any kind of information about indicators for the toolbar; almost all of the sites that I found had information on how to uninstall the toolbar. What does the toolbar do? Well it is pretty malicious and transmits sensitive data to a remote server. File analysis shows that it will attempt to see if a virtual machine is running (anti-forensics), will steal private information from your web browser, fingerprint your system (BIOS, MachineGUID), and even modify your proxy settings. Yeah, this is a nice piece of software. On to the network indicators!
Domains Contacted / HTTP URI Paths:
The following domains are contacted after installation and for application updates. The HTTP URI paths below each domain have been observed for those specific domains.
HTTP User-agent String:
- Starts with: "SearchProtect"
- Users a semi-colon as a field separator
- Breakdown of user-agent string values:
- SearchProtect;<Application Version>;<OS type and version>;<Unique identifier>
- SearchProtect;18.104.22.168;Microsoft Windows 7 Professional;SP1A9B0A2A-43A1-4D4B-C21B-4CAEDF6B9192
- Regex to find the unique identifier on the user-agent string:
An associated file that is downloaded for updating is retrived from the following sites:
Download activity is accomplished thorugh an HTTP GET request over port 80 for the file name "autoupdate.zip."
- autoupdate.zip file analysis: