Monday, August 3, 2015

Indicators: Conduit Toolbar

Conduit Toolbar. The name alone is enough to make me wince. The name should ring a bell if you have ever been in any kind of support position or if one of your relatives started to complain about a slow internet browser and asks you to remove "this weird toolbar." So what is Conduit and what is this toolbar?

I haven't done much research on the company itself, but a Google search for "conduit toolbar" will show you just how many people search for this crapware, and how many people have created a "how-to" in order to uninstall the application. The company (Conduit) has a very plain page without offering much detail and appears to be affiliated with a company called Como, which helps businesses create smart phone apps. Whatever, I don't care. I just want the network indicators.

The main reason why I created this post was to, obviously, show you some network indicators for this toolbar. I had a hard time finding any kind of information about indicators for the toolbar; almost all of the sites that I found had information on how to uninstall the toolbar. What does the toolbar do? Well it is pretty malicious and transmits sensitive data to a remote server. File analysis shows that it will attempt to see if a virtual machine is running (anti-forensics), will steal private information from your web browser, fingerprint your system (BIOS, MachineGUID), and even modify your proxy settings. Yeah, this is a nice piece of software. On to the network indicators!

Domains Contacted / HTTP URI Paths:
The following domains are contacted after installation and for application updates. The HTTP URI paths below each domain have been observed for those specific domains.
  • sp-storage.conduit-services.com
    • /autoupdate/
  • sp-storage.spccinta.com
    • /autoupdate/
  • sp-storage.spccint.com
    • /autoupdate/
  • servicemap.conduit-services.com
    • /sp/
    • /sptray/
  • servicemap.spccint.com
    • /sp/
    • /sptray/
  • sp.api.search.conduit.com
    • /up/settings/?ctid=
  • sp-alive-msg.conduit-data.com
  • sp-alive-msg.databssint.com
  • sp-autoupdate.conduit-services.com
    • /autoupdate/
    • /update/
  • sp-autoupdate.spccint.com
    • /autoupdate/
    • /update/
  • sp-ip2location.conduit-services.com
    • /ip/?client=sp
  • sp-ip2location.spccint.com
    • /ip/?client=sp
  • sp-settings.conduit-services.com
    • /searchprotectorsettings/
    • /carrier/
    • /plugins/
  • sp-settings.spccint.com
    • /searchprotectorsettings/
    • /carrier/
    • /plugins/
  • sp-translation.conduit-services.com
    • /?locale=
  • sp-usage.databssint.com

HTTP User-agent String:
  • Starts with: "SearchProtect"
  • Users a semi-colon as a field separator
  • Breakdown of user-agent string values:
    • SearchProtect;<Application Version>;<OS type and version>;<Unique identifier>
  • Example:
    • SearchProtect;1.7.1.50;Microsoft Windows 7 Professional;SP1A9B0A2A-43A1-4D4B-C21B-4CAEDF6B9192
  • Regex to find the unique identifier on the user-agent string:
    • ([a-zA-Z0-9]{10}\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{12})
File Downloaded:
An associated file that is downloaded for updating is retrived from the following sites:
  • sp-storage.conduit-services.com
  • sp-storage.spccinta.com
  • sp-storage.spccint.com
Download activity is accomplished thorugh an HTTP GET request over port 80 for the file name "autoupdate.zip."

Further Reading:

1 comment:

Please feel free to leave a comment that is relevant to the post.