
Monday, August 3, 2015

Indicators: Conduit Toolbar

Conduit Toolbar. The name alone is enough to make me wince. The name should ring a bell if you have ever been in any kind of support position or if one of your relatives started to complain about a slow internet browser and asks you to remove "this weird toolbar." So what is Conduit and what is this toolbar?

I haven't done much research on the company itself, but a Google search for "conduit toolbar" will show you just how many people search for this crapware, and how many people have created a "how-to" in order to uninstall the application. The company (Conduit) has a very plain page without offering much detail and appears to be affiliated with a company called Como, which helps businesses create smart phone apps. Whatever, I don't care. I just want the network indicators.

The main reason I created this post was, obviously, to show you some network indicators for this toolbar. I had a hard time finding any kind of information about indicators for the toolbar; almost all of the sites that I found had information on how to uninstall it. What does the toolbar do? Well, it is pretty malicious and transmits sensitive data to a remote server. File analysis shows that it will attempt to see if a virtual machine is running (anti-forensics), will steal private information from your web browser, fingerprint your system (BIOS, MachineGUID), and even modify your proxy settings. Yeah, this is a nice piece of software. On to the network indicators!

Domains Contacted / HTTP URI Paths:
The following domains are contacted after installation and for application updates. The HTTP URI paths below each domain have been observed for those specific domains.
  • sp-storage.conduit-services.com
    • /autoupdate/
  • sp-storage.spccinta.com
    • /autoupdate/
  • sp-storage.spccint.com
    • /autoupdate/
  • servicemap.conduit-services.com
    • /sp/
    • /sptray/
  • servicemap.spccint.com
    • /sp/
    • /sptray/
  • sp.api.search.conduit.com
    • /up/settings/?ctid=
  • sp-alive-msg.conduit-data.com
  • sp-alive-msg.databssint.com
  • sp-autoupdate.conduit-services.com
    • /autoupdate/
    • /update/
  • sp-autoupdate.spccint.com
    • /autoupdate/
    • /update/
  • sp-ip2location.conduit-services.com
    • /ip/?client=sp
  • sp-ip2location.spccint.com
    • /ip/?client=sp
  • sp-settings.conduit-services.com
    • /searchprotectorsettings/
    • /carrier/
    • /plugins/
  • sp-settings.spccint.com
    • /searchprotectorsettings/
    • /carrier/
    • /plugins/
  • sp-translation.conduit-services.com
    • /?locale=
  • sp-usage.databssint.com

HTTP User-agent String:
  • Starts with: "SearchProtect"
  • Uses a semi-colon as a field separator
  • Breakdown of user-agent string values:
    • SearchProtect;<Application Version>;<OS type and version>;<Unique identifier>
  • Example:
    • SearchProtect;1.7.1.50;Microsoft Windows 7 Professional;SP1A9B0A2A-43A1-4D4B-C21B-4CAEDF6B9192
  • Regex to find the unique identifier on the user-agent string:
    • ([a-zA-Z0-9]{10}\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{4}\-[a-zA-Z0-9]{12})
File Downloaded:
An associated file that is downloaded for updating is retrieved from the following sites:
  • sp-storage.conduit-services.com
  • sp-storage.spccinta.com
  • sp-storage.spccint.com
Download activity is accomplished through an HTTP GET request over port 80 for the file name "autoupdate.zip."
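To turn the domain list and user-agent breakdown above into something you can run over proxy logs, here is an added example (my own code, not from the original post or from Conduit): it parses a SearchProtect user-agent into its four fields using the post's identifier regex, and flags log lines that either carry that user-agent or contact one of the listed domains. The tab-separated log layout and the sample lines are constructed for the example; adapt the field order to your proxy's log format.

```python
import re

# Domains the post lists as contacted by the toolbar after install and for updates.
CONDUIT_DOMAINS = {
    "sp-storage.conduit-services.com", "sp-storage.spccinta.com", "sp-storage.spccint.com",
    "servicemap.conduit-services.com", "servicemap.spccint.com", "sp.api.search.conduit.com",
    "sp-alive-msg.conduit-data.com", "sp-alive-msg.databssint.com",
    "sp-autoupdate.conduit-services.com", "sp-autoupdate.spccint.com",
    "sp-ip2location.conduit-services.com", "sp-ip2location.spccint.com",
    "sp-settings.conduit-services.com", "sp-settings.spccint.com",
    "sp-translation.conduit-services.com", "sp-usage.databssint.com",
}

# The post's regex for the unique identifier (10-4-4-4-12 alphanumeric groups).
UID_RE = re.compile(r"[a-zA-Z0-9]{10}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{4}-[a-zA-Z0-9]{12}")

def parse_searchprotect_ua(ua):
    """Split 'SearchProtect;<version>;<OS>;<uid>' into fields; None if it does not fit."""
    if not ua.startswith("SearchProtect"):
        return None
    parts = [p.strip() for p in ua.split(";")]
    if len(parts) != 4 or not UID_RE.fullmatch(parts[3]):
        return None
    return {"product": parts[0], "version": parts[1], "os": parts[2], "uid": parts[3]}

# Constructed sample proxy log lines (tab-separated: client IP, host, URI, user-agent).
SAMPLE_LOG = [
    "10.0.0.5\tsp-autoupdate.spccint.com\t/autoupdate/\tSearchProtect;1.7.1.50;"
    "Microsoft Windows 7 Professional;SP1A9B0A2A-43A1-4D4B-C21B-4CAEDF6B9192",
    "10.0.0.7\twww.example.com\t/index.html\tMozilla/5.0 (Windows NT 6.1) Firefox/38.0",
    "10.0.0.9\tsp-usage.databssint.com\t/\tMozilla/4.0 (compatible; MSIE 8.0)",
]

def scan_proxy_log(lines):
    """Return (client, indicator type, value) for each line that trips an indicator."""
    hits = []
    for line in lines:
        client, host, _uri, ua = line.split("\t", 3)
        parsed = parse_searchprotect_ua(ua)
        if parsed:
            # The user-agent wins because it carries the per-install identifier.
            hits.append((client, "user-agent", parsed["uid"]))
        elif host in CONDUIT_DOMAINS:
            hits.append((client, "domain", host))
    return hits
```

The per-install identifier is worth keeping in the hit record: it lets you tie requests from the same infected machine together across the different domains above.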

Further Reading:

Monday, June 22, 2015

User-agent String Indicator Page Updated

I updated the user-agent string indicator page to include Wireshark display filters using regex to find specific user-agents. I am by no means a regex pro, so if anyone finds any discrepancies or can figure out a cleaner way to search with regex, then please let me know.

A few things I noticed when using regex in Wireshark display filters. I was not able to figure out how to escape an open and close parenthesis (if I did escape those characters normally, it would not find the user-agent), so I had to do a logical AND plus another display filter in order to locate the right value (please see the Dyre user-agent string). Also, I had to be more explicit with the query with a shorter user-agent string value; meaning I had to add a Start of Line and End of Line character to the query.

I hope you all find this information useful, feel free to ask questions or leave comments. Thank you.

Tuesday, June 9, 2015

New User-agent Indicators Page

I made a post a few months back about malicious user-agent string values. It appears to be a pretty popular post, so I decided to create a page dedicated to malicious user-agent strings.

I added several more strings to the list as well as updating some regex. Speaking of which, I still need to add more regex values to that page and I will also add some Wireshark display filters that you can use to find user-agent strings in PCAP files.

I also added a new list on the right side of the page dedicated to just indicators. You can find the new page here. Enjoy!

Thursday, January 22, 2015

User-agent Strings

A user-agent string is a value used by an application that identifies itself to the server. There are many sites that go into this a bit deeper, so I won't harp on it here. The purpose here is to identify malware that uses unique user-agent string values, which makes it terribly easy to find malicious traffic being generated by certain malware.

The best place to find these values is proxy logs, so you will need to know the field name that your proxy server uses to identify the user-agent string: I believe the field in BlueCoat proxy logs is cs(User-Agent), but yours may be different. Below is a list of user-agent strings that I have seen in our logs and have confirmed to have been used by malware; there are many others out there, but I will not include those. I have also included a line that you can use to dig through old logs in order to locate past infections.

Malware: Houdini / Iniduoh / njRAT
This one should pop right out in your logs. It uses the below characters as a field separator, so there will be several of these in the user-agent field.
  • User-agent contains: <|>
  • Regex: <\|>
  • Regex: ((\w+)|(\W+))((<\|>)|(\\))((\w+)|(\W+))((<\|>)|(\\))((\w+)|(\W+))((<\|>)|(\\))[^<|\\]+((<\|>)|(\\))((\w+)|(\W+))[^<|\\]+((<\|>)|(\\))[^<|\\]+((\w+)|(\W+))((\w+)|(\W+))+
    • I did not write the above regex for this one and I cannot remember where I found it, so I am unable to give credit. If it's yours then please let me know.
Malware: Zero Access
  • User-agent: nsis_inetc (mozilla)
  • Regex: nsis_inetc\s\(mozilla\)
Malware: Generic Trojan
  • User-agent: Mozilla/5.0 WinInet
  • Regex: Mozilla\/5\.0\sWinInet
Malware: Dyre / Upatre
The following string was found on a Windows machine.
  • User-agent: Wget/1.9+cvs-stable (Red Hat modified)
  • Regex: Wget\/1\.9\+cvs-stable\s\(Red\sHat\smodified\)
Malware: Generic password stealing Trojan
  • User-agent: RookIE/1.0
  • Regex: RookIE\/1\.0
The following two user-agent strings will require the use of Log Parser. Attempting to do a regex search with these will return a large amount of results.

Malware: Tupym
Although AutoIt is legitimate, finding this user-agent may be malicious. Make sure you investigate this a bit further if you find it in your log files.
  • User-agent: AutoIt
  • SQL: SELECT [user-agent column name] FROM [file path] WHERE [user-agent column name] = 'AutoIt'
Malware: HkMain
Yes, this was actually found in proxy logs.
  • User-agent: M
  • SQL: SELECT [user-agent column name] FROM [file path] WHERE [user-agent column name] = 'M'
The agents listed below have a high certainty of being malicious, but investigate further as they are very close to being legitimate user-agent values.

Malware: Egamipload
  • User-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
  • Regex: Mozilla\/4\.0\s\(compatible;\sMSIE\s8\.0;\sWindows\sNT\s5\.1;\sTrident\/4\.0\)
Malware: Botnet / Adware
This was found in a known botnet as well as some adware.
  • User-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
  • Regex: Mozilla\/4\.0\s\(compatible;\sMSIE\s6\.0;\sWindows\sNT\s5\.1;\sSV1\)
Malware: Yakes
Notice the lack of spacing within the parentheses.
  • User-agent: Mozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)
  • Regex: Mozilla\/4\.0\s\(compatible;MSIE\s7\.0;Windows\sNT\s6\.0\)
That is it for now. I will add a separate page for these in the future as I continue to find more malicious user-agent strings.
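As an added example (my own code, not from the original post), here is the list above turned into a small scanner: the regex indicators are searched as substrings, while AutoIt and M are compared as whole field values, which is what the Log Parser SQL equality above does and why a plain regex for "M" would flood you with results. The tab-separated log layout and the sample lines are constructed; only the indicator values come from the post.

```python
import re

# Regex indicators as given in the post (searched anywhere in the user-agent field).
REGEX_INDICATORS = {
    "Houdini / njRAT": r"<\|>",
    "Zero Access": r"nsis_inetc\s\(mozilla\)",
    "Generic Trojan": r"Mozilla\/5\.0\sWinInet",
    "Dyre / Upatre": r"Wget\/1\.9\+cvs-stable\s\(Red\sHat\smodified\)",
    "Generic password stealer": r"RookIE\/1\.0",
    "Egamipload": r"Mozilla\/4\.0\s\(compatible;\sMSIE\s8\.0;\sWindows\sNT\s5\.1;\sTrident\/4\.0\)",
    "Botnet / Adware": r"Mozilla\/4\.0\s\(compatible;\sMSIE\s6\.0;\sWindows\sNT\s5\.1;\sSV1\)",
    "Yakes": r"Mozilla\/4\.0\s\(compatible;MSIE\s7\.0;Windows\sNT\s6\.0\)",
}
# Values the post says need an exact whole-field comparison, not a regex search.
EXACT_INDICATORS = {"Tupym": "AutoIt", "HkMain": "M"}

COMPILED = {name: re.compile(pat) for name, pat in REGEX_INDICATORS.items()}

def classify_user_agent(ua):
    """Return the malware labels whose indicator matches this user-agent value."""
    labels = [name for name, rx in COMPILED.items() if rx.search(ua)]
    labels += [name for name, val in EXACT_INDICATORS.items() if ua == val]
    return labels

# Constructed sample lines (tab-separated: client IP, host, cs(User-Agent)).
SAMPLE_LOG = [
    "10.1.1.10\tupdate.example.net\tMozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0",
    "10.1.1.11\t203.0.113.9\tHostName<|>UserName<|>WIN_7",
    "10.1.1.12\tcdn.example.org\tAutoIt",
    "10.1.1.13\tcdn.example.org\tAutoIt v3 Script",  # not an exact match, so not flagged
    "10.1.1.14\t198.51.100.7\tM",
    "10.1.1.15\t198.51.100.8\tMozilla/4.0 (compatible;MSIE 7.0;Windows NT 6.0)",
]

def scan_log(lines):
    """Map client IP -> matched labels for every line that trips an indicator."""
    flagged = {}
    for line in lines:
        client, _host, ua = line.split("\t", 2)
        labels = classify_user_agent(ua)
        if labels:
            flagged[client] = labels
    return flagged
```

For the three near-legitimate strings at the end of the list, treat a hit as a lead to investigate rather than a verdict, as the post says.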

Further reading: