Wednesday, August 17, 2011

A little analysis on that Zugo toolbar

Related names: StartNow, Whitesmoke, Babylon, HyperBar, Zugo, toolbar
Threat: low
Main artifacts: Browser toolbar installed and home page set
Main install vector: Surreptitious install by affiliate with little or no notice to user.
Company behind all this: Zugo Services Ltd of London
How to remove: See this link.

Introduction

The Zugo toolbar for web browsers, a Zugo Services Ltd product, is an annoying adware product that often gets installed on users computers in a surreptitious manner. The product is included within other software and during install the user may only be given limited information on the toolbar installation or, worse, no information at all. According to GFI Software, Zugo Services Ltd has a large affiliate network with affiliates being payed up to $1.50 per install. There is little oversight of affiliates by Zugo which have every incentive to obtain the largest possible number of installs by whatever means necessary.

Zugo's default toolbar is StartNow though Zugo has also created toolbar products for other companies, including Whitesmoke and Babylon. Once installed, the software will change the user's home page and relay search information to the Zugo infrastructure to allow the placement of targeted advertising. An earlier version of this product was known as the StartNow HyperBar.

An example is provided by the website adlsoft.net which hosts a number of free download utilities, all of which install the toolbar. Interestingly adlsoft.net resolves to the same IP address as zcode.biz, a host that the toolbar installer contacts suggesting that the adlsoft site was established to drive installs of the toolbar.

Intro paragraph on adlsoft.net
Incidentally this site has taken the free download version of Systweak's Advanced System Protector and re-packaged it to include the StartNow Toolbar.
adlsoft.net with Systweak software for download

Here is the install screen of one of the products, in this case a decompression utility.
Uncompressor install screen
Though the screen does mention that another product will be installed, the language could very easily be missed. Liberal use is made of the “Bing” name rather than the StartNow name. It looks almost as though it was designed to be overlooked.

Interestingly, when you install the software without an Internet connection, a different install screen appears(see below). There is now a reference to the Babylon toolbar which is a different Zugo toolbar product.
Uncompressor install screen showing Babylon toolbar

In contrast, below is an example of best practice in toolbar installation. This is the screen an Adobe installer will give you before installing the Google toolbar. Nice and clear.
Adobe Googler toolbar install

Tracking the install
z-silent starts!
 Once the utility installer is executed two files are downloaded via HTTP on port 80, a tiny token file and an executable named z-silent.exe(why name this silent Zugo folks, a little spooky no?). Z-silent.exe is a Nullsoft NSIS installer for Zugo products signed by Zugo Ltd. The HTTP GET commands are as follows.

HTTP GET sent to 204.232.212.106

GET /getCountry/ HTTP/1.0
Host: zcode.biz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

HTTP/1.1 200 OK
Date: Mon, 02 Aug 2011 14:23:12 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Length: 2
Connection: close
Content-Type: text/plain; charset=UTF-8
US

HTTP GET sent to 184.25.108.35

GET /z-silent-2804.exe HTTP/1.0
Host: c194738.r38.cf1.rackcdn.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

z-silent is then started with the following command.

z-silent.exe /S /CHANNEL="2_6" /TOOLBAR /DEFAULTSTART /DEFAULTSEARCH

z-silent now does a number of things including the following.
  1. Disables proxy use and Internet connection auto configuration scripts.
  2. Calculates a unique user globally unique id(guid) and machine id.
  3. Installs the StartNow toolbar software to Program Files/Startnow Toolbar
  4. Registers StartNow as a Browser Helper Object, Internet Explorer will now run with Toolbar32.dll
  5. Spawns the toolbarupdateservice process
  6. Registers the install with remote infrastructure via HTTP GET.
Most registry and file activity is routine,however, the following keys are deleted. This disables proxy use and auto configuration scripts.

HKCU/Software/Windows/CurrentVersion/Internet Settings/ProxyServer
HKCU/Software/Windows/CurrentVersion/Internet Settings/ProxyOverride
HKCU/Software/Windows/CurrentVersion/Internet Settings/AutoConfigUrl

z-silent and most of the various files it generates in the Temp directory during install are now deleted.

Interestingly registry activity includes a check for the existence of the key shown below. This is the first of three ties between Zugo Services Ltd and the company AfterDownload.com

HKLM/Software/AfterDownload

The second is that if the properties details tab of z-silent is examined it can be seen that both the File description and Product name fields have the value AfterDownload.

The following Internet traffic is generated during the z-silent install.

HTTP GET sent to 209.159.151.3

GET /getcountry?
pid=628
channel=2_6
bdate=20110802T091233
bversion=1.7
client=installer
action=tb_installed,sp_installed,ds_installed
user_guid=<removed>
Host: installer.zugo.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*

HTTP GET sent to 209.159.151.3

GET /ztb/update?
partner_id=249
product_id=628
affiliate_id=
channel=2%5F6
toolbar_id=200
toolbar_version=2.0
install_country=US
install_date=20110802
user_guid=<removed>
machine_id=<removed>
browser=IE
os=Win
os_version=5.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: tbupdate.zugo.com
Connection: Keep-Alive

Once the toolbar is installed information will be stored in cookies beginning with the following strings.

\Documents and Settings\Owner\Cookies\owner@www.startnow
Searches using the toolbar will send information to the Zugo infrastructure via HTTP GET requests as the following search for “football” shows. This information includes the operating system version, country of install and a globally unique machine id.

HTTP GET sent to 64.20.54.67

GET /s/?q=football
category=web
dummy_pn=Bing
partner_id=249
product_id=628
affiliate_id=
channel=2_6
toolbar_id=200
toolbar_version=2.0
install_country=US
install_date=20110802
user_guid=<removed>
machine_id=<removed>
browser=IE
os=win
os_version=5.1-x86-SP3
provider=bing
provider_name=bing
provider_code=Z082
src=startpage HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.startnow.com/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: www.startnow.com
Connection: Keep-Alive
Cookie:
sp_query_string=src startpage
provider Bing
provider_code Z082
partner_id 249
product_id 628
affiliate_id
channel 2_6
toolbar_id 200
toolbar_version 2.0
install_country US
install_date 20110802
user_guid <removed>
machine_id <removed>
browser IE
os win
os_version 5.1-x86-SP3

In contrast this is the information the real Bing toolbar sends back to Bing infrastructure.

GET /search?q=football
FORM=BB07LB
PC=BB07
QS=n HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, */*
X-SearchRewards: brcv=18.0.2066.0[mi=4ef64220-fc5d-4894-9972-3dfef868b86f,HID=0,IID=781940d98b126d94fc80273927bd9c20,tc=1]
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; BRI/2)
Accept-Encoding: gzip, deflate
Host: www.bing.com
Connection: Keep-Alive
Cookie:
SRCHUID=V=2
GUID=<removed>
_SS=SID=<removed>
CW=555
CH=0
bIm=147; RMS=F=GgAg
A=AAAAAAAAAAAQAAAk; SRCHD=D=1896158
SM=1MS=1896158
AF=MSN005; SRCHUSR=AUTOREDIR=0
GEOVAR=
DOB=20110730; MUID=<removed>; _UR=OMW=1

Whitesmoke and Zugo

An example of how using Zugo's services can help a company comes from the public SEC filings of Whitesmoke. Whitesmoke offers a spelling and grammar correction software product and entered into an agreement with Zugo which resulted in significant benefits for Whitesmoke. From the SEC filing we have
the following.

"A significant portion of our revenues arise when end-users download a custom third-party toolbar for use with third-party websites, such as bing.com. In the United States, Zugo powers and operates this toolbar download process under a letter of intent with us, dated February 25, 2010. Under the binding letter of intent, Zugo agrees to perform at a specified service level to ensure, among other things, 99.9% uptime. Zugo pays us either a portion of the revenues or a per-download amount from toolbar downloads. Our letter of intent with Zugo may be terminated by either party with 24 hours notice. In November 2010 we entered into an amendment to the letter of intent with Zugo which amended certain payment terms."

Whois information and related entities

A whois search of zugo.com previously revealed that it is held by Zugo Ltd with a Jersey, Channel Island PO Box address. However, this recently changed to an anonymous entry.

Old zugo.com Whois record
Interestingly when the code signing certificate for z-silent is examed the subject field reveals a slightly different Channel Island address.

CN = Zugo Ltd
O = Zugo Ltd
STREET = PO Box 36
STREET = 1st Floor
STREET = 37 Broad St.
L = St Helier
S = Jersey
PostalCode = JE4 9NU
C = JE


Whois record updated Aug-2011, now anonymous


The domain zcode.biz from which z-silent downloads the GetCountry token is registered to an Omer Kaplan with a Tagore St,Tel Aviv, Israel. This person also founded the company AfterDownload.com and note that z-silent checks for the existence of an AfterDownload registry key. AfterDownload.com used to list the same name and Israeli address as zcode.biz in the whois database however this has recently changed to an anonymous entry. According their website, AfterDownload is “the first and largest CPC platform to provide effective display monetization for the entire download funnel.” It is likely that Omer and AfterDownload are acting as an affiliate of Zugo and being payed for each install.

The domain startnow.com is registered anonymously via Moniker Privacy Services and is hosted at IP address 64.20.54.67. The hosts installer.zugo.com, tbupdate.zugo.com and utrack.zugo.com resolve to IP addresses 209.159.151.2-4.

The domain adlsoft.net is registered anonymously via Domains by Proxy but interestingly it is hosted on the same IP address as zcode.biz, 204.232.212.106.
 
More on Zugo and a possible connection to porn company Inxio Ltd

Zugo Services Ltd is a registered UK company and a search of public UK records reveals that the company's physical address is

UNIT 5 UTOPIA VILLAGE,
7 CHALCOT ROAD PRIMROSE HILL
LONDON
NW1 8LH

The current CEO is Jeronen Seghers(see http://about.me/jeroenseghers) and a named director is a Mark Simon Hirschfield. Mr Seghers founded StartNow International (now dissolved).

Referral whois information reveals a connection between the IP addresses used by Zugo and the porn company Inxio Ltd. The IP address Zugo sends search query information to is 64.20.54.67 and the referral whois record below shows that the block 64.20.54.64/29 is registered to Inxio Ltd.


Referral whois record showing block registered to Inxio Ltd


Further the IP addresses utrack.zugo.com etc resolves to e.g 209.159.151.4 is also a member of a block registered to Inxio Ltd as the below record shows.
Referral whois record showing block registered to Inxio Ltd
In addition a simple Google search on the phone number Zugo Ltd supplied for it's whois record reveals that this number is also used as a registration contact for a large number Inxio porn websites(see below).


People

Jeronen Seghers, CEO Zugo Services Ltd, http://about.me/jeroenseghers
Mark Simon Hirschfield, Director Zugo Services Ltd.
Omer Kaplan, Founder of AfterDownload, http://il.linkedin.com/in/omerkaplan1

IP addresses, hosts and domains

IP address Hosts
204.232.212.106zcode.biz,adlsoft.net
209.159.151.2-4installer.zugo.com,tbupdate.com,utrack.zugo.com
64.20.54.67startnow.com
66.45.232.178zugo.com
184.25.108.35c194738.r38.cf1.rackcdn.com

Further information

1 comment:

  1. I received Zugo , unbelievably, as a result of a Vuze "required" upgrade.
    I remember when Vuze was a trusted entity. Very sad.

    ReplyDelete