Slingshot downloader ?spyware

Discussion in 'privacy problems' started by dvk01, Jan 9, 2004.

Thread Status:
Not open for further replies.
  1. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    A slight problem has occurred with a downloader called Slingshot from Tenebril Software, the makers of GhostSurf, a supposedly spyware-free product and allegedly an anti-spyware company.

    The brief details are explained at these two links:

    http://66.246.16.46/forums/viewthread.php?tid=12603

    and
    http://www.karlsforums.com/forums/viewthread.php?tid=12826&page=1


    Now, not believing that a respected company could include spyware in its products, and disbelieving the other forum users, I tried it out myself.

    This is a copy from the Spybot log:
    7FaSSt: IE toolbar (Registry value, nothing done)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\{669695BC-A811-4A9D-8CDF-BA8C795F261C}

    7FaSSt: Class (Registry key, nothing done)
    HKEY_CLASSES_ROOT\KBBar.KBBarBand.1

    7FaSSt: Class (Registry key, nothing done)
    HKEY_CLASSES_ROOT\KBBar.KBBarBand

    7FaSSt: Class ID (Registry key, nothing done)
    HKEY_CLASSES_ROOT\CLSID\{669695BC-A811-4A9D-8CDF-BA8C795F261C}

    7FaSSt: Interface (Registry key, nothing done)
    HKEY_CLASSES_ROOT\Interface\{38493F7F-2922-4C6C-9A9A-8DA2C940D0EE}

    7FaSSt: Type lib (Registry key, nothing done)
    HKEY_CLASSES_ROOT\TypeLib\{3277CD27-4001-4EF8-9D96-C6CA745AC2F9}

    7FaSSt: Typelib (Registry key, nothing done)
    HKEY_CLASSES_ROOT\Typelib\{37686C62-D497-42E3-BAAB-78D89A74E151}

    In the links above are Ad-Aware logs showing the same.

    All I did was download Slingshot to a completely clean computer, so I can guarantee that any entries came from this program.

    Either Spybot & Ad-Aware, along with every other source on the net, are wrong in their ID of this 7Search hijacker, or Tenebril have used a CLSID that is used by 7Search.


    Tenebril insist that no spyware is in any of their products.

    Are they doing a Gator and redefining spyware, or are all the anti-spyware companies wrong?

    Would one of the more expert users on this forum like to look into it and let me know if Tenebril are wrong in their statement about spyware-free products, or are all the anti-spyware companies wrong?
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Derek,

    I just installed Slingshot (downloaded from the Tenebril site) and scanned with AdAware and Spybot S&D and came up clean on both counts.

    Can you confirm that you used the same download location?

    I attached the Total Uninstall log from the changes made to the registry during the install.

    Regards,

    Pieter
     


  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Hi Pieter

    Yes, I can confirm I downloaded Slingshot direct from the Tenebril site.
    Immediately after I downloaded it I rebooted and did a search for a file using Slingshot to check it out. I didn't download anything, just searched for Movie Maker from M$, and then ran a HJT log (attached) which clearly shows:
    O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\Program Files\Slingshot\ties\dlIE.dll

    O3 - Toolbar: Slingshot - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Program Files\Slingshot\ties\

    The O2 CLSID comes up as GhostSurf IETIE.dll in all searches, a goodie.

    The O3 comes up as powerstrip.dll, a known baddie.

    Perhaps this is why Ad-Aware & Spybot find 7Search.


    I know the computer was completely clean of all spyware etc. before downloading Slingshot.

    I hope it is because the CLSIDs are wrong in Slingshot that this problem is occurring.
     
  4. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Pieter, I do not understand this.

    I just installed Slingshot again, but this time used Total Uninstall to monitor.

    On install nothing bad showed and Total Uninstall doesn't show any baddies.
    I ran a HJT log & Ad-Aware scan, and clean.

    Then I started Slingshot and initialised it as they said, ran a HJT log & Ad-Aware, and all the 7Search baddies appeared in the logs.

    What the hell is going on?
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Derek,

    Can you get an MD5 for your slingshot-install.exe?
    Mine has: 30D46A1469C25C0AAA99F20B2ADDC320

    If they are the same I will try to install it again, reboot and use it.

    Regards,

    Pieter
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    30D46A1469C25C0AAA99F20B2ADDC320 according to FileAlyzer.
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    OK. BRB.

    Pieter
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Derek,

    Indeed, you need to start the application before the toolbar and the BHO get added.

    The odd thing is no files get detected. Only registry keys.

    Another thing I observed: it only asks for access when you fill out a search; it contacts CNET (download.com) and Tucows.

    The chances of getting a duplicate CLSID are too slim to ignore.

    I'll do some more investigating.

    Regards,

    Pieter
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Thanks Pieter.

    Then it isn't just me and the two users on the other forum having problems.

    Do you think it's spyware, or just false positives with the same CLSID numbers?

    As you say, it's only registry entries; no files seem to be added.
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Derek,

    I am not a firm believer in coincidence. The BHO being the same as GhostSurf by the same company, that is easy to explain.

    But the 7FaSSt CLSIDs (mind you, four of them) are remarkable, to say the least.

    I have added both the BHO and the Toolbar as O to the lists, pending investigation.

    Regards,

    Pieter
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Thanks Pieter, keep me posted


    Normally I prefer to submit info like this by email or private message in case I have the info wrong, but in this case it seemed so strange that an "anti-spyware" company should have any sort of possible spyware entries within its products that it warranted a wider audience for discussion at least.

    As you say, it's a remarkable coincidence at the least if all 4 CLSID entries correspond to known spyware, 3 as fast search and one as Gator/GAIN.

    I understand that one of the forum users mentioned contacted the company who responded by email and that has been posted in the forum links above and said that there definitely is no spyware in the application, but couldn't or wouldn't explain where the entries come from.

    Thanks for the work you have put in on this for me

    Regards

    Derek
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    My pleasure Derek,

    I like digging into this sort of thing. You always come out having learned something. :)

    Regards,

    Pieter
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Pieter,

    This is a paste of an email received by one of the users who had problems with Slingshot.

    It comes from the developers of Slingshot and seems to explain the reason why the spyware is detected:



    Thanks so much for getting back to me, and thanks for posting my message to the forum. I have some good news for you (which I hope you will post as well) -- from reading the forum, it's clear to me why Slingshot is being detected by these anti-spyware systems.

    In order to intercept downloads (i.e. when the user clicks on a link in Internet Explorer) Slingshot installs a Browser Helper Object (BHO), which is a DLL that Internet Explorer loads each time it starts. The BHO architecture is one way to extend Internet Explorer, and it's used by many software products (including spyware, since it gives software a window into your surfing).

    Each BHO registers itself with IE using a unique identifier called a CLSID, which is mentioned in the thread. Because this CLSID is unique, anti-spyware software can search for CLSIDs which are known to be associated with spyware BHOs.

    Unfortunately for us, the Slingshot BHO was created from a demo BHO which shows how to connect to Internet Explorer for accelerating downloads. This same demo has been used by the authors of the spyware you mentioned, and so its CLSID is now recognized as spyware. This will cause alerts for other download accelerators as well which share this CLSID; I believe ReGet will trigger it, although I haven't checked myself.

    Ultimately this is our fault for not changing the CLSID when we published Slingshot. I'll look into getting it changed for the next release, and in the meantime I'll put an article in our Knowledge Base which describes this problem. I'm sorry for all the concern this has caused in the forum. I can definitely appreciate the concerns of the people there, as I definitely like to keep an eye on my own system and would hate to have software spying on me.

    Best wishes for your weekend. Please let me know if I can be of any further assistance.

    Sincerely,
    Christian Carrillo
    Tenebril Inc.


    So perhaps we can assume that it's sorted now.

    Looks like they did a Microsoft and released it without proper testing.
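The email above explains why a CLSID lookup alone can mislead: a BHO or toolbar built from shared sample code carries the same CLSID as every other product built from it, so the registry key matches a signature even though the file on disk is something else. The script below is an added example (not code from the thread or from Tenebril, Spybot or HijackThis) that parses the two HijackThis O2/O3 lines posted earlier in this thread and checks each CLSID against a small signature table. The table is constructed for the example from what the thread reports the lookups returned (the toolbar CLSID known as a 7FaSSt/powerstrip.dll entry, the BHO CLSID known as GhostSurf's IETIE.dll); the O4 line in the sample log is constructed filler to show that other sections are skipped. The point it demonstrates is the corroboration step: a CLSID hit is reported as "corroborated" only when the module name in the log agrees with the signature, as "module-mismatch" when the CLSID has been reused by a differently named DLL, and as "clsid-only" when the log recorded no file to compare.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

CLSID_RE = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# HijackThis O2 (BHO) and O3 (toolbar) lines: "O2 - BHO: name - {CLSID} - path"
HJT_LINE_RE = re.compile(r"^(O[23]) - (BHO|Toolbar): (.*?) - (" + CLSID_RE + r") - (.*)$")

# Constructed input: the two lines posted in this thread plus one filler O4 line.
SAMPLE_HJT_LOG = """\
O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\\Program Files\\Slingshot\\ties\\dlIE.dll
O3 - Toolbar: Slingshot - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\\Program Files\\Slingshot\\ties\\
O4 - HKLM\\..\\Run: [example] C:\\example.exe
"""

# Constructed signature table modelled on the thread's lookups:
# CLSID -> (label, classification, module the signature expects to see loaded).
SIGNATURES = {
    "{669695BC-A811-4A9D-8CDF-BA8C795F261C}": ("7FaSSt toolbar", "suspect", "powerstrip.dll"),
    "{9527D42F-D666-11D3-B8DD-00600838CD5F}": ("GhostSurf BHO", "benign", "ietie.dll"),
}


@dataclass
class Finding:
    kind: str             # "O2" (BHO) or "O3" (toolbar)
    name: str             # name shown in the log
    clsid: str
    path: str
    label: Optional[str]  # signature label, if the CLSID is in the table
    classification: str   # "benign", "suspect" or "unknown"
    confidence: str       # "corroborated", "clsid-only", "module-mismatch" or "none"


def parse_hjt(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (kind, name, clsid, path) for every O2/O3 line; other sections are ignored."""
    for line in text.splitlines():
        m = HJT_LINE_RE.match(line.strip())
        if m:
            kind, _, name, clsid, path = m.groups()
            yield kind, name, clsid.upper(), path


def module_name(path: str) -> str:
    """Last path component, lower-cased; empty when the log only recorded a directory."""
    if path.endswith("\\"):
        return ""
    return path.rsplit("\\", 1)[-1].lower()


def assess(kind: str, name: str, clsid: str, path: str) -> Finding:
    """Match the CLSID against the table, then corroborate with the module name."""
    sig = SIGNATURES.get(clsid)
    if sig is None:
        return Finding(kind, name, clsid, path, None, "unknown", "none")
    label, classification, expected_module = sig
    mod = module_name(path)
    if not mod:
        confidence = "clsid-only"        # nothing recorded on disk to compare against
    elif mod == expected_module:
        confidence = "corroborated"      # CLSID and module agree with the signature
    else:
        confidence = "module-mismatch"   # same CLSID, different DLL: reuse or collision
    return Finding(kind, name, clsid, path, label, classification, confidence)


def scan(text: str) -> List[Finding]:
    return [assess(*entry) for entry in parse_hjt(text)]


if __name__ == "__main__":
    for f in scan(SAMPLE_HJT_LOG):
        print(f"{f.kind} {f.clsid} {f.classification:8} {f.confidence:16} "
              f"{f.label or '-'} <- {f.path}")
```

Run against the thread's two lines, the BHO comes out "module-mismatch" (the signature expects IETIE.dll but the log shows dlIE.dll, the same vendor reusing its CLSID under a different file name) and the toolbar comes out "clsid-only" (the O3 line records a directory, not a DLL). Neither result is enough on its own to call the product spyware; the mismatch is the cue to go and look at the actual file, which is what the thread does next.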
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi Derek,

    I'm not quite satisfied. It's not the BHO setting of the alarms, but the toolbar.

    And as for Reget: http://www.sysinfo.org/bholist.php?filter=reget&count=&type=

    I'll see if I can get my hands on the Powerstrip file.

    Regards,

    Pieter
     
  15. jonwscott

    jonwscott Registered Member

    Joined:
    Feb 7, 2005
    Posts:
    2
    Location:
    Prosser, WA
    This may be the wrong forum, but I have encountered GhostSurf on our network, and I am trying to find a way to prevent it from working. I am the Tech Director for a small school district, and some students have figured out how to use GS to look at porn on campus...

    We have a proxy server, and force all port 80 traffic to validate through it first via the Pix firewall. Somehow GS changes the proxy address to <local>, and bypasses this rule. We have most all other ports blocked, and I am stumped.

    Any help would be much appreciated.
    Thanks - Jon
     
  16. jonwscott

    jonwscott Registered Member

    Joined:
    Feb 7, 2005
    Posts:
    2
    Location:
    Prosser, WA
    Answering my own question...

    This may be the solution - looks like GhostSurf operates on 127.0.0.1:7212

    Thought we had that one blocked, but I will check in the morning... If you answer your own posts, aren't you just talking to yourself? o_O
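The two posts above describe the same symptom from the administrator's side: a per-user proxy configuration that has drifted from "everything goes through the enforced proxy" to a local relay on 127.0.0.1:7212 with `<local>` in the bypass list. The script below is an added example (not from the thread, and not a GhostSurf or Cisco PIX artefact) that audits the per-user Internet Settings values for exactly that drift. It reads a `.reg` export in the shape regedit produces; the export text, the approved proxy name `proxy.district.example:8080` and the loopback relay value are constructed for the example, with 7212 being the port named in the post above. The value names `ProxyEnable`, `ProxyServer` and `ProxyOverride` are the real Windows names under `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings`.

```python
import re
from ipaddress import ip_address
from typing import Dict, List, Union

# Constructed .reg export (regedit format) of the per-user Internet Settings key.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:7212"
"ProxyOverride"="<local>"
"""

APPROVED_PROXY = "proxy.district.example:8080"   # placeholder for the site's real proxy

# "Name"=dword:xxxxxxxx  or  "Name"="string"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<str>.*)")$')


def parse_internet_settings(reg_text: str) -> Dict[str, Union[int, str]]:
    """Return {value name: value} for the Internet Settings key of a .reg export."""
    values: Dict[str, Union[int, str]] = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower().endswith(r"\internet settings]")
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            values[m["name"]] = int(m["dword"], 16) if m["dword"] is not None else m["str"]
    return values


def is_loopback_proxy(proxy_server: str) -> bool:
    """True if any entry (plain 'host:port' or 'http=host:port;https=...') points at localhost."""
    for entry in proxy_server.split(";"):
        host_port = entry.split("=", 1)[-1]
        host = host_port.rsplit(":", 1)[0].strip().strip("[]")
        if host.lower() == "localhost":
            return True
        try:
            if ip_address(host).is_loopback:
                return True
        except ValueError:
            pass  # a host name, not an address
    return False


def audit(values: Dict[str, Union[int, str]], approved_proxy: str) -> List[str]:
    """List the ways the settings depart from 'all HTTP goes through the approved proxy'."""
    problems: List[str] = []
    if values.get("ProxyEnable", 0) != 1:
        problems.append("proxy disabled")
    server = str(values.get("ProxyServer", ""))
    if is_loopback_proxy(server):
        problems.append("proxy points at loopback (local relay)")
    elif server.lower() != approved_proxy.lower():
        problems.append("proxy is not the approved server")
    if "<local>" in str(values.get("ProxyOverride", "")):
        problems.append("<local> bypass enabled")
    return problems


if __name__ == "__main__":
    settings = parse_internet_settings(SAMPLE_REG_EXPORT)
    for problem in audit(settings, APPROVED_PROXY) or ["no deviations found"]:
        print(problem)
```

Against the constructed export the audit reports both a loopback relay and the `<local>` bypass; a compliant profile (proxy enabled, approved server, empty override) reports nothing. The registry check complements the network-side rule: the relay on 127.0.0.1 never appears on the wire, so host-side settings are the place it shows up.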
     