Would you knowingly install a Trojan?
A friend of mine recently had a “lot of fun” trying to uninstall a gambling blocker from a friend’s laptop. He’d done most of the job identifying how it worked and with a little prompting from me used Sysinternals’ Process Manager [http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx] and Process Explorer [http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx] to finish the job. Our discussions made me think of the problems Mark Russinovitch [http://blogs.technet.com/MarkRussinovich/] had with the Sony Rootkit last year [http://blogs.technet.com/markrussinovich/archive/2005/11/09/sony-you-don-t-reeeeaaaally-want-to-uninstall-do-you.aspx] and although it’s not quite as well written as that, I asked my friend to write up his investigation for everyone to see. He hasn’t got a blog so I’ve posted it here. What strikes me is that the company has written a program that acts like a virus - it has no installer, it tries to prevent being detected and uninstalled, and it does who knows what while in operation. And the creators ask why you’d want to uninstall it? Sheesh. Over to my friend.
Would you knowingly install a virus on your machine?
This is a question I’ve been pondering after a friend had a Trojan horse [http://en.wikipedia.org/wiki/Trojan_horse_program] installed on his laptop by a friend of his, a so-called “computer expert”. All is not what it seems though, as the Trojan horse in question was a gambling blocker from a notorious Australian company whose name is a truncated form of the type of software it sells. The “expert” claimed that it blocked viruses and Trojans from various gambling sites. The reality was rather more drastic, it blocked access to any and all gambling sites, it blocked all articles about gambling, even gambling self-help sites! I asked my friend, was his friend trying to tell him something – in a non-too subtle way, he thought not, as he most certainly didn’t have a gambling problem, and the expert in question actually worked for a gambling site! So perhaps the truth is that developers from gambling sites think that the public need protecting from their wares? Anyway the task was to remove this piece of software completely.
Posted on April 17, 2007 #Geek Stuff
At first glimpse it wasn’t evident this was Trojan horse, but it quickly became evident that this software was something that was designed not to be removed. It didn’t appear in the Add/Remove Programs list, nor the list of Program Files. Deleting the blockers only two apparent executables made no difference. The task manager revealed a normal looking set of processes, and the services manager a normal set of services, none of them in any way linked to gambling. First stop Google, where I was amazed to find an evangelical and sanctimonious zeal had infected many forum participants – you want to uninstall a gambling blocker? You must need help with a gambling problem, so I’m not going to tell you. A couple of forums either offered to sell their solution, or made outrageous claims for deleting one or other process and it all working, but it looked like a blind DIY job. My first port of call was to attempt to identify the processes involved, so I fired up Task Manager, ordered the processes in CPU usage and watched it, as I opened up a gambling site. Strangely enough this made little difference as there were three processes already taking up more CPU usage than is normal anyway. The three in question were CSRSS.exe ( a second copy), arqkerd.exe and evyiey.exe. An updated Norton was running and helpfully ignoring it which surprised me somewhat, so it was going to need some co-ercion. You can’t stop CSRSS.exe via Process Manager, and it’s not a good idea to close it down either as it’s an essential system process which spawns all other threads. Attempting to kill the other two processes, led to the laptop shutting itself down, as did trying to delete the exes. A little more Googling showed up that one of the modus operandi of the blocker was to spawn a second copy of an essential system process, which then spawned two randomly named processes which between 4 and 8 letter names- which corresponded to arqkerd and evyiey. Next stop was to install HijackThis! [http://www.spywareinfo.com/~merijn/programs.php] and examine the log in detail. Under the O23 section were revealed two suspicious looking entries where the Program.exe was marked as (missing). These corresponded to services Machine4 Refresh and PinerSoft Version checker services. Looking on Google showed that these products and software houses didn’t exist. The services involved were “unstoppable”, so I was going to have to look somewhere else. I located the second version of CSRSS.exe under Windows/System32/mon36, and this was similarly undeletable. I looked up MSCONFIG and the start up menu and found references to arqkerd.exe and evyiey.exe, but unchecking these made no difference, they merely restarted on startup anyway. The final and successful stop was to install Process Explorer. As a former Comp Sci graduate, I’ve always been away on the theoretical purity of the UNIX operating system, that processes are self contained, and how kill -9, can forcibly remove any process. The Process Manager of Windows is of course sandboxed, it tells you which processes you can and can’t remove, and of course an error such as an infinite loop on a classic ASP page would bring down older versions of IIS and then your PC eventually. Fortunately newer versions of windows seem to be moving towards this, and the Process Explorer from SysInternals allows you to ignore these sandboxed niceties. So having identified the spurious processes, I killed arqkerd.exe, evyiey.exe and csrss.exe in mon36 and deleted their corresponding executable files. They all came quietly. Next I went to the services and disabled them. Finally I went to msconfig and removed the references at start up. Then I opened IE and hit bet365.com and what do you know? It was visible once more, and the machine was performing noticeably faster, and has continued to do so on restart and ever since. There is a coda to this, before outraged social workers besiege this blog about collapsed families and huge debts. This is a poorly written piece of software, it is a Trojan horse, it takes up excessive amounts your CPU’s capacity the whole time it’s operating, presumably much of this used up on trying to be undeletable and undetectable. Like chain letters for terminally ill children, while the cause is laudable, the means of achieving its object is morally questionable and highly dubious. I just don’t see how blocking gambling on your CPU will stop you going down the road to place a bet, or phoning up a new betting company and opening a betting account. Addicts are very resourceful and blocking the point of origin, just isn’t a proven practice. It might be one part of a many pronged strategy, but I’d suggest not possessing credit cards in the first place, would be far more beneficial. You have to admit you have a problem, you have to be willing to address it first. Installing a piece of software that screws your computer, that the company who produce it won’t uninstall or even help you to, that runs as a Trojan horse, that potentially opens your machine up to other Trojan horses is not the way forward.