Authors: YAG KOHHA (skyhole@xxxxxxxxx), Lame Title: Backdoor in RelevantKnowledge adware (What are we fighting for?) Vendor: TMRG, Inc. Description: RelevantKnowledge is an adware distributed with different shareware projects, e.g. Artisian Burner. RelevantKnowledge was found to contain backdoor proxy component rlvknlg.exe (Marketscore OSSProxy), which is configured to allow incoming network connections on TCP/8254, probably acts as open proxy and also performs keylogging and monitoring for active windows content. Component can not be disabled by user. Details (by YAG KOHHA, Lame): Recently I download freeware CD burner software to create some absolutely legal copies from ISO image. Of cause where is adware in installer which promise to "boost your internet Connection" and "free coupons". After I finished my works I uninstall burner and adware via add/remove programs and reboot the computer. After reboot I check Windows Firewall rules. In exception tab I found RelevantKnowledge application. I map'ed my host and found strange HTTP server on port 8254 which answers as OSSProxy. I check netstat and found that this port used by %windir%\system32\rlvknlg.exe process which also referred in Software\Mircosoft\Windows\CurrentVersion\Run\ key. I check this file and found that this programs hooks keyboard, mouse, current window and post info to the http://www.relevantknowledge.com/upgraderesult.aspx site via locally installed proxy. I check this site and found that "privacy procedures are regularly audited and certified by the nationally-recognized firm, Ernst & Young, who assure that we conform with the international trust services and privacy principles developed and managed by the American Institute of Certified Public Accountants" (http://www.relevantknowledge.com/RKPrivacy.aspx). So guys, may be I miss something. If I see software which doesn't get removed via Add/Remove Programs, breaks my firewall settings, hook my keyboard and mouse, and has remote management capabilities, I call it Remote Access Trojan. What should I do to be "conform with the international trust Services" and Ernst & Young say: "This is good code, Joe, well done!" when I write new all-in-one client for my botnet? Or this is part of anti piracy program? And MPAA want to know which films I burn on DVD? Or this is Uncle Sam's hand? I don't understand. YAG KOHHA, Lame File with binary and disassembly can be found here: http://www.secyrity.nnov.ru/files/ossproxybd.zip Archive password is "backdoor". -- /3APA3A http://www.security.nnov.ru/
