Mr. Angry Pants

Our good old friend, NSIS Media, comes back for a second ride. As you know, the first ride is always free. It’s good for business. Nothing like a good promotion to draw new customers. But when you come over for a second ride, it won’t be cheap.

Right after I finished writing the last post, I was greeted with a nice pop-up suggesting I should get a green card. I was quite surprised I was infected with NSIS Media, because I only opened the installers on a Virtual PC. After a little meditation, mainly to cool myself, but also to dig in my memories, I recalled I opened one of the installers to take a screenshot. Foolishly, I assumed it’d only install this malware along with the program itself. How deep was my mistake to think they’d actually be that nice. The malware installed itself even before the first wizard page showed up. All doubt was removed. This software is pure evil.

I’ve taken several routes to bring this internet atrocity to an end. So far, the most fruitful route was based on a friend’s advice. I contacted Software Freedom Law Center to get their help sending a cease and desist letter to NSIS Media. In the process, I found out a lot interesting facts about NSIS Media. Like Openwares, they are located in Vanuatu, a Melanesian island which is, of course, outside of the USA. This means a cease and desist won’t affect them and so further research is required. This also raises the intresting question of NSIS Media’s owner. Both companies are based in Vanuatu and are hosted with aplus.net. As clearly stated in Openwares’ RSS and many other places, Openwares is owned by Opensoft Corporation which is making the web more interesting since 2001. It won’t be too far fetched to assume NSIS Media is also a part of this corporation, if not at least its best partner.

This corporate deserves a lot of credit. It has ripped off many open source programs and has plauged the web with Cydoor and NSIS Media malwares. A very paritial list follows.

  • Openwares – distributing malware infected packages on download.com.
  • Turbo TorrentG3 Torrent rip off containing NSIS Media, but claiming to be adware free.
  • FoxieCCleaner rip off, Firefox look alike designed to fool people into thinking it’s the new Firefox everyone is talking about. There have also been reports of it packing NSIS Media, but I cannot confirm that. They claim to be based in Israel, however they are hosted on aplus.net, are linked from every Opensoft website and have Opensoft listed in their license as a contractor.

    U.S. Government Information Use, duplication, or disclosure by the U.S. Government of the computer and software documentation in this package shall be subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.277-7013 (Oct 1988) and FAR 52.227-19 (Jun 1987). The Contractor is Opensoft Corporation, Vanuatu.

  • MP3 Shield – another Opensoft venture which is currently offline. Probably packed with NSIS Media as well and most probably a rip off.
  • Startup Mechanic – calims to protect your PC but installs NSIS Media.

Now that we’ve gotten to know them, lets dig in and see how NSIS Media works. As I’ve previously said, NSIS Media “enhanced” installations include two DLL files installed into the system folder. The names vary, but the goal is always the same. The first, written using MSVC, leeches on just about every process in the system and loads the second. It is also responsible of installation and removal, according to strings that show up in it. The weird thing about this file is its PDB path which is always under c:Cydoor_shell_project. Cydoor are reportedly out of this evil business, so I don’t quite know what to make of this. All DLL files have timestamps dating back to 2001, so it might be an old Cydoor DLL used to wrap NSIS Media. On the other hand, Opensoft claims to have established on 2001, but I doubt they still use the same DLL files.

The second DLL is far more interesting. It’s built using VB6 and contains an HTML page with the title Advertisment (typo in source) as resource. But there are no references to the C:Program FilesCommon FilesNSIS directory, nsis.jar, HKLMSoftwareNSISMedia or NSIS Media at all. The third DLL, miraculously installed into Common FilesNSIS along with an uninstaller contains no code. It only contains a resource named IID_NSIS which holds an unknown GUID. The uninstaller, as you might have guessed, doesn’t do much. It creates a new value called OptOut in HKLMSoftwareNSISMedia, unregisters the third DLL and finally deletes it along with the uninstaller. It also deletes a shell hook, according to the GUID found in the clsid value under its registry key.

So where does all the evil come from? I started digging in the second DLL, the VB6 DLL, looking for a URL. I found one string that raised my suspicion – @CDOQSAO:=ARB:ACPF:FQE@:QCE@=DSCBFR@. It was stored in Unicode and used in what seemed to be a key function in the code. However, it was not a URL. Notice how the colors repeat themselves and how many characters are in each block they separate. It’s a GUID. The distance between a colon and a hyphen is 13. Subtract 13 from each character and you get 367BDF4B-04E5-46C9-9D83-D68307F659E3. One Google search later and you see you’ve hit the jackpot. That GUID belongs to NSIS Media.

So I have a GUID, but what’s that good for? Lets try decoding the entire file and see if more shows up. That struck oil. In the decoded files, I found URLs, advertisement categories, registry paths, file paths, HTML and even JavaScript. There was also a list what seems to be potential hostile programs including Ewido, Grisoft, NOD32, Norman, Symantec, Panda and even Cydoor. Another list contained wildcards matching common advertisement servers like DoubleClick, probably so their ads can be replaced with NSIS Media ads.

But the most interesting list was the URL list. One URL in particular had most to tell. Its response contained my country code and another URL for a file located on msserv.net, another one of Opensoft’s websites. The name of the website and the content it tries to serve suggests it tries to make users believe it’s non other than Windows Update. Windows Update’s URL, by the way, is also listed in the second DLL. But it’s the file that’s hosted on msserv.com that I enjoyed the most. http://www.msserv.net/src/b3.bin is an installer, better described as an updater, containing two new NSIS Media DLL files. The two DLL files seem to share the same common pattern of the regular NSIS Media DLL files, but appear to be of a newer version, at least by examining the file sizes. Going to the original URL again, you get another installer name. I quickly saw the pattern is [ab][1-9].bin and downloaded them all.

Following is the complete list of NSIS Media’s new version DLL files along with their MD5 sum, for your malware removal needs. They are also available for download, but be careful with those.

04022272675cc56f1e68faa3fa2558b8 avtmskii.dll
0ff0930bb2ff743b212210471c725bc8 odbvgie.dll
15e63b822a0efede397ba9e7c8dbd02f usrwsh.dll
179164804cee71d62cd0f60d8f31735b kbdtdu2.dll
21e5ab0214714983584031e78c763aae wkcajax.dll
2c7b28b24cf717d8204b89a51a43c52d ftsash.dll
2dd9d642eb71eb541f51950c6ae0e5f5 nvritf.dll
2de5a9a086d0878abbd5259fe4f31787 rsvuaac.dll
2e3a6d1f71317faa094f2e7b427bb202 coltea.dll
2e7024c9f3dc91862e1b719d74e9f78f wshpwd32.dll
362b234f82ab4847ea14fcfe0bc07b33 nmmvti.dll
4322dbd9a120b0b6531a6d2c25bcbed3 mtxme2k.dll
5007f06b93defe72ff41c035cbaadc4a kbdrpo.dll
523a7424f94db5be34b33aecd2db32c5 nvredd.dll
59ecae29bdcccae85e8aff5718e55f2f dmubsi.dll
5aa56093a1e568c11a38264be0f4db7a wmiv3p.dll
5b850d909455d3062422f199c44445f2 mspksp2.dll
5fcbef5a137ee8ce3f5f615cb2e2d743 msjmme.dll
661f98df2ed0d7ba9997322248f01f46 ir4axb.dll
854b515f539f125fe4c9f4cdb01277f0 usrflx32.dll
8b4169f654be67be6f874a721c3919da avwmdm.dll
a27e788246ebb3fb59173594d314fd33 dsaoms.dll
a59bc64fb9f97934d20bccdbf346bce4 mswbst.dll
a8a1bb4bf6a67df2a2a24791b0605703 dspvfx.dll
a94db9a1ed0cfe9d807bec7407bef85a cfgsle.dll
aecc2a0fc2e9efa22f979f93ad3b5820 ieaean.dll
b1bbd68d3472ae8bb242f7fa6de00f76 ncxpri.dll
bd9cd45321c46cb7565553a1869ba19a wpdccmo.dll
c2e811707d1898d00a897802bea144ee atmkmsa.dll
c57b55771515280a8e93fabfea00928d adsusv32.dll
cac34a21c3957f118cff2fc4f43b555d lochsh32.dll
da4987053dc52f7ee9b1e70c62f7daa0 actsdr.dll
db69afb5e34af7aba15c2984bd582a31 mfctsa.dll
dd6ec5013c437ac0e86d17ab66e37854 audes2e.dll
e4b4747e461d39695722d07154dbdbb2 swpxa52u.dll
f3ee10c331a81188385e47e851ae3079 minsv32.dll

So what have we learned today?

  1. NSIS Media and Opensoft are pure evil.
  2. Cydoor might still be up to no good.
  3. kichik still doesn’t make 1000$ a day 😦

Mr. Smarty Pants

PestImagine you had an application that gets over 1,000 downloads a day. Imagine that this application’s soul purpose is to create other applications. Imagine those applications are distributed by you users, some bigger some smaller. Imagine those derived applications get downloaded over 1,000,000 times a day. Feeling good yet?

Now imagine someone would offer you 0.001$ for each user that opens one of those derived applications. That’s over 1,000$ a day. 30,000$ a month. 360,000$ a year. Perfect, ain’t that right? You’re sitting on your porch, a beer in your hand, music in the background and the skies are raining green bills. Does it get any better?

Sounds too good to be true? How about we dig in a little? Say, mister money pants… What exactly do I have to do for this money? “Nothing really”, he responds. “All you have to do is include our little library in every derived application your application creates”, he adds. Move a little uncomfortably in your chair and he’ll satisfy you, “it just gives the user nice and unobtrusive advertisements specifically targeted at him”. Sold yet? I sure am!

So you decide to wrap it up. But you still feel a little bit uncomfortable with it. Maybe because you don’t want people to know you’re making money of your free software, or maybe because you still don’t trust this guy too much. What do you do? You move his library a bit further. Assuming your application is called XYZ, you pack money pants’ library into XYZ Media which will be silently installed by your application’s derived applications. No one will know it’s you now. It’s ingenious!

Best deal ever? Right? You dig? Well? No? Why? Come on… You with me or what? Of course not. Why would I ever want to do something like that?

  1. My software is not only free, it’s open-source and is freely hosted on SourceForge. It costs me nothing but time. I’ve got no bills to cover.
  2. I’ve got a job, I don’t need an additional income. I’ve also had my share of incomes from the free software, without the need for deals like that.
  3. It’s completely evil. Besides forfeiting my ever-elusive seat in heaven, it’d also send my software right down the drain. Even if I remove XYZ Media later, no one will ever want to use it again. 1,000 downloads a day? Try one closed project.

As you’ve probably already guessed, I’m talking about NSIS and NSIS Media. NSIS Media is an extremely annoying adware package, or so reports say. It installs itself on both Internet Explorer and Firefox. On Firefox, it installs an extension with a file named NSIS.jar. These browser extensions pop-up advertisements titled “NSIS Media Advertisement” for the user at what appears to be random times. It shows an uninstaller in the Add/Remove control panel, but as long as the carrier program is installed, it’ll just come back.

According to reports online, it comes with eMule++ and every download from Openwares. The eMule++ installer and each installer I have downloaded from Openwares install two DLLs to the Windows directory. DLL names include wmidext.dll winsdrv.dll, msxmlu.dll and even nvrssid.dll pretending to be shell extension of nVidia. As you can see, it doesn’t really smell too good. But as can be seen in the picture below, it does ask the user for permission, at least with the original eMule++ installer.
eMule++ NSIS Media page
In Openwares installers, on the other hand, there is no such page. So what is this Openwares? It’s a company that would, at least according to their front page, freely repackage your installer with NSIS, publish it on their website and on CNet’s Download.com. The latter seems to be most fertile ground for their deployment.

So is it evil or not? The eMule++ installer page might suggest it’s not. So does NSIS Media’s website, especially the uninstall page. But do they enforce this installer page on all of their partners? It doesn’t seem like they care too much for Openwares’ installers which seem to be pretty wide spread. Add the weird DLL naming and the very peculiar company name choice; and one thing you won’t get is positive credit. More specimens, outside of Openwares, or a direct contact at NSIS Media are required to determine the true nature of the beast.

But we’re not here to discuss the business affairs of this advertisement company. We have gathered here today to discuss my righteousness. Some people actually think I’m responsible for this mess. Probably some just Google up “NSIS” and find my e-mail address as the first result. But some people actually believe I’m behind this abomination. I got everything from polite requests for removal instructions to death threats. My favorites follow.

“As you can see, I am an IBM employee. Somehow the NSIS Media Trojan Horse has invaded my system. Please promptly send me instructions on how to remove it so that I don’t have to report this issue to IBM Legal.”

“CUT THE CRAP (read: spy-ware) !!!” (this one is actually longer, I trimmed it a bit…)

Some even plot a NSIS-Firefox grand conspiracy in their heads.

“Why there is no info on the Firefox / NSIS spyware scandal? Some malicious code installs into Firefox browsers and Thunderbird mail clients via JAR files by abusing a yet unpatched NSIS security hole and the bombards the user with many pop-up windows and downloads further spyware. The Net is up in arms about it, especially in Europe, where Firefox has 20% share in browsing. Firefox developers accuse NSIS developers of indifference and lazyness in fixing.”

All of the above and many more like those, got the appropriate response in the lines of “NSIS is not NSIS Media, go away”. Poor saps, fooled three times in a row. The first time, they’ve downloaded their application of choice from a bad source. Next, they miss the warning signs in the installer or all of those privacy statements. And finally, when reality pops-up in their faces, they miss the word “media” and blame yours truly.

So what have we learned today?

  1. NSIS Media is in no way related to NSIS.
  2. Download only from trusted sources and read carefully what the installer tells you.
  3. kichik doesn’t make 1000$ a day 😦

Logical extensions

While working on a new NSIS header file to properly handle Windows versions, I thought of something really cool. The LogicLib is a cool library dselkirk and eccles wrote a long time ago. It allows you to avoid using labels, Goto, StrCmp, IntCmp, relative jumps and other cool beans. Instead, you get a bunch of macros wrapped in defines that make your life so much easier.

${If} $0 == "good"
  DetailPrint "it's not evil"
${EndIf}

It struck me while I was thinking of the interface I want to use for the new version checking stuff, I originally started with a function taking an argument. However, functions and header files don’t work too well together. A warning is spewed, if the function isn’t used. The code was also meant to be short, as there isn’t too much to do. So, combine those two together and of course you get macros. But what will the macro get? Labels to jump to? What if the user passes relative jumps? What if the user wants to skip a label definition and just jump to the next line? Why can’t it be like LogicLib? Because these checks don’t fit into LogicLib.nsh? So what? Why can’t I define more tests for LogicLib? Who said I can’t? I can.

And it turns out adding more tests to LogicLib is quite easy as well. Just define a macro with a name prefixed with an underscore and give it four parameters. Two operands and jump labels for true and false. The LogicLib will handle creating the labels and all that is left for this little macro is the actual test.

!macro _= _a _b _t _f
  IntCmp `${_a}` `${_b}` `${_t}` `${_f}` `${_f}`
!macroend

The end result is quite cool. Instead of yet another new interface for another functionality, there are just a few new operators for LogicLib.

${If} ${AtLeastWin2000}
  DetailPrint "2000 or better. Fun!"
${EndIf}

The new code is available on CVS for your eager browsing. Crave code. Craving is good.

Cowardly new world

The new Windows Vista, filled with shiny new features, hyped on security, and runs dead slow and with no sound on Virtual PC. I should have installed it on a real computer, but that’s a different story. This post is all about Vista’s love towards NSIS. Vista loves NSIS so much, it mentions it in no less than kernel32.dll. Well, I might be reading too much into it. It also has Gentee, InstallShield, Raphael Install Builder (what’s that?), Astrum, Inno Setup and even WinRAR.

But why? Security, what else. Vista’s new UAC asks the user to enter an administrator’s password for administrative operations, such as installing an application. Back in the old days (last Monday), one had to use runas or logout and login as an administrator in order to install an application, assuming he was running a non-administrator account. As you probably know, that’s quite annoying. Users usually use an administrator account all the time and skip this annoyance. UAC allows creating standard users with no administrative privileges and still using them comfortably, even for administrative tasks. Just like sudo for Linux or that new lock icon on Mac OS X. This way, a standard user can be used and all sorts of harm can be avoided. Malicious code accidentally executed or intentionally injected using an unpatched vulnerability will not have access to the entire computer, but rather only the user’s space.

To make it easy on the transition, Microsoft has stuffed kernel32.dll with detection code for all sorts of installers, including NSIS. When it detects an installer is being executed, it’ll automatically jump into administrative execution level, not before asking for the administrator password. A similar thing is already done older versions of Windows where an option to run as administrator is automatically presented for applications that have setup in their name.

The execution level Windows will ask from the user can be controlled by the application manifest. I started digging into this when I was adding a new command to NSIS, RequestExecutionLevel, that specifies the execution level in the manifest. I was surprised to see that even without the manifest, it still requested an administrator password. Naturally, I got curious and embarked on reckon mission to find out the nature of this newly formed relationship between NSIS and Vista. I saw most of the stuff I’ve already read about in action and those new things I just mentioned above.

However, there is one thing I couldn’t find mentioned anywhere and for which I certainly couldn’t find any logical explanation. It identifies MakeNSISw.exe, zip2exe.exe and MakeLangId.exe as something that requires administrative execution level. It also identifies the uninstaller, but that makes sense because it’s actually an installer with different strings and pages. At first, I thought it identifies every application created by another application that requires administrative execution level. I also tried installing Inno Setup and got similar results where its compiler and uninstaller were identified. But it turns out I was wrong. If, for example, I created an installer that just extracts makensis.exe (no w, the command line compiler), it’s not identified. I also downloaded MakeNSISw.exe separately and it was still identified and marked with that little Windows shield icon. I was finally convinced this is some funky bug when I saw nsisconf.nsh also comes up with that little shield icon and that’s just a text file which is not even associated with MakeNSISw.exe. Then I realized NSH files take their icon from MakeNSISw.exe and that was indeed why it’s marked with the shield.

If something as harmless as MakeLangId.exe gets labeled, I wonder what else does… I hope they fix it until RC2. Not the nicest of features. Too much on the paranoiac side…

Update: seems like MakeLangId.exe and MakeNSISw.exe are labeled because they contain the phrase “Nullsoft.NSIS” in its manifest. I don’t see why they’d want to do that. That’s just a prefix we use. Installers are marked with “Nullsoft.NSIS.exehead”, there’s no need to catch the entire package. That’s definitely enough information for a bug report.

One million

I just had a quick look at the statistics and noticed NSIS downloads on SourceForge surpassed 1,000,000. That’s one and a half terabyte of NSIS downloads. Add a couple million page views a month taking around 17GB of bandwidth and you’ll get quite some bandwidth. So, before I sit back, relax and step on cloud nine, I’d like to thank SourceForge for their hosting for the last 4 years. I don’t even want to think about having to handle that just as a side dish to the big-shot projects that have over one million downloads a day.

I’ll sit back now. See you in 1 more million downloads 😀

Welcome

Welcome to my blog. I’m Amir Szekely, also known as kichik. I’m a programmer living in Israel. Most of my computer time, when not at my workplace, I spend on NSIS, an open-source installer for Windows. I’ve been working on it for over 4 years and it has been quite fun.

I don’t know what type of posts you can expect to find here, only time will tell. I guess it’d include the occasional NSIS techy post, maybe some tips & tricks, some rants of a perfect world, movies, games, who knows… Just in case, I’ve setup a syntax highlighting extension, so I can share some NSIS codes here and there.

Name test
OutFile test.exe
Section
SetOutPath $TEMP
File /oname=test.nsi "${__FILE__}"
Delete $TEMPtest.nsi
SectionEnd

Installing this extension and the entire blog was a piece of cake. WordPress is very easy to use, with lots of DHTML and a smooth user-interface. I’m quite impressed. Took me a while to find a nice theme, but MistyLook saved the day.