Forensic Analysis of:
Snort alert “ET Malware VPP Technologies Spyware” fired 6/23/2009 11:17:30 AM
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:”ET MALWARE VPP Technologies Spyware”; flow:established,to_server; uricontent:”/DittoIA.jsh?pid=”; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_VPPTechnologies; sid:2002348; rev:3;)
http://doc.emergingthreats.net/bin/view/Main/2002348
Snort Rule fired while attempting to GET a jsp page on the machine a72-246-30-33.deploy.akamaitechnologies.com (72.246.30.33)
“Coupon Printer for Windows” found installed on computer.
Remediation Steps:
Uninstalled “Coupon Printer for Windows” using Add/Remove and ran SpyBot:
SpyBot Results:
Company: Coupons, Inc.
Product: Coupon Bar
Threat: Adaware
Company product URL: http://www.coupons.com/
Company privacy URL: www.coupons.com/corp/source/u_privacypolicy.asp?vf=y
Functionality:
Install a tool which provides “Over $100 in printable coupons right from your browser. Keep informed of the latest offers. Contains no adware or spyware. Coupons from companies like General Mills, Kimberly Clark, Nestle, and Johnson & Johnson.”
Description:
The downloaded file installs a toolbar and a Browser helper object (BHO). The BHO connects to coupons.com at every Internet Explorer startup in order to download latest updates. The toolbar displays bonus vouchers which can be printed or used online. When uninstalled, nearly all the files and registry entries remain on the system
Privacy Statement:
Coupons, Inc. uses the information that we collect to operate, maintain, and provide to you all of the coupons and promotional offerings found on the Sites and for other non-marketing or administrative purposes such as notifying you of major service updates or for customer service purposes.
Coupons, Inc. uses all of the information that we collect from our Consumers to understand the usage trends and preferences, to improve the way the Sites work and look, to improve our marketing and promotional efforts, and to create new features and functionality.
Coupons, Inc. uses “automatically collected” data to (a) process and record coupon printing and redemption activity; (b) store information so that you will not have to re-enter it during your visit or the next time you use the Sites; (c) provide custom, personalized coupon promotions, advertisements, content, and information; (d) monitor the effectiveness of marketing campaigns; and (e) monitor aggregate usage metrics such as total number of visitors and pages viewed. [...]
Coupons, Inc. discloses “automatically collected” data (such as coupon print and redeem activity) to its Clients and third-party ad servers and advertisers. These third parties may match this data with information that they have previously collected about you under their own privacy policies, which you should consult on a regular basis..
CouponBar: [SBI $EFE6495E] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
CouponBar: [SBI $CB95FB49] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{A85A5E6A-DE2C-4F4E-99DC-F469DF5A0EEC}
CouponBar: [SBI $51FE8B2E] Root class (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cpbrkpie.Coupon6Ctrl.1
CouponBar: [SBI $51FE8B2E] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9522B3FB-7A2B-4646-8AF6-36E7F593073C}
CouponBar: [SBI $7A5ACBCB] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{6E780F0B-BCD6-40CB-B2DB-7AF47AB4D4A4}
CouponBar: [SBI $7B15781E] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{A138BE8B-F051-4802-9A3F-A750A6D862D4}
CouponBar: [SBI $E3788A7B] Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{87255C51-CD7D-4506-B9AD-97606DAF53F3}
— Spybot – Search & Destroy version: 1.6.2 (build: 20090126) —
