I saw this on another mailing list and thought you-all might be interested.

bjb

----- Forwarded message from Joseph Potvin <jpotvin [ at ] linuxmail [ dot ] org> -----

Date: Tue, 01 Jan 2008 13:01:52 -0500
From: Joseph Potvin <jpotvin [ at ] linuxmail [ dot ] org>
Subject: [OTT-GOSLING] [Fwd: Is Bell Sympatico quietly using a rootkit?]
To: GOSLING members in Ottawa <ottawa-gosling [ at ] list [ dot ] goslingcommunity [ dot ] org>

FYI

Cross-posting this to GOSLING, in case someone on this list might want to explore it. I acknowledge this is off-topic for GOSLING, so I suggest not to initiate a discussion here unless considering policy or government systems aspects.

joseph

-------- Original Message --------
Subject: Is Bell Sympatico quietly using a rootkit?
Date: Tue, 01 Jan 2008 12:59:26 -0500
From: Joseph Potvin <jpotvin [ at ] linuxmail [ dot ] org>
Reply-To: jpotvin [ at ] linuxmail [ dot ] org
To: General Copyright Discussions (questions, organizing, etc) <discuss [ at ] list [ dot ] digital-copyright [ dot ] ca>
CC: ahmed [ dot ] farah [ at ] bell [ dot ] ca
References: <1198819927.17951.304.camel@localhost.localdomain> <47765F1A [ dot ] 6080309 [ at ] flora [ dot ] ca>

This note is tangential to the topic of this particular list; however, anyone following the Sony rootkit fiasco http://www.digital-copyright.ca/search/node/rootkit will probably have an interest in it...

In the process of helping someone diagnose a high-speed connection issue with a Windows XP client recently, I went to http://fix.sympatico.ca, which re-directs to http://service.sympatico.ca/index.cfm?method=home.internetcheckup

At that site Bell Sympatico offers an "internet checkup" utility for download. (BTW, those pages won't display to anyone using a standards-based browser, only IE.) My friend's client has the Threatfire firewall http://www.threatfire.com/ running, which recognized part of what was being installed as a rootkit.

When I phoned Sympatico to ask, neither the initial tech support nor a manager (who I am c.c.ing in this email) were able to confirm or deny whether a rootkit was part of the installation, though they assured me that everything was fine, and that the BellCanadaClientInstaller.exe check-up utility has been in use for several years without problems. Hmmm.

Following are some details for anyone wishing to assess further.

1. Download page http://service.sympatico.ca/index.cfm?method=home.internetcheckup says:

Diagnose and solve common security, e-mail, connection and software problems automatically. Internet Check-up is Sympatico's latest all-in-one tool to fix common Internet-related problems. Please click the Download now button to download the Internet Check-up installer. When the dialog box displays, click the Run (or Open) button. Once Internet Check-up is installed, all you need to do is provide your Sympatico user ID (b1 number) and password. Internet Check-up will then start automatically and scan your computer. If it cannot solve all the problems, it will collect your settings and safely send them to our representatives to help them find a solution that much faster!

2. Download identifies BellCanadaClientInstaller.exe "from pbctbc.bc.motive.com", although Threatfire reports that "This file does not have a valid digital signature that verifies its publisher." Also, a Google search for "pbctbc.bc.motive.com" shows that the site did exist at some time, but now apparently does not. http://www.google.ca/search?hl=en&q=pbctbc.bc.motive.com&btnG=Search&meta= A check via netcraft.com lists no such site.

During some later testing, I notice that each time BELLCANADACLIENTINSTALLER.EXE is installed, a number in a generated filename changes, e.g.:

BELLCANADACLIENTINSTALLER.EXE-2AFE8370.pf
BELLCANADACLIENTINSTALLER.EXE-2F1785GE.pf
BELLCANADACLIENTINSTALLER.EXE-071652FS.pf

The .pf indicates a "password-protected file".

3. The Service Agreement includes the following elements:

"Access, Your Responsibilities. You acknowledge and agree that in order to provide the Service to you Bell Canada or its third party service providers (including third party service providers who may be located outside of Canada) will access, take control of and make changes to your personal computer and/or software by remote control, including the installation and where applicable, de-installation of certain software and you hereby consent to such actions. ...Bell Canada is not responsible for any lack of privacy or security which may be experienced with respect to the provision of the Service to you, including as a consequence of your failure to adequately safeguard your system."

4. During install, a message across the top of the browser reads:

This website wants to run the following ad-on: 'Control name not available' from 'Unknown publisher'.

I continued the install but used Threatfire's quarantine option. After completing, the firewall also put up a warning box, which included the note: "No further rootkit scans can be run until you reboot." This is the only indication I have that a rootkit might be part of the package. Maybe it explains why those clauses are part of the Service Agreement.

5. An info link presented by Threatfire points to http://www.prevx.com/filenames/X1398489869454513983-0/BELLCANADACLIENTINSTALLER.EXE.html that lists the following security issues:

The filename BELLCANADACLIENTINSTALLER.EXE was first seen on Nov 1 2007 in CANADA. ... These files have no vendor, product or version information specified in the file header.

BELLCANADACLIENTINSTALLER.EXE has been seen to perform the following behavior(s):
* This Process Deletes Other Processes From Disk
* This Process Creates Other Processes On Disk
* Executes a Process
* Executes Processes stored in Temporary Folders
* Can communicate with other computer systems using HTTP protocols

BELLCANADACLIENTINSTALLER.EXE has been the subject of the following behavior(s):
* Executed as a Process
* Created as a process on disk
* Executed from Temporary Folders
* Deleted as a process from disk
* Writes to another Process's Virtual Memory (Process Hijacking)

____

Please let me know if discussion of this curious download from Bell Sympatico is taken up somewhere else besides this digital copyright list.

Joseph Potvin

_______________________________________________
Ottawa-gosling mailing list
Ottawa-gosling [ at ] list [ dot ] goslingcommunity [ dot ] org
http://list.goslingcommunity.org/mailman/listinfo/ottawa-gosling

----- End forwarded message -----

_______________________________________________
regulars mailing list
regulars [ at ] ovsage [ dot ] org
http://www.ovsage.org/mailman/listinfo/regulars
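The post relies on a third-party tool's verdicts (no valid signature, no vendor information in the file header, changing .pf filenames). The same three things can be checked directly on a Windows machine before running any ISP-supplied installer. The script below is an added example written for this page, not code from the post or from Bell; it assumes the installer has already been saved to disk (the path is a placeholder) and that the .pf files referred to live in the standard %SystemRoot%\Prefetch folder, which Windows XP and later use for application prefetch data.

```powershell
# Added example (not from the original post): triage a downloaded installer
# the way a cautious user would before double-clicking it.
function Test-DownloadedInstaller {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path   # e.g. "$env:USERPROFILE\Downloads\BellCanadaClientInstaller.exe" (placeholder)
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $file = Get-Item -LiteralPath $Path

    # 1. Authenticode signature. "NotSigned" matches the post's "no valid digital
    #    signature"; "HashMismatch" would mean the file was altered after signing.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # 2. Version resource in the PE header. Prevx flagged the installer as having
    #    no vendor/product/version information; empty fields here show the same thing.
    $vi = $file.VersionInfo

    # 3. Prefetch traces. Windows writes <EXENAME>-<hash>.pf on each run; a different
    #    hash for the same name means the program ran from a different path or
    #    with different arguments. Reading the folder needs administrator rights.
    $prefetchDir = Join-Path $env:SystemRoot 'Prefetch'
    $pfEntries = @()
    if (Test-Path $prefetchDir) {
        $pfEntries = Get-ChildItem -Path $prefetchDir -Filter "$($file.Name.ToUpper())-*.pf" -ErrorAction SilentlyContinue |
                     Select-Object Name, LastWriteTime
    }

    [pscustomobject]@{
        File            = $file.FullName
        SHA256          = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        SignatureStatus = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer          = $signer
        CompanyName     = $vi.CompanyName
        ProductName     = $vi.ProductName
        FileVersion     = $vi.FileVersion
        PrefetchEntries = $pfEntries
    }
}

# Usage (path is a placeholder; run from an elevated prompt to see Prefetch entries):
# Test-DownloadedInstaller -Path "$env:USERPROFILE\Downloads\BellCanadaClientInstaller.exe" | Format-List
```

An unsigned installer with empty CompanyName/ProductName fields that the vendor's own support staff cannot vouch for is reason enough to stop and ask for a signed copy or a documented hash, regardless of what any rootkit heuristic reports. The SHA256 value is included so the file can be compared against whatever the vendor publishes, or looked up later if it turns out to have been a transient download.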