
[ovSAGE Regulars] [Fwd: Is Bell Sympatico quietly using a rootkit?]

  • Subject: [ovSAGE Regulars] [Fwd: Is Bell Sympatico quietly using a rootkit?]
  • From: "Brenda J. Butler" <bjb [ at ] linuxbutler [ dot ] ca>
  • Date: Tue, 1 Jan 2008 18:39:19 -0500

I saw this on another mailing list and thought you-all might be
interested.

bjb


----- Forwarded message from Joseph Potvin <jpotvin [ at ] linuxmail [ dot ] org> -----

Date: Tue, 01 Jan 2008 13:01:52 -0500
From: Joseph Potvin <jpotvin [ at ] linuxmail [ dot ] org>
Subject: [OTT-GOSLING] [Fwd: Is Bell Sympatico quietly using a rootkit?]
To: GOSLING members in Ottawa <ottawa-gosling [ at ] list [ dot ] goslingcommunity [ dot ] org>

FYI Cross-posting this to GOSLING, in case someone on this list might 
want to explore it.  I acknowledge this is off-topic for GOSLING, so I 
suggest not initiating a discussion here unless considering policy or 
government systems aspects.

joseph

-------- Original Message --------
Subject: Is Bell Sympatico quietly using a rootkit?
Date: Tue, 01 Jan 2008 12:59:26 -0500
From: Joseph Potvin <jpotvin [ at ] linuxmail [ dot ] org>
Reply-To: jpotvin [ at ] linuxmail [ dot ] org
To: General Copyright Discussions (questions, organizing, etc) 
<discuss [ at ] list [ dot ] digital-copyright [ dot ] ca>
CC: ahmed [ dot ] farah [ at ] bell [ dot ] ca
References: <1198819927.17951.304.camel@localhost.localdomain> 
<47765F1A [ dot ] 6080309 [ at ] flora [ dot ] ca>

This note is tangential to the topic of this particular list, however
anyone following the Sony rootkit fiasco
http://www.digital-copyright.ca/search/node/rootkit will probably have
an interest in it...

In the process of helping someone diagnose a highspeed connection issue
with a WindowsXP client recently, I went to http://fix.sympatico.ca,
which re-directs to
http://service.sympatico.ca/index.cfm?method=home.internetcheckup  At
that site Bell Sympatico offers an "internet checkup" utility for
download. (BTW, those pages won't display to anyone using a
standards-based browser, only IE.)  My friend's client has the
Threatfire firewall http://www.threatfire.com/ running, which recognized
part of what was being installed as a rootkit. When I phoned Sympatico
to ask, neither the initial tech support nor a manager (who I am c.c.ing
in this email) were able to confirm or deny whether a rootkit was part
of the installation, though they assured me that everything was fine,
and that the BellCanadaClientInstaller.exe check-up utility has been in
use for several years without problems.

Hmmm.

Following are some details for anyone wishing to assess further.

1. Download page
http://service.sympatico.ca/index.cfm?method=home.internetcheckup  says:

Diagnose and solve common security, e-mail, connection and software
problems automatically. Internet Check-up is Sympatico's latest
all-in-one tool to fix common Internet-related problems. Please click
the Download now button to download the Internet Check-up
installer.  When the dialog box displays, click the Run (or Open)
button. Once Internet Check-up is installed, all you need to do is
provide your Sympatico user ID (b1 number) and password.
Internet Check-up will then start automatically and scan your computer.
If it cannot solve all the problems, it will collect your settings and
safely send them to our representatives to help them find a solution
that much faster!

2. Download identifies BellCanadaClientInstaller.exe as "from
pbctbc.bc.motive.com", although Threatfire reports that "This file does
not have a valid digital signature that verifies its publisher." Also a
Google search for "pbctbc.bc.motive.com" shows that the site did exist
at some time, but now apparently does not.
http://www.google.ca/search?hl=en&q=pbctbc.bc.motive.com&btnG=Search&meta=
A check via netcraft.com lists no such site.  During some later testing,
I notice that each time BELLCANADACLIENTINSTALLER.EXE is installed, a
number in a generated filename changes: eg
BELLCANADACLIENTINSTALLER.EXE-2AFE8370.pf
BELLCANADACLIENTINSTALLER.EXE-2F1785GE.pf
BELLCANADACLIENTINSTALLER.EXE-071652FS.pf
The .pf indicates a "password-protected file"

3. The Service Agreement includes the following elements:
"Access, Your Responsibilities.  You acknowledge and agree that in order
to provide the Service to you Bell Canada or its third party service
providers (including third party service providers who may be located
outside of Canada) will access, take control of and make changes to your
personal computer and/or software by remote control, including the
installation and where applicable, de-installation of certain software
and you hereby consent to such actions.  ...Bell Canada is not
responsible for any lack of privacy or security which may be experienced
with respect to the provision of the Service to you, including as a
consequence of your failure to adequately safeguard your system."

4. During install, a message across the top of the browser reads: This
website wants to run the following add-on: 'Control name not available'
from 'Unknown publisher'. I continued the install but used Threatfire's
quarantine option. After completing, the firewall also put up a warning
box, which included the note: "No further rootkit scans can be run until
you reboot."  This is the only indication I have that a rootkit might be
part of the package. Maybe it explains why those clauses are part of
the Service Agreement.

5. An info link presented by Threatfire points to
http://www.prevx.com/filenames/X1398489869454513983-0/BELLCANADACLIENTINSTALLER.EXE.html
that lists the following security issues:

The filename BELLCANADACLIENTINSTALLER.EXE was first seen on Nov 1 2007
in CANADA. ... These files have no vendor, product or version
information specified in the file header.

BELLCANADACLIENTINSTALLER.EXE has been seen to perform the following
behavior(s):
     * This Process Deletes Other Processes From Disk
     * This Process Creates Other Processes On Disk
     * Executes a Process
     * Executes Processes stored in Temporary Folders
     * Can communicate with other computer systems using HTTP protocols

BELLCANADACLIENTINSTALLER.EXE has been the subject of the following
behavior(s):
     * Executed as a Process
     * Created as a process on disk
     * Executed from Temporary Folders
     * Deleted as a process from disk
     * Writes to another Process's Virtual Memory (Process Hijacking)

____


Please let me know if discussion of this curious download from Bell
Sympatico is taken up somewhere else besides this digital copyright list.

Joseph Potvin

_______________________________________________
Ottawa-gosling mailing list
Ottawa-gosling [ at ] list [ dot ] goslingcommunity [ dot ] org
http://list.goslingcommunity.org/mailman/listinfo/ottawa-gosling


----- End forwarded message -----
_______________________________________________
regulars mailing list
regulars [ at ] ovsage [ dot ] org
http://www.ovsage.org/mailman/listinfo/regulars
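A small triage helper for the file names quoted in item 2 above, added here as an example and not part of the original message or of any Bell Sympatico or Threatfire tool. On Windows XP a `.pf` extension denotes a Prefetch entry, and Prefetch entries are named `<EXECUTABLE>-<8 hex digits>.pf`, where the hex value is a hash the operating system derives from the executable's full path; the same executable run from the same location therefore keeps the same name, while a different hash means a different on-disk location. The script below parses such names, rejects ones that do not fit the format (two of the three names quoted in the message contain non-hex characters as written), and groups the well-formed ones by executable so a responder can see how many distinct locations a given program has been launched from. The sample input is constructed for this example; only the three quoted names come from the message.

```python
import re
from collections import defaultdict

# Prefetch naming convention: EXECUTABLE.EXT-XXXXXXXX.pf, hash is 8 hex digits.
# Matching is case-insensitive because Windows file names are.
_PREFETCH_RE = re.compile(r"^(?P<exe>[^\\/:*?\"<>|]+?)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


def parse_prefetch_name(name):
    """Return (executable, path_hash) for a well-formed Prefetch file name,
    or None when the name does not follow the EXE-HASH.pf convention."""
    m = _PREFETCH_RE.match(name.strip())
    if m is None:
        return None
    return m.group("exe").upper(), m.group("hash").upper()


def summarize_prefetch(names):
    """Group well-formed Prefetch names by executable.

    Returns (summary, malformed): summary maps each executable to the sorted
    list of distinct path hashes seen for it; malformed lists every input that
    did not parse, which is worth a second look during triage."""
    by_exe = defaultdict(set)
    malformed = []
    for name in names:
        parsed = parse_prefetch_name(name)
        if parsed is None:
            malformed.append(name)
            continue
        exe, path_hash = parsed
        by_exe[exe].add(path_hash)
    summary = {exe: sorted(hashes) for exe, hashes in by_exe.items()}
    return summary, malformed


def executables_with_multiple_locations(names):
    """Executables whose Prefetch entries carry more than one path hash, i.e.
    the same program name was launched from more than one on-disk location.
    An installer that unpacks and runs copies of itself from temporary
    folders typically shows up here."""
    summary, _ = summarize_prefetch(names)
    return sorted(exe for exe, hashes in summary.items() if len(hashes) > 1)


# Constructed sample: the first three names are quoted in the message above,
# the remaining ones are made up for this example.
SAMPLE_PREFETCH_NAMES = [
    "BELLCANADACLIENTINSTALLER.EXE-2AFE8370.pf",
    "BELLCANADACLIENTINSTALLER.EXE-2F1785GE.pf",   # 'G' is not a hex digit
    "BELLCANADACLIENTINSTALLER.EXE-071652FS.pf",   # 'S' is not a hex digit
    "BELLCANADACLIENTINSTALLER.EXE-9B1C0D2E.pf",   # constructed, second location
    "NOTEPAD.EXE-D8414F97.pf",                     # constructed
]

if __name__ == "__main__":
    summary, malformed = summarize_prefetch(SAMPLE_PREFETCH_NAMES)
    for exe, hashes in sorted(summary.items()):
        print(f"{exe}: {len(hashes)} location hash(es): {', '.join(hashes)}")
    for name in malformed:
        print(f"does not match Prefetch naming convention: {name}")
    print("run from multiple locations:", executables_with_multiple_locations(SAMPLE_PREFETCH_NAMES))
```

Run against a copy of `%SystemRoot%\Prefetch` listing names, the `malformed` list catches transcription errors or files that merely carry a `.pf` extension, and the multi-location report points at executables worth examining in their temporary-folder copies, which is the behaviour the Prevx listing in item 5 describes.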