More Than a Toolbar

We received a sample recently from a customer. Its file name, ToolbarSetup.exe, implies it may be toolbar installer. Upon execution, it displays the eBay toolbar EULA and the installation interface. And this program does indeed install the eBay toolbar.

However, something grabbed my attention during the installation. Besides the 2ebaytoolbarsetup.exe process, the program also created the wscript.exe process and ran .vbs files–that is not common for the toolbar installation. So I looked into every file dropped by the installer. Then something caught my eye. Besides the dozens of legit eBay toolbar components, there was a file named startup.exe. Unlike the toolbar components, this file had no version information. So I ran it in my test environment, and it generated a few batch and Visual Basic script files. The image below shows one of the generated .vbs files.

This file silently opens TCP port 3389, which is by default the port for Terminal Services. It creates a new account–”eBayMember”–with Administrator privileges and enables this account to remotely access the infected machine. The created account is also hidden from login screen, to prevent the victim from noticing.

Then the remote access ability of the compromised machine was verified by using the user name and password defined in the malicious .vbs file, as illustrated below. A successful login suggests the infected machine could be completely controlled by a remote attacker.

Still feel safe downloading and installing toolbars from untrusted sources? Attackers can take advantage.