A few days ago we started getting messages from users saying that their antivirus software had started detecting Trojans in the Flashget directory.
Analysis showed that the problem was affecting Flashget users all over the world. Files called inapp4.exe, inapp5.exe, and inapp6.exe (which are detected by Kaspersky Anti-Virus as Trojan-Dropper.Win32.Agent.exo, Dropper.Win32.Agent.ezxo, and Trojan-Dowloader.Win32.Agent.kht) appeared on the victim machines.
The strangest thing was the fact that no other Trojans were detected that could have been used for the files shown above to get onto the system. Some affected users had fully patched operating systems and browsers. So how did the malicious programs penetrate their computers?
The first thing that was noticed was the location of the Trojans – the FlashGet directory. Taking a closer look, it became clear that in addition to the Trojans, the date the FGUpdate3.ini file had been created/modified was very recent (the difference from the original file is highlighted in blue):
Strangely enough, the link to inapp4.exe (a Trojan file) leads to the FlashGet site, which is where the Trojan was downloaded from as appA.cab.
The FlashGet site didn't have any information about the incident, but the users’ forum was full of messages on the topic, even though the developers hadn’t said anything about it.
According to information we managed to find on the web, the first infection was detected on 29 February. The last case we know of occurred on 9 March. For 10 days a perfectly legitimate program acted as a Trojan-Downloader, installing and launching Trojans from the developer’s site onto users’ computers!
The Trojans have now been removed from the site, and FGUpdate3.ini (which also downloads to the user's machine via the Internet) is in its original condition.
So how was FlashGet turned into a Trojan-Downloader? There's one obvious answer – the developer’s site was hacked and someone managed to substitute the standard configuration file and link it to a Trojan located on the site. Why the hacker didn't use a different site isn't clear. Maybe this was deliberate stealthing, as a link to FlashGet in the configuration file isn't likely to arouse suspicion). We decided to check whether it would be possible to use this technique to download any file from any site. The answer? Yes, it is.
All you need to do is add a link (which can point to any file you want) to the FGUpdate3.ini file and it will be automatically downloaded to your computer every time you launch FlashGet. Even if you don’t press “Refresh”, FlashGet uses the information from the .ini file. This “vulnerability” is present in all versions of FlashGet 1.9.xx.
So, in spite of the fact that the site is no longer “hacked”, users are still vulnerable. Any Trojan program could modify the local .ini FlashGet file, causing it to function like a Trojan-Downloader. And it's worth noting here that FlashGet is usually treated as a trusted application, consequently, network activity caused by the application or requests to sites won't be flagged as suspicious, and users won't be alerted.
There has, as yet, been no official reaction from the Chinese developers of FlashGet. The reason for the incident remains unclear and there is no guarantee that it will not happen again. Users should feel free to draw their own conclusions… and take whatever measures they feel to be appropriate.