
Thursday, February 4, 2016

SmartDraw installs adware as part of demo program

When I'm not writing about computers for free on the internet, I actually work with computers (for money). Most of what I do involves doing stuff with computers directly, but sometimes I have to talk to people before I can start with the computer-stuff. That can involve convincing people that my colleagues and I actually know what we are doing or planning projects with other people. With both of these tasks I've found that drawing pictures can be very helpful.

These are special types of pictures, called workflows or network topologies. Here's a really basic example:
Tree Topology, by Tsingha02
The idea is taking some very complicated ideas about the relationships between computers and applications and putting them into very basic visual representations. Particularly for projects involving large numbers of servers, this sort of visualization is critical to understand what is going on.

Despite how critical this sort of thing is to working with computers, there is a fairly short list of applications that are available to produce these sorts of images. The big name in the market is Visio, which has been part of Microsoft's Office utility suite for years now. The problem with Visio is its price. These sorts of programs don't require anything advanced - they are just a specialized clip-art program that lets you copy & paste little pictures of computers with lines in between them. It seems a bit much to pay $300 for a few icons and a limited version of Paint, but lots of people do.

Among the other options is a program called SmartDraw, which starts off at around the same $200-$300 price range as Visio. I recently tried the software out by downloading a demo version from their site. For the most part, I liked it - although the demo software attempts to make it impossible to export images by embedding watermarks, a less-than-ethical user of the demo software could take a screen-shot of a SmartDraw image to replicate the export function without the watermarks.

The watermarks are lame, but pretty standard. What I was surprised to find was SmartDraw installing an adware application on my computer that randomly launches windows advertising SmartDraw - when the imaging software is not running. This results in this unsightly window popping up for what seems like absolutely no reason:

This behavior was encountered with the 1/31/2016 64-bit version of SmartDraw for Windows, using the installer package smartdraw_XG_13IGGR_setup.exe from the SmartDraw website. By default, this package installs into the directory C:\SmartDraw CI\, and the adware window is launched by this application: C:\SmartDraw CI\Messages\SDNotify.exe. The adware keeps several configuration files inside that \Messages\ folder. It looks like this:

As you can see, the files other than the SDNotify.exe adware executable include several configuration files, some HTML files, an image and a log file. The image file is used for a notification bubble that appears in the bottom-left-hand corner of a user's screen. Here's what it looks like:

The text that goes into that screen is based on the content of SDNI.ini, which also determines the location the window appears in a user's screen. The contents of that file are fairly self-evident:

[Global]
DisplaySize=635x525
DisplayOffset=1x1
PromptBack=msg.bmp
PromptArea=4 32 220 47
PromptClose=206 7 12 12

ActivateEXE=..\SmartDraw.exe
ActivateEXEParams=-a

[2]
local=2.html
prompt=Need Help? Give us a call. Really... we mean it!
[3]
local=3.html
prompt=You're Using the Best Diagramming Software There Is. Period.
[4]
local=4.html
prompt=Three More Ways SmartDraw Can Help You Go Home Earlier Today.
[5]
local=5.html
prompt=Don't Let Your SmartDraw Trial Expire

The adware script is executed with the following syntax:

Take note of the remote connection that is being established to www.smartdraw.com - this sort of behavior is specifically reprehensible when users are not notified. I tried to scrape the file, messagecheck.aspx, that is referenced by the adware notification, but attempts to retrieve the file with wget simply return an ErrorMsg=NoParamsPassed response and nothing else. Getting a better idea of the server side of this script will require a bit of effort - I will update this post with further information as it becomes available.

What about the local HTML files? They handle the more complex formatting of the advertisement. There are five of them - 1.html, 2.html, etc. There is some basic logic in SDNotify.exe to keep track of the SmartDraw demo's license, so the advertisement shown depends on how much longer there is to go until the demo license key expires.

How does SmartDraw run this delightful little script? Variables such as the installation time, used to determine the validity of the license key, are stored in the registry at HKEY_CURRENT_USER\Software\SmartDraw.com\ (the installation time variable is HKEY_CURRENT_USER\Software\SmartDraw.com\Messaging\Local\InstallTime - you could probably extend a demo license key forever by futzing with this registry key). The registry also contains data on the last time the adware established a connection with SmartDraw's remote server.

The script is executed as a pair of Scheduled Tasks - SDMsgUpdate (TE) and SDMsgUpdate (Local). The arguments for each task are slightly different. Each task runs the adware script, but the TE task uses the arguments "-PTE -V22000000 -SSDU.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -T -N -X" whereas the Local task uses the arguments "-PLocal -V22000000 -SSDNI.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -T -N -L". Disabling the scheduled tasks should prevent further instances of the adware from running on your computer. However, I haven't checked whether there is any logic outside of the SmartDraw installer that enables these tasks. SmartDraw does not install a service or run any startup scripts at boot time, but running the regular SmartDraw program might re-enable the adware.
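For anyone who wants to check a machine for the scheduled tasks and registry key described in the two paragraphs above, here is an added PowerShell audit script (my own example, not something shipped by SmartDraw). It assumes the task names, executable path and registry location exactly as given in this post; the -Disable switch and the hypothetical report layout are mine. Run it as the affected user, since the tasks and the key live in that user's context.

```powershell
# Added example (not SmartDraw's code): audit, and optionally disable, the
# scheduled tasks that launch SDNotify.exe, then report the trial InstallTime
# value and the executable itself. Paths and task names come from the post.
param(
    [switch]$Disable   # report only unless -Disable is given
)

$adwareExe = 'C:\SmartDraw CI\Messages\SDNotify.exe'
$regKey    = 'HKCU:\Software\SmartDraw.com\Messaging\Local'

# Match on the action (what is executed) as well as on the task name, so a
# renamed task that still points at SDNotify.exe is caught too.
$tasks = Get-ScheduledTask | Where-Object {
    ($_.TaskName -like 'SDMsgUpdate*') -or
    ($_.Actions | Where-Object { $_.Execute -and ($_.Execute -like '*SDNotify.exe*') })
}

$report = foreach ($t in $tasks) {
    $info = $t | Get-ScheduledTaskInfo
    foreach ($a in $t.Actions) {
        [pscustomobject]@{
            Task       = $t.TaskName
            State      = $t.State
            Executable = $a.Execute
            Arguments  = $a.Arguments   # shows the -M...messagecheck.aspx URL
            LastRun    = $info.LastRunTime
            NextRun    = $info.NextRunTime
        }
    }
    if ($Disable) {
        # Disable rather than delete: reversible, and the task definition
        # stays available as evidence of what the installer created.
        $t | Disable-ScheduledTask | Out-Null
    }
}

if ($report) { $report | Format-Table -AutoSize }
else         { Write-Host 'No scheduled task launching SDNotify.exe found.' }

# The executable the tasks run, if it is still on disk.
if (Test-Path $adwareExe) {
    Get-Item $adwareExe | Select-Object FullName, Length, LastWriteTime | Format-List
}

# The InstallTime value the post says SDNotify.exe uses for the trial clock.
if (Test-Path $regKey) {
    Get-ItemProperty -Path $regKey | Select-Object InstallTime | Format-List
}
```

Because the post notes that launching SmartDraw itself might re-enable the tasks, rerun the script without -Disable after using the program to confirm the State column still reads Disabled.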

I hope this is helpful to those interested in making network topologies without having their computer become a free advertising platform for SmartDraw. If SmartDraw is reading this, there is nothing wrong with telling users that their license is running out or providing sales information, but you should do so within the confines of your own program. Remind them when they boot your program, not when they are checking their email or looking at cat pictures. Don't install stuff on people's computers that they didn't ask for.
