Xunlei is a BitTorrent service primarily used in China and backed by Google. The service was recently caught spreading malware to thousands of both Windows PCs and Android devices.
An investigation was undertaken by security company Eset and has revealed that Xunlei has been spreading malware named “Win32/Kankan” to Windows and Android users, signed with the company’s security certificate. This form of malware is classed as a Trojan, and has only affected Chinese users, according to Eset. Joan Calvet from Eset said in a blog post: “The company officially admitted during a press conference that some of its employees have used company resources to create and distribute this program. The degree to which Xunlei Networking Technologies is implicated is hard to tell from the outside”.
The Xunlei software is extremely popular in China and claims about 30% of world BitTorrent users, thereby making it the most used BitTorrent client for the service. The BitTorrent client allows peer-to-peer file sharing. The BitTorrent protocol works by breaking each file to be shared into small chunks and sends them across the internet between computers. Parts of the complete file can be hosted on many different computers, and the whole file is reconstructed by pulling the parts from different machines.
It is unclear how this malware, which was specifically programmed to avoid detection by security software and analysts, was initially spread. A “dropper” program named “INPEnhSetup.exe” posed as a Windows installer, which once activated contacted a server across the internet (a domain owned and operated by Xunlei) and “dropped” or installed three further malicious programs onto the unsuspecting system. One of these programs, a plugin for the Microsoft Office applications, then installed itself within the Windows Registry, ensuring that it was loaded every time an Office application was run.
When the program was run, the Office plugin scanned the computer for analysis tools such as the Windows task manager, and quickly shut down if one was found to be running on the system, thereby evading detection by the computer user or a security analyst. Only if the program failed to detect any running computer analysis tools, would it begin sending user information such as the version of Windows to a remote server. The malware also included an updater, which automatically checked a server for new versions of the program and then installed updates when they became available.
Another application installed alongside the Office plugin silently installed applications onto an Android phone that was connected to the infected computer. Using the USB connection, the “installphoneapp” installed rogue applications, including three separate Chinese app stores, and a phone call app which claimed to offer cheap calls. “Overall, the motivation behind the installation of these particular mobile applications remains unknown,” said Calvet.
The applications were only installed if the Android phone connected had a security setting disabled, which enables developer actions over USB on the phone, something which is often required for Android software modifications and operating system customisation. (Mods, Rooting and Custom Roms)
Since August, Xunlei made available an uninstaller application, which users could download and try to remove the problem manually. Using the company owned and operated servers, which the malware automatically contacted, Xunlei also pushed out the installer to infected machines.
The daily number of infections has dropped dramatically, according to data from Eset.
According to Eset’s data, the daily number of infections has dropped significantly since Xunlei’s remedial actions.
[Image via: japandailypresss]