This family of threats gets onto your PC through a Nullsoft Scriptable Install System (NSIS) compiled installer. They are installed with the file name %APPDATA%\okitspace\protect\pluginprotect.exe without your consent.
They are then registered as a service with the name "Protect your browser's extensions" and modify these registry entries:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\srvPlgProtect
Sets value: "Type"
With data: "dword:00000010"
Sets value: "Start"
With data: "dword:00000002"
Sets value: "ErrorControl"
With data: "dword:00000001"
Sets value: "ImagePath"
With data: "%AppData%\okitspace\protect\PluginProtect.exe"
Sets value: "DisplayName"
With data: "Protect your browser's extensions"
Sets value: "ObjectName"
With data: "LocalSystem"
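The registry values above describe an auto-start service (Start = 2 is SERVICE_AUTO_START, Type = 0x10 is SERVICE_WIN32_OWN_PROCESS) whose binary lives under a user profile but runs as LocalSystem. The following PowerShell script is an added check that is not part of this analysis: it lists every installed service matching that combination so the srvPlgProtect entry, or any look-alike with a different name, stands out. It assumes an elevated session on the machine being examined.

```powershell
# Added example (not part of the original analysis). Flags services that
# auto-start as LocalSystem from a binary stored under a user profile, the
# persistence pattern used by the srvPlgProtect service described above.
# Run from an elevated PowerShell session.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$findings = foreach ($svc in Get-ChildItem -Path $servicesKey) {
    $p = Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue
    if (-not $p -or -not $p.ImagePath) { continue }

    # ImagePath is usually REG_EXPAND_SZ; expand it and also keep the raw
    # form so an unexpanded %AppData% reference is still caught.
    $image = [Environment]::ExpandEnvironmentVariables([string]$p.ImagePath)
    $inProfile = ($image -match '(?i)\\AppData\\|\\Users\\') -or
                 ([string]$p.ImagePath -match '(?i)%AppData%|%UserProfile%')
    $autoStart = ($p.Start -eq 2)                      # SERVICE_AUTO_START
    # A missing ObjectName also means the SCM runs the service as LocalSystem.
    $asSystem  = (-not $p.ObjectName) -or ($p.ObjectName -eq 'LocalSystem')

    if ($inProfile -and $autoStart -and $asSystem) {
        [pscustomobject]@{
            Service     = $svc.PSChildName
            DisplayName = $p.DisplayName
            ImagePath   = $p.ImagePath
            Type        = ('0x{0:X}' -f [int]$p.Type)  # 0x10 = own process
            ObjectName  = $p.ObjectName
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No auto-start LocalSystem services found under a user profile.'
}
```

A legitimate service has no reason to start its binary from %AppData% as LocalSystem, so any hit deserves a look at the file and its service key before it is removed, since this family re-creates what is deleted.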
They might also create the following registry subkey as part of their installation routine:
Steals your information
After the threats are registered as a service, they get the following information about your PC:
- Current date
- Default browser
- Installed antivirus program
- Installed browsers
- Operating system and version
- User ID
They send this information to a remote server.
We've seen them connecting to the following servers to send information and download files:
Installs plugins and displays ads in your browser
These threats download a .zip file called plugin.zip, which contains the plugins they install.
Sample contents of plugin.zip are:
crxID - Contains text (Chrome ID)
OKitSpace.crx - Chrome extension to be installed
OKitSpace.crx.zip - Chrome extension to be installed
OKitSpace.pem - Cert file needed to install the Chrome extension
OKitSpace.dll - BHO to be installed on Internet Explorer
OKitSpace.xpi - Firefox plugin to be installed
version - Contains text (version of the plugin)
When these plugins are installed, they can display unwanted pop-up ads in Internet Explorer, Firefox, or Chrome browsers.
Here are some screenshots of what these plugins might look like:
- In Internet Explorer:
- In Firefox:
- In Chrome:
These threats monitor all the plugins they install. If the plugin is disabled, they immediately re-enable or activate the plugin. If the plugin is removed, the threats download and install another copy of the plugin.
Analysis by Ricardo Robielos