Beware of VPN GUIs with embedded rootkits

Yesterday, as I went searching the web for free VPN services, I came across an article post advertising HSS VPN at the AskHideki website. I downloaded the HotSpotShield (HSS) VPN GUI out of curiosity because the blog owner mainly advertises this VPN for his own use and he says that the software was easy to use and, above all, free. The one thing I noticed is that the download file itself is being monetized, because it's anonymized using anonym and redirected to an adfly URL shortener and hosted at mediafire 😛

As quoted from Hideki, the blogger:

I am currently using this now. 😀 I like it more. XD Yeah, it's simple and easy to use. I envy those who can code these kinds of stuff. I wish I could be just like them. LOL.

You can also add ExpatShield configs on this GUI, or even other VPNs! 😀

The software was created by a certain Filipino, Dennis Llena, with the forum handle "sinned0326" at symb.ph.

I immediately installed it on my computer, but had no luck in getting a free internet connection. I then tried to use Server 40 on the list and changed the port to 137.

Yes, it worked.

But I couldn't load a thing! The browser just showed me the dreaded "Cannot find server" error. Then my computer became sluggish.

I tinkered around the files of the HSS GUI to find out if I could do something about it, like with TsunamiVPN, where one can just edit the .ovpn files. I found nothing but those images and "backup" images in the config folder.

Then I found a log file.

Fri Oct 28 17:36:13 2011 OpenVPN 2.1_rc19 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jul 1 2011
Fri Oct 28 17:36:13 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 28 17:36:13 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Oct 28 17:36:13 2011 NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion
Fri Oct 28 17:36:13 2011 UDPv4 link local (bound): [undef]:53
Fri Oct 28 17:36:13 2011 UDPv4 link remote: 0.0.0.0:0
Fri Oct 28 17:36:14 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Oct 28 17:36:17 2011 [www.cnfza32ncwk2e3dsixoq.net] Peer Connection Initiated with 0.0.0.0:0
Fri Oct 28 17:36:19 2011 TAP-WIN32 device [{590F1A3E-052A-482E-974B-07FF3117B020}] opened: \\.\Global\{590F1A3E-052A-482E-974B-07FF3117B020}.tap
Fri Oct 28 17:36:19 2011 Set TAP-Win32 TUN subnet mode network/local/netmask = 10.39.40.0/10.39.40.22/255.255.248.0 [SUCCEEDED]
Fri Oct 28 17:36:19 2011 Notified TAP-Win32 driver to set a DHCP IP/netmask of 10.39.40.22/255.255.248.0 on interface {590F1A3E-052A-482E-974B-07FF3117B020} [DHCP-serv: 10.39.47.254, lease-time: 31536000]
Fri Oct 28 17:36:19 2011 Successful ARP Flush on interface [5] {590F1A3E-052A-482E-974B-07FF3117B020}
Fri Oct 28 17:36:19 2011 TLS Error: local/remote TLS keys are out of sync: 0.0.0.0:0 [0]
Fri Oct 28 17:36:25 2011 Initialization Sequence Completed

The weird thing was that it initiated a connection to www.cnfza32ncwk2e3dsixoq.net.

I decided to buy a 1-day internet package instead. As I began browsing, I noticed that my computer was really slow. The pages were somewhat "delayed". When I uploaded something to my webhost, the FileZilla program threw an error about the connection, but on the second try it connected successfully.

Well, I thought it was just the "bad" internet connection.

Today, while using my computer, I noticed that the mouse moved on its own. The Firefox window closed, and the second time it closed, the system displayed an error box stating that there was a Delayed Write failure and my hard disk was corrupted. I was offered a "Scan and Fix" window, but to my dismay, it just removed all the desktop icons and folders on my C: drive.

I tried to reboot, but still with the same error. I launched Startup Repair, but the PC froze to death.

I then used the VistaPE LiveCD. I discovered that my files and folders were intact, only hidden. And in the start-up configuration, a file named AMFucJFMaVdteYf.exe was loaded through the Windows Registry.

The fix.

I had no choice but to clean-format the computer. I did a quick backup of my files and wiped out the entire disk. I used Windows 7 SP1 and immediately installed Avast! antivirus. The bad thing about the incident was that I deliberately turned off the antivirus when I tried the HSS VPN, the thing I usually do when I go online. I forgot that I hadn't yet tried HSS firsthand, unlike TsunamiVPN and PDProxy, which I already "trust".

I also changed the passwords for my e-mail, FTP, and secure accounts. The spyware may have had my log-in data since yesterday.

So guys, if you use HSS VPN and it came from Hideki's website, I'm pretty sure you are already infected. It may not yet produce symptoms, but I urge you to not use it anymore. Please check your HSS connection log; in my case it was at C:WINDOWSDesktopCopy of MY HSSdataloglog.txt. Look for the same website or a variant of it. You can try to disinfect your computer using your favorite antivirus, but in the event your antivirus cannot detect it, try downloading Rootkit Revealer from Sysinternals to check your computer for the vulnerabilities. Your last hope is a clean install of your computer.
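As an added example (not code from the original post or from the HSS GUI), the following script automates the log check described above: it scans an OpenVPN client log for the two configuration warnings in the quoted log (no server certificate verification, which allows a man-in-the-middle to impersonate the VPN server, and script-security 'system', which lets the config run shell commands) and flags any "Peer Connection Initiated" host that is not on a list of hosts you expect. The sample log lines are constructed from the post's log, and the expected host vpn.example.test is a hypothetical placeholder.

```python
import re

# Constructed sample modelled on the log quoted in the post (not a real capture).
SAMPLE_LOG = """\
Fri Oct 28 17:36:13 2011 OpenVPN 2.1_rc19 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Jul 1 2011
Fri Oct 28 17:36:13 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Oct 28 17:36:13 2011 NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion
Fri Oct 28 17:36:17 2011 [www.cnfza32ncwk2e3dsixoq.net] Peer Connection Initiated with 0.0.0.0:0
Fri Oct 28 17:36:25 2011 Initialization Sequence Completed
"""

# Risk indicators. The dash and quote alternatives cover logs pasted through
# editors that turn "--" into an en dash and "'" into a curly quote.
NO_CERT_VERIFY = re.compile(r"No server certificate verification method has been enabled")
SCRIPT_SEC_SYSTEM = re.compile(r"(?:--|\u2013)script-security method=['\u2019]system['\u2019]")
PEER_INITIATED = re.compile(r"\[([^\]]+)\] Peer Connection Initiated with (\S+)")


def scan_openvpn_log(text, expected_hosts):
    """Return a list of (severity, message) findings for an OpenVPN log.

    expected_hosts: hostnames the client is supposed to connect to; any other
    peer name in a 'Peer Connection Initiated' line is reported as unexpected.
    """
    findings = []
    expected = {h.lower() for h in expected_hosts}
    for line in text.splitlines():
        if NO_CERT_VERIFY.search(line):
            findings.append(("HIGH", "server certificate is not verified; a MITM can impersonate the VPN server"))
        elif SCRIPT_SEC_SYSTEM.search(line):
            findings.append(("HIGH", "script-security 'system' lets the config run shell commands on the client"))
        else:
            m = PEER_INITIATED.search(line)
            if m:
                host, addr = m.group(1).lower(), m.group(2)
                if host not in expected:
                    findings.append(("MEDIUM", f"peer connection to unexpected host {host} ({addr})"))
    return findings


if __name__ == "__main__":
    # vpn.example.test is a hypothetical placeholder for the host you expect.
    for severity, message in scan_openvpn_log(SAMPLE_LOG, ["vpn.example.test"]):
        print(f"{severity}: {message}")
```

Point it at a real log with `scan_openvpn_log(open(path).read(), [...])`; the peer name comes from the client's own config, so an unexpected name means the config itself points somewhere you did not choose.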

More info about these nasty rootkits here.

Author's note: Some angry users are commenting that I accuse the creator of the GUI of embedding the Trojan. While it is true that I posted his name here, it is for the mere identification of the software, and it is clearly shown in the graphic anyway. Some even posted my blog link on the forums so they could get attention for this. Some article comments were purposely edited here because of their objections to me. My answer: I was infected when I used this particular software. I posted my experience and what my actions were to remove the spyware. I don't know if these people can't understand what I wrote, or if it's just that they don't want to understand what I posted.
