Tuesday, May 29, 2007

How to save a Showtime (MMS) video stream to disk

Microsoft IT's Showtime offers tons of useful videos. Yesterday I tried to watch Advanced Malware Cleaning, by Mark Russinovich, but got immediately upset by the glitches of the streamed content, even though I tried to watch the low-res 300 kbps version on my 400 kbps connection. Showtime's FAQ says you can download the video if logged through .NET Passport. I didn't find any link which would allow me to do that, however.

After a quick search I found an article explaining how to save any video stream with the excellent VLC player. Unfortunately, it assumes you can view the source code of the web page with the embedded video and copy the actual link to paste into VLC. That's not the case of Showtime's videos. They play on a Windows Media Player control inside the browser which hides the video address.

I found two ways to workaround this. The first is to use URL snooper, whose latest version (v2.18.01 Beta) has a simple mode which starts listing multimedia links as soon as you launch the executable. URL snooper uses WinPCap to analyze every packet transmitted across the network card.

Finding the hidden URL with Firebug
Figure 1

The second way is to use Firefox's Firebug to find the hidden object inside the HTML. Figure 1 shows the hidden link for the Advanced Malware Cleaning video, which, if appended to the domain name, yields:


That's not yet the real link, but just a metafile that will redirect the player later. You may open that link in Windows Media Player but you still can't view the actual address. To download the metafile paste that link into the address bar of Firefox and press Enter. It'll launch Windows Media Player. Just close it. Back to Firefox type Ctrl-S to save the page. Open the saved file in a text editor and look at the ref tag. That's what we're looking for. This is what I got:

<asx version="3.0">
<ref href="mms://a2.v148539.c14853.g.vm.akamaistream.net/5/2/14853/v003/1a1a1a72db3eb01f920167db4fb41745a9188ffd69d8399dcb2c97f865c62f5dc02f9ccbfc30689dd0ff6cdf44bc2c5bc83ba01888b7fc2c5c93c5/0369_w.asf" />

In my case, the URL is:


If you used URL snooper, at this point you already had the real link. Now just follow the standard procedures for VLC (mine is 0.8.6a):

  1. Go to File, Open network stream...


  3. In Advanced options, check Stream/save and click Settings.

  4. In the Outputs section, check File, choose a filename, specifying the appropriate extension (in the case above ASF) and, very important, check Dump raw input.

  5. When the download finishes just open the file in Windows Media Player.

When you have a time just check how great VLC is, despite the extremely simple interface. With the exception of Real, it is able to play any kind of input.

Monday, April 30, 2007

G-Buster Browser Defense, analysis and removal

Internet Banking is a primary target of phishing attacks. That's no wonder financial institutions have come up with a myriad of solutions to protect their customers. Nevertheless, some banks in Brazil force them to install a piece of software which I find at least questionable in the way it affects the operating system. The software under consideration is called G-Buster Browser Defense, developed by GAS Tecnologia, and is currently used by Banco do Brasil, Caixa Econômica Federal, Banco Real ABN AMRO, among others†. It offers protection against malicious programs, keyloggers, site forgery etc.

Here I'll describe how the component installs on your computer and how to remove it while still been able to use Internet Banking. Since all institutions use the same software I've just picked one, Caixa Econômica Federal, hoping the exact same procedures apply to the others.

Analysis of installation

So, let's put our hands on it. After opening the bank's home page and clicking on the top right button ("Acessar") we arrive at the first screen of Internet Banking (Figure 1), where we enter our username. If it's not been installed yet, we'll be asked now to install the security module ("Módulo de Segurança") (Figure 2). At this stage you might have already noticed how the window title is marred with punctuation characters as we move across pages (more on this later). We then allow the component to install, taking us to the second screen, which presents the virtual keyboard (Figure 3).

First login screen
Figure 1

ActiveX installation warning
Figure 2

Second login screen
Figure 3

The software is now installed. Whenever I install something on my computer I like to know whether anything has been configured to execute on system start-up, because that's what makes your computer slow. And that was what caused my first bad impression about G-Buster Browser Defense. If we launch Autoruns it shows us three new entries in the registry. Figure 4 and Figure 5 contains the non-Microsoft entries before and after installing G-Buster Browser Defense on my computer. The main component is Gbieh Module, or gbiehCef.dll‡, a file under "%WINDIR%\Downloaded Program Files".

Auto-run entries before G-Buster installation
Figure 4

Auto-run entries after G-Buster installation
Figure 5

What really frightened me the most was to discover that gbiehCef.dll is injected into the Winlogon process: Process Explorer comes to our help (Figure 6). Being loaded by Winlogon means the software survives logoffs, and will be running even when we don't need it, possibly eating valuable CPU cycles. It's even worse: if a computer has many users and only one needs the Internet Banking service every user must pay the price for it.

Process Explorer showing Winlogon with gbiehCef.dll loaded
Figure 6

Just to be sure my ranting isn't totally reasonless, let's take Process Monitor and see how G-Buster performs. If we leave it running for some seconds with no filters set we note that some kind of polling is screamingly taking place. And you should know that polling kills. Every 5 seconds a thread in Winlogon reads a number of registry entries, checking for its values. Figure 7 illustrates the polling of the PendingFileRenameOperations key. Process Explorer brings out the culprit (Figure 8), gbiehCef.dll, when we search it for the thread id shown in Process Monitor.

Process Monitor shows some thread polling the PendingFileRenameOperations key
Figure 7

Process Explorer says that gbiehCef.dll is the culprit
Figure 8

Observing the polled registry entries is enough to guess what the security component is doing: check any attempt of its removal. That's likely to prevent malicious programs from disabling it. But that leaves the average user with no option to uninstall it. Deleting the auto-run entries has no effect because they will be recreated. Trying to delete or move the file containing the component is impossible. Scheduling the removal to the next reboot is also not possible, as the results of Process Monitor already suggested us. Rebooting into safe mode doesn't help either. We are left with the Recovery Console, which lets us delete the offending file and, an easier way, Process Explorer.

G-Buster removal

In the same screen we found the polling thread we can kill it (the "Kill" button). Now that nothing is polling the registry anymore we may open Autoruns and delete all related entries (those three whose description reads "Gbieh Module"). We can't delete the file because it's still in use (we don't need to, as you'll see in a while). Now, since we have killed a thread from a System process, we'd better reboot the computer, otherwise we may leave the operating system unstable (the component might have left a lock open inside Winlogon before we killed it).

Upon rebooting we may inspect with Process Explorer and Autoruns and make sure G-Buster is not there anymore. However, the component will attempt to install itself again in the auto-run entries if we hit the Internet Banking site (we are safe if we just open the bank's home page) because the Internet Explorer component is still installed and the browser will not ask our permission to execute it. Now the cool part: if you have a Limited User Account, as I do, you'll be able to use the Internet Banking service without the hassle of installing G-Buster. The site will open and the component will be executed by Internet Explorer, but it will fail to change the start-up entries or inject the library into Winlogon (Figure 9). Fortunately, it doesn't attempt to modify the per-user start-up entries either. Logging on and off is enough to get rid of G-Buster, and we are back with a clean system (gbiehCef.dll will be kept loaded by Explorer until we log off).

It's possible to use Internet Banking without gbiehCef.dll injected into Winlogon
Figure 9

If, by accident, you visit the Internet Banking site under an account with administrator privileges, you'll need to repeat the steps to identify the Winlogon thread and the auto-run entries. You'll notice that on the second install an additional Windows service (gbpsv.exe, G-Buster Browser Defense - Service) will be registered: that could be to a bug in the install process. The same steps apply, though.


I understand the purpose of G-Buster Browser Defense. It monitors registry keys (hooking would be a better solution than polling, however) to prevent a specially crafted software to disable it. It scrambles characters on the Internet Baking page title maybe in an attempt to slip away from the eyes of a keylogger looking for a certain page. Perhaps it monitors your Internet usage trying to identity suspects of forgery. It's not clear whether it sends personal information or downloads anything. There's no agreement or consent dialog.

What I don't understand is how that solution is better than an "on demand" scanner. It could scan the system just before the customers enter their information, and not full time. Sure, a trojan can be built to hide itself from an outdated scanner but, as demonstrated here, it's as easy to disable an outdated real-time scanner and bypass any security checks. Changing the title is also pointless if the trojan looks for the window's content.

And there is still another problem: G-Buster Browser Defense is a component used by more than one bank. That makes it a more interesting target of hackers because a single trojan solution can defeat the defenses of many banks. By the way, what looks like a poor design issue: if the component is the same for many sites, why does it need a separate installation for each one? It scans and polls the system twice! Finally, what can bother much more users, even those not worried about performance, is the need for an ActiveX component, locking them into Internet Explorer.

Regarding anti-phishing solutions, I like the one adopted by the Brazilian HSBC bank. You're presented with a box containing 9 lines of 4 characters each. To enter the password you must locate the line which contains the first character of your password and click the arrow next to it. Repeat for the second character and so on. A spying program can't guess which character you thought about when you clicked the arrow. Heck, neither does a person sitting on your side! It's not the perfect solution, since the careful analysis of the clicks of many logins may reveal the password, but I find it a lot less obtrusive than G-Buster and as effective as. No ActiveX, cross-browser and cross-platform.

Note: I should say that I made many assumptions in the analysis here and thus could be totally wrong in some points. I had nothing at hand, though. As stated previously, it's not clear anywhere what the component does nor how it does it.


† The footnote below names some of the other banks.

Gbieh Module has a different filename depending on the bank:

Banco do Brasilgbieh.dll
Caixa Econômica FederalgbiehCef.dll
Banco Real ABN AMROgbiehabn.dll
Mercantil do Brasilgbiehbmb.dll

Monday, April 23, 2007

DomainKeys-verified spam

I got excited when I read about the Yahoo! DomainKeys technology the first time. That would make spammers' life much harder because message headers tracking the sender's origin would be signed, providing a more efficient way of blacklisting abused domains.

Currently both Yahoo! and GMail, two among the major mail services, sign their outgoing messages with DomainKeys, meaning a significant amount of legitimate messages circulating on the Internet now have a signature. Unfortunately, that might have already got the attention of at least one spammer. I've been receiving some suspicious messages (DomainKeys-verified) from different GMail accounts, all looking like this:

Subject: Re: kryw

sqh vsi cfhj.

(pharmacy related ad image)

I can only take one (obvious) conclusion: spammers are creating temporary GMail accounts — which, I hope, are terminated by Google as soon as they notice them — to take advantage of the fact that, currently, spam filters skip DomainKeys-verified messages (at least on my Yahoo! and GMail accounts).

I couldn't find any report of this happening with other people, although I'm sure I'm not the only victim. I wonder what will be the near future of spam and spam filters. Will all unsolicited messages be signed? Will the filters need to analyze the message content with heuristics much the same way they do now with unsigned messages?

Well, while we wait for the future, all we can do is make a report of the offending accounts. If you also receive a spam signed by Google, report it here. Messages from Yahoo! may be reported here. If the abused accounts don't get the chance to annoy too many users, the effort spammers take to create them will not be payed off. Don't let they circumvent the cost of answering the CAPTCHA's of account creation pages.