FreeSmartSoft products still hiding an uninstallable 'back door'

It’s three weeks since we exposed freeware developer FreeSmartSoft for including an uninstallable adware-serving back door in some of its products.

The company had released some updated versions since then, so we checked out a copy of the popular FSS Google Book Downloader to see if any lessons had been learned.

There have been changes, too -- but not what we expected. The package includes the same back door, which still isn’t uninstalled along with the application; the developer has just modified the setup to make this harder to spot.

The open source InnoUnp makes it easy to spot the trickery. Point the program at the FSS installer with a -X switch and it unpacks various setup files, including the install_script.iss file which controls exactly what happens.

Here are a couple of key lines from the [Files] section, which tell the installer what to save where.

[Files]
Source: "{app}\FSSGoogleBooksDownloader.exe"; DestDir: "{app}"; MinVersion: 0.0,5.01.2600; Flags: ignoreversion
Source: "{commonappdata}\UpdaterSrv\UpdaterSrv.exe"; DestDir: "{commonappdata}\UpdaterSrv"; MinVersion: 0.0,5.01.2600; Flags: uninsneveruninstall ignoreversion

The core application is saved to its standard folder, which is fine.

But the installer is still equipping your PC with an "updater" component. It just happens to have a different name. Last time we told you to look out for "FSSUpdaterService", and coincidentally it’s now been renamed to "UpdaterSrv.exe".

The file location has also been changed, presumably to help avoid detection. In the last article we suggested you check C:\Users\<username>\AppData\Roaming\UpdaterService; now it’s at \ProgramData\UpdaterSrv\UpdaterSrv.exe.

Last time we showed how the "updater" ensured its persistence by creating a scheduled task called FSSUpdaterService in Task Scheduler (Local) > Task Scheduler Library.

The latest build extends its deception by burrowing deep to Task Scheduler (Local) > Task Scheduler Library > Microsoft > Windows > Software. The task is simply called UpdaterSrv, and as it’s stored in the very non-specific \ProgramData\UpdaterSrv folder, you’re much less likely to realize what it is.

It seemed quite clear what was happening here, but just to confirm, we ran the FSS Google Book Downloader uninstaller. Sure enough, while the core application was removed, UpdaterSrv.exe and its matching scheduled task remained untouched.
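The leftover file follows from the uninsneveruninstall flag on the second [Files] entry quoted above, which tells an Inno Setup uninstaller never to remove that file. As an added example (not code from the original article or from InnoUnp; the function names are our own), this Python script scans an unpacked install_script.iss and lists every [Files] entry carrying that flag, marking the ones that are executables:

```python
import re

# Constructed sample: the two [Files] lines quoted in the article, plus a
# hypothetical [Run] entry to show that other sections are ignored.
SAMPLE_ISS = r'''
[Files]
Source: "{app}\FSSGoogleBooksDownloader.exe"; DestDir: "{app}"; MinVersion: 0.0,5.01.2600; Flags: ignoreversion
Source: "{commonappdata}\UpdaterSrv\UpdaterSrv.exe"; DestDir: "{commonappdata}\UpdaterSrv"; MinVersion: 0.0,5.01.2600; Flags: uninsneveruninstall ignoreversion

[Run]
Filename: "{app}\FSSGoogleBooksDownloader.exe"; Flags: nowait postinstall
'''

# File types that can run code; the flag on a data file is far less interesting.
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".bat", ".cmd")
# One "Name: value" parameter; quoted values may contain semicolons.
PARAM_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"]|"")*"|[^;]*)\s*(?:;|$)')


def parse_entry(line):
    """Split an Inno Setup entry into {parameter name (lower-case): value}."""
    return {m.group(1).lower(): m.group(2).strip().strip('"')
            for m in PARAM_RE.finditer(line)}


def never_uninstalled(iss_text):
    """Return (source, destdir, is_executable) for every [Files] entry
    whose Flags include uninsneveruninstall."""
    section, hits = None, []
    for raw in iss_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()          # entering a new section
            continue
        if section != "files":
            continue
        entry = parse_entry(line)
        if "uninsneveruninstall" in entry.get("flags", "").lower().split():
            source = entry.get("source", "")
            hits.append((source, entry.get("destdir", ""),
                         source.lower().endswith(EXECUTABLE_EXT)))
    return hits


if __name__ == "__main__":
    for source, destdir, is_exe in never_uninstalled(SAMPLE_ISS):
        print(f"{'EXECUTABLE' if is_exe else 'file'} left behind: {source} -> {destdir}")
```

The flag has legitimate uses for shared files, so a hit is a prompt to look at what the file is, not proof of bad intent.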

What would happen next? We’re unsure. UpdaterSrv.exe didn’t install any adware in our brief tests. But if it works like the previous version, it has that ability, and the fact that the developer makes it so difficult to find and remove seems like a good reason to be extremely suspicious.

Put it all together and it would seem wise to avoid installing or updating any FreeSmartSoft application in future.

If you’ve installed one before, or still have it now, then grab a copy of Autoruns and use it to check your Scheduled Tasks.

Scan down the list, and look for any tasks with a publisher other than "Microsoft Corporation". Our system had plenty by trusted developers -- Opera, Adobe, Piriform -- but the UpdaterService task had a blank Publisher field.

If you see anything similar, it isn’t necessarily suspicious, but check the file anyway to make sure you know what it is. Scheduled tasks are commonly used by a lot of PC pests, so even if you don’t find FreeSmartSoft’s "updater", it’s quite possible you’ll spot something else.

© 1998-2024 BetaNews, Inc. All Rights Reserved.