
BrowserModifier:Win32/Spacekito


First posted on 01 March 2014.
Source: Microsoft

Aliases :

There are no other names known for BrowserModifier:Win32/Spacekito.

Explanation :

Threat behavior

BrowserModifier:Win32/Spacekito downloads and installs plugins for Internet Explorer, Firefox, and Chrome.

Installation

Spacekito is usually installed with the file name %APPDATA%\okitspace\protect\pluginprotect.exe without your consent.

It's then registered as a service with the display name "Protect your browser's extensions":

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\srvPlgProtect
Sets value: "Type"
With data: "dword:00000010"
Sets value: "Start"
With data: "dword:00000002"
Sets value: "ErrorControl"
With data: "dword:00000001"
Sets value: "ImagePath"
With data: "%AppData%\okitspace\protect\PluginProtect.exe"
Sets value: "DisplayName"
With data: "Protect your browser's extensions"
Sets value: "ObjectName"
With data: "LocalSystem"

It might also create the following registry subkey as part of its installation routine:

Subkey: HKLM\SOFTWARE\PluginProtect
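
The service registration above can be checked offline against an exported copy of the Services key. The following is an added example, not Microsoft's code: it parses `reg export` text, flags the service name and image path listed on this page, and goes one step further by flagging any auto-start LocalSystem service whose image sits under AppData. The service names ExampleRenamed and ExampleBenign and their paths are constructed sample data.

```python
import re
# Indicators from this page, lower-cased for case-insensitive comparison.
KNOWN_SERVICE = "srvplgprotect"
KNOWN_IMAGE = "\\okitspace\\protect\\pluginprotect.exe"
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"

def parse_reg(text):
    """Parse `reg export` text into {key_path: {value_name: data}}."""
    keys, cur = {}, None
    for line in map(str.strip, text.replace("\\\n", "").splitlines()):
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1], {})
        elif cur is not None and m:
            name, raw = m.groups()
            if raw.startswith("dword:"):
                cur[name] = int(raw[6:], 16)
            elif raw.startswith("hex(2):"):  # REG_EXPAND_SZ: UTF-16LE bytes
                data = bytes(int(b, 16) for b in raw[7:].replace(" ", "").split(",") if b)
                cur[name] = data.decode("utf-16-le").rstrip("\x00")
            elif raw.startswith('"'):  # REG_SZ with escaped backslashes
                cur[name] = raw[1:-1].replace("\\\\", "\\")
    return keys

def findings(text):
    """Return sorted (service, reason) pairs for suspicious service keys."""
    hits = []
    for key, v in parse_reg(text).items():
        svc = key[len(SERVICES):]
        if not key.lower().startswith(SERVICES) or "\\" in svc:
            continue  # not a service key, or a subkey such as ...\Parameters
        image = str(v.get("ImagePath", "")).lower()
        system = str(v.get("ObjectName", "")).lower() == "localsystem"
        if svc.lower() == KNOWN_SERVICE or KNOWN_IMAGE in image:
            hits.append((svc, "indicator listed on this page"))
        elif v.get("Start") == 2 and system and "appdata" in image:
            hits.append((svc, "auto-start LocalSystem service run from AppData"))
    return sorted(hits)

# Constructed sample export: the page's service, a renamed look-alike, a benign service.
ROOT = "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
AUTO = '"Start"=dword:00000002\n"ObjectName"="LocalSystem"'
HEX = ",".join(f"{b:02x}" for b in "C:\\Users\\a\\AppData\\Roaming\\x\\p.exe\0".encode("utf-16-le"))
SAMPLE = "\n".join([
    ROOT + "srvPlgProtect]", AUTO,
    r'"ImagePath"="%AppData%\\okitspace\\protect\\PluginProtect.exe"',
    ROOT + "ExampleRenamed]", AUTO, '"ImagePath"=hex(2):' + HEX,
    ROOT + "ExampleBenign]", AUTO, r'"ImagePath"="C:\\Windows\\System32\\example.exe"'])
if __name__ == "__main__":
    print(findings(SAMPLE))
```

On a real host, `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` writes UTF-16 text, so read the file with `encoding="utf-16"` before passing it to `findings`.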

Behavior

Once BrowserModifier:Win32/Spacekito is registered as a service, it gets information about your PC, including the following, and sends it to a server:

  • Operating system and version
  • Installed browsers
  • Default browser
  • Installed antivirus program
  • User ID
  • Current date


Then, it downloads a ZIP file called plugin.zip, which contains the plugins it installs.

Sample contents of plugin.zip are:

  • crxID - contains text (Chrome ID)
  • OKitSpace.crx - Chrome extension to be installed
  • OKitSpace.crx.zip - Chrome extension to be installed
  • OKitSpace.pem - Cert file needed to install the Chrome extension
  • OKitSpace.dll - BHO to be installed on Internet Explorer
  • OKitSpace.xpi - Firefox plugin to be installed
  • version - contains text (version of the plugin)


Once these plugins are installed, they can display pop-up ads when you go on the Internet using Internet Explorer, Firefox, or Chrome.

[Screenshots: the installed plugins as they appear in Internet Explorer, Firefox, and Chrome]


Spacekito also monitors all the plugins it installs. If a plugin is disabled, Spacekito immediately enables or activates the plugin. If the plugin is removed, Spacekito downloads and reinstalls another copy of the plugin.

We've observed Spacekito connecting to the following servers to download files and send information:

  • okitspace.com
  • media.vitkvitk.com
  • media.vitjvitj.com




Analysis by Ricardo Robielos

Symptoms

The following could indicate that you have this program on your PC:

  • You have these files:
    %APPDATA%\okitspace\protect\pluginprotect.exe
  • You see these keys in your registry:
    HKLM\SYSTEM\CurrentControlSet\Services\srvPlgProtect
    HKLM\SOFTWARE\PluginProtect
  • You see these extensions/plug-ins in Internet Explorer, Firefox, or Chrome [screenshots]

Last update 01 March 2014

 
