Sponsored by..

Friday, 21 August 2015

What the hell is event.swupdateservice.net?

So.. I saw some mysterious outbound traffic to event.swupdateservice.net/event ( / Microsoft, US). Googling around for the domain came up with some references to malware, but nothing very conclusive.

The WHOIS details for the domain are anonymised (never a good sign), and the IP address is also used by event.ezwebservices.net which uses similarly hidden details. Team Cymru have an analysis of what is being phoned home to this mystery server, and I found an existing Malwr analysis referencing the alternate domain.

I eventually found the mystery executable in C:\Users\[username]\AppData\Local\SoftUpdate\SoftUpdate.exe on the afflicted machine. Various analysis tools confirm that it generates this traffic [1] [2] [3].

The binary itself does not identify its creator. I found various references (such as in this report) linking this software and the domains to Emaze.com (a "free" presentation tool) and a look at the users traffic logs indicates that they visited this site, referred to it by VisualBee.com which is some sort of https://www.hybrid-analysis.com/sample/f479a3779efb6591c96355a55e910f6a20586f3101cd923128c764810604092f?environmentId=1PowerPoint plugin.

Neither domain identifies itself through the WHOIS details, not can I find any contact details on either site. A look through the historical WHOIS for VisualBee.com gives:

   Administrative Contact:
      info, info  info@visualbee.com
      visual software systems LTD.
      6 Hanechoshet st.
      Tel-Aviv, Israel 69710

And for Emaze.com:

   Administrative Contact:
      Rubenstein, Steven  rubenstein.steven@gmail.com
      504 224th PL SE
      Bothell, Washington 98021
      United States

This Crunchbase profile for Shai Schwartz links the two companies.

I don't like sharing data with commercial operations who are not prepared to fully reveal their identity, and I personally recommend blocking traffic to:


No comments: