OpenCandy is an adware module classified as malware by many anti-virus vendors, which flag it because of its undesirable side-effects. It is designed to be installed on a personal computer during the installation of other, desired software. Produced by SweetLabs, it consists of a Microsoft Windows library incorporated into a Windows Installer package. When a user installs an application that bundles the OpenCandy library, an option appears to install software it recommends based on a scan of the user's system and geolocation. Both the option and the offers it generates are selected by default if the user simply clicks "Next" through the installation.
OpenCandy's undesirable side-effects include changing the user's homepage, desktop background or search provider, and inserting unwanted toolbars, plug-ins and extension add-ons into the browser. It also collects and transmits various information about the user and their Web usage without notification or consent.
Development
The software was originally developed for the DivX installation, by CEO Darrius Thompson. When installing DivX, the user was prompted to optionally install the Yahoo! Toolbar. DivX received $15.7 million during the first nine months of 2008 from Yahoo and other software developers, after 250 million downloads.
Chester Ng, the former DivX business development director, is chief business officer and Mark Chweh, former DivX engineering director, is chief technology officer.
Windows components
Components of the program may have differing but similar names based on version.
Files dropped
Note that files dropped by this program usually have the 'hidden' and 'system' attributes set. To see or search for them, the folder setting "hide protected operating system files" must be unchecked and "show hidden files and folders" must be checked.
- OCComSDK.dll
- OCSetupHlp.dll
Processes
Note: additional processes associated with any accepted offers may also run.
- spidentifier.exe
- rundll32.exe
Registry keys
Registry keys have varying names, so the registry must be searched for "*opencandy*" to find and delete them.
DNS and HTTP queries
- tracking.opencandy.com.s3.amazonaws.com
- media.opencandy.com
- cdn.opencandy.com
- cdn.putono5.com
- tracking.opencandy.com
- api.opencandy.com
- www.arcadefrontier.com
Countermeasures
- Select "Custom installation (advanced)" and uncheck all option boxes.
- Run the software installer offline, or from the command line with the /NOCANDY option.
- Block OpenCandy hostnames in the Windows hosts file with entries like: 0.0.0.0 api.opencandy.com
- Run anti-malware such as Malwarebytes after the software installation to clean the system.
- Use an active anti-virus to detect and block adware/malware on the fly.
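As an added example (not part of the original article), the following read-only PowerShell triage script checks a Windows host for the indicators listed in the sections above: the dropped files (searched with -Force because of their hidden and system attributes), the spidentifier.exe process, registry key or value names containing "opencandy", and which of the listed domains are not yet sinkholed in the hosts file. The search roots and registry hives are assumptions; rundll32.exe is omitted because it is a legitimate Windows binary. It reports only and deletes nothing.

```powershell
# Added triage example; the search roots, hives and output shape are assumptions.
$DroppedFiles = @('OCComSDK.dll', 'OCSetupHlp.dll')
$Processes    = @('spidentifier')   # rundll32 left out: it is a normal Windows binary
$Domains      = @('tracking.opencandy.com', 'media.opencandy.com', 'cdn.opencandy.com',
                  'api.opencandy.com', 'cdn.putono5.com', 'www.arcadefrontier.com')
$SearchRoots  = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
                  $env:LOCALAPPDATA, $env:APPDATA, $env:TEMP)

# 1. Dropped files: -Force is required because they carry hidden+system attributes.
$fileHits = foreach ($root in ($SearchRoots | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $DroppedFiles -contains $_.Name }
}

# 2. Processes named in the article.
$procHits = Get-Process -Name $Processes -ErrorAction SilentlyContinue

# 3. Registry: key names or value names containing "opencandy" (hives are assumed).
$regHits = foreach ($hive in 'HKLM:\SOFTWARE', 'HKCU:\SOFTWARE') {
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            $_.PSChildName -like '*opencandy*' -or
            ($_.GetValueNames() | Where-Object { $_ -like '*opencandy*' })
        }
}

# 4. hosts file: report listed domains that have no "0.0.0.0 <domain>" entry yet.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsLines = if (Test-Path $hostsPath) { Get-Content $hostsPath } else { @() }
$unblocked = $Domains | Where-Object {
    $d = $_
    -not ($hostsLines | Where-Object { $_ -match "^\s*0\.0\.0\.0\s+$([regex]::Escape($d))\s*$" })
}

[pscustomobject]@{
    DroppedFiles     = @($fileHits | Select-Object -ExpandProperty FullName)
    Processes        = @($procHits | Select-Object -ExpandProperty Name)
    RegistryKeys     = @($regHits  | Select-Object -ExpandProperty Name)
    UnblockedDomains = @($unblocked)
}
```

Run it from an elevated PowerShell session so that the HKLM hive and protected directories are readable; an empty report means none of the article's indicators were found.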
Software known to have included OpenCandy
Source of the article : Wikipedia