
Although lots of surveys and reports have been done on iLivid by lots of malware analysts, I decided to inspect iLivid independently of previous research.

I have read lots of reports about iLivid, but when I proceeded to survey it I downloaded iLivid from iLivid.com, its official domain. So, I have the following questions from my observations:

1) I did not observe any of the malicious behavior I have read about in reports, e.g. browser hijacking, changing DNS settings, changing the homepage, installing additional add-ons, ... and mainly I can say I didn't see any malicious behavior. So, I guessed maybe there is a difference between the version of iLivid from its official domain and the version which users get infected with through tricky invented links. Maybe the former is safe and the latter is the malicious one. Is this possible and a reasonable guess?

Main question: if there are safe and unsafe versions of iLivid, how can I infect my system with iLivid?

2) Is it natural for malware to behave differently depending on the context? Because when I looked at the reports, a wide variety of bad behavior was reported.

3) iLivid introduces itself as a product of Banadoo media inc. There are some other apps that introduce themselves as products of this company. I have not found anything about this company. All apps from this company are ill-reputed and suspicious in the reports. I think it is just a nominal company. Do you know anything about this company?

4) When I run Babylon and IDM.exe while iLivid is running, iLivid loads two unrelated .dll modules, one from Babylon, which is Captlib.dll, and another from IDM.exe, which is dmmkb.dll. I don't know how to analyse this behaviour. Please help if you can!

iwaseatenbyagrue • 3,631 • 1 • 12 • 24

1 Answer


Several sites classify iLivid as a PUP rather than outright malware. The definition in part reads:

Such software may use an implementation that can compromise privacy or weaken the computer's security. Companies often bundle a wanted program download with a wrapper application and may offer to install an unwanted application, and in some cases without providing a clear opt-out method.

Your statement of "I can say I didn't see any malicious behavior." seems unusual - I found a number of reports from late 2016 that indicates a homepage redirect and toolbar install were to be expected.

The reports also suggest a keylogger has been known to be dropped with iLivid, and your mentioning finding Captlib.dll would, prima facie, seem suggestive this happened on your system - it may be at the time you installed, iLivid was focused on stealth (although given their ad-related income model, that seems a little unusual).

If I were you, I think I would consider running a packet capture looking for automated activity, and notably, for C&C/exfiltration activity. You may find it easiest to do a first run with something like Cuckoo Sandbox, as a means of testing whether you can replicate the reports that got you curious in the first place.

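The packet-capture check the answer recommends, as an added example that is not part of the original post or of any tool named in it: once the connections from a capture or sandbox run have been reduced to (timestamp, process, destination, port, bytes out) records, two simple statistics separate "automated activity" from ordinary browsing. Nearly constant inter-arrival times between a process and one destination (a low coefficient of variation) look like a scheduled check-in, and a flow whose outbound byte total is far above everything else looks like an upload worth explaining. The connection log below is constructed for the example (RFC 5737 documentation addresses, illustrative process names), and the thresholds are assumptions to tune per host.

```python
"""Flag beacon-like periodic connections and bulk outbound transfers in a
connection log extracted from a packet capture or sandbox network report."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not a real capture). Each record is
# (timestamp_seconds, process_name, destination_ip, destination_port, bytes_out).
# IPs are RFC 5737 documentation addresses; process names are illustrative.
SAMPLE_CONNECTIONS = [
    # check-ins roughly every 60 s with small jitter: beacon-like
    (0.0,   "ilivid.exe",  "203.0.113.5",  443, 512),
    (60.4,  "ilivid.exe",  "203.0.113.5",  443, 520),
    (119.8, "ilivid.exe",  "203.0.113.5",  443, 498),
    (180.2, "ilivid.exe",  "203.0.113.5",  443, 515),
    (240.1, "ilivid.exe",  "203.0.113.5",  443, 505),
    # one large outbound transfer to a second host
    (300.0, "ilivid.exe",  "198.51.100.9", 8080, 4_200_000),
    # browser traffic: irregular timing, modest volume
    (3.0,   "firefox.exe", "192.0.2.10",   443, 900),
    (7.5,   "firefox.exe", "192.0.2.10",   443, 1400),
    (45.0,  "firefox.exe", "192.0.2.10",   443, 700),
    (46.2,  "firefox.exe", "192.0.2.10",   443, 300),
    (200.0, "firefox.exe", "192.0.2.10",   443, 2500),
]


def group_flows(records):
    """Group records by (process, destination, port) -> list of (ts, bytes_out)."""
    flows = defaultdict(list)
    for ts, proc, dst, port, nbytes in records:
        flows[(proc, dst, port)].append((ts, nbytes))
    return flows


def interval_stats(timestamps):
    """Return (mean_interval, coefficient_of_variation) of the gaps between
    consecutive timestamps, or None when fewer than two gaps exist."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg <= 0:          # duplicate timestamps; nothing periodic to measure
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(records, min_events=4, max_cv=0.1):
    """Flows with at least min_events connections whose inter-arrival times are
    nearly constant (low coefficient of variation) look like automated check-ins.
    Browsing produces bursty, irregular gaps and a high CV."""
    hits = []
    for (proc, dst, port), events in group_flows(records).items():
        if len(events) < min_events:
            continue
        stats = interval_stats([ts for ts, _ in events])
        if stats is None:
            continue
        avg, cv = stats
        if cv <= max_cv:
            hits.append({"process": proc, "destination": f"{dst}:{port}",
                         "events": len(events), "mean_interval_s": avg, "cv": cv})
    return sorted(hits, key=lambda h: h["cv"])


def find_bulk_uploads(records, threshold_bytes=1_000_000):
    """Flows whose total outbound byte count exceeds threshold_bytes, largest first."""
    totals = {key: sum(n for _, n in events)
              for key, events in group_flows(records).items()}
    return sorted(((p, d, port, total) for (p, d, port), total in totals.items()
                   if total > threshold_bytes), key=lambda t: -t[3])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_CONNECTIONS):
        print(f"beacon-like: {hit['process']} -> {hit['destination']} "
              f"every {hit['mean_interval_s']:.1f}s (cv={hit['cv']:.3f}, n={hit['events']})")
    for proc, dst, port, total in find_bulk_uploads(SAMPLE_CONNECTIONS):
        print(f"bulk upload: {proc} -> {dst}:{port} {total} bytes out")
```

The beacon test deliberately ignores destination reputation and payload content, so a hit is only a lead: confirm it by correlating the flagged flow with the process start time, with what the sandbox report shows the process doing at each interval, and with whether the same destination appears when the program is installed from a different source, which is the comparison the question is really after.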