Could official Beijing 2008 Olympics screensavers contain malware? (update)

(UPDATE: In two words, probably not. It appears that the files currently being served from the Olympics 2008 website likely do not contain malware. However, one aspect of the testimonial below still can't quite be explained. Detailed findings at the end of this post, from a security researcher who kindly looked into this for us. -- XJ)

Continuing in the thread of China/Tibet/malware-related posts, Boing Boing reader Bruce tells us:

I'm a Systems Administrator at a large university and I think I may have found something important. I'm not sure, but I think it is worth reporting. One of my friends said that it would be a good idea maybe to post this information somewhere that is popular, like boing boing.

I'm a big olympics fan so I often check the official Beijing 2008 olympics page.

One of the sections is called the "fun page."

This page has wallpapers and screensavers for your computer. I have reason to believe that the screensavers are keystroke logging programs hidden inside the Flash animation.

On my Windows XP workstation, I run Symantec Corporate Anti-virus, Zone Alarm Pro, as well as Spybot manually. I do many scans and security checks to make sure that my computer is never infected or compromised because of the type of work that I do.

Today I put on a wallpaper and installed one of the screensavers. The one I installed is called "The Spring of Beijing". It is a Flash-based screensaver.

I set my screensaver to autolock the console so when it is running, you have to type in a password to unlock the screen. I had left my workstation unattended to do some work on another computer and when I came back to my computer, the screensaver was active and running. Normally, I just hit a key or move my mouse and the screensaver stops and then the login prompt appears requesting my password. However, this time the screensaver was still running, but I could not interrupt it. So I did a Ctrl-Alt-Del to stop the screensaver and I noticed that my Zone Alarm had gone off. A message balloon came up saying that the FlashForge Screensaver has a keylogger type program running and it had blocked access to the internet.

Then I thought -- how clever. You have to type in your password to disable the screensaver, so basically it was sending the password and other information somewhere.

I did an anti-virus scan with the latest defs and a spybot scan with the latest updates, but it did not detect anything. I am not a Flash programmer so I really can't validate my findings. I figure there are probably thousands of people who have downloaded this screensaver, and if they are not running some type of security program such as Zone Alarm Pro, it would go completely unnoticed and undetected. I am hoping that you guys might know someone who could dissect the screensaver and validate my findings. I hope that I am wrong about this, but somehow I feel that my finding is correct. I just don't know enough about Flash programming to investigate it further.

Someone with some time might be able to set up a computer on an isolated network and monitor packets coming from a Win XP Pro computer with that screensaver installed to see what the heck it is doing. I normally don't get excited about things like this, but I thought it may be too important to just ignore.

Regarding the broader trend of malware and trojans which are attached in some way to politically-charged memes or spoofed origins, Infowar Monitor editor Greg Walton (whose related account I just blogged here) adds:
Such tactics are not only political weapons. The start of the Beijing Olympics last week kicked off a slew of malicious internet activity. Some are relatively indiscriminate – using malicious software embedded in innocent websites, often of news organisations with audience numbers boosted by their sports coverage, which then infects the visitor's computer. Some are more sophisticated.

MessageLabs, a security company, detected a bogus email sent to at least 19 national sporting organisations that purported to be International Olympic Committee information on media plans for the Games, but was actually carrying a trojan which takes control of the PC and scans all files and networks to steal information.

See this related news story in the Independent.

Related: Update on China/Tibet cyberattacks (and Russia/Georgia), and call for testimonials.

UPDATE: Security researcher Maarten Van Horenbeeck, who is based in Belgium, looked at the file and website in question for us, and says:
Actually, after a Flash is converted with FlashForge, it is turned into a regular binary with SCR extension, so it's not really Flash anymore.

I downloaded the screensaver from the URL Bruce listed, and installed it on a test system. The file itself does not appear to contain anything malicious. What I believe has happened is that because the binaries themselves are packed (the installer with a really rare program, and the screensaver itself with Armadillo), the behavioral detection solution he used triggered "earlier" than usual on the key logging code. Generally, these solutions maintain a score per process, and if a minimum score is exceeded, alerts start getting triggered. Packed binaries generally increase the score quite a bit. The key logging code itself may as such have been relatively benign and consist of a typical screensaver function call.

What I cannot explain, though, is the blocked connection. The binary which I received when downloading The Spring of Beijing at about 23h00 PST this evening, did not make a connection out at any point in time. Either this was caused by another process, or Bruce may have received another binary (for one or the other reason, which can include just about anything from the site having been compromised to DNS spoofing at his ISP or just a false positive of his anti virus, ...).

The screensaver as currently served from the site is not malicious.
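The scoring behaviour the researcher describes above (a per-process score, a threshold, and a large bump for packed binaries) is easy to see in miniature. The following is an added illustration, not code from the post, the researcher, or any firewall vendor: the weights, the threshold, the entropy cut-off and the event names are all constructed for the example. It shows why a packed screensaver that merely installs a keyboard hook to catch the "press a key to exit" event can cross the alert line before it does anything network-related, while the same behaviour from an unpacked binary does not.

```python
import math
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical heuristic weights and threshold (constructed for this example;
# no real product's values are implied).
WEIGHTS = {
    "packed_image": 40,       # executable image looks runtime-packed (high entropy)
    "keyboard_hook": 35,      # process installed a global keyboard hook
    "outbound_connect": 30,   # process opened a network connection
}
ALERT_THRESHOLD = 60
PACKED_ENTROPY_CUTOFF = 7.2   # bits per byte; assumption, typical of packer heuristics


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(image: bytes) -> bool:
    """Crude packer check: compressed/encrypted sections have near-uniform bytes."""
    return shannon_entropy(image) >= PACKED_ENTROPY_CUTOFF


@dataclass
class ProcessScore:
    name: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)
    alerted_at: Optional[str] = None   # first event that pushed score over the line

    def observe(self, event: str) -> None:
        self.score += WEIGHTS[event]
        self.reasons.append(event)
        if self.alerted_at is None and self.score >= ALERT_THRESHOLD:
            self.alerted_at = event


def score_process(name: str, image: bytes, events: List[str]) -> ProcessScore:
    """Score a process: static packing signal first, then runtime events in order."""
    p = ProcessScore(name)
    if looks_packed(image):
        p.observe("packed_image")
    for ev in events:
        p.observe(ev)
    return p


# Constructed sample images: one byte-uniform (entropy exactly 8.0, as a packed
# section would look), one mostly repetitive text (low entropy).
PACKED_IMAGE = bytes(range(256)) * 16
PLAIN_IMAGE = b"MZ" + b"\x00" * 100 + b"screensaver text" * 200

if __name__ == "__main__":
    # A screensaver only needs a keyboard hook to notice "any key" and exit;
    # the packed variant alerts on that alone, the plain one does not.
    for label, image in (("packed.scr", PACKED_IMAGE), ("plain.scr", PLAIN_IMAGE)):
        p = score_process(label, image, ["keyboard_hook"])
        print(f"{label}: score={p.score} reasons={p.reasons} alerted_at={p.alerted_at}")
```

The point to take from the two runs is that the alert is triggered by the sum of weak signals, not by a positive finding of exfiltration; a blocked connection reported at the same moment may simply be the product's response to crossing the threshold rather than evidence that a connection attempt was ever made.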


  1. “I run Symantec Corporate Anti-virus, Zone Alarm Pro, as well as Spybot manually”

    sadly I know this kind, those people will scream IMA BEING HAXORED when zone alarm detects a ping from outside world. Just ignore this article :(.

  2. Re: not being able to explain the network connection block.

    I’m not a Zone Alarm user or expert, my professional computing work being done on a z/OS mainframe, but I’d like to offer what I feel is a rational explanation.

    Keyloggers want to send your keystrokes to a malicious entity. If a keylogger is detected, a rational response would be to shut down the means of doing so (the network connection) to try to prevent that from happening.

    In other words, my guess is that Zone Alarm closed the network connection to prevent the suspected keylogger from sending the keystrokes anywhere.

  3. Don’t you all see, it’s all true. The whole Beijing Olympics are a front to spread communism and bring about the fall of the west. It all starts with the triple jump and sporting humiliation. The third reich did it exactly the same way.

  4. Considering recent history, I don’t think this was an overly unwarranted reaction. Sometimes the internet really IS out to get you. But really, should any computer connected to the internet or left unguarded be considered truly secure?

  5. This is not only alarmist, bt bt xnphbc, myb rcst nd dfntly prnd. I’m sure other Flash-based screensavers result in the same Zone Alarm going all Chicken Little on you. But that’s not mentioned until the update.

    Rlly dsppntng. Let’s calm down a bit until this stuff can be proven and not feed the flames of B.S.

  6. Greetings

    Given the recent history of cyber attacks as war by other means, commenters are a bit too quick with dismissal of possible malware.

    And it really is 1936 all over again, so I guess mark me down as unimpressed by a terror regime painting the prison walls with flowers for the IOC.

  7. Bryan @5, puh-leeze. This is not in the Mall Ninja’s class. The author of the original article was reacting to real events, and tried to assess the actual threat level. By this time, the Mall Ninja would have sent the Chinese government a formal declaration of war.

    Absent @9, you left out the part about the former head of the Council on Foreign Relations being in bed with the Chinese.

    Jack @11, “alarmist” is arguable, but I don’t see any evidence of racism or xenophobia.

    Warlord @15, what is there about “please don’t use .sig lines” that you find so difficult to understand?

  8. @ #11 Jack, perhaps you — and any others who felt this was alarmist — would have reacted differently if I’d combined this and the immediate post which preceded it in this same topic, all into one post. I’d just blogged about very real in-the-wild (and innovative) uses of malware by do-no-gooders within China.

    There is absolutely a huge boom right now in malware related to the China/Tibet conflict, and also Russia/Georgia. Some may be linked to official sources, but a lot is not.

    These two posts were intended as a sober, non-hysterical evaluation of what some of the most recent examples are, and the questions some folks on the other end are asking when they experience anomalies during a time when greater caution in some situations is totally warranted.

    The headline is a question, it presents a user’s testimonial, and within about 30 minutes, a counter-analysis (which would have been posted at the same time, but I was waiting for permission to publicly identify the researcher).

    I know it’s fun to say “girls don’t know anything about this stuff,” or “you’re being hysterical” but I don’t feel like that would be a fair criticism here.

    A hysterical post from me typically starts with the headline ZOMGZOMG KOMUNIST CHINA IZ EATIN THA BABIES IN OUR LAPTOPS RUN FOR YR LIVES ZOMG!!!!111 DIEEE!!!.


  9. I don’t see any evidence of racism or xenophobia

    The xenophobia and possible racism I’m bringing up comes from the inherent fact that if this was not related to China, I do not think you’d be seeing the over-reaction and over-analysis of the supposed incident in question. BoingBoing is a U.S. based blog whose reporters are non-Chinese and mostly caucasian. Perhaps this is being oversensitive, but seriously would this be reported if it was a Flash screen saver for a U.S. baseball team?

    Yes, malware is a plague. And malware should be brought to light, but I think it’s the job of anyone reporting on this to downplay risk until facts can be confirmed. The headline implying malware from the get-go is the real issue. Perhaps something more along the lines of “What’s Up With Beijing 2008 Screen Savers?” would be more appropriate. Pointing to the original blog post that inspired this post as the root of the confusion shuns responsibility. As an aggregator blog that filters through others and rises above the fray, BoingBoing should not fall prey to petty alarmism.

    1. BoingBoing should not fall prey to petty alarmism.

      I’ve always felt that it pays to call the Fire Department when you smell smoke rather than wait until you see flames. It’s a truth universally acknowledged that the Olympics are early Christmas for purveyors of malware. How many people log onto that site? How many of them assume that it couldn’t possibly be anything but perfectly maintained? How many of them thought that that little girl was actually singing at the opening ceremonies?

      So it’s probably a false alarm. Better that than a million infected computers.

  10. you have no ground under your feet Jack, China warrants suspicion at this time for good and obvious reason.

  11. Jack, don’t you know the first rule of journalism: Bad = News, Good = Snooze. It’s better to grab people with a maybe-true headline that will draw you in. And often people respond with more interest when the headline has some Bad in it. “Mal-ware” is a perfect example.

  12. The discussion of malware in this post and the one immediately preceding it is not racially motivated. There is ample factual evidence to support the notion that there is a high spike in China/Tibet related malware and other internet malfeasance right now, same goes for Russia/Georgia.

    I think you’re reaching for an argument that is not supported here.

  13. That’s the newest plan of the Pinky and the Brain to conquer the world.

    -What are we going to do tonight, Brain?-
    -The same thing we do every night, Pinky: try to take over the world!-
    -Troz! And how do you plan to do it, Brain? Poink!-
    -By infecting every computer in the world with a screensaver downloaded from the Olympics website, Pinky.-

  14. “”I’m a Systems Administrator””….
    Followed closely by “”On my Windows XP workstation, I run Symantec Corporate Anti-virus, Zone Alarm Pro,””

    Oh Dear God. For the first time in my life I have been moved to fire up I.E, create a throw away email addy all just to sign up and say –

    “’nuff said”.

    Jeeezus wept, as did I… “”I’m a Systems Administrator”” err… no you ain’t my script kiddie friend.

    Not faulting him for his observations nor for reporting it (err, to boing-boing though?) because “a friend said I should”. Err ok, maybe enough ragging on the kid.

    Seriously though – is this the level of “sys admins” that we have been reduced to? Maybe he should have called Mumbai first and gotten asked if “re-booting the router / printer / camera / i-Mac” etc helped.

    End of Rant.

    1. For the first time in my life I have been moved to fire up I.E, create a throw away email addy all just to sign up

      Well that certainly inclines me to gaze dewy-eyed on your prose. Perhaps you’d care to offer some credentials to go with that bowl of bile. I mean, you’ve gone to all the trouble to create a throw-away e-mail so that you could become an anonymous expert. Why stop there?

  15. Hagbard, it’s a great big heap o’ fail to call someone a luser, but neglect to specify who you have in mind.

    Jack @19, if you were a Warner cartoon character, you’d be standing on air. Don’t look down. Instead, go back and read Xeni’s comment @17, and her previous post on this subject. Chinese malware is real, and a problem.

    Anonymous @24, to victory!

    ODG @25: You know, it’s kinda boring to watch computer guys whup out their respective expertise and compare sizes.

  16. Teresa

    Yes, sorry. I should have used quotes to indicate that I was satirizing the slashdot style of commenting, and not myself calling anyone a l-s-r.

    And I was, to clarify, replying to Jeff in regards to ODG’s comments.

    Teresa, I’ve never really had major issues with moderation on BoingBoing, but I think the behavior of you and Xeni in this thread highlights the worst aspects of overbearing moderation.

    The initial issue is basically, BoingBoing was caught with its pants down by practically posting verbatim a detailed—but zero depth—report of someone who barely understands the concept of malware when they state:

    On my Windows XP workstation, I run Symantec Corporate Anti-virus, Zone Alarm Pro, as well as Spybot manually.

    As someone who works on machines daily, I can honestly say this qualification is hilarious. Desktop based scanners are notoriously paranoid and notoriously throw up red flags based on not much. Anyone doing any level of tech work for at least a month knows that the second a red flag is raised isn’t the second to claim there’s an issue.

    I’d like to think the tech-savvy BoingBoing know better than to echo statements based on that, but hey. We’re human right?

    And as far as admin/mod issues go, this echoes a very similar issue many folks had with the high-profile “incident that shall not be named” that happened previously on BoingBoing earlier this summer. An issue in verifiability and honesty comes up, instead of coming clean, admins point fingers while silently “massaging” content and in the end attempt to get away with not simply admitting their errors.

    Specific to this post, the comment #17 left by Xeni was edited after the fact at least once. The very last line that begins “A hysterical post…” was not there in the first version I saw of her response. It was edited after the fact. And it’s a tad disturbing.

    Anyone writing for BoingBoing has the ability to correct/edit their main post. That’s cool and acceptable netiquette. I accept the fact I am but a lowly commenter. But when the author of the post then edits their own personal comments connected to the thread… That’s taking advantage of abilities regular commenters don’t have.

    C’mon folks. You are an alpha blog and have great content. Why not just engage in the same kind of transparency that BoingBoing seems to demand of others. It’s really disappointing to see folks who are bastions of freeness and openness not act the way they demand of others.

    And we can agree to disagree about the Chinese malware issue, but my stance is simple: China is not the only country engaged in this kind of stuff and most people already know about China’s questionable tech culture. So in my mind, the issue of Chinese malware is not news unless it can be verified; anyone visiting a Chinese site knows to watch out for falling malware. Why not sit and wait and then post when it can be verified?

  18. Jack, you miss the point. I even feel it possible that you are constitutionally incapable of seeing the point. No one can change your mind but you. All well and good, we all are who and what we are. I do clearly say though that you are verging on trespass against the honour of others here.

  19. It’s really disappointing to see folks who are bastions of freeness and openness not act the way they demand of others.

    Sure Jack, but (no offense intended) it’s also disappointing to see intelligent people be pedantic toolbags.

    You see what I did there?

  20. ..anyone visiting a Chinese site knows..

    Which is, of course, why we’ve completely eradicated malware and viruses in 2008.

    Go Team!

  21. @#35 POSTED BY TAKUAN:

    Jack, you miss the point. I even feel it possible that you are constitutionally incapable of seeing the point.

    It’s hard to tell your ironic posts from non-ironic posts and to understand what you’re actually saying or if you’re just trying to stir the pot.

    The point is simple: If somehow this same panic existed on another blog, others would call it out for what it is. As it stands, “…the mob has spoken.”

  22. panic? Dismissing most around you as “the mob”? Have I impressed you in the past with my slavish following of the herd? Reconsider, Jack, reconsider.

  23. To state there should be no panic is irrelevant. It is not xenophobic, or racist, or alarmist.

    No one stated that China is the only country that produces malware. In fact there is nothing in that article that is racist or xenophobic against china. Only the comment posters claimed that.

    The reality is that China has long been accused and proven to have developed malicious websites, spread malware, as well as direct hacking into government departments like the pentagon. People have forgotten that last June 2007, the US defense department was hacked by the Chinese and the Pentagon had to shut down the defense secretary Robert Gates’ network. Just recently the US secret service has uncovered a huge global credit card theft ring that leads from Miami to eastern Europe and China. So, when software created in China exhibits strange behaviors, it is normal to question that behavior.

    The number of malicious websites is increasing. Some websites are using the same malicious code as defense mechanisms. Whether this is legal is not to be debated here, but there is this trend.

    For example, this particular website uses a very obscene (age 18+ years only), very graphic, yet effective means to prevent users from snooping around their website
    Such code can be easily replicated, and modified, and utilized in other ways.

    At Defcon 16, Radware presented “Jinx”, which is JavaScript based, OS independent and can take over machines using the Mozilla Firefox browser pre-release 3. They are currently investigating MSIE.

    Regarding the article, Was it racist? No. Was it Xenophobic? No. Was it alarmist? No. Was it panic driven? No.

    Was the article a way to show the world the pedantic comments generated by over-reacting self-proclaimed computer experts who don’t believe in the existence of viruses, firewalls, malware, and malicious websites? Yes.
