Could official Beijing 2008 Olympics screensavers contain malware? (update)

(UPDATE: In two words, probably not. It appears that the files currently being served from the Olympics 2008 website likely do not contain malware. However, one aspect of the testimonial below still can't quite be explained. Detailed findings at the end of this post, from a security researcher who kindly looked into this for us. — XJ)

Continuing in the thread of China/Tibet/malware-related posts, Boing Boing reader Bruce tells us:

I'm a Systems Administrator at a large university and I think I may have found something important, but not sure, but I think it is worth reporting. One of my friends said that it would be a good idea maybe to post this information somewhere that is popular, like Boing Boing.

I'm a big Olympics fan so I often check the official Beijing 2008 Olympics page.

One of the sections is called the "fun page."

This page has wallpapers and screensavers for your computer. I have reason to believe that the screensavers are keystroke logging programs hidden inside the Flash animation.

On my Windows XP workstation, I run Symantec Corporate Anti-virus, Zone Alarm Pro, as well as Spybot manually. I do many scans and security checks to make sure that my computer is never infected or compromised because of the type of work that I do.

Today I put on a wallpaper and installed one of the screensavers. The one I installed is called "The Spring of Beijing". It is a Flash-based screensaver.

I set my screensaver to autolock the console so when it is running, you have to type in a password to unlock the screen. I had left my workstation unattended to do some work on another computer and when I came back to my computer, the screensaver was active and running. Normally, I just hit a key or move my mouse and the screensaver stops and then the login prompt appears requesting my password. However, this time the screensaver was still running, but I could not interrupt it. So I did a Ctrl-Alt-Del to stop the screensaver and I noticed that my Zone Alarm had gone off. A message balloon came up saying that the FlashForge Screensaver has a keylogger type program running and it had blocked access to the internet.

Then I thought — how clever. You have to type in your password to disable the screensaver, so basically it was sending the password and other information somewhere.

I did an anti-virus scan with the latest defs and a Spybot scan with the latest updates, but it did not detect anything. I am not a Flash programmer so I really can't validate my findings. I figure there are probably thousands of people who have downloaded this screensaver, and if they are not running some type of security program such as Zone Alarm Pro, it would go completely unnoticed and undetected. I am hoping that you guys might know someone who could dissect the screensaver and validate my findings. I hope that I am wrong about this, but somehow I feel that my finding is correct. I just don't know enough about Flash programming to investigate it further.

Someone with some time might be able to set up a computer on an isolated network and to monitor packets coming from a Win XP Pro computer with that screensaver installed to see what the heck it is doing. I normally don't get excited about things like this, but I thought it may be too important to just ignore.

Regarding the broader trend of malware and trojans which are attached in some way to politically-charged memes or spoofed origins, Infowar Monitor editor Greg Walton (whose related account I just blogged here) adds:

Such tactics are not only political weapons. The start of the Beijing Olympics last week kicked off a slew of malicious internet activity. Some are relatively indiscriminate – using malicious software embedded in innocent websites, often of news organisations with audience numbers boosted by their sports coverage, which then infects the visitor's computer. Some are more sophisticated.

MessageLabs, a security company, detected a bogus email sent to at least 19 national sporting organisations that purported to be International Olympic Committee information on media plans for the Games, but was actually carrying a trojan which takes control of the PC and scans all files and networks to steal information.

See this related news story in the Independent.

Related: Update on China/Tibet cyberattacks (and Russia/Georgia), and call for testimonials.

UPDATE: Security researcher Maarten Van Horenbeeck, who is based in Belgium, looked at the file and website in question for us, and says:

Actually, after a Flash is converted with FlashForge, it is turned
into a regular binary with SCR extension, so it's not really Flash anymore.

I downloaded the screensaver from the URL Bruce listed, and installed it on
a test system. The file itself does not appear to contain anything
malicious. What I believe has happened is that because the binaries
themselves are packed (the installer with a really rare program, and the
screensaver itself with Armadillo), the behavioral detection solution he
used triggered "earlier" than usual on the key logging code. Generally,
these solutions maintain a score per process, and if a minimum score is
exceeded, alerts start getting triggered. Packed binaries generally increase
the score quite a bit. The key logging code itself may as such have been
relatively benign and consist of a typical screensaver function call.

What I cannot explain, though, is the blocked connection. The binary which I
received when downloading The Spring of Beijing at about 23h00 PST this
evening, did not make a connection out at any point in time. Either this was
caused by another process, or Bruce may have received another binary (for
one reason or another, which can include just about anything from the site
having been compromised to DNS spoofing at his ISP or just a false positive
of his antivirus, …).

The screensaver as currently served from the site is not malicious.
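
The per-process scoring described in the researcher's note above, as an added sketch that is not from the original post or from any vendor's product. The weights, threshold, event names and file names are assumptions chosen only to show how a packed binary can cross the alert threshold on behaviour that an unpacked one performs without an alert.

```python
from collections import defaultdict

# Hypothetical weights and threshold, for illustration only; real products
# do not publish theirs.
WEIGHTS = {
    "packed_image": 40,       # executable image is packed/protected
    "keyboard_poll": 35,      # polls or hooks keyboard input
    "net_connect": 30,        # opens an outbound connection
    "fullscreen_window": 5,   # covers the whole desktop
}
ALERT_THRESHOLD = 70


def first_alerts(events):
    """Return {process: event} naming the event that first pushed each
    process's running score to or past ALERT_THRESHOLD."""
    scores = defaultdict(int)
    alerts = {}
    for process, event in events:
        scores[process] += WEIGHTS.get(event, 0)
        if process not in alerts and scores[process] >= ALERT_THRESHOLD:
            alerts[process] = event
    return alerts


# Constructed event streams (hypothetical file names): two screensavers with
# the same runtime behaviour, only one of which ships packed.
PACKED = [
    ("spring.scr", "packed_image"),
    ("spring.scr", "fullscreen_window"),
    ("spring.scr", "keyboard_poll"),
]
UNPACKED = [
    ("plain.scr", "fullscreen_window"),
    ("plain.scr", "keyboard_poll"),
]

if __name__ == "__main__":
    # The packed binary alerts on the keyboard poll; the unpacked one stays quiet.
    print("packed:  ", first_alerts(PACKED))
    print("unpacked:", first_alerts(UNPACKED))
    # The unpacked binary only reaches the threshold after a further event.
    print("unpacked + connect:",
          first_alerts(UNPACKED + [("plain.scr", "net_connect")]))
```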