
Update: today I found some decisive evidence on its misbehaviour. Sandbox analysis from VirusTotal on its installer reports video capturing capability using webcam.

See the link to its analysis here.


I recently found that a proxy program (Clash for Windows) that I installed on my Windows PC always links to DLLs that are unrelated to its function.

It has DLLs of FFmpeg, DirectX, OpenGL, and Vulkan in its installation directory. And through Process Explorer, I confirmed that it indeed loads such DLLs (Always FFmpeg, but not always all of the other three).


As I mentioned, it should only serve as a proxy program, and the only legitimate reason (that I can think of) why it loads the DLLs of low-level graphics APIs is for hardware acceleration of its UI -- but I have not found related settings in it. Most importantly, I cannot think of a reason to justify its loading FFmpeg.

FFmpeg is known to be able to stream videos to a remote client, and I suspect that the program is spyware -- that it uses the low-level Graphics APIs to capture the screen and stream it via FFmpeg.

That of course is my speculation. So my questions are,

  1. Can the DLLs it loaded be used in other legitimate ways that I have not thought of?
  2. Is there any way to investigate it further to obtain decisive evidence on its being spyware?
  3. The program has only run as a Normal User on my PC. If it was indeed spyware, how much damage could it have caused, and how could I possibly mitigate the damage (e.g. what kinds of backdoors could it have left as a Normal User)?

I sincerely appreciate any insight you provide and your time in advance.

  • Since anti-virus programs usually do not protest against screen capturing, I want to ask about potential ways to investigate it further. Commented Jan 29 at 3:43
  • Check the file and/or the URL from where it was downloaded on VirusTotal.com, which checks against 70 or so anti-malware engines. It also evaluates PUPs, i.e., probably unwanted programs that might be adware, that might install undesired apps, etc. Commented Jan 29 at 4:09
  • @DrMoishePippik I already submitted its hash through Process Explorer to VirusTotal, and got (see the screenshot) 1/74 positive (which one basically said heuristics decided that the program could be a trojan). That's useful, but isn't decisive enough. Commented Jan 29 at 8:08
  • Clash is NOT OPEN SOURCE, and nobody knows who its developers are! I would be extremely wary, as it could send your network traffic anywhere. Better choose an alternative which is open source. Here is a list: github.com/danoctavian/awesome-anti-censorship – 1NN Commented Jan 29 at 8:58
  • Clash for Windows is currently definitely not open source. The Ts&Cs on their web site have a section on "Use of software" which prevents redistribution and commercial use, which would not be valid in an open source licence. Moreover, there doesn't seem to be source code available, so even if it were mere "source available" code, there wouldn't be the option to audit it and build a known-clean version yourself. – James_pic Commented Jan 29 at 12:22

1 Answer


From the app's overall appearance in its official screenshots as well as the presence of en-US.pak and GPUCache in your DLL list (that is, not just "GPU cache" generally but that specific name), I am going to guess that the program's interface has been written in something that uses CEF (possibly Electron) – the former is "Chrome Embedded Framework", which is essentially just the Chrome web browser packaged into something that looks like an app, while Electron is CEF+NodeJS.

(It's an extremely popular option these days. For example, Discord uses CEF via Electron; VSCode and Steam use CEF directly; Dropbox uses CEF via QtWebEngine... that's why you run out of RAM.)

CEF being literally Chrome-in-a-box, the whole app interface is an HTML/CSS/JS "webpage" and it still has the same features that Chrome would normally have: the GPU-accelerated HTML rendering (with CSS shaders and other fancy stuff), the video playback support (Chrome uses FFMPEG for <video> tags), and so on.

It might not necessarily be the entire UI, however; there are also apps that just need to embed a web-view for some specific purpose (like a sign-in screen or a help document), and those will almost always end up using CEF through QtWebEngine or Microsoft's WebView2.

You can recognize CEF from the various .pak archive files that it uses for its internal assets; the folder named GPUCache is also a symptom of CEF usage. (At the moment, my user directory on Linux has twenty-four separate 'GPUCache' directories, each belonging to a different app that is either wholly CEF-based or just uses CEF for some specific purpose.)

  • This intelligence is really valuable to me. Thank you. In fact, I would rather hope this program is not spyware --- For some reasons I cannot say publicly, I have to use proxy programs to normally browse the Internet. This one was open source but got its repository deleted under intervention by some force. So I have to be careful lest its official website be tampered and malicious code be added to its binary. Commented Jan 29 at 8:13
  • @GuanyumingHe: If it were spyware, you could not determine that just from the DLL list. The issue is that it's already a VPN app, i.e. privileged by its nature; it has access to your network traffic as part of its function – meaning that it can already monitor and divert that traffic without any additional DLLs, just with small updates to its "core" tunneling code. (Not to mention, you're already allowing it to install its copy of the TAP driver, which is even more risky if you don't know where that came from – hopefully it's the official OpenVPN driver, at least.) Commented Jan 29 at 8:26
  • It can be used as a VPN, but I have been careful by never running it as Administrator (and used its installer to install only for me, which does not require Administrator privileges). This way it cannot install a virtual network adapter and cannot monitor all my traffic. I have only used it as a proxy relay. Considering this, I have been more sensitive to things that a normal user can also do --- so I asked this question when I found out it loaded FFmpeg libs. Commented Jan 29 at 8:43
  • Right, but even being a proxy relay still gives it direct access to traffic that you're sending through it... Commented Jan 29 at 8:46
  • Minor pedant note: VSCode still uses Electron, and as far as I can tell there are no current plans to move away from it. Meanwhile MSTeams did shift over to Edge WebView2 recently. – Bob Commented Jan 29 at 10:54
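The answer's heuristic (a Chromium-based UI explains the FFmpeg, ANGLE/OpenGL, DirectX and Vulkan libraries, and is recognisable from the .pak files and snapshot blobs next to the executable) can be turned into a small triage script. The following is an added example, not code from the question, the answer, or the Clash for Windows project. It applies that heuristic to an install directory listing and to a loaded-module list of the kind Process Explorer shows, then sorts the modules into "expected Chromium runtime", "Windows system", and "unexplained" so that only the last group needs manual attention. The table of Chromium/Electron file names is an assumption based on the standard Electron bundle layout, and the `ExampleProxy` install directory, file list and module list are constructed for illustration, not a real capture.

```python
"""Triage a Windows app's install files and loaded modules against the files a
Chromium-based UI (CEF or Electron) normally ships.  Added example; not code
from the question, the answer, or the Clash for Windows project.  All paths
and listings below are constructed, not captured from a real system."""
from pathlib import PureWindowsPath

# Files that a standard Chromium/CEF/Electron bundle ships beside its .exe.
# Assumed from the usual Electron layout; extend it for the app you inspect.
CHROMIUM_FILES = {
    "ffmpeg.dll": "Chromium media stack; backs <video>/<audio> playback",
    "libegl.dll": "ANGLE: OpenGL ES translated onto DirectX",
    "libglesv2.dll": "ANGLE: OpenGL ES translated onto DirectX",
    "d3dcompiler_47.dll": "DirectX shader compiler used by ANGLE",
    "vulkan-1.dll": "Vulkan loader for the Chromium GPU backend",
    "vk_swiftshader.dll": "SwiftShader software Vulkan fallback",
    "libcef.dll": "Chromium Embedded Framework core library",
    "chrome_elf.dll": "Chromium early-load/crash helper",
    "icudtl.dat": "ICU data used by the Chromium runtime",
    "snapshot_blob.bin": "V8 startup snapshot",
    "v8_context_snapshot.bin": "V8 context snapshot",
    "app.asar": "Electron application archive (the app's JS/HTML)",
}
WINDOWS_DIR = r"C:\Windows"


def _under(path: str, directory: str) -> bool:
    """Case-insensitive 'path lies inside directory' test on Windows paths."""
    prefix = directory.lower().rstrip("\\") + "\\"
    return path.lower().startswith(prefix)


def detect_ui_framework(install_files) -> str:
    """Classify an install listing as 'electron', 'cef', 'chromium-based'
    or 'unknown' from the .pak resources and renderer libraries present."""
    names = {PureWindowsPath(f).name.lower() for f in install_files}
    pak_count = sum(n.endswith(".pak") for n in names)
    renderer = names & {"ffmpeg.dll", "libcef.dll", "libegl.dll", "libglesv2.dll"}
    if pak_count < 2 or not renderer:
        return "unknown"
    if "app.asar" in names or "v8_context_snapshot.bin" in names:
        return "electron"
    if "libcef.dll" in names:
        return "cef"
    return "chromium-based"


def classify_modules(install_dir: str, loaded_modules) -> dict:
    """Bucket loaded modules; everything that is neither a known Chromium
    file inside the install dir nor a file under C:\\Windows is 'unexplained'.
    The Windows bucket is path-based only: verify signatures separately."""
    out = {"application": [], "chromium_runtime": [],
           "windows_system": [], "unexplained": []}
    for mod in loaded_modules:
        name = PureWindowsPath(mod).name.lower()
        if _under(mod, install_dir) and name in CHROMIUM_FILES:
            out["chromium_runtime"].append(name)
        elif _under(mod, install_dir) and name.endswith(".exe"):
            out["application"].append(name)
        elif _under(mod, WINDOWS_DIR):
            out["windows_system"].append(name)
        else:
            out["unexplained"].append(mod)   # keep full path for follow-up
    return out


# --- constructed sample data (hypothetical app, not a real capture) ---------
INSTALL_DIR = r"C:\Users\alice\AppData\Local\Programs\ExampleProxy"
INSTALL_FILES = [
    "ExampleProxy.exe", "ffmpeg.dll", "libEGL.dll", "libGLESv2.dll",
    "d3dcompiler_47.dll", "vk_swiftshader.dll", "vulkan-1.dll",
    "resources.pak", "chrome_100_percent.pak", "icudtl.dat",
    "v8_context_snapshot.bin", r"locales\en-US.pak", r"resources\app.asar",
]
LOADED_MODULES = [
    INSTALL_DIR + r"\ExampleProxy.exe",
    INSTALL_DIR + r"\ffmpeg.dll",
    INSTALL_DIR + r"\libEGL.dll",
    INSTALL_DIR + r"\libGLESv2.dll",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\d3d11.dll",
    r"C:\Users\alice\AppData\Local\Temp\helper.dll",   # loaded from a temp dir
    INSTALL_DIR + r"\unknown_helper.dll",              # not a Chromium file
]

if __name__ == "__main__":
    print("UI framework:", detect_ui_framework(INSTALL_FILES))
    buckets = classify_modules(INSTALL_DIR, LOADED_MODULES)
    for name in buckets["chromium_runtime"]:
        print(f"expected  {name:24} {CHROMIUM_FILES[name]}")
    for path in buckets["unexplained"]:
        print(f"CHECK     {path}")
```

On the constructed data the install listing comes out as Electron, the three renderer libraries land in the expected bucket, and only the temp-directory DLL and the unknown in-tree DLL are left for follow-up. Two caveats for real use: the "windows_system" bucket is decided by path prefix alone, so check Authenticode signatures (sigcheck, or `Get-AuthenticodeSignature` in PowerShell) on anything you rely on; and, as the comments above note, a clean module list says nothing about what a proxy does with the traffic it relays.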
