Second Life BCU Phishing Exploit

There are numerous exploits used in Second Life™. YouTube has a series of videos titled ‘What is Second Life?’ or ‘This is Second Life,’ with links to download the program. Some of the videos are obvious crap and others are pretty good and look enticing. I suspect those are plays on the current popularity of VR and HMD as they are recent.

Lost Eden 2014

Many of these lead to pirate download links. I am betting the viewer one gets is a basic password/account stealer.

Today I see the United Content Creators of SL has issued a warning in Second Life™ about BCU.exe. I think this is also known as the Browser Configuration Utility. If so, it has been around since 2010 in a couple of forms and most anti-virus software is aware of it. But, run from inside the viewer, which you have given permissions to, it can circumvent your anti-virus software. 

BCU’s main purpose seems to be to allow pesky advertisers to take over your browser and set it to use their search engine and show their ads. There are probably worse uses of it. In SL it appears to be used to steal passwords.

Links in people’s profiles are linking to the malware version of this program. Media on a Prim and streaming media also link to the file. So, be careful what links you click in SL, as always.

A new and unusual method of contagion is bots wearing transparent streaming media links to the file. If you have auto-play for attachments turned on, they get you. So, turning off auto-play for attachments is a safety precaution. (Me > Preferences [or Ctrl-P] > Sound & Media: disable ‘Allow Media to auto-play’ and ‘Play Media attached to other avatars’.)

Apparently an infected viewer can take longer to open, forget your login information, and bring up the EULA or TOS agreement. If you see this happen, open the Windows Task Manager and look for BCU.exe or BCUService.exe. Kill either or both of those processes.

If you had the problems described above, go to the site and in your dashboard change your password. Do that as quickly as you can. You probably should do that as soon as you find BCU on your computer and before doing anything else. Once you get things cleaned up, change your password again.

Whether to remove BCU or not is not a straightforward decision. Some motherboard manufacturers bundle the program with their driver install software so they can configure your browser as an OEM type branding. So, it has legitimate uses. But, it is a risky program and can be abused. As it has legitimate uses, it seems many anti-virus programs are a bit soft on it.

Some malware appropriates the file name to get in under the radar. Check the file size and digital signature of each copy. This will tell you if you have a Trojan or the risky but legitimate program. If you have the legitimate one and no problems, I suggest leaving it in place. But, if you have problems or doubts, remove it as this is not an essential program.
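
The Task Manager and file checks described above, as an added PowerShell example (not part of the original post): it lists every running or on-disk BCU.exe / BCUService.exe with its size, SHA-256 and Authenticode signature status. The search folders are an assumption, and since the post gives no known-good size or signer, the output is for you to compare against the vendor's own details.

```powershell
# Added example: inventory the file names mentioned in the post.
$names = 'BCU.exe', 'BCUService.exe'

# 1. Running processes with those image names.
#    ExecutablePath can be empty when not run as administrator.
$filter  = ($names | ForEach-Object { "Name='$_'" }) -join ' OR '
$running = @(Get-CimInstance Win32_Process -Filter $filter |
    Where-Object ExecutablePath |
    Select-Object -ExpandProperty ExecutablePath)

# 2. Copies on disk. Assumption: these common install/user folders are
#    the places worth searching; add other roots or drives as needed.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData,
           $env:LOCALAPPDATA, $env:APPDATA) |
    Where-Object { $_ -and (Test-Path $_) }
$onDisk = @(Get-ChildItem -Path $roots -Include $names -File -Recurse -Force `
        -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName)

# 3. Size, hash and signature for every distinct path found.
$report = (@($running) + @($onDisk)) | Sort-Object -Unique | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_
    [pscustomobject]@{
        Path      = $_
        Running   = $running -contains $_
        SizeBytes = (Get-Item -LiteralPath $_ -Force).Length
        SHA256    = (Get-FileHash -LiteralPath $_ -Algorithm SHA256).Hash
        SigStatus = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject   # empty when unsigned
    }
}

if ($report) {
    $report | Format-List
} else {
    'No BCU.exe or BCUService.exe found in the searched locations.'
}
```

A copy that is unsigned, has a signature status other than Valid, or sits in a user-writable folder deserves the most suspicion.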

To remove it, first look in your Control Panel’s Programs section and see if it is listed. If so, do the uninstall from there. (Start > Control Panel > Add/Remove programs > Browser Configuration Utility) If not, search your hard drive and delete all files with those names. Run a virus scan.
