Friday, July 31, 2009

Windows System Suite

Windows System Suite is a new rogue (fake security software) from the same family as Windows Security Suite, Malware Destructor 2009, FastAntivirus,
MalwareCatcher, VirusShield, Extra Antivirus, Virus Sweeper, Ultra Antivir 2009, Virusdoctor, VirusMelt, VirusAlarm. Windows System Suite comes from fake online scanners and detects nonexistent malware to scare users into buying a license.

Thursday, July 30, 2009

Smart Protector

Smart Protector is a new rogue. The scanner database is 0 KB; even after a full update, the database remains empty.



smartprotectorpro.com (195.95.151.180)
gosmrtprt.com (195.95.151.181)
dlsmrtprt.com (195.95.151.182)
195.95.151.184 <- Update IP

Windows Antivirus Pro

Windows Antivirus Pro is fake security software (rogue). It displays fake alerts and modifies the desktop background. It also prevents the execution of binaries to scare users.



The new desktop background is a transparent picture with a "Danger!!! Your computer is INFECTED!" message, superimposed on the original background.

Tuesday, July 28, 2009

Privacy Center, Safety Center

Safety Center and Privacy Center are the new versions of Secret Service.





While running a scan, the tool creates files that it then "detects" as infections to scare users.

Thursday, July 23, 2009

imageshack.us hosts koobface files

For a few weeks now, a new command has been added in Koobface's C&C.

STARTONCEIMG|http://img119.imageshack.us/img119/116/p22157446.jpg|193854730d993dfgdfjkng345



This small picture has a size of 19.439 Bytes (the bitmap itself is only 999 Bytes). The command decrypts the extra data with the key (193854730d993dfgdfjkng345). This is the decrypt routine:



The malware is known as Trojan-PSW.Win32.LdPinch, a password stealer.
MD5: 4EB90BA3A88369A12DD48ED276778228
virustotal.com

Edit: imageshack.us was contacted, and the picture has been removed.

Tuesday, July 21, 2009

How to hide known malware code...

...and remain undetected.

Malware creators have to bypass antivirus protection to infect users. To be undetectable, the executable binary must not contain a recognizable pattern.

Packing the file is one of the methods used. It was a good trick to hide the code and reduce the size of the binary, but antivirus software can detect home-made packers and high entropy, and most can unpack known packer routines to scan the original file.

So another layer of protection was added: the packed file is encrypted:



The picture shows the work done in memory:
the executable contains an encrypted UPX binary, which itself contains the malware. The first stub decrypts the binary (green arrow).
Let's have a look at the code: in red, the decryption routine doing the job.



Once done, the code appears in the clear. Simple, but effective:



Then the UPX stub unpacks the malware code (blue arrow) and runs it.
A well-known malware file can thus remain undetected (until an antivirus detects the first shell).

To remain undetected, the decryption routine must be changed often:
- Some "junk code" is inserted before and after it (jumps, calls, various real but unnecessary routines),
- Various protections can slow down the analyst's work,
- The file is modified every time it is downloaded: a few bytes are changed (one is enough) to generate a new hash.

Then, every day, a file containing a well-known infection is released. The file looks new (different size, no recognizable patterns) and malware analysts have to work on it to detect what seems new but is NOT. VirusTotal returns poor detection (sometimes 0 detections).
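The post mentions that antivirus engines look at entropy to spot packed or encrypted content. The script below is an added example (not code from this blog) of that defensive heuristic: it slides a fixed window over a buffer and reports the byte ranges whose Shannon entropy is high enough to look like the encrypted UPX blob described above rather than plain code or data. The buffer, the window size and the 7.0-bit threshold are assumptions constructed for the demonstration.

```python
import math
import random

# Constructed buffer (not a sample from the blog): 4096 bytes of repetitive
# text standing in for plain code/data, followed by 4096 pseudo-random bytes
# standing in for the encrypted payload the post describes.
_TEXT = b"This program cannot be run in DOS mode.\r\n"
LOW_REGION = (_TEXT * (4096 // len(_TEXT) + 1))[:4096]
_rng = random.Random(7)  # fixed seed so the example is reproducible
HIGH_REGION = bytes(_rng.getrandbits(8) for _ in range(4096))
SAMPLE = LOW_REGION + HIGH_REGION


def shannon_entropy(buf):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data, window=512, threshold=7.0):
    """Scan data in fixed, non-overlapping windows and merge adjacent windows
    whose entropy exceeds the threshold into (start, end) byte ranges.

    Plain x86 code and text usually sit well below 7 bits per byte; compressed
    or encrypted data sits close to 8, so the threshold is an assumed cut-off
    between the two, not a universal constant."""
    regions = []
    for start in range(0, len(data), window):
        chunk = data[start:start + window]
        if shannon_entropy(chunk) > threshold:
            end = start + len(chunk)
            if regions and regions[-1][1] == start:
                regions[-1] = (regions[-1][0], end)  # extend the previous region
            else:
                regions.append((start, end))
    return regions


if __name__ == "__main__":
    print("text region entropy:   %.2f bits/byte" % shannon_entropy(LOW_REGION))
    print("random region entropy: %.2f bits/byte" % shannon_entropy(HIGH_REGION))
    for start, end in high_entropy_regions(SAMPLE):
        print("high-entropy region: offset %d to %d" % (start, end))
```

On a real file the same scan can be run over the raw bytes, or section by section on a PE; a large high-entropy region in what should be code, combined with a tiny decryption loop in front of it, is the layout the post describes and is worth a closer look regardless of the hash.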

Monday, July 20, 2009

Home Antivirus 2010

Home Antivirus 2010 is fake security software (rogue) from the family of PC Security 2009 and Home Antivirus 2009. It displays alert messages and creates files on the system to simulate an infection (fake PE or VB Script filled with junk).

Home Antivirus 2010 also replaces the original Windows Security Center with its own, and forces the Control Panel to be displayed in the classic view.



Thanks to Bharath

Friday, July 17, 2009

Is ParetoLogic a rogue creator?

ParetoLogic creates many cleaners (malware, registry, privacy...). XoftSpySE and RegCure are the best known. Recently, MalwareURL flagged them as rogue. It's not a surprise: ParetoLogic is considered rogue by a lot of security analysts.

Why? ParetoLogic products are not automatically installed by trojans or fake codecs. There is no desktop hijack, no constant alert messages, nor any such well-known rogue symptoms. Where is the problem, then?

Affiliate communication. There is intense promotion by third parties on blogs, Google ads, Twitter, ...
While ParetoLogic cares about its reputation and does not want to be classified as rogue, the company has no control over the communication made by its affiliates:

A few years ago, SmitfraudFix was targeted by a ParetoLogic Google ad:

Remove SmitfraudFix for good - Free SmitfraudFix scan & Fix

Unethical communication and false information. On some sites, XoftSpySE is offered alongside known rogue products:



Another problem is the license. When the free scanner detects an infection, it proposes acquiring (buying) a license from the infected system. This is a very bad idea: the malware may steal identity and credit card information.

The line between rogue, PUP and unethical is blurry. I won't consider it rogue because of the missing rogue symptoms, but ParetoLogic is certainly not ethical.

hpHosts blog: http://hphosts.blogspot.com/2009/07/paretologic-vs-malwareurl.html
MalwareDiaries blog: http://blogs.paretologic.com/malwarediaries/index.php/2009/07/16/false-allegations-about-paretologic

Edit: Forum thread about this post.

Saturday, July 11, 2009

Trojan-Downloader.Win32.FraudLoad

There's not a day I don't read a blog article saying FraudLoad "is a new infection", "is DNS.Changer", or other wrong information...

This malware is not new. I've been collecting its DNS names since April 2009; it had started months before. Here are some of them (forgive me for not listing 'em all, I was a little bored sometimes...)

tubeportalsoftware2008.com,
k-softportal.com,
dbs-softportal.com,
sim-softportal.com,
fhg-softportal.com,
del-softportal.com,
kxc-softwaresportal.com,
kol-development.com,
zaq-softwares.com,
frg-softwares.com,
dec-software.com,
dia-software.com,
knr-softwares.com,
lxl-softportal.com,
kvm-softwares.com,
xxx-softwares.com,
kxc-softwaresportal.com,
cls-softwares.com,
sim-softportal.com,
down-softportal.com,
slk-softwareportal.com,
sdfv-programs.com,
sgh-topprograms.com,
rol-programms.com,
kor-programms.com,
hex-programmers.com,
kir-fileplanet.com,
arch-grandsoftarchive.com,
grandfilesstore.com,
zxc-sofftwares.com,
exe-soft-portal.com,
file-exe-2009.com,
streaming-united.com,
wile-exe.com,
exe-load-area.com,
exe-web-development.com,
groufertation.com,
exe-soft-files.com,
my-exe-profile.com,
exe-file-boom.com,
fast-exe-load.com,
go-exe-go.com,
last-exe-portal.com,
exe-xxx-file.com,
exe-box.com,
hot-exe-area.com,
zone-exe-files.com,
exe-profile.com,
load-exe-soft.com,
let-exe-2009.com,
exe-4free.com,
red-exe.com,
exe-cosmos.com,
exe-online-world.com,
zone-exe-files.com,
hot-exe-area.com,
exe-direct.com,
era-exe.com
...

The contacted hosts are also old, but they change much more slowly. At first the downloads were PE binaries hidden under a picture filename; then they changed to a real picture with extra data (the encrypted PE appended after the picture data).

imagesaudi.com,
imagesopel.com,
images-humanity.com,
imagescopyleft.com,
texasimages2009.com,
imagesmazda.com,
imagesferrar.com,
caninejoker.com,
imageempires.com,
picturesoffline.com,
imagesmonitor.com,
pictureswall.com,
coolimagepro.com,
portalpics.com,
imagescolor.com,
picturehappiness.com,
picturephotoweb.com,
thenewpic.com,
images-smile.com,
picturephotoweb.com,
theimagesstudio.com,
imageheadphones.com,
pixphotos.com,
imgesinstudioonline.com,
yourimagesstudio.com,
isyouimageshere.com

It is not a DNS.Changer infection (I can't remember the blog where I read this). It's a trojan downloader. See the previous post about it here.

System Tuner

SystemTuner is a fake tool claiming to speed up PC performance.



There is no log file to check what the tool is actually removing:



The website is hosted on IP 209.44.126.16 (Netelligent Hosting Services Inc.). This IP is also used by a well-known rogue: System Security.

system-tuner.net (209.44.126.16)
systemsecurityonline.com (209.44.126.16)
systemsecuritytool.com (209.44.126.16)
systemsecuritysite.com (209.44.126.16)

Friday, July 10, 2009

Secret Service Rogue

TRITAX has released a new version of Secret Service (previous post).
The rogue still uses part of the Privacy Center sample (Russian female voice).
Like the previous version, the rogue drops many fake executable files to simulate an infection.



Once registered, all the tool's options are available. Like the antimalware engine, these options are fake: the software never contacts any host, and network activity stays at zero while the database update progress bars fill up.

Thursday, July 9, 2009

PC Security 2009

PC Security 2009 is fake security software (rogue) from the family of Home Antivirus 2009. It displays alert messages and creates files on the system to simulate an infection (fake PE or VB Script filled with junk).

PC Security 2009 replaces the original Windows Security Center with its own, and forces the Control Panel to be displayed in the classic view.



Thanks to Bharath

Trojan-Downloader.Win32.FraudLoad

Trojan-Downloader.Win32.FraudLoad (exe-site.com/streamviewer.#.exe) is an "old" infection, but I have read many times that it is new. It looks new because of poor AV detection and because of some tricks used by its creators.

- The DNS changes quickly (around every 24 hours):
exe-profile.com
load-exe-soft.com
exe-xxx-file.com
exe-box.com
exe-box.com
let-exe-2009.com
exe-4free.com
...
Filenames are composed to look like software needed to watch streaming videos: streamviewer.#.exe, flashplayer.v10.#.exe, TubeViewer.ver.6.#.exe (where # is a number of 4 or 5 characters).

- The file used to be a UPX-packed infection and was easy to detect. For some weeks it has been using a stub to bypass antivirus detection. The file is still UPX packed, but the creators added a stub to encrypt it (stub -> UPX -> infection code). The stub code is also quickly modified. This is why a lot of AVs are late to detect it.

- At the end of the file there are 8 bytes:
4 bytes for a key (again, quickly modified),
4 bytes for the affiliate ID.
The last 4 bytes are an XOR operation based on the # number in the filename/webpage and the 4-byte key. The same file downloaded from a different affiliate website therefore has a different hash...

- Downloaded files used to be executables hidden behind a picture filename. They are now real GIF pictures, but the size is too large for simple pictures. The infection is encrypted behind the picture data (remember the Tibs infection? Where Tibs used a simple XOR encryption routine, this trojan downloader uses a more sophisticated routine). Extracted executables use the same trojan-downloader stub method to encrypt their code.
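Both this post and the July 11 FraudLoad post describe the same trick: a genuine GIF with an encrypted PE appended after the picture data, which makes the file "too heavy for a simple picture". The check below is an added example (not code from this blog) of how a defender can detect that structurally instead of by size: it walks the GIF block by block to the 0x3B trailer and reports whatever follows it. The minimal 1x1 GIF and the "MZ" stand-in for the appended payload are constructed for the demonstration; no real sample is used.

```python
import struct

# Constructed minimal 1x1 GIF89a (not a sample from the blog): header, logical
# screen descriptor with a 2-entry global colour table, a graphic control
# extension, one image block and the 0x3B trailer.
CLEAN_GIF = (
    b"GIF89a"
    + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)          # 1x1, global colour table flag set
    + b"\x00\x00\x00\xff\xff\xff"                      # global colour table: black, white
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"               # graphic control extension + terminator
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)   # image descriptor, no local table
    + b"\x02"                                          # LZW minimum code size
    + b"\x02\x44\x01"                                  # one data sub-block
    + b"\x00"                                          # block terminator
    + b"\x3b"                                          # trailer
)

# Constructed stand-in for an appended payload (a PE file starts with "MZ").
APPENDED = b"MZ" + bytes(range(64))
TAMPERED_GIF = CLEAN_GIF + APPENDED


def _skip_sub_blocks(data, pos):
    """Advance past a chain of length-prefixed sub-blocks ending in a 0 byte."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def gif_logical_end(data):
    """Return the offset just after the GIF trailer byte (0x3B).

    Walks the header, logical screen descriptor, optional global colour table
    and every extension/image block, so the result is where a decoder stops,
    independent of the file's actual size."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
    pos = 13
    if packed & 0x80:                                  # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while True:
        if pos >= len(data):
            raise ValueError("no trailer found")
        block = data[pos]
        pos += 1
        if block == 0x3B:                              # trailer: image ends here
            return pos
        if block == 0x21:                              # extension: label byte, then sub-blocks
            pos += 1
            pos = _skip_sub_blocks(data, pos)
        elif block == 0x2C:                            # image descriptor
            _l, _t, _iw, _ih, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if ipacked & 0x80:                         # local colour table present
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos += 1                                   # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
        else:
            raise ValueError("unknown block type 0x%02x at offset %d" % (block, pos - 1))


def appended_data(data):
    """Return everything after the GIF trailer (empty for a well-formed image)."""
    return data[gif_logical_end(data):]


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_GIF), ("tampered", TAMPERED_GIF)):
        extra = appended_data(blob)
        print("%s: %d bytes total, %d bytes after trailer" % (name, len(blob), len(extra)))
```

A non-empty result is the signal: an image viewer renders both files identically, but only the second one carries trailing data. The same parse-to-logical-end idea applies to JPEG (the FFD9 marker) and PNG (the IEND chunk), and the trailing bytes can then be fed to an entropy check to tell encrypted content from harmless metadata.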

WiniFighter

WiniFighter is a clone of WiniBlueSoft rogue.



winbluesoft.com (194.54.81.18)
winifighter.com (194.54.81.18)

Thanks to remixed

Wednesday, July 8, 2009

Security Central

Security Central is a rogue cloned from Barracuda Antivirus, Antivirus System Pro and Spyware Protect 2009.
It displays fake infections and fake alerts to scare users into buying a license.



Thanks to Malekal Morte

Windows Security Suite

Windows Security Suite is a new fake security scanner (rogue). It belongs to the same family as Malware Destructor 2009, FastAntivirus,
MalwareCatcher, VirusShield, Extra Antivirus, Virus Sweeper, Ultra Antivir 2009, Virusdoctor, VirusMelt, VirusAlarm. Windows Security Suite comes from fake online scanners and detects nonexistent malware to scare users into buying a license.



Thanks to Bharath
BleepingComputer Windows Security Suite removal guide.

Barracuda Antivirus

Barracuda Antivirus is a rogue cloned from Antivirus System Pro and Spyware Protect 2009.
It displays fake infections to incite users to buy a license.



Thanks to Malekal Morte

Tuesday, July 7, 2009

Friday, July 3, 2009

Desktop Hijack

System Security 2009, a known rogue, hijacks the desktop background. It also displays a fake message about trojan infections to scare users.



Previous Post here.