Windows System Suite is a new rogue (fake security software) from the same family as Windows Security Suite, Malware Destructor 2009, FastAntivirus,
MalwareCatcher, VirusShield, Extra Antivirus, Virus Sweeper, Ultra Antivir 2009, Virusdoctor, VirusMelt, VirusAlarm. Windows System Suite is pushed by fake online scanners and detects nonexistent malware to scare users into buying a license.
Friday, July 31, 2009
Thursday, July 30, 2009
Smart Protector
Smart Protector is a new rogue. The scanner database is 0 KB; even after a full update, the database remains empty.
smartprotectorpro.com (195.95.151.180)
gosmrtprt.com (195.95.151.181)
dlsmrtprt.com (195.95.151.182)
195.95.151.184 <- Update IP
Labels:
Rogues,
ScreenShots
Windows Antivirus Pro
Windows Antivirus Pro is a fake security software (rogue). It displays fake alerts and modifies the desktop background. It also blocks the execution of binaries to scare users.
The new desktop background is a transparent picture with a "Danger!!! Your computer is INFECTED!" message. It is superimposed on the original background.
Labels:
DesktopHijack,
Rogues,
ScreenShots
Tuesday, July 28, 2009
Privacy Center, Safety Center
Safety Center and Privacy Center are the new versions of Secret Service.
While running a scan, the tool creates files on the system and then reports them as infections to scare users.
Labels:
Rogues,
ScreenShots,
Tritax
Thursday, July 23, 2009
imageshack.us hosts koobface files
For a few weeks now, a new command has been present in Koobface's C&C:
STARTONCEIMG|http://img119.imageshack.us/img119/116/p22157446.jpg|193854730d993dfgdfjkng345
This small picture has a size of 19,439 bytes (the bitmap itself is only 999 bytes). The command decrypts the extra data with the key (193854730d993dfgdfjkng345). This is the decrypt routine:
The malware is known as Trojan-PSW.Win32.LdPinch, a password stealer.
MD5: 4EB90BA3A88369A12DD48ED276778228
virustotal.com
Edit: imageshack.us was contacted and the picture has been removed.
Labels:
Koobface
Tuesday, July 21, 2009
How to hide a known malware code...
...and remain undetected.
Malware creators have to bypass antivirus protection to infect users. To stay undetected, the executable binary must not contain a recognizable pattern.
Packing the file is one of the methods used. It was a good trick to hide the code and reduce the size of the binary, but antivirus software can detect home-made packers and high entropy, and most of them can unpack known packer routines to scan the original file.
So another protection layer was added: the packed file is encrypted.
The picture shows the work done in memory:
The executable contains an encrypted UPX binary that contains the malware itself. The first stub decrypts the binary (green arrow).
Let's have a look at the code: in red, the decryption routine doing the job.
Once done, the code appears in the clear. Simple, but effective:
Then the UPX stub unpacks the malware code (blue arrow) and runs it.
A well-known malware file can thus go undetected (until an antivirus detects the outer shell, the stub).
To remain undetected, the decryption routine must be changed often:
- Some "junk code" is inserted before and after it (jumps, calls, various real but unnecessary routines),
- Various protections can slow down the analyst's work,
- The file is modified every time it is downloaded. A few bytes are changed (one is enough) to generate a new hash.
Then, every day, a file containing a well-known infection is released. The file looks new (different size, no recognizable patterns) and malware analysts have to work on it to detect what seems to be new but is NOT. VirusTotal returns poor detection (sometimes 0 detections).
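The post notes that antivirus software can flag packed or encrypted binaries by their entropy. As an added example that is not the blog's own code, the following Python scans a buffer in fixed windows and reports the high-entropy runs, on a constructed layout like the one described (clear stub, then encrypted UPX blob, then padding); the window size and threshold are my own choices.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for perfectly uniform bytes."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def high_entropy_regions(data: bytes, window: int = 1024, threshold: float = 7.0):
    """Slide a non-overlapping window over data and merge consecutive windows whose
    entropy exceeds threshold into (offset, length) runs. Encrypted or compressed
    payloads score close to 8.0; plain x86 code and text normally stay well below 7."""
    regions, start, last = [], None, 0
    for off in range(0, len(data) - window + 1, window):
        if shannon_entropy(data[off:off + window]) > threshold:
            if start is None:
                start = off
            last = off
        elif start is not None:
            regions.append((start, off - start))
            start = None
    if start is not None:                     # run reaches the end of the buffer
        regions.append((start, last + window - start))
    return regions


# Constructed sample (not real malware) mimicking the layout in the post: a clear
# stub (a short repeated code pattern), the encrypted UPX blob (modelled with SHA-256
# counter output, which is close to uniform), then a low-entropy padding tail.
STUB = b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 256                  # 2048 bytes
ENCRYPTED_UPX = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                         for i in range(128))                     # 4096 bytes
PADDING = b"\x00" * 1024
SAMPLE = STUB + ENCRYPTED_UPX + PADDING

if __name__ == "__main__":
    for off, length in high_entropy_regions(SAMPLE):
        print(f"suspicious high-entropy region at 0x{off:x}, {length} bytes")
```

On the sample the only run reported is the 4096-byte encrypted blob starting at offset 2048, right after the clear stub.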
Labels:
misc
Monday, July 20, 2009
Home Antivirus 2010
Home Antivirus 2010 is a fake security software (rogue) from the family of PC Security 2009 and Home Antivirus 2009. It displays alert messages and creates files on the system to simulate an infection (fake PE or VB Script files filled with junk).
Home Antivirus 2010 also replaces the original Windows Security Center with its own, and forces the Control Panel to be displayed in classic view.
Thanks to Bharath
Labels:
Braviax,
Rogues,
ScreenShots
Friday, July 17, 2009
Is ParetoLogic a rogue creator?
ParetoLogic creates many cleaners (malware, registry, privacy...). XoftSpySE and RegCure are the best known. Recently, MalwareURL flagged them as rogue. It's not a surprise: ParetoLogic is considered rogue by a lot of security analysts.
Why? ParetoLogic products are not automatically installed by a trojan or a fake codec. There is no desktop hijack, no constant alert messages, or other well-known rogue symptoms. Where is the problem then?
Affiliate communication. There is intense promotion made by third parties on blogs, Google ads, Twitter, ...
While ParetoLogic cares about its reputation and about not being classified as rogue, the company has no control over the communication made by affiliates:
A few years ago, SmitfraudFix was targeted by a ParetoLogic Google ad:
Remove SmitfraudFix for good - Free SmitfraudFix scan & Fix
Unethical communication and false information. On some sites, XoftSpySE is offered alongside known rogue products:
Another problem is the license. When the free scanner detects an infection, it proposes buying a license from the infected system. This is a very bad idea: the malware may steal identity and credit card information.
The line between rogue, PUP and unethical is thin. I won't consider it a rogue because of the missing rogue symptoms, but ParetoLogic is certainly not ethical.
hpHosts blog: http://hphosts.blogspot.com/2009/07/paretologic-vs-malwareurl.html
MalwareDiaries blog: http://blogs.paretologic.com/malwarediaries/index.php/2009/07/16/false-allegations-about-paretologic
Edit: Forum thread about this post.
Labels:
misc,
Rogues,
ScreenShots,
SmitfraudFix
Saturday, July 11, 2009
Trojan-Downloader.Win32.FraudLoad
There's not a day I don't read a blog article saying FraudLoad "is a new infection", "is DNS.Changer" or other wrong information...
This malware is not new. I have been collecting its domains since April 2009, and it started months before that. Here are some of them (forgive me for not listing them all, I was a little bored sometimes...)
The contacted hosts are also old, but they change much more slowly. At first they served PE binaries hidden under a picture filename; then this changed to a real picture with extra data (the encrypted PE appended after the picture data).
It is not a DNS.Changer infection (I can't remember the blog where I read this). It's a trojan downloader. See the previous post about it here.
Labels:
misc
System Tuner
System Tuner is a fake tool that claims to speed up PC performance.
There is no log file to check what the tool is removing:
The website is hosted on IP 209.44.126.16 (Netelligent Hosting Services Inc.). This IP is also used by the well-known rogue System Security:
system-tuner.net (209.44.126.16)
systemsecurityonline.com (209.44.126.16)
systemsecuritytool.com (209.44.126.16)
systemsecuritysite.com (209.44.126.16)
Labels:
Rogues,
ScreenShots
Friday, July 10, 2009
Secret Service Rogue
TRITAX has released a new version of Secret Service (previous post).
The rogue is still using a part of the Privacy Center sample (Russian female voice).
Like the previous version, the rogue drops many fake executable files to simulate an infection.
Once registered, all the tool options are available. Like the antimalware engine, these options are fake. The software never contacts any host: network activity stays at zero while the database update progress bars fill up.
Labels:
Rogues,
ScreenShots,
Tritax
Thursday, July 9, 2009
PC Security 2009
PC Security 2009 is a fake security software (rogue) from the family of Home Antivirus 2009. It displays alert messages and creates files on the system to simulate an infection (fake PE or VB Script files filled with junk).
PC Security 2009 replaces the original Windows Security Center with its own, and forces the Control Panel to be displayed in classic view.
Thanks to Bharath
Labels:
Braviax,
Rogues,
ScreenShots
Trojan-Downloader.Win32.FraudLoad
Trojan-Downloader.Win32.FraudLoad (exe-site.com/streamviewer.#.exe) is an "old" infection, but I have read many times that it is new. It looks new because of the poor AV detection and because of some tricks used by its creators.
- The domain changes quickly (around every 24 hours):
Filenames are made to look like software needed to watch streaming videos: streamviewer.#.exe, flashplayer.v10.#.exe, TubeViewer.ver.6.#.exe (where # is a 4- or 5-digit number).
- The file used to be a plain UPX-packed infection and was easy to detect. For some weeks it has been using a stub to bypass antivirus detection. The file is still UPX-packed, but the creators added a stub that encrypts it (stub -> UPX -> infection code). The stub code is also modified quickly. This is why a lot of AVs are late to detect it.
- At the end of the file there are 8 bytes:
4 bytes for a key (again, quickly modified),
4 bytes for the affiliate ID.
The last 4 bytes are the result of an XOR operation based on the # number in the filename/webpage and the 4-byte key. The same file downloaded from a different affiliate website therefore has a different hash...
- Downloaded files used to be executables hidden behind a picture filename. They are now real GIF pictures, but the size is too large for simple pictures. The infection is encrypted behind the picture data (remember the Tibs infection? Where Tibs used a simple XOR encryption routine, this trojan downloader uses a more sophisticated routine). Extracted executables use the same stub method to encrypt their code.
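Both this post and the Koobface post above describe a payload appended after the end of a real image. As an added example that is not the blog's own code, the following Python computes where a BMP or GIF actually ends (BMP from the bfSize header field, GIF by walking its blocks to the 0x3B trailer) and reports how many bytes trail the image; the sample images and the appended data are constructed here, and JPEG is not handled.

```python
import struct


def bmp_image_length(data: bytes):
    """Declared size of a BMP from bfSize in the file header, or None. Some writers
    leave bfSize at 0, so a zero is treated as unparseable rather than as an overlay."""
    if len(data) < 14 or data[:2] != b"BM":
        return None
    size = struct.unpack_from("<I", data, 2)[0]
    return size or None


def _skip_subblocks(data: bytes, pos: int):
    """Skip GIF data sub-blocks (length byte + data, a 0 length ends them); None if truncated."""
    while pos is not None and pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n
    return None


def gif_image_length(data: bytes):
    """Walk GIF blocks and return the offset just past the 0x3B trailer, or None."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    pos, flags = 13, data[10]
    if flags & 0x80:                           # global color table present
        pos += 3 * (2 << (flags & 7))
    while pos is not None and pos < len(data):
        block = data[pos]
        if block == 0x3B:                      # trailer: the image ends here
            return pos + 1
        if block == 0x21:                      # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 2)
        elif block == 0x2C:                    # image descriptor: 9 bytes after 0x2C
            if pos + 10 > len(data):
                return None
            iflags = data[pos + 9]
            pos += 10
            if iflags & 0x80:                  # local color table present
                pos += 3 * (2 << (iflags & 7))
            pos = _skip_subblocks(data, pos + 1)   # +1 skips the LZW minimum code size
        else:
            return None
    return None


def overlay_size(data: bytes):
    """Return (format, image_end, trailing_bytes), or None if the image does not parse.
    trailing_bytes > 0 means something was appended after the picture data."""
    if data[:2] == b"BM":
        fmt, end = "bmp", bmp_image_length(data)
    elif data[:6] in (b"GIF87a", b"GIF89a"):
        fmt, end = "gif", gif_image_length(data)
    else:
        return None
    if end is None or end > len(data):
        return None
    return fmt, end, len(data) - end


# Constructed samples (not real malware): a 1x1 24-bit BMP (58 bytes) and a 1x1 GIF (35 bytes).
BMP_SAMPLE = (struct.pack("<2sIHHI", b"BM", 58, 0, 0, 54)
              + struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 0, 0, 0, 0)
              + b"\x00\x00\xff\x00")
GIF_SAMPLE = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
              + b"\x00\x00\x00\xff\xff\xff"                # 2-entry global color table
              + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
              + b"\x02" + b"\x02\x44\x01" + b"\x00" + b"\x3b")
```

Calling overlay_size on a sample with junk appended (for instance GIF_SAMPLE + five extra bytes) returns the image end and the number of trailing bytes, which is the signal that a file "too heavy for a simple picture" deserves a closer look.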
Labels:
misc
WiniFighter
WiniFighter is a clone of the WiniBlueSoft rogue.
winbluesoft.com (194.54.81.18)
winifighter.com (194.54.81.18)
Thanks to remixed
Labels:
Rogues,
ScreenShots,
WiniSoft
Wednesday, July 8, 2009
Security Central
Security Central Rogue is a clone of Barracuda Antivirus, Antivirus System Pro, Spyware Protect 2009.
It displays fake infections and fake alerts to scare users into buying a license.
Thanks to Malekal Morte
Labels:
Rogues,
ScreenShots,
SWProtect
Windows Security Suite
Windows Security Suite is a new fake security scanner (rogue). It belongs to the same family as Malware Destructor 2009, FastAntivirus,
MalwareCatcher, VirusShield, Extra Antivirus, Virus Sweeper, Ultra Antivir 2009, Virusdoctor, VirusMelt, VirusAlarm. Windows Security Suite is pushed by fake online scanners and detects nonexistent malware to scare users into buying a license.
Thanks to Bharath
BleepingComputer Windows Security Suite removal guide.
Labels:
GCodeRogue,
Rogues,
ScreenShots
Barracuda Antivirus
Barracuda Antivirus Rogue is a clone of Antivirus System Pro, Spyware Protect 2009.
It displays fake infections to push users into buying a license.
Thanks to Malekal Morte
Labels:
Rogues,
ScreenShots,
SWProtect
Tuesday, July 7, 2009
Smart Defender Pro
SmartDefender Pro is a new rogue. It is from the same family as Virus Remover Pro, Extra Antivirus,
AV Antispyware, PAntispyware09, MS Antispyware 2009, Pro Antispyware 2009, SysAntivirus 2009, WinSpywareProtect.
Thanks to Ryan
Labels:
AVPro,
Rogues,
ScreenShots
Friday, July 3, 2009
Desktop Hijack
System Security 2009, a known rogue, is hijacking the desktop background. It also displays fake messages about trojan infections to scare users.
Previous Post here.
Labels:
DesktopHijack,
ScreenShots