Ransomware infecting user32.dll

June 13, 2014

Over the past months we’ve been monitoring a new variant of the Department of Justice (DOJ) ransomware.

Till date there is nothing written about this new variant on the internet. This blog item aims to address this.

Analysis of this particular ransomware shows that the method to infect victims is different compared to previous ransomware samples. Instead of dropping an executable on the system it infects the Windows system DLL: user32.dll.

This file is typically located in:
C:\Windows\System32\user32.dll
      or
C:\Windows\SysWOW64\user32.dll

So far we’ve observed that the ransomware is only infecting the 32-bit version of user32.dll.

Static detection
Our support desk helped a victim in January 2014. Four months later, detection is still poor:

vt-user32

Resource section
The ransomware enlarges the resource section of user32.dll as can be seen in the table below:

Original user32.dll Infected user32.dll
name va vsize rawsize name va vsize rawsize
.text 0x1000 0x5f283 0x5f400 .text 0x1000 0x5f283 0x5f400
.data 0x61000 0x1180 0xc00 .data 0x61000 0x1180 0xc00
.rsrc 0x63000 0x2a088 0x2a200 .rsrc 0x63000 0x33a88 0x33c00
.reloc 0x8e000 0x2de4 0x2e00 .reloc 0x8e000 0x2de4 0x2e00

Analysis of the increased resource section in this file shows that it contains an encrypted payload with a decryptor embedded. We will show how the malware gets active once it has successfully infected the user32.dll file.

EntryPoint patched
The code in the entrypoint of an infected user32.dll is patched with a jump to AlignRects, as can be seen below:

Original:

UserClientDllInitialize:
7e41b217 8B FF          mov  edi, edi 
7e41b219 55             push ebp 
7e41b21a 8B EC          mov  ebp, esp 
7e41b21c 83 7D 0C 01    cmp  [ebp+0xC], 1 
7e41b220 75 05          jnz  0x7e41b227
 
7e41b222 E8 5D 07 00 00 call 0x7e41b984
 
7e41b227 5D             pop  ebp 
7e41b228 90             nop 
7e41b229 90             nop 
7e41b22a 90             nop 
7e41b22b 90             nop 
7e41b22c 90             nop 
7e41b22d 8B FF          mov  edi, edi 
7e41b22f 55             push ebp 
7e41b230 8B EC          mov  ebp, esp

Patched:

UserClientDllInitialize:
7e41b217 8B FF          mov  edi, edi 
7e41b219 55             push ebp 
7e41b21a 8B EC          mov  ebp, esp 
7e41b21c 83 7D 0C 01    cmp  [ebp+0xC], 1 
7e41b220 75 0E          jnz  0x7e41b230
 
7e41b222 E8 00 00 00 00 call 0x7e41b227
 
7e41b227 83 04 24 0A    add  [esp], 0xa 
7e41b22b E9 B0 22 05 00 jmp  AlignRects 
________________________________________
7e41b230 8B EC          mov  ebp, esp

The code at AlignRects is not the original, but is replaced with code that allocates a new block of executable memory. Hereafter it copies the encrypted payload from the resource section to this newly allocated memory.

AlignRects:
7e46d4e0  leave 
7e46d4e1  pusha 
7e46d4e2  push ebp
7e46d4e3  mov  ebp, esp
7e46d4e5  sub  esp, 8
7e46d4e8  mov  eax, [ebp+0x4C]        ; EAX becomes base-address of 
                                      ; user32.dll (7E410000)
7e46d4eb  mov  ecx, eax
7e46d4ed  add  eax, 0x13bc
7e46d4f2  mov  eax, [eax]             ; EAX becomes address of 
                                      ; NtQueryVirtualMemory

7e46d4f4  add  eax, 0xfffff5f0        ; EAX becomes address of 
                                      ; NtAllocateVirtualMemory
7e46d4f9  push 0x40
7e46d4fb  push 0x3000
7e46d500  lea  ecx, [ebp-0x4]
7e46d503  mov  [ecx], 0xc576
7e46d509  push ecx
7e46d50a  push 0
7e46d50c  lea  ecx, [ebp-0x8]
7e46d50f  mov  [ecx], 0
7e46d515  push ecx
7e46d516  push 0xff
7e46d518  call eax                    ; Call NtAllocateVirtualMemory
7e46d51a  mov  edi, [ebp-0x8]         ; EDI = allocated address
7e46d51d  mov  eax, edi
7e46d51f  mov  esi, [ebp+0x4C]        ; ESI = base-address of 
                                      ;       user32.dll (7E410000)
7e46d522  add esi, 0x8d200            ; ESI = address of encrypted payload 
                                      ;       in resource section
7e46d528  mov ecx, 0x98bb
7e46d52d  rep movs es:[edi], ds:[esi] ; Copy to allocated 
                                      ; (executable) range
7e46d52f  leave 
7e46d530  add  eax, 0x981e            ; EAX = address of decryption code
7e46d535  jmp  eax                    ; Start decryption !!

As can be seen from this code an executable block of memory is allocated. In order to do that, the address of NtAllocateVirtualMemory is calculated using the address of NtQueryVirtualMemory, which was obtained from the IAT of user32.dll.

The encrypted payload is copied into the newly allocated range of memory. This encrypted payload contains a small piece of decryption code, located near the end of the encrypted payload. This decryption code is shown below:

0:000> r
eax=0029981e ebx=7e41b217 ecx=00000000 edx=7c90e514 esi=7e4a6abb edi=002998bb
eip=0029981e esp=0007f9d4 ebp=0007fa10 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206

0:000> u eax l20
0029981e call 00299823
00299823 pop  edx                     EDX = current location !
00299824 sub  edx,7FFA2F22h
0029982a push esi
0029982b lea  esi,[edx+7FFA2F1Dh]     ESI = allocated mem-base (290000)
00299831 mov  ecx,981Eh               ECX = size to decrypt (num bytes)
00299836 sub  esi,ecx
00299838 push esi
00299839 mov  ebx,6FAAEh              The XOR key (BL only, so AEh)
0029983e xor  byte ptr [esi],bl       Decrypt byte-by-byte
00299840 inc  esi
00299841 inc  ebx                     Modify XOR key for each byte (+1)
00299842 loop 0029983e
00299844 pop  eax
00299845 pop  ecx
00299846 mov  dword ptr [eax+12h],ecx
00299849 jmp  eax                     Jump to allocated mem-base, 
                                      which is now decrypted.

The decryption of the payload uses a XOR based decryption scheme were the XOR value for each byte to decrypt is incremented after each operation.

Once all bytes in the allocated memory range are decrypted, the now plain code is executed. Note the first two instructions of this decryption code, where a call/pop combination is used to obtain the current address.

This makes the decryption code position independent. The only ‘fixed’ values in this code are the size of the encrypted payload and the XOR key, so automating the payload and decryptor to avoid static detection can be easily accomplished.

user32-decrypted2

user32-decrypted1

Once the ransomware becomes active, some typical ransomware behavior is performed:

  • Windows Safe Mode is disabled
  • Task Manager is blocked
  • Command Prompt is blocked
  • Registry Editor is blocked

… and of course the police themed picture is shown where a ransom fee is demanded in order to release the PC (see picture at the top of this article).

Victims can use the very easy-to-use HitmanPro.Kickstart to get rid of police themed ransomware infection.

Blocking CD-ROM drives
A new property of this particular ransomware is that it disables CD-ROM drives. This makes it for some computers harder to clean the system as is explained below.

When HitmanPro detects a system file that is infected, it searches for a white-listed variant on the computer. This as Windows tends to keep a copy of system files on multiple locations on the hard disk.
If HitmanPro cannot find a white-listed known safe version, it prompts for the Windows installation CD/DVD media that came with the computer. This is a very useful feature of HitmanPro and it has been in HitmanPro for years to return infected system files to pristine state!

But since this new ransomware infection blocks access to the CD/DVD the user can no longer provide the Windows installation media for original files.

New Cloud Service
EDIT: HitmanPro build 219 (or newer) queries a new HitmanPro-cloud service that can provide a clean system file so that the user no longer has to provide Windows installation media.

32-bit: http://dl.surfright.nl/HitmanPro.exe
64-bit: http://dl.surfright.nl/HitmanPro_x64.exe

 

Samples:

3AF4FA2BFFAAB37FD557AE8146AE0A29BA0FAF6D99AD8A1A8D5BF598AC9A23D1
3A061EE07D87A6BB13E613E000E9F685CBFFB96BD7024A9E7B4CB0BE9A4AF38C
7DD93123078B383EC179C4C381F9119F4EAC4EFB287FE8F538A82E7336DFA4CA

Background on hyped Bitcoin miner served via Yahoo

January 10, 2014

Last Friday security researchers from Fox-IT noticed that Yahoo was inadvertently spreading malware via its advertisement services. Last Monday the Israel-based security company Light Cyber spread a much hyped press release that most of the malware was used to mine Bitcoins. I am personally a bit surprised that the BBC, The Guardian and even Interpol tweeted about it, as Light Cyber provided little to no details or evidence.

interpol

The story is not completely wrong but, when you read those articles, the perception now is that the entire attack revolved around Bitcoin mining, which is false.

We saw the Bitcoin miner too but omitted it from our initial excerpt because, according to our own telemetry, only 4% of the victims that we rescued received this malware. And contrary to popular belief, click fraud and banking malware is a lot faster lucrative than mining Bitcoins with malware, as a miner likely requires specific hardware to be effective and that it will not survive long on a victim’s computer. In fact, this miner is easily picked up by antivirus software. And infected users will certainly notice the stressed out processor and/or GPU, which seriously hinders normal work or gaming.

Let me provide some useable evidence.

Citadel
We found that a Citadel trojan in this attack pulled in the Bitcoin miner about a minute after the PC got infected. Citadel is based on the Zeus banking malware, also known as Zbot. It typically creates a random folder under the %AppData% folder and has a random filename of typically 5 or 6 characters, e.g.:

C:\Users\<user>\AppData\Roaming\Iquha\ruyvy.exe

On each victim computer this malware is uniquely obfuscated to evade antivirus detection.

cgminer
The Bitcoin miner, however, is actually a wrapped version of an abused legitimate tool called cgminer, version 3.7.2 to be exact. Cgminer is a multi-threaded multi-pool FPGA and ASIC miner and relies on the OpenCL framework to perform the hashing computations for Bitcoin mining. OpenCL is mandatory for cgminer, which is by default not installed on Windows computers. This means that cgminer only works/affects machines with the OpenCL SDK installed or with special gaming-oriented hardware, as OpenCL.dll only comes standard with certain display drivers from AMD and NVIDIA.

In this attack, the cgminer malware was installed here:

C:\JvaApp\wdsdll.exe

When the victim computer is equipped with a modern GPU, this tool can produce hash rates orders of magnitude higher than what can be achieved with just a CPU. If the computer doesn’t have a capable GPU to speed up mining it returns “clDevicesNum returned error, no GPUs usable”.

cgminer

The miner uses libcurl for communication with a mining pool. Libcurl is also legitimate software.

Some SHA-256 hashes for the security community:

9621744EF9C063DAB33CCA0FD4CCB24D79D227AC29D28CD27797338ACD9ABD47
A99253A538C3EF1945E146050645E321DA3B055A2624F83356FCB3F8C37B0DB3
31DD1B7A65EEC28F0D2B03E070290494A945AD4643053D8396B5DC65DE595409
26CE58F04C7A002CDBE6F05BADF0E986825B25138802368D79C300B3E2E2E2F0

So the attackers do not have a 2.5-million-large Bitcoin mining network (or ‘bitnet’). This ‘bitnet’ is also not as effective as some think. A single infected computer with e.g. a decent NVIDIA GTX 560 Ti display card would take a week to generate EUR €0,1430 (at about 85.1 MHash/sec). We do not have hardware specifications of any or all victim computers, so let’s assume (hypothetically) that 1/4 of these infected machines would have this special NVIDIA display card. Also assuming that the miner would not have been noticed by antivirus software or the user, this ‘bitnet’ of 25,000 computers (1/4 of 4% of 2.5 million) would have generated about 5.5 BTC, or EUR €3,575 at the current exchange rate of the virtual currency.

The created perception that Bitcoin mining was the driving force behind the Yahoo attack is just plain wrong. The attack is about the people who earned a lot by offering their malware staging area at Yahoo to a multitude of criminals. Hence the enormous variety of malware. Surely, malware designed to steal your identity or banking credentials is far more threatening than malware which only takes a toll on your computers speed.


Malware served via Yahoo affected millions

January 5, 2014

We have been pretty busy with a lot of new exciting technology that we are introducing next month, so our blog did not get as much attention as it should. But yesterday, an interesting malvertising campaign on Yahoo drew my attention.

Yahoo!
Yahoo is the #4 website in the world and with literally millions of daily visitors and users, Yahoo is a high-profile target for malvertising.

Fox-IT already wrote a great blog entry mainly about the network details of the attack. But since there is also a lot to tell about the malware I decided to spend my Sunday to do some digging in our databases and write some details about it.

Discovery
Lennart Haagsma (@lennarthaagsma) and Maarten van Dantzig (@MaartenVDantzig) from Fox-IT’s Security Operations Center were the guys that sent out the first tweet about this on January 3rd, 2014: the ads.yahoo.com host, associated with advertisements and tracking, was infecting visitors of Yahoo Mail.

Image

Our own telemetry and research confirmed this and I immediately started to send out additional information on Twitter and share some malware details with the security community.

Below a screenshot of Fiddler showing the recorded drive-by infection, proofing that Yahoo was indeed infecting its visitors through a malicious iframe:

Image

Sharing Information
We also shared some initial information with the Dutch National Cyber Security Center (NCSC) so they could combine it with data from Fox-IT.

The NCSC sent out a warning message to contacts at key infrastructure and important computer networks in The Netherlands, so technicians could add firewall rules to block the attack. This, because the malware used in the attack were slipping passed security defenses, which we can confirm thanks our HitmanPro agents on millions of computers in the world. Our software has detected Yahoo-related malware on computers protected by up-to-date antivirus software.

Note: Microsoft Enhanced Mitigation Experience Toolkit (EMET) offers no protection against these attack as EMET does not protect against Java-based exploit attacks.

HitmanPro
If you are unfamiliar with our HitmanPro software: it is a small anti-malware tool that functions as a second-opinion for your antivirus software to reveal undetected threats.

HitmanPro works on-demand and is purpose-built to be compatible with other antivirus programs. Its behavior and forensic analysis are designed to pick up threats without requiring prior knowledge of malware attacks, commonly called virus signatures.

Here an example of how HitmanPro gives you insight on how the attack happened, even days after the incident:

HitmanPro-flagging-malware-and-giving-insight-into-the-attack-without-signatures

About the Malware
Thanks to the telemetry coming from HitmanPro we are able to compile a list of threats that were used in the attack staged from Yahoo’s own servers.

Our systems detected the first threats associated with this malware campaign on Monday December 30th, 2013 (now 6 days ago). This means that a lot more users are infected than initially thought (4 days x 24 hours x 27,000 infections = 2.5 million infected computers).

The attackers made good use of Yahoo’s reputation and installed many different malware, which leads us to believe there are more interested criminals involved (a so-called Pay-Per-Install operation). An excerpt with some background information:

Click fraud malware
https://www.virustotal.com/en/file/fd831dc7b66e2c05d8b83f0fe6a4c67d57f0e1a2bb7126cdb20963bf6fb0bbb8/analysis/
The creator of this file used a neat Star Wars icon:

clickfraud

Once executed by the exploit kit, this malware installs itself in the C:\Windows\Fonts folder. The Fonts folder is a special folder and shows only fonts in Windows Explorer. The malware executable doesn’t come up in the contents list so the user is not able to access it manually. The publisher of the malware executable was also set to Symantec Corporation DB in an attempt to fool users who were somehow able to to access it.
This malware program is causing click fraud and causes high CPU usage. It runs multiple hidden web browser processes to open web pages with ads belonging to the affiliate ID of the criminal. The program is started each hour through the Windows Task Scheduler:

Image

Necurs backdoor
https://www.virustotal.com/en/file/45ada47d018abec15f1e06d6d4858a865577fcea8a4c0934390c69ad0ad8d06c/analysis/
The malware author of this file decided to use an ICQ icon, abused the name of a legitimate registry tool and accidentally gave a clue to where the file could’ve originated from:

Image

The purpose of this malware downloads additional malware and enables backdoor access and control of your computer. It also capable of disabling antivirus software and injects itself in other system processes. It typically installs itself in C:\Windows\Installer\<random GUID>\

Dorkbot backdoor
https://www.virustotal.com/en/file/1528545e5a55eb109cbbd11e579b41b82fc5a97a45a1a5e0110f199e2661f8d3/analysis/
dorkbot
This malware can steal usernames and passwords, block websites, and launch a denial of service (DoS) attack. The malware is also often used to haul in additional malware.

The most interesting feature of this malware, I think, is that it creates a so-called hollow process to conceal its presence. In this case it spawns and abuses a legitimate Windows Calculator process (calc.exe) and does an in-memory replacement of the original contents with the malicious code. For the operating system and the user it looks like the original calc.exe is running, while in fact the calc.exe process has been transformed into Dorkbot. This Windows Calculator process now has unusual capabilities, like HTTP and DNS interception:

calc

Ramdo malware
https://www.virustotal.com/en/file/045a52e97d894018765b053f9d82b1021e7567d980bc2bfdfbfd7b38205a44a6/analysis/

This particular malware employs NTFS encryption in an attempt to stay hidden from low level virus scans. A low level scan, like HitmanPro’s Direct Disk Access method, does not use the higher level Windows API’s to scan the disk for malware, because, usually, the higher level Windows API’s are manipulated by malware to evade detection.

Image

For interested security researchers, I’ve compiled an incomplete SHA-256 list of malware associated with the Yahoo malvertising campaign:

1528545E5A55EB109CBBD11E579B41B82FC5A97A45A1A5E0110F199E2661F8D3
159E8975BF6545C958FB5BD427C9E5ADBE6B8804743B690C8AA74410D7FC7300
26CE58F04C7A002CDBE6F05BADF0E986825B25138802368D79C300B3E2E2E2F0
28140E82A245A63AC5EF1C570EB134F3EC19FC9E067A8D8F87988D284A5DC655
37127616D0ED3D23FAB66F116B8D4DF2BEC0B95405449A5652E64ADA3693BC03
456D4332346E0FBF27B3838700FB8EACCF57DE1E5F79D800C06B1B90518CAB49
45ADA47D018ABEC15F1E06D6D4858A865577FCEA8A4C0934390C69AD0AD8D06C
76741E8256C99F53507D67D2525AE813570EF49054B14919B06955349F96BD50
77481D089DDBE7F4F7CDB0B4AAB60537DEE80D1653D721BC7B7A2CE4E83C374C
A4092A6594263E3B0756A02614E65191875F3564D14D6933638A9E0CC9B25495
A6080BA41FB029CC37641E3CDB84C89A83A77754BE91DCE899142BB5C8E19294
B7637854EEB881927F531997923563275CC73A9697606BD16C7C108203A81A1F
C6148B3A52CEFC754A9B1BE6573BECE14034117DA300F9F66803B4A8FC588B8C
E0270A70A205C71C6C612BDAFCE3D2DE23DA634B98A3613B2B791047CB459E68
E9A9532515257ABBE38C163136FBD49E585D5B18598DBD240A9B5B9867D192DC
EBE3196950E1E374600E8D0BBD1BB30561B02C68D9F1DCE11990BC8C5AF39234
EC71A4A85AC1AB52C49C5DA31D1B4A29349777AC75024626D06C8113BAC779B6
FD831DC7B66E2C05D8B83F0FE6A4C67D57F0E1A2BB7126CDB20963BF6FB0BBB8

Exploiting Java vulnerabilities
Normally, software cannot be installed on a computer without the owner’s consent. If someone would like to silently install software on your computer they would need to find and abuse a vulnerability on your computer – remember Stuxnet, which similarly abused a software vulnerability to hit Iran nuclear plant staff computers.

But practically, every computer has vulnerabilities, even yours. And for online criminals to be effective, they target multiple vulnerabilities to maximize their campaign.

The Magnitude exploit kit makes this possible, which is a favored tool since the arrest of Paunch (the creator the notorious Blackhole exploit kit).

Yahoo’s servers were used as staging area, redirecting visitors to an attack page with the Magnitude exploit kit. The exploit kit was configured to exploit vulnerabilities in Java Runtime to infect Yahoo’s users with malware.

Java is the #1 target since millions of computers still run outdated vulnerable versions of it, caused by the lack of a silent automatic update feature in Java. Also, many people and companies are unable to upgrade to the latest version of Java because they rely on custom software that will no longer work once Java is updated.

So these users rely on antivirus software to keep their computers safe. But since attackers tailor and continuously update their malware they effectively go undetected by many antivirus software.

We’ve seen at least these Java exploits used in the Yahoo malvertising campaign:

https://www.virustotal.com/en/file/EC71A4A85AC1AB52C49C5DA31D1B4A29349777AC75024626D06C8113BAC779B6/analysis/
https://www.virustotal.com/en/file/E0270A70A205C71C6C612BDAFCE3D2DE23DA634B98A3613B2B791047CB459E68/analysis/
https://www.virustotal.com/en/file/28140E82A245A63AC5EF1C570EB134F3EC19FC9E067A8D8F87988D284A5DC655/analysis/
https://www.virustotal.com/en/file/2b7f8b1a5a4e1466b4d56c25331cc1bb2f69bb1a20023062df037e43031cd767/analysis/1388934020/

We found CVE-2012-0507 to be associated with this campaign on infected computers, confirming the fact that many computers have outdated Java software.

IP registrations
A whois query regarding the IP addresses associated with the attack domains gives us some idea on where the attackers might come from:

inetnum: 193.169.244.0 - 193.169.245.255
descr: FOP Zemlyaniy Dmitro Leonidovich
country: NL
organisation: ORG-FZDL2-RIPE
org-name: FOP Zemlyaniy Dmitro Leonidovich
org-type: LIR
address: FOP Zemlyaniy Dmitro Leonidovich
address: Zemlyaniy Dmitro
address: Onore de Balzaka str. 86, app.29
address: 02232
address: Kyiv
address: UKRAINE

CNET
I saw CNET reporting that users had to click on an malicious ad to get infected, but this is not true. Below, side by side, an uninfected Yahoo advertisement and the infected one. Victims did not click on the ads to get infected and also explains the high infection numbers from the Fox-IT research.

cnet

Scan your computer
Not every ad on the Yahoo advertisement network contained the malicious iframe, but if you have an outdated version of Java Runtime (you can check here) and you used Yahoo Mail the last 6 days, your computer is likely infected.

In addition, we also received reports that the malware was spreading through ads in Yahoo Messenger as well. So if you used Yahoo’s services lately, it’s a good idea to scan your computer for malware.

Our HitmanPro software has already helped many Yahoo visitors in these countries: Australia, Germany, Spain, France, Greece, Hungary, Ireland, Israel, Italy, Croatia, The Netherlands, Poland, The United Kingdom and The United States. In most of those scans our HitmanPro anti-malware software also found other malware unrelated to the Yahoo incident, which means it is always a good idea to regularly perform a second opinion scan with a tool from a different security vendor.

Download
You can download HitmanPro here: http://get.hitmanpro.com

HitmanPro Supports 32-bit and 64-bit versions of Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows XP and Windows Server.


HitmanPro rescues anti-virus programs from malware attack

June 3, 2013

ZeroAccess Bag of Tricks
We’ve blogged a few times before about the tricks of the ZeroAccess malware family (aka ZAccess/Sirefef/Max++). For example, in July 2011 we blogged about ZeroAccess injecting a deadly payload into antivirus products and in June 2012 we blogged about ZeroAccess hiding its malicious code in an NTFS Extended Attribute.

Reparse Point
Recently a new ZeroAccess variant is spreading which employs a new trick to disable antivirus products. Specifically, the new variant places NTFS Reparse Points on the files of an antivirus causing access to the files to be redirected.

In the following screenshots (using the tool called Junction from Mark Russinovich, Sysinternals) you can see that ZeroAccess has placed a Reparse Point (type Symbolic Link) on the files of Microsoft Security Essentials. These reparse points redirect file access to a different location, disabling Microsoft Security Essentials:

Also using the ordinary dir-command you can see that redirection to [c:\windows\system32\config] is in place:

File Permissions
In addition to setting Reparse Points, ZeroAccess also strips the permissions from the files as can be seen in the following screenshot:

Permissions Stripped

To the rescue
On May 23rd we’ve released HitmanPro build 198 that removes the reparse points from Windows Defender and Microsoft Security Essentials. Also the permissions on the files are restored by HitmanPro.

Here a video showing the Redirection of the files belonging to Windows Defender and Microsoft Security Essentials:

The repair of Windows Defender and Microsoft Security Essentials by HitmanPro is free.

Download
Existing users of HitmanPro are automatically updated to the latest version while new users can download HitmanPro from here: get.hitmanpro.com.


HitmanPro removes child pornography

March 28, 2013

Today we have released HitmanPro version 3.7.3. One of the new features is the removal of child pornography that is dropped by the latest Urausy ransomware.

Urausy ransomware locks down the computer and displays images on screen to convince the user that child pornography was found. The images, displayed by the ransomware, are there to compel the victim to pay the 100 euro fine. In any case you should never pay the ransom.

Forensic Clustering
Having child pornography on the computer is illegal. Therefore HitmanPro version 3.7.3 not only removes the ransomware, but also the child pornography files. HitmanPro harnesses its forensic file clustering feature to relate images to the ransomware. This way the images get deleted along with the ransomware. An example:

Kickstart in action against Urausy

Kickstart Improvements
The easiest way to remove any kind of ransomware is using HitmanPro.Kickstart (link). HitmanPro version 3.7.3 offers an improved Kickstart Bootstrap loader that allows you to boot straight into your ransomed, but familiar Windows environment, bypassing any ransomware. There is no need to become familiar with the tools of other operating systems, like for instance Linux.

Besides killing ransomware, HitmanPro.Kickstart is also very useful for removing rogue antivirus malware. For example, Disk Antivirus Professional and AVASoft Antivirus Professional, both members of the Winwebsec malware family, prevent you to start any malware removal tools.

AVASoft Antivirus Professional

While HitmanPro already offers Force Breach to counter the attack on the HitmanPro process, you can now also use HitmanPro.Kickstart. Because new in version 3.7.3 is the addition of Kickstart hardening. This basically protects the HitmanPro application from being killed by external processes.

So if you boot your computer with HitmanPro.Kickstart, you can now easily kill rogue antiviruses as well.

Happy Easter!

HitmanPro 3.7.3 Changelog

  • ADDED: Removal of child pornography images dropped by Urausy ransomware.
  • ADDED: Detection of zero-day Urausy ransomware through forensic file clustering.
  • ADDED: Kickstart hardening to protect HitmanPro processes from Winwebsec malware family.
    Use Kickstart against Disk Antivirus Professional, AVASoft Antivirus Professional or other rogue antiviruses.
  • IMPROVED: Forensic file clustering speed.
  • IMPROVED: Reduced memory usage during forensic file clustering.
  • IMPROVED: Processing of registry key values.
  • FIXED: On some BIOSes, when booting with Kickstart, Windows loader would hang with either frozen screen or blinking cursor.
  • UPDATED: Kickstart Bootstrap loader 2.1.
  • UPDATED: Embedded white lists.

Download
http://www.surfright.nl/downloads


NBC.com hacked, serving up Citadel malware

February 21, 2013

A few hours ago Ronald Prins of Fox-IT (@cryptoron) was tweeting about NBC.com infecting its visitors with malicious software (malware). We were investigating this as well and found the following interesting facts.

Update: Fox-IT has also posted a blog item on the incident.

There were two exploits links on the NBC website. The first one was on the main default (entry) page. And the second one was located on hxxp://www.nbc.com/assets/core/js/s_wrapper.js

s_wrapper_js

It serves both Java (CVE-2013-0422) and PDF exploits. The exploit drops the Citadel Trojan which is used for banking fraud and cyber-espionage. The Citadel malware communicates with the following server, which is already sinkholed:

hxxp://184.82.177.125/tr2002/file.php
hxxp://184.82.177.125/tr2102/file.php

We’ve seen at least two different Citadel Trojans. MD5 hashes of the droppers:
c26c64c3129fca7aafe695904d5976da
16ee24be6b0afac36c994c9568e24331

An hour later the attack pages were swapped, which means the cyber criminals still have access to NBC’s pages. We’ve seen them linking to e.g.:

hxxp://umaiskhan.com/ztuj.html
hxxp://moi-npovye-sploett.com/qqqq/1.php
hxxp://priceworldpublishing.com/aynk.html
hxxp://nikweinstein.com/cl/google.php
hxxp://walterjeffers.com/ctuk.html
hxxp://barbecuechickenrecipes.org/ctuk.htm
hxxp://toplineops.com/mtnk.html
hxxp://fabricaequiposestetica.com/ztuj.htm


RedKit Exploit Kit

The attacks were carried out by the Redkit Exploit Kit. One of RedKit’s noticeable features is that it can generate and rotate attack URLs every hour.

RedKit was also used last year during the Telegraaf attack in The Netherlands which served the Citadel Trojan from the Pobelka botnet (Dutch). The Pobelka botnet stole highly sensitive information (including usernames, passwords, certificates, documents and other data), 750GB in size, from over 150.000 computers located in networks from the Dutch government, hospitals, vital infrastructures like water and power plants, airlines, multinationals and other companies.


Just a coincidence
Did you know that the Citadel Trojan responsible for the Dorifel outbreak in The Netherlands last year had the NBC logo as file icon?dorifel-citadel


On-Demand Detection and Timeline
HitmanPro’s behavioral scan detects zero-day Citadel malware quite easily as can be seen in the below screenshot.

The new forensic cluster feature of HitmanPro establish a pretty timeline – post infection. So even if you got infected a few days ago, HitmanPro provides evidence on how that happened.

Citadel infection


ZeroAccess

Some of the victims have also been infected with the ZeroAccess malware after visiting NBC.com:
994da098a62905385af8481329bf7c70

nbc-zeroaccess

nbc-zeroaccess-hitmanpro

The ZeroAccess malware moderates an affected user’s Internet experience by modifying search results, and generates pay-per-click advertising revenue for its controllers, the cybercriminals. ZeroAccess is a dangerous threat that uses stealth techniques in order to hinder its detection and removal.


Unknown malware
The attack also served an unknown malware binary, connecting to various websites:

hxxp://envirsoft.com/d.htm
hxxp://eastsidetennisassociation.com/l.htm
hxxp://magasin-shop.com/r.htm
hxxp://beautiesofcanada.com/o.htm

Some antivirus vendors identify this malware as Zbot or a rootkit (MD5: 1fa5afe1ddcd083d40b5b330fd9b3613), but it is most definitely not Zbot and it’s not a rootkit either. The malware binary has a curious filename (3S4H3S.exe) and an interesting string at the end “SadokBdi”. If you Google Sadok or Kodas, you come across some interesting webpages.

SadokBdi


Facebook.com
While the attack is ongoing, Facebook.com is preventing posts to NBC.com, as can be seen from this screenshot:

Facebook


Perform Second Opinion Scan
If you’ve visited NBC.com today, you should perform a FREE second opinion scan to see if your computer got infected. You can download HitmanPro from here: get.hitmanpro.com


Late Night Show Jimmy Fallon

4 hours after the initial detection, the webpages of NBC.com still contained iframes opening exploit sites. In addition, we have seen other webpages like hxxp://www.latenightwithjimmyfallon.com and hxxp://www.jaylenosgarage.com serving some of the same links as NBC.com. This is also confirmed by the guys at Securi Blog.


Dorifel, Pobelka and a Chinese connection

February 1, 2013

It has been a while since we wrote our last blog. Sorry for this but we were busy with a lot of projects. Two noteworthy projects were the release of our unique solution against ransomware (e.g. FBI Reveton and BKA/GVU trojans) and of course the disclosure of the Pobelka Citadel botnet that haunted 150.000 Dutch (mostly government and business) computers for 8 months last year. The latter hasn’t been discussed much internationally because we released our extensive research in the Dutch language only (which is available here). Regarding this research, we reveal some additional but striking insights now the entire world is talking about Chinese hackers attacking media networks of the New York Times, Wall Street Journal and Bloomberg.

Perhaps you still remember September last year, when cybercriminals were able to launch attacks on Dutch computers by using a compromised marketing server used by ‘De Telegraaf’, a widely read newspaper and the #11 website in The Netherlands. This was the umptiest Dutch incident, after others like NU.nl, weeronline.nl, and of course the Dorifel outbreak which brought operations of many Dutch municipalities, government and large multinational companies to a standstill (for days).

Pobelka botcount

Illustration 1: Bots connecting with Pobelka command and control server

Of course we were curious why the Dutch were hit again and at that time decided to find out what was behind these incidents and if there was a common denominator.

We began investigating the malware dropper used in the Telegraaf incident and discovered (thanks to our HitmanPro cloud data) that it was spreading 4 different malware families during this particular incident: FakeAV, ZeroAccess, Medfos (we omitted Medfos in our earlier blog on the incident) and of course the Pobelka Citadel malware.

Domains
In this investigation we noticed an interesting fact: the Citadel server used in the Telegraaf incident was registered with the EXACT same credentials as a domain used by the gang responsible for spreading the Dorifel trojan. So they are somehow related or perhaps even the same criminals:

pobelka.com

Illustration 2: Pobelka.com domain used by the Citadel server

ipo90.com domain used by Dorifel.3

Illustration 3: ipo90.com domain used by Dorifel-3 to distribute ransomware, that hit mostly non-Dutch systems

Even though we believe that eastern European criminals are behind the attack operations, you obviously have noticed the Chinese registration of the domains as well…

Responsible Disclosure
Remembering their investigative work on the Citadel server responsible for spreading Dorifel, we asked Dutch forensic firm Digital Investigation to work with us and to investigate our early research data. It didn’t took them long to bypass the different proxies that were hiding the server from plain view. In cooperation with law enforcement they seized this Citadel command and control server and discovered over 750 Gigabytes of sensitive information, which included login credentials (passwords), client certificates (remember DigiNotar) and even detailed overviews of internal networks that weren’t directly connected to the internet.

Citadel looking for other systems

Illustration 4: Citadel searching for information about other systems

So all this data was gathered and stolen by the Pobelka Citadel malware from inside Dutch government networks, hospitals, aviation industry and even networks controlling critical infrastructure, including industrial control systems (ICS). We did responsible disclosure e.g. by giving government time to handle the situation internally and by not revealing names of the many, many affected institutions, companies and public authorities. But because government officials did not deem the findings interesting enough to call for a nationwide check (many roaming business and home computers were affected as well), our extensive research didn’t even reach national news, let alone internationally.

Advanced Persistent Threat
It’s also worth noting that the Citadel malware (which is based on source code of the notorious Zeus banking trojan) is not considered to be an advanced persistent threat (APT), even though it also manages to stay under the radar for months (like the malware used in the New York Times breach). Last year we devoted a blog post on the prevalence of banking trojans (like Citadel) which revealed that this type of malware stays undetected for 25 days, on average, on computers actively protected by up-to-date antivirus software: Antivirus shortens the lifetime of financial malware

In our Dutch research paper on the Pobelka botnet we also explain how the Citadel malware easily bypasses these renowned antivirus programs and why it remains undetected for such a long time. And the Pobelka botnet, which was specifically setup to target Dutch and German computers, was not the only botnet operational in The Netherlands last year. We estimate that hundreds of similar (and larger) botnets are still operational right now, not only in The Netherlands. If you think the country of the Dutch is small, insignificant and seemingly unexciting, consider the operations going on in bigger countries, like France, Germany or the United States.

Check Now
If you are Dutch or German and you want to know if your company, network or sensitive data was compromised by the Pobelka botnet, simply go to this website by Digital Investigation to find out:

http://check.botnet.nu

There you can also download HitmanPro, our free second opinion anti-malware, which uses behavioral analysis instead of virus signatures to hunt down zero-day threats, including all variants of malware based on Zeus, like Citadel.

Read here for our blog posting regarding the Dorifel outbreak and our role in rescuing hundreds of millions of documents on government networks and multinationals.

Update: Kaspersky posted an article about McAfee’s research on the Citadel trojan in Europe, spying on government and business computers: Citadel Trojan: It’s Not Just Banking Fraud Anymore


Follow

Get every new post delivered to your Inbox.

Join 36 other followers