Vulnerability in Microsoft Windows XP Dbghelp.dll(version 5.x) has been exploited by malwares to thwart debugging by researchers. The Dbghelp.dll is the Windows Image Helper dynamic linking library. This dll was being used by almost all the debuggers and disassemblers. The code that reads export function name fails to check the function name length before moving the data into the stack.
The malware authors have exploited this Remote code execution vulnerability with a specially crafted executable file with malicious export table. The exploit code exits the Olly debugger while it was trying to load this executable. Certain IRC bots are coming with this anti debugging(loading) protection. The latest version of Olly Debugger comes with this vulnerable dll.
To exploit this vulnerability the export function name must be greater than 2104 bytes. The interesting thing is malwares are coming with export function name longer than this size. The malware which I have seen had TLS call back function. The malware author tried to hide this exploitation trick by setting a TLS call back function so as to make us think the anti debugging trick would be lying in TLS function. The IDA pro debugger version 5.1.x itself is using the Dbghelp.dll version 6.x. I don't know what version of this dll other debuggers are using.
I kindly request the malware reversers particularly those who use Olly debugger to reverse malwares to use the new version of Dbghelp.dll(6.x and above).
Wednesday, November 10, 2010
Friday, September 3, 2010
Applications vulnerable to Dll Hijacking
These are all the list of applications (along with dll name) that are vulnerable to Dll Hijacking attack in windows.
For more Information about Dll Hijacking take a look at my previous posting on Dll preloading.
* ArchiCad 13.00 (srcsrv.dll)
* Nokia Suite contentcopier (wintab32.dll)
* Nokia Suite communicationcentre (wintab32.dll)
* Sony Sound Forge Pro 10.0 (MtxParhVegasPreview.dll)
* Camtasia Studio 7 (mfc90enu.dll, mfc90loc.dll)
* Media Player Classic v1.3.2189.0 (ehtrace.dll)
* Microsoft Help and Support Center (wshfra.dll)
* Microsoft Clip Book Viewer (mfaphook.dll)
* Real Player 1.1.5 Build 12.0.0.879 (wnaspi32.dll)
* SiSoftware Sandra (dwmapi.dll)
* SMPlayer v0.6.9 (wintab32.dll)
* Winmerge v2.12.4 (MFC71ESN.DLL)
* Steam Games (steamgamesupport.dll)
* UltraISO Premium 9.36 .isz (daemon.dll)
* wscript.exe (XP) (wshfra.dll)
* Autodesk AutoCAD 2007 (color.dll)
* Daemon tools lite .mds (mfc80loc.dll)
* Google Earth v5.1.3535.3218 .kmz (quserex.dll)
* Nullsoft Winamp 5.581 .cda (wnaspi32.dll)
* Media Player Classic 6.4.9.1 .mka (iacenc.dll)
* Corel PHOTO-PAINT X3 v13.0.0.576 .cpt (crlrib.dll)
* CorelDRAW X3 v13.0.0.576 .cmx .csl (crlrib.dll)
* Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll)
* Adobe Extension Manager CS5 v5.0.298 (dwmapi.dll)
* Mozilla Thunderbird ( dwmapi.dll )
* Microsoft Office PowerPoint 2007 (rpawinet.dll)
* Roxio MyDVD 9 (HomeUtils9.dll)
* Windows Internet Communication Settings (schannel.dll)
* Microsoft Windows Contacts (wab32res.dll)
* Adobe InDesign CS4 (ibfs32.dll)
* Cisco Packet Tracer 5.2 (wintab32.dll)
* Nvidia Driver (nview.dll)
* Adobe Illustrator CS4 (aires.dll)
* Adobe On Location CS4 (ibfs32.dll)
* Adobe Premier Pro CS4 (ibfs32.dll)
* Roxio Creator DE (HomeUtils9.dll)
* Skype <= 4.2.0.169 (wab32.dll)
* Mediaplayer Classic 1.3.2189.0 (iacenc.dll)
* TechSmith Snagit 10 (Build 788) (dwmapi.dll)
* Ettercap NG-0.7.3 (wpcap.dll)
* Microsoft Group Convertor .grp (imm.dll)
* Safari v5.0.1 (dwmapi.dll)
* Adobe Device Central CS5 (qtcf.dll)
* Microsoft Internet Connection Signup Wizard (smmscrpt.dll)
* InterVideo WinDVD 5 (cpqdvd.dll)
* Roxio Photosuite 9 (homeutils9.dll)
* Microsoft Vista BitLocker Drive Encryption (fveapi.dll)
* VLC Media Player (wintab32.dll)
* uTorrent DLL Hijacking Vulnerabilities
* TeamMate Audit Management Software Suite (mfc71enu.dll)
* Microsoft Office Groove 2007 (mso.dll)
* Microsoft Address Book 6.00.2900.5512 (wab32res.dll)
* Microsoft Visio 2003 (mfc71enu.dll)
* avast! <= 5.0.594 license files (mfc90loc.dll)
* Adobe Photoshop CS2 (Wintab32.dll)
* Adobe Dreamweaver CS5 <= 11.0 build 4909 (mfc90loc.dll)
* BS.Player <= 2.56 build 1043 (mfc71loc.dll)
* Adobe Dreamweaver CS4 (ibfs32.dll)
* TeamViewer <= 5.0.8703 (dwmapi.dll)
* Microsoft Windows 7 wab.exe (wab32res.dll)
* Opera v10.61 (dwmapi.dll)
* Microsoft Windows Movie Maker <= 2.6.4038.0 (hhctrl.ocx)
* Firefox <= 3.6.8 (dwmapi.dll)
* Windows Live Email (dwmapi.dll)
* Foxit Reader <= 4.0 pdf Jailbreak Exploit
* uTorrent <= 2.0.3 (plugin_dll.dll)
* Microsoft Power Point 2010 (pptimpconv.dll)
* Wireshark <= 1.2.10 (airpcap.dll)
* Notepad++ (SciLexer.dll)
* Microsoft Power Point 2007 (pp4x322.dll)
* Microsoft Visio 2010 v14.0.4514.1004 (dwmapi.dll)
* Microsoft Word 2007 (msapsspc.dll,schannel.dll, digest.dll, msnsspc.dll)
* Microsoft Powerpoint 2007 (pp7x32.dll, pp4x322.dll, msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll)
* Tftpd32 version 3.35 (IPHLPAPI.DLL)
* Microsoft ATL Trace Tool Build 10.0.30319.1 atltracetool8.exe dwmapi extention .trc
* Windows Live! Messenger (Build => 14.0.8117.416) msgsres.dll Hijacking
* Active Perl v5.12.1 (wshenu.dll)
* CATIA V5 R17 (hzs_lm.dll)
* Autodesk AutoCAD 2007 (color.dll)
* Cool Edit Pro 2.0 (coolburn.dll)
* GOM Player 2.1.25.5015 (schannel.dll)
* MAGIX Music Studio 12 deluxe (playripla6.dll)
* Opera 10.61 (dwmapi.dll)
* TeamViewer 5 (dwmapi.dll)
* Windows Address Book (wab32res.dll)
* Java Version 6 Update 21 (schannel.dll)
* Windows Progman Group Converter (imm.dll)
* NetStumbler 0.4.0 (mfc71enu.dll)
* Windows Mail 6.0.6000.16386 (wab32res.dll)
* TeamViewer (TV.dll)
* Wireshark <= 1.2.10 (libintl-8.dll)
* Microsoft Windows Media Encoder 9 .prx (msxml.dll)
* Notepad++ V5.4.5 Dll Hijack (SpellChecker.dll)
* Windows 7 and Vista Backup Utility .wbcat (fveapi.dll)
* Virtual DJ 6.1.2 .mp3 hdjapi.dll
* Atheros Client Utility dll Hijacking exploit (oemres.dll)
* Internet download manager dll Hijacking exploit (idmmkb.dll)
* Forensic Toolkit .ftk (MFC90DEU.DLL)
* EnCase .endump (rsaenh.dll)
* IBM Rational License Key Administrator .upd (IBFS32.DLL)
* PGP Desktop 9.8 .pgp (credssp.dll)
* Forensic CaseNotes .notes (credssp.dll)
* Microsoft RDP .rdp (ieframe.dll)
* pdf x viewer .pdf (wintab32.dll)
* Ultr@ VNC Viewer .vnc (vnclang.dll)
* Babylon v8.0.0.18 .txt (besextension.dll)
* QtWeb v3.3 .htm, .xml (wintab32.dll)
* IZArc 4.1.2.2012 .rar .zip .jar (ztv7z.dll)
* Jetaudio v7.1.8.4006 plus VX .mp3 mogg .mov and others (wnaspi32.dll)
* TechSmith Snagit v7.2.5 .snagprof (mfc71enu.dll)
* QXDM v03.09.19 (Qualcomm eXtensible Diagnostic Monitor) .isf (mfc71enu.dll)
This listing was published to make security analysts aware of exploitable applications in order to protect their resources from any possible attacks.
For more Information about Dll Hijacking take a look at my previous posting on Dll preloading.
* ArchiCad 13.00 (srcsrv.dll)
* Nokia Suite contentcopier (wintab32.dll)
* Nokia Suite communicationcentre (wintab32.dll)
* Sony Sound Forge Pro 10.0 (MtxParhVegasPreview.dll)
* Camtasia Studio 7 (mfc90enu.dll, mfc90loc.dll)
* Media Player Classic v1.3.2189.0 (ehtrace.dll)
* Microsoft Help and Support Center (wshfra.dll)
* Microsoft Clip Book Viewer (mfaphook.dll)
* Real Player 1.1.5 Build 12.0.0.879 (wnaspi32.dll)
* SiSoftware Sandra (dwmapi.dll)
* SMPlayer v0.6.9 (wintab32.dll)
* Winmerge v2.12.4 (MFC71ESN.DLL)
* Steam Games (steamgamesupport.dll)
* UltraISO Premium 9.36 .isz (daemon.dll)
* wscript.exe (XP) (wshfra.dll)
* Autodesk AutoCAD 2007 (color.dll)
* Daemon tools lite .mds (mfc80loc.dll)
* Google Earth v5.1.3535.3218 .kmz (quserex.dll)
* Nullsoft Winamp 5.581 .cda (wnaspi32.dll)
* Media Player Classic 6.4.9.1 .mka (iacenc.dll)
* Corel PHOTO-PAINT X3 v13.0.0.576 .cpt (crlrib.dll)
* CorelDRAW X3 v13.0.0.576 .cmx .csl (crlrib.dll)
* Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll)
* Adobe Extension Manager CS5 v5.0.298 (dwmapi.dll)
* Mozilla Thunderbird ( dwmapi.dll )
* Microsoft Office PowerPoint 2007 (rpawinet.dll)
* Roxio MyDVD 9 (HomeUtils9.dll)
* Windows Internet Communication Settings (schannel.dll)
* Microsoft Windows Contacts (wab32res.dll)
* Adobe InDesign CS4 (ibfs32.dll)
* Cisco Packet Tracer 5.2 (wintab32.dll)
* Nvidia Driver (nview.dll)
* Adobe Illustrator CS4 (aires.dll)
* Adobe On Location CS4 (ibfs32.dll)
* Adobe Premier Pro CS4 (ibfs32.dll)
* Roxio Creator DE (HomeUtils9.dll)
* Skype <= 4.2.0.169 (wab32.dll)
* Mediaplayer Classic 1.3.2189.0 (iacenc.dll)
* TechSmith Snagit 10 (Build 788) (dwmapi.dll)
* Ettercap NG-0.7.3 (wpcap.dll)
* Microsoft Group Convertor .grp (imm.dll)
* Safari v5.0.1 (dwmapi.dll)
* Adobe Device Central CS5 (qtcf.dll)
* Microsoft Internet Connection Signup Wizard (smmscrpt.dll)
* InterVideo WinDVD 5 (cpqdvd.dll)
* Roxio Photosuite 9 (homeutils9.dll)
* Microsoft Vista BitLocker Drive Encryption (fveapi.dll)
* VLC Media Player (wintab32.dll)
* uTorrent DLL Hijacking Vulnerabilities
* TeamMate Audit Management Software Suite (mfc71enu.dll)
* Microsoft Office Groove 2007 (mso.dll)
* Microsoft Address Book 6.00.2900.5512 (wab32res.dll)
* Microsoft Visio 2003 (mfc71enu.dll)
* avast! <= 5.0.594 license files (mfc90loc.dll)
* Adobe Photoshop CS2 (Wintab32.dll)
* Adobe Dreamweaver CS5 <= 11.0 build 4909 (mfc90loc.dll)
* BS.Player <= 2.56 build 1043 (mfc71loc.dll)
* Adobe Dreamweaver CS4 (ibfs32.dll)
* TeamViewer <= 5.0.8703 (dwmapi.dll)
* Microsoft Windows 7 wab.exe (wab32res.dll)
* Opera v10.61 (dwmapi.dll)
* Microsoft Windows Movie Maker <= 2.6.4038.0 (hhctrl.ocx)
* Firefox <= 3.6.8 (dwmapi.dll)
* Windows Live Email (dwmapi.dll)
* Foxit Reader <= 4.0 pdf Jailbreak Exploit
* uTorrent <= 2.0.3 (plugin_dll.dll)
* Microsoft Power Point 2010 (pptimpconv.dll)
* Wireshark <= 1.2.10 (airpcap.dll)
* Notepad++ (SciLexer.dll)
* Microsoft Power Point 2007 (pp4x322.dll)
* Microsoft Visio 2010 v14.0.4514.1004 (dwmapi.dll)
* Microsoft Word 2007 (msapsspc.dll,schannel.dll, digest.dll, msnsspc.dll)
* Microsoft Powerpoint 2007 (pp7x32.dll, pp4x322.dll, msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll)
* Tftpd32 version 3.35 (IPHLPAPI.DLL)
* Microsoft ATL Trace Tool Build 10.0.30319.1 atltracetool8.exe dwmapi extention .trc
* Windows Live! Messenger (Build => 14.0.8117.416) msgsres.dll Hijacking
* Active Perl v5.12.1 (wshenu.dll)
* CATIA V5 R17 (hzs_lm.dll)
* Autodesk AutoCAD 2007 (color.dll)
* Cool Edit Pro 2.0 (coolburn.dll)
* GOM Player 2.1.25.5015 (schannel.dll)
* MAGIX Music Studio 12 deluxe (playripla6.dll)
* Opera 10.61 (dwmapi.dll)
* TeamViewer 5 (dwmapi.dll)
* Windows Address Book (wab32res.dll)
* Java Version 6 Update 21 (schannel.dll)
* Windows Progman Group Converter (imm.dll)
* NetStumbler 0.4.0 (mfc71enu.dll)
* Windows Mail 6.0.6000.16386 (wab32res.dll)
* TeamViewer (TV.dll)
* Wireshark <= 1.2.10 (libintl-8.dll)
* Microsoft Windows Media Encoder 9 .prx (msxml.dll)
* Notepad++ V5.4.5 Dll Hijack (SpellChecker.dll)
* Windows 7 and Vista Backup Utility .wbcat (fveapi.dll)
* Virtual DJ 6.1.2 .mp3 hdjapi.dll
* Atheros Client Utility dll Hijacking exploit (oemres.dll)
* Internet download manager dll Hijacking exploit (idmmkb.dll)
* Forensic Toolkit .ftk (MFC90DEU.DLL)
* EnCase .endump (rsaenh.dll)
* IBM Rational License Key Administrator .upd (IBFS32.DLL)
* PGP Desktop 9.8 .pgp (credssp.dll)
* Forensic CaseNotes .notes (credssp.dll)
* Microsoft RDP .rdp (ieframe.dll)
* pdf x viewer .pdf (wintab32.dll)
* Ultr@ VNC Viewer .vnc (vnclang.dll)
* Babylon v8.0.0.18 .txt (besextension.dll)
* QtWeb v3.3 .htm, .xml (wintab32.dll)
* IZArc 4.1.2.2012 .rar .zip .jar (ztv7z.dll)
* Jetaudio v7.1.8.4006 plus VX .mp3 mogg .mov and others (wnaspi32.dll)
* TechSmith Snagit v7.2.5 .snagprof (mfc71enu.dll)
* QXDM v03.09.19 (Qualcomm eXtensible Diagnostic Monitor) .isf (mfc71enu.dll)
This listing was published to make security analysts aware of exploitable applications in order to protect their resources from any possible attacks.
Tuesday, August 31, 2010
Windows DLL load hijacking
This blogging is to demonstrate DLL Pre-loading/hijacking bug in Windows.
The basis of this exploit is the way in which Windows works and how it loads DLL files used by many applications, if an application calls a DLL without specifying an absolute path Windows will conduct a search for the DLL file in various set locations. This is being abused by computer criminals.
The Microsoft Security Response Center has written about the issue :
"Loading dynamic libraries is basic behavior for Windows and other operating systems, and the design of some applications require the ability to load libraries from the current working directory. Hence, this issue cannot directly be addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure they code secure library loads. However, we’re looking into ways to make it easier for developers to not make this mistake in the future.
Microsoft is also conducting a thorough investigation into how this new vector may affect Microsoft products. As always, if we find this issue affects any of our products, we will address them appropriately."
Microsoft also has published some Registry tweaks which can change the default DLL library search behavior:
http://support.microsoft.com/kb/2264107
Testing the Exploit:
Ok let us try to employ this exploit on "Media Player Classic".
Write a dll of your own. If don't know how to write a dll you can get it from the link below.
http://www.filefactory.com/file/b32433b/n/iacenc.rar
http://rapidshare.com/files/416173663/iacenc.rarMD5: 886173D0BB985E7E8DF51E4CBAE242B6
I assume that you have Media player classic being installed in your machine.
Rename the dll as "iacenc.dll". Place it in a directory with any media file that can be played by Media player Classic.
Now open the media file and see the magic.
This exploit can be used by malware writers to spread their malware. So security professionals are expected to get updated knowledge on this exploits. To check on what priority applications load a dll you can use Sysinternal's FileMon tool.
The basis of this exploit is the way in which Windows works and how it loads DLL files used by many applications, if an application calls a DLL without specifying an absolute path Windows will conduct a search for the DLL file in various set locations. This is being abused by computer criminals.
The Microsoft Security Response Center has written about the issue :
"Loading dynamic libraries is basic behavior for Windows and other operating systems, and the design of some applications require the ability to load libraries from the current working directory. Hence, this issue cannot directly be addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure they code secure library loads. However, we’re looking into ways to make it easier for developers to not make this mistake in the future.
Microsoft is also conducting a thorough investigation into how this new vector may affect Microsoft products. As always, if we find this issue affects any of our products, we will address them appropriately."
Microsoft also has published some Registry tweaks which can change the default DLL library search behavior:
http://support.microsoft.com/kb/2264107
Testing the Exploit:
Ok let us try to employ this exploit on "Media Player Classic".
Write a dll of your own. If don't know how to write a dll you can get it from the link below.
http://www.filefactory.com/file/b32433b/n/iacenc.rar
http://rapidshare.com/files/416173663/iacenc.rar
I assume that you have Media player classic being installed in your machine.
Rename the dll as "iacenc.dll". Place it in a directory with any media file that can be played by Media player Classic.
Now open the media file and see the magic.
This exploit can be used by malware writers to spread their malware. So security professionals are expected to get updated knowledge on this exploits. To check on what priority applications load a dll you can use Sysinternal's FileMon tool.
Friday, June 11, 2010
Gunpack - God's Unpacker
To protect malwares from detection by AV vendors malware authors use packers/cryptors for protection. For malware analysts unpacking executable is the greatest problem they encounter while analyzing protected executable files.
To combat packer challenges a memory dumping attack was employed in GUnpack tool.G(ods)Unpack tool unpacks packed executable files based on memory dumping technique.
Download page[Google code]
To combat packer challenges a memory dumping attack was employed in GUnpack tool.G(ods)Unpack tool unpacks packed executable files based on memory dumping technique.
Download page[Google code]
Wednesday, June 9, 2010
Autorun Cleaning tool
To clean autorun files on all the drives I have written a handy tool in Visual C.
Link1 [File Factory]
Link2 [YourFileLink]
Link3 [RapidShare]
Zipfile MD5 : BEEB5D98FBB1031F1046D801D61074DD
SHA1: D841CD5F60448FA2E487FDED179CA5E05DF79DBB
Unzip the file and check checksum before using.
SHA1 : 9A83F85FB7BFE0D585BAE662A946D8025695D11D
MD5 :BD891972669DD82393F303DDA15BF2CE
Link1 [File Factory]
Link2 [YourFileLink]
Link3 [RapidShare]
Zipfile MD5 : BEEB5D98FBB1031F1046D801D61074DD
SHA1: D841CD5F60448FA2E487FDED179CA5E05DF79DBB
Unzip the file and check checksum before using.
SHA1 : 9A83F85FB7BFE0D585BAE662A946D8025695D11D
MD5 :BD891972669DD82393F303DDA15BF2CE
Sunday, June 6, 2010
Buster sandbox Released
A new sand boxing tool Buster sand box has been released.
The tools is available for free and can be downloaded at.
It has both automatic and manual analysis mode.
It even has digital signature detection option also.
It monitors file, Registry, Network changes etc.
It can be also made to work in hidden mode using a build in driver that comes with it.
It also has excluding list to exclude certain file and registry changes.
It needs sandboxie sandbox.
The tools is available for free and can be downloaded at.
It has both automatic and manual analysis mode.
It even has digital signature detection option also.
It monitors file, Registry, Network changes etc.
It can be also made to work in hidden mode using a build in driver that comes with it.
It also has excluding list to exclude certain file and registry changes.
It needs sandboxie sandbox.
Sunday, May 9, 2010
How Wecorl trapped security giant MCAffee
The recent false detection and deletion of svchost.exe(XP sp3) by MCAffee shocked every one who use MCAffee Anti virus. This article will try to reveal the dark side of this incident. False positives problem is a big head ache for AV companies. Even Anti virus titans are having this problem. The number of unique malwares are doubling every year. Every day AV companies are getting thousands of samples from various sources. In reality a malware analyst can analyze only tens of malware every day.
To analyze thousands of samples every day employing malware analysts and paying them is not even an imaginable thing for AV companies. But on many AV tests giving more than 90% detection rate is not possible with very few analysts. so finally many of them start to use a heuristic tool(program) which will scan the sample with major anti virus tools and based on other AV's detection it will directly add detection pattern(eg:CRC) for that sample with out being checked by a malware analyst.
w32/wecorl is a file patching worm that patches svchost.exe(other versions infect iexplore.exe, winlogon.exe etc) and spreads to other machines by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability.
The thing to be considered here is that all the AV's are detecting wecorl as a worm. The patching logic of wecorl is not even on all the machines. It varies depending on the cavity(zero bytes) available in the file it is trying to patch. But the call to infected code lies near the entry point. So the detection pattern added by MCAfee for wecorl is too bad in this case.
To avoid this type of incidents every AV vendor should stop adding detection patterns for malware by considering other AV's detection. They should expand the strength of their research lab. Atleast analyzing every samples that they receive with sand-box would help them in avoiding this kind of incidents.
At last I want to refer the article by Magnus - "On the way to better testing" in viruslist.com is a good testing article . But this article has been criticized by most of the AV vendors.
To analyze thousands of samples every day employing malware analysts and paying them is not even an imaginable thing for AV companies. But on many AV tests giving more than 90% detection rate is not possible with very few analysts. so finally many of them start to use a heuristic tool(program) which will scan the sample with major anti virus tools and based on other AV's detection it will directly add detection pattern(eg:CRC) for that sample with out being checked by a malware analyst.
w32/wecorl is a file patching worm that patches svchost.exe(other versions infect iexplore.exe, winlogon.exe etc) and spreads to other machines by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability.
The thing to be considered here is that all the AV's are detecting wecorl as a worm. The patching logic of wecorl is not even on all the machines. It varies depending on the cavity(zero bytes) available in the file it is trying to patch. But the call to infected code lies near the entry point. So the detection pattern added by MCAfee for wecorl is too bad in this case.
To avoid this type of incidents every AV vendor should stop adding detection patterns for malware by considering other AV's detection. They should expand the strength of their research lab. Atleast analyzing every samples that they receive with sand-box would help them in avoiding this kind of incidents.
At last I want to refer the article by Magnus - "On the way to better testing" in viruslist.com is a good testing article . But this article has been criticized by most of the AV vendors.
Wednesday, January 27, 2010
Rogue - Security Tool
This rogue tool roams around the Internet recently and annoys users.
Kaspersky detects this one as Fraudpack only. The interesting thing is that KAV fails to detect the unpacked file and detects only the packer.
The malware on execution installs it's copy into %Document & Settings\All Users\Application data%\%rand%\%rand%.exe
On successful installation displays the dialogue box with message "security tool successfully installed".
Then makes an impression of scanning the system for spyware and adware. Always shows a detection count of exactly 21 threats. The threat count never changes for this rogue-ware.
The original file is deleted through a batch file dropped in the same directory.
The batch file kills the initial copying files process by it's image name ( taskkill /im ) and deletes it.
The malware adds a run entry to start automatically after reboot. The real face of the malware can be seen only after reboot. On rebooting the system it kills all the user processes alerting them all as malware.
The malware after making a snapshot of all the available processes terminates them.
It doesn't make privilege escalation to kill highly privileged processes. The reason is, it doesn't want to crash the system but it just wanna annoy the user, by restricting him from running any application.
It asks the user to register the product in order to clean the malwares in the system.
It also shows pop up messages regarding the system infection.
The interesting fact in this scenario is this rogue doesn't terminates the internet explorer process(iexplore.exe).The reason may be to enable the user to make payments to register.
It also allows certain other processes to run.
List:
firefox.exe
wscntfy.exe
shutdown.exe
avcheck.exe
wuauclt.exe
soft-cleaner.exe
So if you are infected by this malware don't reboot the system.
Just open the task manager and look for a process name with random numbers and terminate them. Then do usual cleaning in registry and file system.
If you reboot the system then it is really hard to kill the process.
As most of the rogue malwares are packed with polymorphic packers I didn't find any AV company unpacking them.
Even though certain AV's detect them as a packed file(packer detection). I have seen certain security application's(even certain av's) processes gets terminated by this rogue.
This malware application is actually written in Delphi. Even manually unpacking this malware is not a impossible task, but you should be aware of anti debugging trick in the packer.
For reference in reversing delphi look for my paper "digging deplhi" at vxheavens.
Kaspersky detects this one as Fraudpack only. The interesting thing is that KAV fails to detect the unpacked file and detects only the packer.
The malware on execution installs it's copy into %Document & Settings\All Users\Application data%\%rand%\%rand%.exe
On successful installation displays the dialogue box with message "security tool successfully installed".
Then makes an impression of scanning the system for spyware and adware. Always shows a detection count of exactly 21 threats. The threat count never changes for this rogue-ware.
The original file is deleted through a batch file dropped in the same directory.The batch file kills the initial copying files process by it's image name ( taskkill /im ) and deletes it.
The malware adds a run entry to start automatically after reboot. The real face of the malware can be seen only after reboot. On rebooting the system it kills all the user processes alerting them all as malware.
The malware after making a snapshot of all the available processes terminates them.
It doesn't make privilege escalation to kill highly privileged processes. The reason is, it doesn't want to crash the system but it just wanna annoy the user, by restricting him from running any application.
It asks the user to register the product in order to clean the malwares in the system.
It also shows pop up messages regarding the system infection.
The interesting fact in this scenario is this rogue doesn't terminates the internet explorer process(iexplore.exe).The reason may be to enable the user to make payments to register.
It also allows certain other processes to run.
List:
firefox.exe
wscntfy.exe
shutdown.exe
avcheck.exe
wuauclt.exe
soft-cleaner.exe
So if you are infected by this malware don't reboot the system.
Just open the task manager and look for a process name with random numbers and terminate them. Then do usual cleaning in registry and file system.
If you reboot the system then it is really hard to kill the process.
As most of the rogue malwares are packed with polymorphic packers I didn't find any AV company unpacking them.
Even though certain AV's detect them as a packed file(packer detection). I have seen certain security application's(even certain av's) processes gets terminated by this rogue.
This malware application is actually written in Delphi. Even manually unpacking this malware is not a impossible task, but you should be aware of anti debugging trick in the packer.
For reference in reversing delphi look for my paper "digging deplhi" at vxheavens.
Subscribe to:
Posts (Atom)