Category Archives: Analysis

More on the ThinkPoint Fake Anti-Spyware Application

If your system is infected with the fake antispyware application ThinkPoint you may find yourself greeted with the following screen when restarting your computer:

This is a full-screen window with the lie “ThinkPoint - World’s leading security solution” prominently displayed. Only one button is enabled, and it is labeled “Safe Startup”. Click that, and ThinkPoint will do a dog and pony show that presents your system as infected by various pieces of malware, the solution to which, it claims is to purchase the full version of ThinkPoint. All of this is a lie, of course.

So how does ThinkPoint hijack you computer’s startup screen? It does this by changing the registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Windows NT\Shell to point to hotfix.exe (or whatever filename it is programmed to use). Some versions also modify HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Windows NT\Shell in the same way.

The good news is that you can bypass ThinkPoint to gain access to your computer. Simply press Ctrl+Alt+Del and look for a process named hotfix.exe. Right-click on that and select Terminate Process. The ThinkPoint screen should go away. At this point, all you will see is a blank screen, but we will fix that. Go to to File -> New Task in Windows Task Manager and type explorer.exe. Click OK and Explorer should start, giving you access to your computer again. Now is the time to run an antimalware application, such as TrojanHunter to remove all traces of ThinkPoint for good.

Old-School File Hiding

A new sample came in today - an ad injector for Internet Explorer. I was analyzing it and noticed that the malware hid several of its key files. “Aha - a rootkit!” I thought and proceeded to find out how the trojan had hooked into the system to hide its traces. An SSDT hook perhaps, or maybe an injected user-mode DLL?

I looked and looked and couldn’t find a thing. No rootkit, no driver, no IAT modifications; nothing. Even stranger, the trojan seemed to have rootkitted the entire C:\Windows\system32 folder - it was invisible in Windows Explorer and couldn’t be seen when executing dir in a CMD prompt. That’s strange - why would a rootkit want to hide the system32 folder? If anything would tip you off that something is horribly wrong with your system, a missing system32 folder would be it (see figure 1 below).

Fig 1. Bad things are going on if you open up Explorer and see this.

After about an hour of looking for the rootkit and not finding it I started to get frustrated. So I decided to take another look at RegMon to see what the trojan was doing with the registry. That’s when I stumbled upon this:

Fig 2. The trojan modifies the ShowSuperHidden setting for Windows Explorer

The HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden determines whether or not Explorer shows files that have the hidden and system attribute set. It wasn’t a rootkit after all! The trojan simply disabled this setting and this caused all files with the system and hidden attribute to be invisible in Windows Explorer. And since the lab machine had the ShowSuperHidden setting enabled the trojan was hidden after performing the above registry tweak.

However, this didn’t explain why the files and folders were invisible in a Command Prompt as well. The explanation is obvious and simple: I had entered a simple “dir”. And since the system32 folder and the trojan files had attributes +h +s (hidden and system) set, they were hidden in the listing. Doing a “dir /ah” showed the missing files.

Moral of the story: Somtimes malware will use “old reliable” instead of messing about with a rootkit and drivers. So check the obvious stuff first before assuming it’s something more advanced.

Why compound scanning is important..

Doing some housecleaning, and going through a whole bunch of malware files with the new scanner (as you do..)

This one brings a smile.. TrojanHunter now includes SFX detection among other things in the 5.0 beta, here’s an “installer”…

Found trojan file: C:\TESTING\2005107\2005107.exe/3721.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad1.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad2.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad3.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad4.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad5.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad6.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/ad7.exe (TrojanClicker.VB.166)
Found adware file: C:\TESTING\2005107\2005107.exe/bind_8432.exe (Adware.AdHelper.107)
Found adware file: C:\TESTING\2005107\2005107.exe/dmshell.dll/Upxlpbqnauj (Adware.Dm.100)
Found trojan file: C:\TESTING\2005107\2005107.exe/s45337.exe (Agent.629)
Found adware file: C:\TESTING\2005107\2005107.exe/setup_110013.exe (Adware.WSearch.121)
Found trojan file: C:\TESTING\2005107\2005107.exe/system.exe (TrojanClicker.VB.167)
Found trojan file: C:\TESTING\2005107\2005107.exe/system2.exe (TrojanClicker.VB.167)
Found trojan file: C:\TESTING\2005107\2005107.exe/system3.exe (TrojanClicker.VB.167)
Found adware file: C:\TESTING\2005107\2005107.exe/WIS174.exe (Adware.AllSum.105)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/3721.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad1.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad2.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad3.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad4.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad5.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad6.exe (TrojanClicker.VB.166)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/ad7.exe (TrojanClicker.VB.166)
Found adware file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/bind_8432.exe (Adware.AdHelper.107)
Found adware file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/dmshell.dll/Upxtgyxoryw (Adware.Dm.100)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/s45337.exe (Agent.629)
Found adware file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/setup_110013.exe (Adware.WSearch.121)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/system.exe (TrojanClicker.VB.167)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/system2.exe (TrojanClicker.VB.167)
Found trojan file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/system3.exe (TrojanClicker.VB.167)
Found adware file: C:\TESTING\2005107\2005107.exe/Upxeeorvkdi/WIS174.exe (Adware.AllSum.105)

We detect supsicious droppers too, simply because a normal SFX should be well, normal. Lets just say I wouldn’t want to execute the above on MY system…

Latest Zhelatin Emails

A new wave of Zhelatin emails is currently going out. A typical example is this email:

Are you ready to have fun at Web Joker.
Account Number: 775152935455
Temp Login ID: user1160
Your Password ID: px259
Please keep your account secure by logging in and changing your login info.
Use this link to change your Login info: http://74.64.28.xx/
Confirmation Dept.
Web Joker

The page linked to in the email advises the user to install a “Secure Login Applet” to view the page, which of course is an executable trojan file — a typical name is applet.exe. Below is a brief analysis.

The applet.exe file, when run, performs the standard Zhelatin actions: Copying itself to C:\Windows\spooldr.exe, and extracting a driver file to C:\Windows\system32\spooldr.sys. It also adds a rename entry for a .tmp file:

HKLM\System\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations = C:\Windows\system32\drivers\OLD3.tmp"

This entry will simply delete the file on reboot. Interestingly enough, the variants we’ve examined so far haven’t patched the tcpip.sys file to make themselves autostart. This makes removal easier since tcpip.sys does not need to be restored from backup. (Check that the digital signature on tcpip.sys is valid though, in case you are infected with this and it is a different variant!)

The OLD3.tmp file is actually a patched version of the legitimate Microsoft kbdclass.sys driver file. The trojan version has an extra 15 KB of data appended to it. The entry point of the patched driver file has been modified to point to the start of this extra block of data. Once loaded, the OLD3.tmp file loads the spooldr.sys trojan driver using the native Windows API function ZWSetSystemInformation.

The spooldr.sys driver will as usual disable most common firewalls, including the built-in Windows firewall.

Manual removal steps

  1. Reboot computer in Safe Mode without networking
  2. Delete the following files: C:\Windows\spooldr.exe, C:\Windows\system32\spooldr.sys
  3. Restart computer normally

Analysis of an Ecard Exploit Page

The recent Ecard.exe trojan is spread via web pages served by infected machines. When a user receives an Ecard email (typical subject line: “Thank you e-card”) and clicks on the link in it, he ends up at a page that has an <embed> tag that will be displayed with a Windows Media Player object on Windows.

There is also a link to manually download the trojan file. This analysis will focus on the page contents, with a full analysis of the obfuscated and encrypted JavaScript that triggers the exploit.

If you view the source of an Ecard web page, you will see a piece of JavaScript that starts with the following:

function xor_str(plain_str, xor_key){ var xored_str = "";for (var i = 0 ; i < plain_str.length; ++i)
xored_str += String.fromCharCode(xor_key ^ plain_str.charCodeAt(i)); return xored_str; }
var plain_str = "xb1x9cx9bx9cx9bx9c (...)

What this script does is take the variable named plain_str and decrypts it using simple XOR decryption (with the key 145 in this case). The result is another piece of JavaScript that starts off with 78 line breaks (presumably to make it harder to display the decrypted code using a JS alert() dialog). Following the line breaks you find the new JavaScript code:

var s=unescape("...");do{s+=s;}while(s.length<0x0900000);
s+=unescape([long unicode string])
<EMBED src="------------ (...)

This code snippet writes out HTML that triggers the Windows Media Player Plug-In EMBED Overflow Exploit (MS06-006). The JavaScript uses a for-loop to create a huge string that holds the buffer overflow data. Once the exploit is successfully triggered, the ecard.exe file is downloaded and installed. It will then in turn start up a web server on the infected machine, and start sending out emails to new unsuspecting victims, making the cycle complete.

Since this worm exploits a flaw in Windows, it can affect you whether you use Internet Explorer or Firefox to browse the web. The only way to be safe against this exploit is to have the Security Update for Windows Media Player Plug-in (KB911564) installed. Check your Windows folder for the presence of the file KB911564.log - if it exists you are patched and secured against this exploit.

Generic Ecard (Worm.Zhelatin) Detection!

After some hard work, we’ve completed development on generic detection for the new Ecard trojan that is going around. This, folks, is what you get when TrojanHunter finds Ecard malware:

Notice that this is all generic detection - you could run TrojanHunter without a single ruleset entry loaded and it would still detect the Ecard trojan.

Obfuscation the go..

More and more obfuscation has been going on in the malware world.. for some time now. Its reaching a peak.. or has it peaked already ?

Obfuscated trojans are ones which have been created, and then manipulated with an obfuscator tool. This encrypts the file using only opcode tricks, and is not a packer. The trojan is encrypted, by jumbling it up so to speak, using encryption opcodes such as SHL SHR (Shift Left, Shift Right) XOR, ADD, SUB or other simple encryption.

Javascript/HTML trojans are also now obfuscated heavily.

So this creates efforts to detect obfuscation with heuristics. This works! For those using some AV’s, HTML or JS heuristic based  alarms are probably common. So what happens ?

If you look at the reaction, some are doing as I thought and not packing malware, and some are of course changing obfuscation technique significantly. For the first time in a long time, I yesterday got a VUNDO aka Adware.Virtumonde distributed unpacked! I hope this is not a mistake. This is something I was unsure if it would happen, ZLOB did it but would they too ? This further suggests a trend back towards unpacked malware, which would be very interesting and good for us!

Good for everyone! (except the bad guys).

Extremely Tiny New Trojan Downloader

Today a trojan sample landed in my inbox, and a closer look showed it to be a trojan downloader. The unique thing about the file is that it is only 474 bytes in size - something almost unheard of. The PE (Portable Executable) file format normally requires a header that is at least 512 bytes, with another 512 bytes for the first code section, for a total of a 1-kilobyte file.

When analyzed, the file ran perfectly under Windows XP, and downloaded and executed a file from the Internet. You can see a hex view of the entire file to the right (with the URL it downloads from obscured).

A PE file consists of two headers - an old DOS header (a legacy header required for compatibility purposes), and the new PE header. Normally, the DOS header contains code that will print out a message saying “This program must be run under Win32″, if anyone attempts to execute it in DOS mode. This file’s DOS header only contains the mandatory MZ signature and is followed with the PE signature after two null bytes. The pointer to the PE header actually points into the DOS header, meaning the two have been merged to save space.

Here is a breakdown of the unique file header for this file:

Here is a disassembly of the code, starting at the entry point:

As we can see, the downloader simply uses UrlDownloadToFileA to download the file from the specified URL, calls ShellExecuteA to run the file and then terminates. I can tell you that someone went through a lot of trouble to create a downloader with that small of a file size.

I predict we’ll see a lot more of these in the near future. I’ve just updated TrojanHunter‘s generic detection routines to catch these, so if you’re a TrojanHunter user you can feel safe about these downloaders.

“1000th” Hupigon backdoor detected

I say “1000th” because we’ve actually added 900+ variants (Hupigon.100 onwards)

Hupigon is sometimes known as Pigeon, Graybird but is really called Huigezi, from China.

This backdoor is probably the most widespread of all. Many many variants exist, but thanks to recycled code usage many are detected in memory as older variants. Hupigon is a backdoor which TH does well against and I’ll continue to add more variants as often as needed - FOUR new variants just now, as of the latest update only ONE detected by KAV7 as Heur.Trojan.Generic (modification)

Which means KAV6 would detect NONE. Heuristics and variant detection are certainly much needed to fight todays malware. Sure, if a certain file is widespread it gets picked up and submitted.. but if it isn’t?

New Zhelatin Worm Infects tcpip.sys to Load its Rootkit Driver

If you’ve recently received emails with the subject line “You’ve received a greeting ecard from a Friend!” then you’ve already made acquintance with a piece of malware known as Worm.Zhelatin. If you were to visit the linked site in the email and run the ecard.exe file, your system would be compromised by the Zhelatin trojan which uses a particularly sneaky way to load itself – one that no autostart viewer can detect.

When executed, ecard.exe copies itself to C:\Windows\spooldr.exe and drops a driver named spooldr.sys into C:\Windows\system32 (as usual, C:\Windows is used to represent your Windows folder – the path may differ on your system). It then infects the Windows file tcpip.sys in the C:\Windows\system32\drivers folder.

It also disables Windows File Protection and then infects the C:\Windows\system32\dllcache copy of tcpip.sys.

After doing all this, it goes dormant until the next reboot to further avoid detection.

The code patched into tcpip.sys is designed to load the spooldr.sys driver, which is the main rootkit component of the Zhelatin worm. Once active, spooldr.sys attempts to hide spooldr.exe, spooldr.sys.

Interestingly, the trojan disables a number of security utilities, such as F-Secure’s Blacklight rootkit detector and the ZoneAlarm firewall.

Manual removal procedure:

  1. Reboot Windows into Safe Mode (not Safe Mode with Networking!)
  2. Delete the following files: C:\Windows\spooldr.exe and C:\Windows\system32\drivers\spooldr.sys
  3. Reboot Windows into normal mode
  4. Go to Start -> Run…, type sfc.exe /scannow and click OK
  5. When prompted, insert your Windows CD to restore the corrupted tcpip.sys

Disclaimer: Follow the manual removal steps at your own risk! You should always back up all important data prior to modifying your operating system.