Softpanorama Malware Protection Bulletin, 2010

Old News ;-)

[Aug 24, 2010] A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm

Important tool to block loading of DLLs from the current working directory when that directory is a remote location (a WebDAV folder or a network share).

This update introduces a new registry key CWDIllegalInDllSearch that allows users to control the DLL search path algorithm. The DLL search path algorithm is used by the LoadLibrary API and the LoadLibraryEx API when DLLs are loaded without specifying a fully qualified path.
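As an added illustration (not part of the bulletin or of Microsoft's KB article), the following Python model of the SafeDllSearchMode search order shows which file a LoadLibrary call without a fully qualified path would resolve to under each CWDIllegalInDllSearch value. The directory layout and the set of existing files are constructed, and the model ignores KnownDLLs and already-loaded modules, which the real loader never searches for.

```python
# Values of the CWDIllegalInDllSearch DWORD as documented in KB2264107.
CWD_DEFAULT = 0x0             # CWD stays in the search order
CWD_BLOCK_WEBDAV = 0x1        # skip CWD when it is a WebDAV folder
CWD_BLOCK_REMOTE = 0x2        # skip CWD when it is any remote folder (WebDAV or UNC)
CWD_REMOVE = 0xFFFFFFFF       # drop CWD from the search order entirely

SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows"]   # constructed Windows location

def is_remote(path):
    """UNC paths (\\server\share) stand in for network and WebDAV locations."""
    return path.startswith("\\\\")

def is_webdav(path):
    # Simplified heuristic: WebDAV shares appear as \\server@SSL\DavWWWRoot\... UNC paths.
    parts = path.split("\\")
    return is_remote(path) and ("@" in parts[2] or "DavWWWRoot" in parts)

def cwd_is_searched(cwd, setting):
    """Does the loader consult the current working directory under this setting?"""
    if setting == CWD_REMOVE:
        return False
    if setting == CWD_BLOCK_REMOTE and is_remote(cwd):
        return False
    if setting == CWD_BLOCK_WEBDAV and is_webdav(cwd):
        return False
    return True

def resolve_dll(name, app_dir, cwd, path_dirs, present, setting=CWD_DEFAULT):
    """Return the path LoadLibrary(name) would load, or None if not found.
    Order: application directory, system directories, CWD (if allowed), PATH.
    `present` is the set of lower-cased paths that exist on the machine."""
    order = [app_dir] + SYSTEM_DIRS
    if cwd_is_searched(cwd, setting):
        order.append(cwd)
    order += path_dirs
    for d in order:
        candidate = d.rstrip("\\") + "\\" + name
        if candidate.lower() in present:
            return candidate
    return None

# Constructed file set: a DLL the application probes for is absent from the
# system directories but present in the remote folder a document was opened from.
PRESENT = {p.lower() for p in (r"C:\Windows\System32\kernel32.dll",
                               r"\\fileserver\docs\dwmapi.dll")}

def outcome(setting):
    """Where dwmapi.dll resolves for an app whose CWD is the remote folder."""
    return resolve_dll("dwmapi.dll", r"C:\Program Files\App", r"\\fileserver\docs",
                       [r"C:\Windows\System32"], PRESENT, setting)
```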

[Jun 01, 2010] FBI Goes After Scareware Fraud Ring

See also the FBI/US Justice Department statement and "FBI Goes After Scareware Fraud Ring" at Redorbit. Source: InternetNews.

The FBI said late last week that it has filed federal indictments against an Ohio man and two foreign residents in a move meant to halt one of the largest "scareware" malware scams.

Microsoft (NASDAQ: MSFT) hailed the indictments on its On the Issues blog because some of the bogus computer protection programs that the schemers were hawking either masqueraded as Microsoft products or strongly implied they were from the company.

According to the FBI's statement, the alleged perpetrators, who operated out of Ukraine, "caused Internet users in more than 60 countries to purchase more than one million bogus software products, causing victims to lose more than $100 million."

Scareware is a class of malware that, once installed on a user's PC, typically generates fake error messages that alert the user to purportedly serious security deficiencies or to apparent malware infections. The user is told all she or he has to do to remedy the situation is ante up for a similarly fake anti-malware repair program that actually does little to help the victim.

In this case, bogus products that go by names like DriverCleaner and ErrorSafe were sold to unassuming victims for between $30 and $70.

The scam was run by an Amelia, Ohio, man identified as James Reno in concert with Shaileshkumar P. Jain, a US citizen believed to be living in Ukraine, and Bjorn Daniel Sundin, a Swedish citizen believed to be in Sweden, the FBI said in its statement.

All three ran a company named Innovative Marketing, Inc. (IM), which is registered in Belize. The multiple-count indictment seeks $100 million in forfeitures plus any money held for IM in a bank in Kiev.

The alleged shelter company, IM, then set up "at least seven fictitious advertising agencies" that placed booby-trapped ads on Web pages; the ads would generate the error messages and alerts, hijack users' PCs and take them to sites that supposedly sold the remedial software.

"The scareware went by various names, including WinFixer -- meant to mislead consumers into associating the bogus software with trusted Microsoft products," Tim Cranton, associate general counsel in Microsoft's Digital Crimes Unit, said in the blog post.

"At one time, WinFixer and its variants are thought to have been responsible for 75 percent of scareware worldwide," Cranton added.

Other phony products had names like Malware Alarm, Antivirus 2008, and VirusRemover 2008, the FBI statement said.

Microsoft teams helped the FBI and the U.S. Department of Justice investigate damages caused by the scheme and testified to a federal grand jury in Chicago, where the charges were filed, regarding how the malware scam worked, the blog said.

The case is just the latest in attempts by both government and the technology industry to curb scareware attacks.

Nor has Microsoft been the only technology firm targeted by such scams. For instance, the massive social networking site Facebook was hit by a similar scareware scheme in late January.

"The Department of Justice and the FBI have put a stake in the ground to protect consumers; at Microsoft, we stand beside them in the fight to make the Internet a safer place," Cranton's post concluded.

Users who are potential victims and would like to receive information regarding the criminal case may call 866-364-2621, ext. 1, for periodic updates, the FBI said.

[Mar 21, 2010] Bad BitDefender Update Clobbers Windows PCs

A common problem, but on a larger scale than usual...
March 21, 2010 | Slashdot

alphadogg:

"Users of the BitDefender antivirus software started flooding the company's support forums Saturday, apparently after a faulty antivirus update caused 64-bit Windows machines to stop working. The company acknowledged the issue in a note explaining the problem. 'Due to a recent update it is possible that BitDefender detects several Windows and BitDefender files as infected with Trojan.FakeAlert.5,' the company said. The acknowledgment came after BitDefender users had logged hundreds of posts on the topic. Some complained of being unable to reboot their systems."

Hansele: So secure, NOTHING will run (Score:3, Funny)

It's a new security paradigm. The newly locked-down computer will not run anything, and therefore no virii, malware, bots, or solitaire will run. Truly they've created the "most secure antivirus ever".

[Mar 3, 2010] K9 Web Protection - Free Internet Filtering and Parental Controls Software

Given the number of recent infections, it might not be a bad idea to try a filtering approach.

Blue Coat K9 Web Protection is a member of the Internet Watch Foundation, the UK internet ‘Hotline’ for the public to report their inadvertent exposure to online child sexual abuse content hosted anywhere in the world and criminally obscene and incitement to racial hatred content hosted in the UK.

[Feb 28, 2010] Remove Dr. Guard (Uninstall Guide)

Another rogue antivirus that uses an internal proxy on port 5555 to control internet access. It installs a couple of drivers (names vary; you need to compare against a baseline to detect them, since the names are random and can be detected as such). It puts the initial "bootstrap" executable into a %UserProfile%\Application Data subfolder with a random name. Windows Defender actually registers the moment of infection but does not prevent it with default settings. It probably contains a rootkit or shell hooks or something of this nature, as the computer stops responding and sometimes crashes, often even after the deletion of those three components (I found two drivers in the system32\drivers folder and an executable in the %UserProfile%\Application Data folder that is referenced in one of the keys under CurrentVersion\Run). See Remove Dr. Guard (Uninstall Guide). Again, the main lesson is to have an image of the C drive and to remember what data to copy from the current drive (you need to put the drive into a USB enclosure and boot from the USB drive with the image first) to the restored image. Disinfection involved too much trouble: it is not an easy task to try to outsmart those extortionists...

What this program does:

Dr. Guard is a rogue anti-spyware program from the same family as Paladin Antivirus. This rogue is promoted and installed through the use of fake alert Trojans that advertise the program on your desktop. This rogue is also known to be bundled with the TDSS, or TDL3, rootkit. As MBAM is not capable of removing this rootkit, you may need to request further assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum to remove all of the malware on your computer.

Once downloaded and installed, Dr. Guard will attempt to uninstall various security applications in order to protect itself from being removed. The anti-malware programs that it tries to uninstall include:

The program will then load and start to scan your computer for infections. Once the scan is finished it will state that there are numerous infections on your computer, but will not allow you to remove them until you purchase the program. In reality, the infections that it shows are all fake and do not actually exist on your computer. Therefore, please do not purchase this program based upon any of the scan results it shows.


Dr. Guard also employs numerous methods to trick you into thinking you are infected. The first method is the display of a window that impersonates the legitimate Windows Security Center. The difference is that this fake version suggests you purchase Dr. Guard to protect yourself. While the program is running you will also see a constant display of fake security alerts and warnings appear on your desktop and Windows taskbar. These alerts contain dire messages stating that your computer is under attack, all of your data is being deleted, or that personal information is being sent to a remote location. Some examples of the alerts you may see include:

ANTIVIRUS IS RUN IN DEMO MODE. ACTIVATE YOUR ANTIVIRUS OTHERWISE ALL THE DATA WILL BE LOST OR DAMAGED!

DANGEROUS! ANTIVIRUS DETECTED SOME HARMFUL PROGRAMS ON YOUR PC! THEY MAY CORRUPT YOUR INFORMATION OR SEND IT TO HACKERS.
PLEASE, OPTIMIZE YOUR PC. IT RUN ONLY 10%.
NEED HELP? PLEASE, CONTACT DR. GUARD CUSTOMER SUPPORT SERVICE.

Windows Firewall has detected unauthorized activity, but unfortunately it cannot help
you to remove viruses, keyloggers and other spyware threats that steal your personal
information from your computer

System files of your computer are damaged. Please, restart your system ASAP.
There are some serious security threats detected on your computer. Please, remove them ASAP.

There are some serious security threats detected on your computer: viruses, trojans, keyloggers, exploits etc.
Your computer and all your personal data are in serious danger.
Protection: Click the balloon to install antivirus software.

Defenseless OS: Windows 2000/XP/Vista
Description: Spyware. Blocks access to computer. Attacks porn sites visitors.
Protection: Click the balloon to install antivirus software.

Just like the fake scan results, these fake alerts are just another tactic where Dr. Guard is trying to convince you that you have a security problem on your computer.

As you can see, Dr. Guard was created to trick you into thinking you are infected so that you will then purchase the program. It goes without saying that you should definitely not purchase this program, and if you already have, please contact your credit card company to dispute the charges. To remove this infection and any related malware, please use the removal guide below.

Dr. Guard registry information:

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\SimpleShlExt
HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers\SimpleShlExt
HKEY_LOCAL_MACHINE\SOFTWARE\Dr. Guard
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Dr. Guard
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Dr. Guard"
HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5E2121EE-0300-11D4-8D3B-444553540000}"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = "1"

Entries for this program found in the Add or Remove Programs control panel:

Dr. Guard

Symptoms that may be in a HijackThis Log:

O4 - HKCU\..\Run: [asr64_ldm.exe] %Temp%\asr64_ldm.exe
O4 - HKCU\..\Run: [Dr. Guard] "C:\Program Files\Dr. Guard\drguard.exe" -noscan

Guide Updates:

02/19/10 - Initial guide creation.

Universal Spyware and virus tracker

So I built an application that, when running, simply monitors system folders for any new EXEs or DLLs being added or renamed. For example, the Windows and System32 folders are the main harbour for these bugs, but so are Program Files and Documents and Settings.

A simple idea, but the result surprised me big time. By going to some sites that I expected to add spyware through ActiveX, I was shocked at what was happening on my multistage-firewall and antivirus-protected computer (ZoneAlarm, Norton AV, a D-Link router with on-board firewall and an AlphaShield hardware firewall, all running at once, and none even beeped). I could clearly see how data from the IE download folder was renamed to an EXE and a DLL, obviously run, then copied to many places over my computer: to the System32, Windows and even DllCache folders. Then the EXE was copied under different names a few times.
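The monitor described above, as an added example that is neither Spy-The-Spy's code nor part of this bulletin: it snapshots the .exe/.dll files under a set of watched folders with their SHA-256 digests, then diffs two snapshots to report new binaries, renames of tracked binaries, and one binary dropped under several names (the pattern the text describes). The `demo()` scenario runs in a temporary directory with constructed files standing in for the Windows folders.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

WATCHED_EXT = {".exe", ".dll"}

def snapshot(roots):
    """Map every .exe/.dll under the watched roots to its SHA-256 digest."""
    seen = {}
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() not in WATCHED_EXT:
                    continue
                full = os.path.join(dirpath, name)
                try:
                    with open(full, "rb") as f:
                        seen[full] = hashlib.sha256(f.read()).hexdigest()
                except OSError:
                    pass  # vanished or locked between listing and hashing
    return seen

def diff_snapshots(before, after):
    """Return (added, renamed, copies): new binaries, new paths whose content existed
    before under a now-missing path, and groups of new paths with identical content."""
    added = sorted(p for p in after if p not in before)
    gone = {before[p] for p in before if p not in after}
    renamed = [p for p in added if after[p] in gone]
    by_hash = defaultdict(list)
    for p in added:
        by_hash[after[p]].append(p)
    copies = [ps for ps in by_hash.values() if len(ps) > 1]
    return added, renamed, copies

def demo():
    """Constructed scenario in a temp dir: a tracked EXE is renamed and one
    new binary is dropped under three names, one of them in a fake system32."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "system32"))
    with open(os.path.join(root, "old.exe"), "wb") as f:
        f.write(b"MZ-original")
    before = snapshot([root])
    os.rename(os.path.join(root, "old.exe"), os.path.join(root, "new.exe"))
    for name in ("setup.exe", "svc.exe", os.path.join("system32", "helper.dll")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"MZ-dropped-sample")
    added, renamed, copies = diff_snapshots(before, snapshot([root]))
    return len(added), len(renamed), sorted(len(g) for g in copies)
```

On a real machine, pass the Windows, System32, Program Files and profile folders as `roots` and run `snapshot()` before and after visiting a page you are investigating.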

System File Check
Additionally, a button for SFC was added. This runs Windows File Protection, which checks all system files for changes and copies them from the Windows CD if they differ.

Warning: In a clear situation, like the one above where basically three spyware EXE files were added by ActiveX, Quarantine is a simple choice. But in cases where system or IE helper DLLs are involved, forcing these files into Quarantine may make IE partially inoperable. Remember, spyware uses many methods to penetrate your system, so if you are unsure then don't experiment. Just acknowledge that some files were added and run anti-spyware! In any case, run anti-spyware to clean the registry of the bugs.

Legit Files
Spy-The-Spy is a file monitor. It doesn't differentiate between real spyware and a legit file that has been added to watched folders. There are cases when such legit files are created:

[Jan 17, 2010] Return of browseu.dll

This DLL is registered as a Browser Helper Object (BHO) in IE, for example

O2 - BHO: (no name) - {4CCF011D-6BDA-4B1B-AB9F-F24CC89F7F3E} - C:\WINDOWS\system32\browseu.dll

Other names

TrojanDownloaderWin32-Zlob.AOQ (Updated: Feb 06, 2009 | Published: Feb 06, 2009 )

The file BROWSEU.DLL was observed with the following file sizes.

97,280 bytes

[Jan 15, 2010] Antivirus System Pro -- rogue AV program with elements of extortion

For a good description see Win32-WindowsAntivirusPro Family - CA. The note below reflects my experience removing this malware on Windows XP.

An interesting part of the problem with this malware is that it blocks execution of many programs, including programs you try to launch from CD/DVD, in a perfect "reverse antivirus" fashion :-). It also uses a fake setting in the IE proxy configuration, setting the proxy to localhost (which means that this malware runs a proxy on the computer). In my case the port was 5555. Using this port you can actually detect which program is used as a proxy via netstat.
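Both the Dr. Guard note above and this one mention a proxy on port 5555. As an added example that is not part of this bulletin, the Python below parses `netstat -ano` output and the IE proxy values from HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings and pairs a loopback proxy setting with the PID that is actually listening on that port; the netstat text and registry values here are constructed, not captured from a real infection.

```python
import re

# Constructed sample of `netstat -ano` output (not a real capture); the rogue's
# proxy would show up as a LISTENING socket bound to the loopback address.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    127.0.0.1:5555         0.0.0.0:0              LISTENING       1788
  TCP    192.168.1.10:1044      127.0.0.1:5555         ESTABLISHED     2100
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed view of the ProxyEnable / ProxyServer values under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
SAMPLE_INET_SETTINGS = {"ProxyEnable": 1, "ProxyServer": "http=127.0.0.1:5555"}

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def loopback_listeners(netstat_text):
    """Return {port: pid} for TCP sockets listening on 127.0.0.1 only."""
    found = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and m.group(1) == "127.0.0.1":
            found[int(m.group(2))] = int(m.group(3))
    return found

def proxy_targets(settings):
    """Parse IE's ProxyServer value ('host:port' or 'http=host:port;https=...')
    into a set of host:port strings; empty when ProxyEnable is 0."""
    if not settings.get("ProxyEnable"):
        return set()
    targets = set()
    for item in settings.get("ProxyServer", "").split(";"):
        item = item.strip()
        if item:
            targets.add(item.split("=", 1)[1] if "=" in item else item)
    return targets

def local_proxy_findings(netstat_text, settings):
    """Cross-reference the two: an IE proxy pointing at a loopback port that a
    local process actually listens on. Returns [{'port': ..., 'pid': ...}]."""
    listeners = loopback_listeners(netstat_text)
    findings = []
    for target in sorted(proxy_targets(settings)):
        host, _, port = target.rpartition(":")
        if host in ("127.0.0.1", "localhost") and port.isdigit() and int(port) in listeners:
            findings.append({"port": int(port), "pid": listeners[int(port)]})
    return findings
```

On a live system the returned PID is the one to look up with `tasklist /FI "PID eq <pid>"` to find the process name (the "*guard.exe" in this note).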

When the Windows screen first appears, hit Ctrl-Alt-Del. This gives you the Task Manager. Then search for the program whose name ends with "guard", for example xylbsguard.exe, and kill it.

Once you have stopped this program, combine Microsoft Security Essentials (the free AV tool from Microsoft) with some more specific tool. For example, the instructions in Remove Antivirus System Pro (Uninstall Guide) recommend Malwarebytes' Anti-Malware. The latter works OK but, like a virus, is difficult to remove ;-)

The key here is to understand that you are probably dealing with a combination of infections, of which Antivirus Pro is just one component, injected when you hit some rogue Web site (often of Eastern European origin). Additional components might include Alureon.F, Hotbar, Renos.KS, Renos.JW, Bravine.A, etc. Of these, Alureon looks pretty disturbing:

Win32/Alureon is a family of data-stealing Trojans. These Trojans allow an attacker to intercept incoming and outgoing Internet traffic in order to gather confidential information such as user names, passwords, and credit card data. The Win32/Alureon Trojan may also allow an attacker to transmit malicious data to the infected computer. The Trojan may modify DNS settings on the host computer to enable the attacker to perform these tasks. Therefore it may be necessary to reconfigure DNS settings after the Trojan is removed from the computer.

As Antivirus Pro installs a proxy on the computer, after killing the *guard.exe process in memory you can run AV programs from a CD.

Of course, restoring from a clean Ghost or MaxBlast/Acronis True Image image is a better way to spend your time than playing Sherlock Holmes with some unknown, probably Eastern European jerks.

Good analysis can be found at:

  1. Encyclopedia entry TrojanWin32-FakeScanti - Learn more about malware - Microsoft Malware Protection Center
  2. Win32-WindowsAntivirusPro Family - CA

Looks like the latest version of Windows Defender can be effective against this malware too.