Wednesday, September 9, 2009

Decoded Reference File - PC Antispyware 2010

This reference file is related to this CA Global Security Advisor blog entry -
PC Antispyware 2010's Scheming Password Protection

The decoded file contains the following:
- RAR password used to decompress downloaded files
- Registry keys to create
- Malware related domains (update, download and report)
- Download username and password

Users are advised not to visit the URLs listed below, except for the domains under DOMAINS_SKIP, which are legitimate websites.


REG_MICROSOFT_SC=SOFTWARE\Microsoft\Security Center




[XP Antispyware 2009]

[AntiSpywareXP 2009]

[Antivirus Pro 2009]

[XP Protection Center]

[Home Antivirus 2009]

[AntiSpywareHome 2009]
DOMAIN_UNREG=ash2009 {dot} com
DOMAIN_REGED=ash2009 {dot} com

[PC Security 2009]

[Home Antivirus 2010]

[PC Antispyware 2010]

[Antivirus Pro 2010]
DOMAIN_UNREG=avp21 {dot} com
DOMAIN_REGED=avp21 {dot} com


Have a malware-free day!

Tuesday, August 18, 2009

registry notes .. x of many


-- Predefined root key handles of the Win32 registry API, as bound in Ada.
-- The hexadecimal values are the HKEY_* constants from the Windows SDK.
HKEY_CLASSES_ROOT        : constant HKEY := To_Hkey(16#80000000#);
HKEY_CURRENT_USER        : constant HKEY := To_Hkey(16#80000001#);
HKEY_LOCAL_MACHINE       : constant HKEY := To_Hkey(16#80000002#);
HKEY_USERS               : constant HKEY := To_Hkey(16#80000003#);
HKEY_PERFORMANCE_DATA    : constant HKEY := To_Hkey(16#80000004#);
HKEY_PERFORMANCE_TEXT    : constant HKEY := To_Hkey(16#80000050#);
HKEY_PERFORMANCE_NLSTEXT : constant HKEY := To_Hkey(16#80000060#);

Friday, August 14, 2009

New SMS Ransomware

As reported here.

New ransomware detected by CA as Win32/RansomSMS.Q.

-Russian Translation-
You are using unlicensed software in your system

To continue using the system, you must obtain a license key
Now it is easy to do just follow the instructions below

1. You need to send SMS-message
2. In response you will receive an activation code
3. Enter the code to activate the system

Send an SMS message with the text:


at number


Enter the resulting code
Activate Product


Currently working on activation code.....

Monday, June 29, 2009

File with no OEP but with TLS

When analyzing files, researchers usually start by checking the file structure. Most of the time we check the file's Original Entry Point (OEP); however, if there is no entry point we start to look at the Thread Local Storage (TLS).

Below is the initial judgment when checking a file.

OEP  TLS  Initial judgment
 0    0   possible corrupt file; needs further checking of file behavior
 0    1   suspicious
 1    0   needs further checking of file behavior
 1    1   suspicious

0 = does not exist, 1 = exists

These past few days I noticed a few malicious files without an OEP, and the presence of a TLS makes them a dead giveaway. Below is a sample case; there are different scenarios, but I will focus on this one.

Figure 1 shows the address of entry point and the image base; adding these two fields gives the virtual address (VA) of the file's entry point.

[Figure 1 – Shows the file OEP offset is out of range]

Debugging the file, I started from the TLS, see Figure 2. Why? Check this out:
the explanation in that blog entry by Ero Carrera covers it, together with the reference from Ilfak.

[Figure 2 – Start of TLS Callback]

It did not take long before I saw what I was looking for, just after two decryption routines.
The TLS code is already checking the PE header of the file, looking for the entry point field:
start of PE header + 0x28 = AddressOfEntryPoint.

In Figure 3 the malware is writing a JMP instruction (opcode 0xE9) at the entry point.
The precomputed destination of the JMP is then placed at entry point + 1.

[Figure 3 – TLS Code used to modify the Entry point Instruction]

The file on disk may not have an entry point, but once it is loaded in memory the TLS code decrypts the malware code and writes the instructions needed to jump to the critical code.

Using the PE file structure can give an advantage to malware authors and to malware researchers alike; it depends on how that advantage is used.
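The header walk described above (e_lfanew, PE header + 0x28, the TLS data directory) combined with the judgment table, as an added Python example that is not part of the original post. It assumes that an entry point RVA landing outside every section, as in Figure 1, counts as "no OEP", and it builds its own headers-only PE32 images as constructed input so it runs offline.

```python
import struct

JUDGMENT = {  # (OEP present, TLS present) -> initial judgment, as in the table above
    (0, 0): "possible corrupt file; needs further checking of file behavior",
    (0, 1): "suspicious",
    (1, 0): "needs further checking of file behavior",
    (1, 1): "suspicious",
}

def pe_triage(data: bytes) -> dict:
    """Read entry point, image base and TLS directory from a PE image and apply JUDGMENT."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                   # e_lfanew -> start of PE header
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _, nsec, _, _, _, opt_size = struct.unpack_from("<HHIIIH", data, pe + 4)
    opt = pe + 24                                                  # IMAGE_OPTIONAL_HEADER
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    ep = struct.unpack_from("<I", data, pe + 0x28)[0]              # PE header + 0x28 = AddressOfEntryPoint (RVA)
    base_fmt, base_off, ndirs_off = ("<Q", 0x18, 0x6C) if pe32plus else ("<I", 0x1C, 0x5C)
    image_base = struct.unpack_from(base_fmt, data, opt + base_off)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    tls_rva, tls_size = 0, 0
    if ndirs > 9:                                                  # data directory index 9 = TLS
        tls_rva, tls_size = struct.unpack_from("<II", data, opt + ndirs_off + 4 + 9 * 8)
    # Assumption: an entry point RVA that lands in no section (Figure 1's "out of range") counts as no OEP
    in_section = False
    for i in range(nsec):                                          # section table follows the optional header
        vsize, vaddr, rawsize = struct.unpack_from("<III", data, opt + opt_size + i * 40 + 8)
        in_section |= vaddr <= ep < vaddr + (vsize or rawsize)
    has_oep = ep != 0 and in_section
    has_tls = tls_rva != 0 and tls_size != 0
    return {"entry_va": image_base + ep, "has_oep": has_oep, "has_tls": has_tls,
            "verdict": JUDGMENT[(int(has_oep), int(has_tls))]}

def build_sample(ep_rva: int, tls_rva: int = 0) -> bytes:
    """Constructed headers-only PE32 image with one .text section at RVA 0x1000 (demo input, not a real file)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 0x10, ep_rva)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x400000)                    # ImageBase
    struct.pack_into("<I", opt, 0x5C, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x60 + 9 * 8, tls_rva, 0x18 if tls_rva else 0)  # TLS directory
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, 0x60000020)
    return dos + coff + bytes(opt) + sec
```

For a real sample, pe_triage(open(path, "rb").read()) gives the same dictionary, with entry_va matching the sum of the two fields shown in Figure 1.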

Related readings
How Malware Defends Itself Using TLS Callback Functions