Wednesday, September 9, 2009

Decoded Reference File - PC Antispyware 2010

This reference file is related to this CA Global Security Advisor blog entry -
PC Antispyware 2010's Scheming Password Protection

The decoded file contains the following:
- RAR password used to decompress the downloaded files
- Registry keys to create
- Malware-related domains (update, download and report)
- Download username and password

Users are advised not to visit the domains listed below. The exception is the entries under DOMAINS_SKIP, which are legitimate websites.

-------------------------------------------------------------------------

[REGISTRY]
REG_AUTORUN=Software\Microsoft\Windows\CurrentVersion\Run
REG_MICROSOFT_SC=SOFTWARE\Microsoft\Security Center

[ALIEN]
EXE=%system%\pphcjkrj0etfg.exe
EXE=%programfiles%\rhcnkrj0etfg\rhcnkrj0etfg.exe
MISC=%windows%\qegbdmwf.dll
MISC=%windows%\pntqkflv.dll

[MISCELLANEOUS]
RAR_PASSWORD=abcd012345efgh
DWN_USERNAME=user
DWN_PASSWORD= :D
IE_BLOCK_CONTENT=1
IE_OUR_WINDOW_ONLY=0

[DOMAINS]
DOMAINS_SKIP=aol,att,btconnect,bellsouth,charter,comcast,mail,msn,traust,yahoo,google
DOMAINS_SKIP=youtube,facebook,live.com,blogger,wikipedia,baidu,myspace,qq.com,twitter
DOMAINS_SKIP=rapidshare,microsoft,sina.com,bing.com,ebay,craigslist,fc2,yandex,amazon
DOMAIN_FEEDBACK=hulieropedaso {dot} com
DOMAIN_FEEDBACK=rvertundfertug {dot} com
DOMAIN_FEEDBACK=xcuidflofertun {dot} com
DOMAIN_FEEDBACK=ertubedewse {dot} com
DOMAIN_FEEDBACK=huladopkaert {dot} com
DOMAIN_FEEDBACK=iobacebauiler {dot} com
DOMAIN_FEEDBACK=ewaxertulio {dot} com
DOMAIN_FEEDBACK=arosakilomen {dot} com
DOMAIN_FEEDBACK=osaertugern {dot} com
DOMAIN_FEEDBACK=koliopewaqs {dot} com
DOMAIN_FEEDBACK=kasonkertub {dot} com
DOMAIN_FEEDBACK=tahulavumbak {dot} com
DOMAIN_BILLING=paysecuresystem {dot} com
DOMAIN_BILLING=pay-solution24 {dot} com
DOMAIN_BILLING=billing-365-solution {dot} com
DOMAIN_BILLING=cc-payment-sys24 {dot} com
DOMAIN_BILLING=billing365solution {dot} com
DOMAIN_BILLING=ccpaymentsys24 {dot} com
DOMAIN_BILLING=cc-pay-system {dot} com
DOMAIN_BILLING=cc-paysystem {dot} com
DOMAIN_BILLING=pay-cc-24 {dot} com
DOMAIN_BILLING=payment-solution365 {dot} com
DOMAIN_BILLING=pay-securesystem {dot} com
DOMAIN_BILLING=billsolution365 {dot} com
DOMAIN_BILLING=cred-card365 {dot} com
DOMAIN_BILLING=pay-cc24 {dot} com
DOMAIN_BILLING=bill-solution-365 {dot} com
DOMAIN_BILLING=billsystem-24 {dot} com
DOMAIN_BILLING=bill-service-365 {dot} com
DOMAIN_BILLING=cc-process24 {dot} com
DOMAIN_BILLING=365daysbilling {dot} com
DOMAIN_BILLING=payment-cc24 {dot} com
DOMAIN_BILLING=gateway-pay24 {dot} com
DOMAIN_BILLING=billsystem365 {dot} com
DOMAIN_BILLING=paymentsystem24 {dot} com
DOMAIN_BILLING=paymentnow24 {dot} com
DOMAIN_BILLING=processing-24 {dot} com
DOMAIN_UPDATE=hulieropedaso {dot} com
DOMAIN_UPDATE=rvertundfertug {dot} com
DOMAIN_UPDATE=xcuidflofertun {dot} com
DOMAIN_UPDATE=ertubedewse {dot} com
DOMAIN_UPDATE=huladopkaert {dot} com
DOMAIN_UPDATE=iobacebauiler {dot} com
DOMAIN_UPDATE=ewaxertulio {dot} com
DOMAIN_UPDATE=arosakilomen {dot} com
DOMAIN_UPDATE=osaertugern {dot} com
DOMAIN_UPDATE=koliopewaqs {dot} com
DOMAIN_UPDATE=kasonkertub {dot} com
DOMAIN_UPDATE=tahulavumbak {dot} com
DOMAIN_DOWNLOAD=hulieropedaso {dot} com
DOMAIN_DOWNLOAD=rvertundfertug {dot} com
DOMAIN_DOWNLOAD=xcuidflofertun {dot} com
DOMAIN_DOWNLOAD=ertubedewse {dot} com
DOMAIN_DOWNLOAD=huladopkaert {dot} com
DOMAIN_DOWNLOAD=iobacebauiler {dot} com
DOMAIN_DOWNLOAD=ewaxertulio {dot} com
DOMAIN_DOWNLOAD=arosakilomen {dot} com
DOMAIN_DOWNLOAD=osaertugern {dot} com
DOMAIN_DOWNLOAD=koliopewaqs {dot} com
DOMAIN_DOWNLOAD=kasonkertub {dot} com
DOMAIN_DOWNLOAD=tahulavumbak {dot} com

[XP Antispyware 2009]
EXE=XP_Antispyware
REG_MAIN|=Software\XP_Antispyware

[AntiSpywareXP 2009]
EXE=AntiSpywareXP2009
REG_MAIN|=Software\AntiSpywareXP2009

[Antivirus Pro 2009]
EXE=AntivirusPro2009
REG_MAIN|=Software\AntivirusPro2009

[XP Protection Center]
EXE=XPProtectionCenter
REG_MAIN=Software\XPProtectionCenter

[Home Antivirus 2009]
DOMAIN_UNREG=homeantivirus2009 {dot} com
DOMAIN_UNREG=home-antivirus2009 {dot} com
DOMAIN_UNREG=home-anti-virus2009 {dot} com
DOMAIN_UNREG=homeantivirus-2009 {dot} com
DOMAIN_UNREG=homeanti-virus-2009 {dot} com
DOMAIN_UNREG=home-antivirus-2009 {dot} com
DOMAIN_UNREG=home-anti-virus-2009 {dot} com
DOMAIN_UNREG=homeavirus2009 {dot} com
DOMAIN_UNREG=home-avirus2009 {dot} com
DOMAIN_UNREG=homeavirus-2009 {dot} com
DOMAIN_UNREG=home-a-virus-2009 {dot} com
DOMAIN_UNREG=homeantiv2009 {dot} com
DOMAIN_UNREG=home-antiv2009 {dot} com
DOMAIN_UNREG=homeantiv-2009 {dot} com
DOMAIN_UNREG=home-anti-v2009 {dot} com
DOMAIN_REGED=home-anti-v-2009 {dot} com
DOMAIN_REGED=homeav2009 {dot} com
DOMAIN_REGED=home-av2009 {dot} com
DOMAIN_REGED=homeav-2009 {dot} com
DOMAIN_REGED=home-av-2009 {dot} com
DOMAIN_REGED=home-a-v-2009 {dot} com
DOMAIN_REGED=hantivirus2009 {dot} com
DOMAIN_REGED=h-antivirus2009 {dot} com
EXE=HomeAntivirus2009
REG_MAIN=Software\HomeAntivirus2009

[AntiSpywareHome 2009]
DOMAIN_UNREG=ash2009 {dot} com
DOMAIN_REGED=ash2009 {dot} com
EXE=AntiSpywareHome2009
REG_MAIN=Software\AntiSpywareHome2009

[PC Security 2009]
DOMAIN_UNREG=pcsecurity-2009 {dot} com
DOMAIN_UNREG=pc-security-2009 {dot} com
DOMAIN_UNREG=pcsecurity09 {dot} com
DOMAIN_UNREG=pc-security09 {dot} com
DOMAIN_UNREG=pcsecurity-09 {dot} com
DOMAIN_UNREG=pc-security-09 {dot} com
DOMAIN_UNREG=pcsecurity2009 {dot} com
DOMAIN_UNREG=pc-security2009 {dot} com
DOMAIN_REGED=pc-securitysupport {dot} com
DOMAIN_REGED=pcsecurity-support {dot} com
DOMAIN_REGED=pc-security-support {dot} com
DOMAIN_REGED=pcsecuritysupp {dot} com
DOMAIN_REGED=pcsecurity-supp {dot} com
DOMAIN_REGED=pc-securitysupp {dot} com
DOMAIN_REGED=pc-security-supp {dot} com
DOMAIN_REGED=pcsecuritysupport {dot} com
EXE=PC_Security2009
REG_MAIN=Software\PC_Security2009

[Home Antivirus 2010]
DOMAIN_UNREG=homeantivirus2010 {dot} com
DOMAIN_UNREG=home-antivirus2010 {dot} com
DOMAIN_UNREG=homeantivirus-2010 {dot} com
DOMAIN_UNREG=homeanti-virus2010 {dot} com
DOMAIN_UNREG=home-anti-virus2010 {dot} com
DOMAIN_UNREG=home-anti-virus-2010 {dot} com
DOMAIN_UNREG=home-antivirus-2010 {dot} com
DOMAIN_UNREG=homeanti-virus-2010 {dot} com
DOMAIN_UNREG=homeav2010 {dot} com
DOMAIN_UNREG=home-av2010 {dot} com
DOMAIN_UNREG=homeav-2010 {dot} com
DOMAIN_UNREG=home-av-2010 {dot} com
DOMAIN_REGED=homeantivirussupport {dot} com
DOMAIN_REGED=home-antivirussupport {dot} com
DOMAIN_REGED=homeanti-virussupport {dot} com
DOMAIN_REGED=home-anti-virussupport {dot} com
DOMAIN_REGED=home-antivirus-support {dot} com
DOMAIN_REGED=home-anti-virus-support {dot} com
DOMAIN_REGED=home-avsupport {dot} com
DOMAIN_REGED=homeav-support2010 {dot} com
DOMAIN_REGED=home-avsupport2010 {dot} com
EXE=HomeAntivirus2010
REG_MAIN=Software\HomeAntivirus2010
CODE_NAME=ha21

[PC Antispyware 2010]
DOMAIN_UNREG=pc-anti-spyware-2010 {dot} com
DOMAIN_UNREG=pcanti-spyware-2010 {dot} com
DOMAIN_UNREG=pc-antispy2010 {dot} com
DOMAIN_UNREG=p-c-anti-spyware-2010 {dot} com
DOMAIN_UNREG=pcantispyware20-10 {dot} com
DOMAIN_UNREG=pc-antispyware20-10 {dot} com
DOMAIN_UNREG=pc-anti-spyware2010 {dot} com
DOMAIN_UNREG=pc-antispyware2010 {dot} com
DOMAIN_UNREG=pcantispyware-2010 {dot} com
DOMAIN_UNREG=pc-antispyware-2010 {dot} com
DOMAIN_UNREG=pcantispyware2010 {dot} com
DOMAIN_UNREG=pcantispyware-20-10 {dot} com
DOMAIN_UNREG=pc-antispyware-20-10 {dot} com
DOMAIN_UNREG=pc-anti-spyware20-10 {dot} com
DOMAIN_UNREG=pc-anti-spyware-20-10 {dot} com
DOMAIN_REGED=pc-securitysupport {dot} com
DOMAIN_REGED=pcsecurity-support {dot} com
DOMAIN_REGED=pc-security-support {dot} com
DOMAIN_REGED=pcsecurity-supp {dot} com
DOMAIN_REGED=pc-securitysupp {dot} com
DOMAIN_REGED=pcsecuritysupport {dot} com
EXE=PC_Antispyware2010
REG_MAIN=Software\PC_Antispyware2010
CODE_NAME=pca21

[Antivirus Pro 2010]
DOMAIN_UNREG=avp21 {dot} com
DOMAIN_REGED=avp21 {dot} com
EXE=AntivirusPro2010
REG_MAIN=Software\AntivirusPro2010
CODE_NAME=avp21

-------------------------------------------------------------------------
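The dump above is an INI-style file with repeated keys (a dozen DOMAIN_FEEDBACK lines, several DOMAINS_SKIP lines) and defanged "{dot}" hostnames. The following Python is an added example, not part of the original post or of the rogue's own code: it parses an excerpt of the decoded file (copied into the script as a constructed sample), refangs the domains, keeps the DOMAINS_SKIP tokens separate from the malicious hosts, shows that the same hosts serve the feedback, update and download roles, and renders a hosts-file block list. The sinkhole address 0.0.0.0 and the handling of the "REG_MAIN|" spelling seen in a few sections are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed excerpt of the decoded reference file above (defanged form kept as-is).
SAMPLE = r"""
[REGISTRY]
REG_AUTORUN=Software\Microsoft\Windows\CurrentVersion\Run
REG_MICROSOFT_SC=SOFTWARE\Microsoft\Security Center

[MISCELLANEOUS]
RAR_PASSWORD=abcd012345efgh
DWN_USERNAME=user
DWN_PASSWORD= :D

[DOMAINS]
DOMAINS_SKIP=aol,att,mail,msn,yahoo,google
DOMAINS_SKIP=youtube,facebook,live.com,microsoft
DOMAIN_FEEDBACK=hulieropedaso {dot} com
DOMAIN_FEEDBACK=rvertundfertug {dot} com
DOMAIN_BILLING=paysecuresystem {dot} com
DOMAIN_UPDATE=hulieropedaso {dot} com
DOMAIN_UPDATE=rvertundfertug {dot} com
DOMAIN_DOWNLOAD=hulieropedaso {dot} com
DOMAIN_DOWNLOAD=rvertundfertug {dot} com

[XP Antispyware 2009]
EXE=XP_Antispyware
REG_MAIN|=Software\XP_Antispyware

[PC Antispyware 2010]
DOMAIN_UNREG=pcantispyware2010 {dot} com
DOMAIN_REGED=pcsecuritysupport {dot} com
EXE=PC_Antispyware2010
REG_MAIN=Software\PC_Antispyware2010
CODE_NAME=pca21
"""


def parse_config(text):
    """INI-like parse; repeated keys inside a section are collected into a list, in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections[current] = defaultdict(list)
            continue
        key, sep, value = line.partition('=')
        if not sep or current is None:
            continue                      # stray line outside any section
        sections[current][key.strip()].append(value.strip())
    return {name: dict(kv) for name, kv in sections.items()}


def refang(domain):
    """'example {dot} com' -> 'example.com'."""
    return re.sub(r'\s*\{dot\}\s*', '.', domain.strip()).lower()


def collect_domains(cfg):
    """Group every DOMAIN_<role> value by role across all sections; DOMAINS_SKIP is kept apart."""
    by_role, skip = defaultdict(set), set()
    for kv in cfg.values():
        for key, values in kv.items():
            if key == 'DOMAINS_SKIP':
                for v in values:
                    skip.update(t.strip().lower() for t in v.split(','))
            elif key.startswith('DOMAIN_'):
                by_role[key[len('DOMAIN_'):].lower()].update(refang(v) for v in values)
    return dict(by_role), skip


def block_list(cfg):
    """Sorted, deduplicated list of all rogue domains; skip-list tokens are never included."""
    by_role, skip = collect_domains(cfg)
    hosts = set().union(*by_role.values()) if by_role else set()
    return sorted(h for h in hosts if h not in skip)


def shared_infra(by_role, roles=('feedback', 'update', 'download')):
    """Domains that serve all of the given roles at once."""
    return sorted(set.intersection(*[by_role.get(r, set()) for r in roles]))


def brand_sections(cfg):
    """Sections describing one rogue brand: those with EXE plus REG_MAIN.
    Some sections of the dump spell the key 'REG_MAIN|' (trailing pipe, as decoded); accept both."""
    out = {}
    for name, kv in cfg.items():
        reg = kv.get('REG_MAIN') or kv.get('REG_MAIN|')
        if 'EXE' in kv and reg:
            out[name] = dict(exe=kv['EXE'][0], reg=reg[0], code=kv.get('CODE_NAME', [None])[0])
    return out


def hosts_entries(cfg, sink='0.0.0.0'):
    """Render the block list as hosts-file lines (sinkhole address is an assumption)."""
    return [f'{sink} {h}' for h in block_list(cfg)]


if __name__ == '__main__':
    cfg = parse_config(SAMPLE)
    print('\n'.join(hosts_entries(cfg)))
    print('shared C2 hosts:', shared_infra(collect_domains(cfg)[0]))
```

The DOMAINS_SKIP entries are bare tokens ("aol", "mail", "live.com") rather than hostnames, so the script only uses them as an exclusion set and does not try to reproduce whatever substring match the rogue applies to them; that matching rule is not visible in the dump.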

Have a malware free day!

Tuesday, August 18, 2009

registry notes .. x of many

winreg.h

HKEY_CLASSES_ROOT        : constant HKEY := To_Hkey(16#80000000#);
HKEY_CURRENT_USER        : constant HKEY := To_Hkey(16#80000001#);
HKEY_LOCAL_MACHINE       : constant HKEY := To_Hkey(16#80000002#);
HKEY_USERS               : constant HKEY := To_Hkey(16#80000003#);
HKEY_PERFORMANCE_DATA    : constant HKEY := To_Hkey(16#80000004#);
HKEY_PERFORMANCE_TEXT    : constant HKEY := To_Hkey(16#80000050#);
HKEY_PERFORMANCE_NLSTEXT : constant HKEY := To_Hkey(16#80000060#);

Friday, August 14, 2009

New SMS Ransomware

As reported here.

New ransomware detected by CA as Win32/RansomSMS.Q.


-Translated from Russian-
-----------------------------------------------------------------
You are using unlicensed software in your system

To continue using the system, you must obtain a license key
Now it is easy to do just follow the instructions below

1. You need to send SMS-message
2. In response you will receive an activation code
3. Enter the code to activate the system

Send an SMS message with the text:

getstore52276

at number

6008

Enter the resulting code
_______________________
Activate Product

-----------------------------------------------------------------

Currently working on activation code.....


Monday, June 29, 2009

File with no OEP but with TLS

When analyzing files, researchers usually start by checking the file structure. Most of the time we check the file's Original Entry Point (OEP); if there is no usable entry point, we look at the Thread Local Storage (TLS) directory instead.

Below is the initial judgment when checking a file.

OEP  TLS  Initial judgment
 0    0   possible corrupt file; needs further checking of file behavior
 0    1   suspicious
 1    0   needs further checking of file behavior
 1    1   suspicious

0 - does not exist
1 - exists

These past few days I noticed a few malicious files without an OEP; in such a file the presence of a TLS directory is a dead giveaway. Below is one sample case. There are other scenarios, but I will focus on this one.

Figure 1 shows the AddressOfEntryPoint field and the ImageBase; adding the two gives the virtual address (VA) of the file's entry point. Here the entry point RVA does not map to any section's raw data, so no file offset corresponds to it and there is no code at the entry point on disk.


[Figure 1 – Shows the file OEP offset is out of range]

When debugging the file I started at the TLS callback, see Figure 2. Why? The blog entry by Ero Carrera on TLS callbacks explains it, together with the reference from Ilfak: the loader runs TLS callbacks before control ever reaches the entry point.


[Figure 2 – Start of TLS Callback]

It did not take long to find what I was looking for: just after two decryption routines, the TLS code walks the PE header of the file to locate the entry point field.
Start of PE header + 0x28 = AddressOfEntryPoint (the PE signature and IMAGE_FILE_HEADER occupy the first 0x18 bytes, and AddressOfEntryPoint sits 0x10 bytes into the optional header).

In Figure 3 the malware is writing a JMP instruction (opcode 0xE9, JMP rel32) at the entry point.
The precomputed 32-bit displacement of the JMP, that is, the target address minus the address of the byte following the five-byte instruction, is then placed at entry point + 1.


[Figure 3 – TLS Code used to modify the Entry point Instruction]

The file on disk may have no usable entry point, but once it is loaded in memory the TLS callback, which runs before the loader transfers control to the entry point, decrypts the malware code and writes the jump that diverts execution from the entry point into the decrypted code.
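The following Python is an added example, not code from this post or from the sample it describes. It builds a constructed PE32 image (assumed ImageBase 0x400000, one section at RVA 0x1000 whose VirtualSize is larger than its raw data, and a TLS directory with one callback) and then applies the triage table above: does the entry point have bytes on disk, and is a TLS directory present. It then simulates, on the mapped image, what the TLS callback does at run time: read AddressOfEntryPoint at PE header + 0x28, write 0xE9 there and the rel32 displacement at entry point + 1, after which the entry point jumps into the decrypted code.

```python
import struct

IMAGE_BASE = 0x400000      # assumed ImageBase of the constructed sample
TLS_DIR_INDEX = 9          # IMAGE_DIRECTORY_ENTRY_TLS

VERDICT = {(False, False): 'possible corrupt file; needs further checking of file behaviour',
           (False, True):  'suspicious',
           (True, False):  'needs further checking of file behaviour',
           (True, True):   'suspicious'}


def build_sample_pe(entry_rva, with_tls):
    """Constructed minimal PE32 (not a real sample): one '.text' section at RVA 0x1000 with
    VirtualSize 0x1000 but only 0x200 bytes of raw data at file offset 0x200."""
    sect_rva, raw_ptr, raw_size, vsize = 0x1000, 0x200, 0x200, 0x1000
    data, tls_rva = bytearray(raw_size), 0
    if with_tls:
        tls_rva = sect_rva                                  # IMAGE_TLS_DIRECTORY32 at section start
        cb_list_rva, cb_rva = sect_rva + 0x20, sect_rva + 0x100
        struct.pack_into('<6I', data, 0, 0, 0, 0, IMAGE_BASE + cb_list_rva, 0, 0)
        struct.pack_into('<2I', data, 0x20, IMAGE_BASE + cb_rva, 0)   # VA list, NULL-terminated
        data[0x100] = 0xC3                                  # callback body placeholder: ret
    opt = bytearray(224)
    struct.pack_into('<H', opt, 0, 0x10B)                                 # PE32 magic
    struct.pack_into('<I', opt, 16, entry_rva)                            # AddressOfEntryPoint
    struct.pack_into('<III', opt, 28, IMAGE_BASE, 0x1000, 0x200)          # ImageBase, alignments
    struct.pack_into('<II', opt, 56, 0x2000, 0x200)                       # SizeOfImage, SizeOfHeaders
    struct.pack_into('<I', opt, 92, 16)                                   # NumberOfRvaAndSizes
    struct.pack_into('<II', opt, 96 + 8 * TLS_DIR_INDEX, tls_rva, 24 if with_tls else 0)
    file_hdr = struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack('<8sIIIIIIHHI', b'.text', vsize, sect_rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    hdr = bytearray(b'MZ' + bytes(58) + struct.pack('<I', 0x40)) + b'PE\0\0' + file_hdr + opt + sect
    return bytes(hdr.ljust(raw_ptr, b'\0') + data)


def parse_pe(img):
    """Read the few header fields the triage needs, plus the section table."""
    e_lfanew, = struct.unpack_from('<I', img, 0x3C)
    if img[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('not a PE image')
    nsect, = struct.unpack_from('<H', img, e_lfanew + 6)
    opt_size, = struct.unpack_from('<H', img, e_lfanew + 20)
    opt = e_lfanew + 24
    entry, = struct.unpack_from('<I', img, e_lfanew + 0x28)      # PE header + 0x28, as in the post
    base, image_size, hdr_size = (struct.unpack_from('<I', img, opt + o)[0] for o in (28, 56, 60))
    tls_rva, = struct.unpack_from('<I', img, opt + 96 + 8 * TLS_DIR_INDEX)
    sections = [struct.unpack_from('<8sIIII', img, opt + opt_size + 40 * i) for i in range(nsect)]
    return dict(base=base, entry=entry, tls=tls_rva, image_size=image_size,
                hdr_size=hdr_size, sections=sections)


def rva_to_offset(sections, rva):
    """File offset backing an RVA, or None when the RVA has no bytes on disk."""
    for _, _, va, rsize, rptr in sections:
        if va <= rva < va + rsize:
            return rptr + (rva - va)
    return None


def analyze(img):
    """Apply the OEP/TLS table: entry point counts as present only if it has bytes on disk."""
    pe = parse_pe(img)
    ep_on_disk = pe['entry'] != 0 and rva_to_offset(pe['sections'], pe['entry']) is not None
    callbacks = []
    if pe['tls']:
        off = rva_to_offset(pe['sections'], pe['tls'])
        cb_va, = struct.unpack_from('<I', img, off + 12)             # AddressOfCallBacks is a VA
        cb_off = rva_to_offset(pe['sections'], cb_va - pe['base'])
        while (va := struct.unpack_from('<I', img, cb_off)[0]) != 0:
            callbacks.append(va)
            cb_off += 4
    return dict(entry_va=pe['base'] + pe['entry'], entry_on_disk=ep_on_disk,
                tls_callbacks=callbacks, verdict=VERDICT[(ep_on_disk, bool(pe['tls']))])


def map_image(img):
    """Lay the file out as the loader would: headers and sections at their RVAs, rest zero-filled."""
    pe = parse_pe(img)
    mem = bytearray(pe['image_size'])
    mem[:pe['hdr_size']] = img[:pe['hdr_size']]
    for _, _, va, rsize, rptr in pe['sections']:
        mem[va:va + rsize] = img[rptr:rptr + rsize]
    return mem


def jmp_rel32(src_va, dst_va):
    """Encode JMP rel32: opcode 0xE9 then (target - address of the next instruction)."""
    return b'\xE9' + struct.pack('<i', dst_va - (src_va + 5))


def tls_callback_patch(mem, target_rva):
    """Simulate the TLS callback from the post on the mapped image: find AddressOfEntryPoint via
    e_lfanew + 0x28, write 0xE9 at the entry point and the rel32 at entry point + 1."""
    e_lfanew, = struct.unpack_from('<I', mem, 0x3C)
    ep_rva, = struct.unpack_from('<I', mem, e_lfanew + 0x28)
    base, = struct.unpack_from('<I', mem, e_lfanew + 24 + 28)
    mem[ep_rva:ep_rva + 5] = jmp_rel32(base + ep_rva, base + target_rva)
    return ep_rva


def decode_jmp(mem, rva):
    """Follow a JMP rel32 at `rva`; returns the landing RVA, or None if no 0xE9 is there."""
    if mem[rva] != 0xE9:
        return None
    return rva + 5 + struct.unpack_from('<i', mem, rva + 1)[0]
```

Legitimate binaries also carry TLS directories (any MSVC program using thread-local variables gets one from the CRT), so the "suspicious" verdict is a triage hint that tells you where to start debugging, not a detection on its own. The entry-point check mirrors the post's case: the RVA is inside the section's virtual range, so the loader accepts it and maps zeros there, but it has no file offset, which is why static tools report it as out of range.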

Knowledge of the PE file structure is an advantage to malware authors and malware researchers alike; what matters is how that advantage is used.



Related readings
How Malware Defends Itself Using TLS Callback Functions