Kayaker
July 21st, 2012, 18:54
I came upon a Fake Antivirus malware some may wish to look at. This one goes by the name of Live Security Platinum - oooh..
I renamed the original file to FakeAV.Vxe in order to prevent accidental double clicking. The password for the zip attachment is
malware
Play safe!
I often scan my spam folders for potentially interesting malware. I'm disappointed most of the time because they usually redirect to p0rn sites promising me exquisitely enjoyable sexual encounters until my head explodes. Not that that in itself would disappoint me, I just don't believe it.
I finally got a bite the other day, the infamous US Postal Service "Undelivered Mail" scam. The image redirected to a zip file containing an exe, with PDF icon, which I was supposed to double click on to "print a shipping label". The exe was a generic downloader virtually identical in function, though not details, to the one discussed here:
http://www.woodmann.com/forum/showthread.php?14576-Your-free-airline-ticket-is-ready
Various obfuscations and indirections ultimately leading to creating an svchost.exe process where the entry point is redirected to a mapped section which is the downloader code proper. The decrypted download URL pointed to
http://bing.com/afyu/?r=gate&gh=ac5962b5&group=1807rcm&debug=0
Unfortunately I couldn't get anything from that link, so instead I googled the string "http://bing.com/afyu/?r=gate" and came up with several hits on threatexpert.com. The entry seems to be gone all of a sudden, but one analysis mentioned that the dropper was trying to download the following file:
http://www.tsridharan.info/3.exe
This is the Fake AV malware in the attachment, which I retrieved with Wget.
It's actually amusing to watch, though it wouldn't be if your poor grandmother was the victim. Seems all my previously clean VM images are "infected" with exactly 38 malwares.
It would be interesting to discuss your strategies for analyzing a system once infected with something with the capabilities of this Fake AV. Once the pop-up message appears that your system is "infected", none of your favorite RE tools will start.
Running CaptureBAT beforehand will glean some information on the installation of the malware. Having RKU running and doing a rescan after infection will also help, showing several code hooks. You can 'unhook' them, but that seems to be detected and the malware will rehook and close offending running processes (i.e. your RE tools).
I've read general descriptions about these fake AVs before; finally I've got one to play with.
Have fun.
Cheers,
Kayaker
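As an added illustration of what a hook scan like the RKU rescan mentioned above is actually comparing (example code written for this thread, not from the original post and not RKU's own code): take an API function's prologue as it appears on disk, compare it with the bytes read from the live process, decode an inline jmp if one was planted, and flag a target that lies outside the owning module. All addresses and byte strings here are constructed for the demo, not taken from the Live Security Platinum sample.

```python
import struct

# Constructed sample values (not from the real sample): assumed image base and
# size of a hooked DLL, and the RVA of one exported function in it.
MODULE_BASE = 0x7C800000
MODULE_SIZE = 0x000F6000
FUNC_RVA = 0x00012345

# Typical x86 prologue as read from the DLL on disk: mov edi,edi; push ebp;
# mov ebp,esp; sub esp,18h
ON_DISK = bytes.fromhex("8BFF558BEC83EC18")
# Same location read from the live process after an inline hook overwrote the
# first five bytes with "jmp rel32" (constructed; target chosen as 0x00402000).
IN_MEMORY = bytes.fromhex("E9B6FCBE83" + "83EC18")


def decode_jump(code: bytes, va: int):
    """Return the destination of a trampoline starting at `va`, or None.

    Handles the two patterns most inline hooks use on 32-bit Windows:
    E9 rel32 (jmp relative) and 68 imm32 C3 (push imm32; ret)."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]   # signed displacement
        return va + 5 + rel                           # relative to next insn
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]   # absolute pushed address
    return None


def check_hook(on_disk: bytes, in_memory: bytes, func_va: int,
               module_base: int, module_size: int) -> dict:
    """Compare the on-disk prologue with the live bytes and classify the result.

    'hooked' is True when the bytes differ; 'target' is the decoded jump
    destination (None if the patch is not a recognised jmp); 'outside_module'
    is True when that destination is not inside the module that owns the
    function, which is the classic sign of a foreign code hook."""
    n = min(len(on_disk), len(in_memory))
    if on_disk[:n] == in_memory[:n]:
        return {"hooked": False, "target": None, "outside_module": False}
    target = decode_jump(in_memory, func_va)
    inside = target is not None and module_base <= target < module_base + module_size
    return {"hooked": True, "target": target,
            "outside_module": target is not None and not inside}


if __name__ == "__main__":
    r = check_hook(ON_DISK, IN_MEMORY, MODULE_BASE + FUNC_RVA, MODULE_BASE, MODULE_SIZE)
    print("hooked=%s target=%s outside_module=%s"
          % (r["hooked"], hex(r["target"]) if r["target"] else None, r["outside_module"]))
```

A real scanner reads the live bytes with ReadProcessMemory and the disk copy from the module's PE file; the comparison and address arithmetic are the part shown here.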