September 16, 2013
Titan Antivirus 2013

This is another one in the FakeAV family, although less aggressive. When I started analyzing it the detection was 2/47 on VT; right now it's at 31/47: https://www.virustotal.com/en/file/69ded14a0d53cebfed8309cea164a77eb8cf9257a42079a943433fcf652efa69/analysis/1379311654/

This sample was dropped by Neutrino and first showed itself as a desktop shortcut together with an icon in the tray.

image


But before any of this happens it will spawn the default browser and wait until it gets confirmation from the browser that the machine has an active internet connection.

image

After it has confirmed it has internet connectivity it will install itself; it does this by writing a copy of itself together with its additional files to:

  • %appdata%\xtendr\
  • %appdata%\xtendr\app.ico
  • %appdata%\xtendr\support.ico
  • %appdata%\xtendr\uninst.ico
  • %appdata%\xtendr\<Random Named.exe>
  • %appdata%\xtendr\xtuis.txt
  • %appdata%\xtendr\xtx.txt

The ‘xtendr’ name will change in the future, as older versions have been seen installing into ‘ifdstore’. Next to creating files on disk it also modifies the registry. First it makes sure it will be started at boot:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"xtfgsvc"="C:\Documents and Settings\All Users\Application Data\xtendr\1dftrh6y5et4weafwafwafwaf.exe /min"

It also adds keys to the Windows uninstall registry; although the uninstall will not do anything, it is there to convince the user it is legit:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\xtendr]
"DisplayName"="Titan Antivirus 2013"
"InstallLocation"="C:\Documents and Settings\All Users\Application Data\xtendr"
"UninstallString"="C:\Documents and Settings\All Users\Application Data\xtendr\1dftrh6y5et4weafwafwafwaf.exe /tout"
"DisplayIcon"="C:\Documents and Settings\All Users\Application Data\xtendr\1dftrh6y5et4weafwafwafwaf.exe,0"

The last modification it makes to the registry is to register itself as the shell handler for ‘.exe’. This is so it can catch any application the user tries to start; it will then flag these as ‘malicious’, which I will show later in the blog. The registry entries for this shell handler look like this:

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="4g"
"Content Type"="application/x-m"
[HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon]
@="%1"
[HKEY_CURRENT_USER\Software\Classes\.exe\shell]
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open]
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\Documents and Settings\All Users\Application Data\xtendr\1dftrh6y5et4weafwafwafwaf.exe\" /ex \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas]
[HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"


It will then start its check-in procedure to set itself up on the infected machine:

GET /cmd/check/ HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)
Host: check.getonlineupdatesage.org
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Mon, 09 Sep 2013 19:55:26 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.17-1~dotdeb.0


1e
@check.getonlineupdatesage.org
0

This tells the application it has been registered and can start its multi-stage check-in at stage 1 (1e) against the domain check.getonlineupdatesage.org. Note that the User-Agent is MSIE 9.0; this is hard-coded, it does not ask the OS which browser is in use. The bot then starts its check-ins to confirm all data and get information from the C&C:

GET /cmd/s/?stage=1&uid=a9798eb0b5d60b4c93064f994f3ab9f0&id=10&subid=21&os=1&avf=0 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)
Host: check.getonlineupdatesage.org
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Mon, 09 Sep 2013 19:55:27 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.17-1~dotdeb.0


2
ok
0

It reports the unique identifier for this infection, the id (possibly for the type of payload, unsure), the subid (also unknown to me), the OS version and avf (unknown). It gets back an OK that all is fine and proceeds to stage 2, but first it downloads an encrypted blob of data:

GET /cmd/ui/?uid=a9798eb0b5d60b4c93064f994f3ab9f0 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)
Host: check.getonlineupdatesage.org
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Mon, 09 Sep 2013 19:55:27 GMT
Content-Type: text/plain; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.17-1~dotdeb.0


1eb0
..g..6.{O.r…i`.i…r.K;.6…K…g..6.;O.r…i..i…r.O;.6..g………Z=…|….=…s.n……….g..6..E…i….:.H…oU.D…1…… ?b79..t……..M.C3…………Gk79..t……].

The total size of this blob is 1.15 MB; looking at the files on disk we can see that one of them is the downloaded blob:

image

Looking at the data it seems to hold the config for where it should connect to as well as the graphical interface. The main loader that is started at boot and initially infects the system is only 43 KB. After it has downloaded the blob it starts the application proper (showing the tray icon) and reports back that it installed successfully:

GET /cmd/s/?stage=2&uid=a9798eb0b5d60b4c93064f994f3ab9f0&success=1 HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)
Host: check.getonlineupdatesage.org
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Mon, 09 Sep 2013 19:55:29 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.17-1~dotdeb.0


2
ok
0
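As an added example (not the post's own code), the following Python parses the captured check-in exchanges: it pulls the query parameters (stage, uid and so on) out of the request, decodes the chunked response body (the hex line before each chunk is its length in bytes), and flags the combination of the /cmd/ endpoints with the hard-coded MSIE 9.0 User-Agent. The sample request and response are constructed from the stage-1 capture above, with CRLF line endings added.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hard-coded User-Agent seen on every C&C check-in in the post's captures.
CHECKIN_UA = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)"
# C&C endpoints observed in the post: /cmd/check/, /cmd/s/, /cmd/ui/, /cmd/b/.
CHECKIN_PATH = re.compile(r"^/cmd/(check|s|ui|b)/$")

# Constructed sample, built from the stage-1 exchange shown in the post.
SAMPLE_REQUEST = (
    b"GET /cmd/s/?stage=1&uid=a9798eb0b5d60b4c93064f994f3ab9f0&id=10&subid=21&os=1&avf=0 HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)\r\n"
    b"Host: check.getonlineupdatesage.org\r\n"
    b"Cache-Control: no-cache\r\n\r\n"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.4.2\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: keep-alive\r\n\r\n"
    b"2\r\nok\r\n0\r\n\r\n"
)


def split_message(raw):
    """Split an HTTP message into (start line, lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_chunked(body):
    """Decode a Transfer-Encoding: chunked body. Each chunk is preceded by its
    length in hex (optionally followed by ';extensions'); a 0 chunk ends it."""
    out, pos = bytearray(), 0
    while True:
        nl = body.index(b"\r\n", pos)
        size = int(body[pos:nl].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        pos = nl + 2
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that terminates the chunk


def summarize_checkin(raw_request, raw_response):
    """Extract the fields a defender wants from one check-in exchange."""
    req_line, req_headers, _ = split_message(raw_request)
    method, target, _ = req_line.split(" ", 2)
    url = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    status_line, resp_headers, body = split_message(raw_response)
    if resp_headers.get("transfer-encoding", "").lower() == "chunked":
        body = decode_chunked(body)
    return {
        "method": method,
        "host": req_headers.get("host"),
        "path": url.path,
        "params": params,
        # Both conditions together are the signature of this family's beacon.
        "is_checkin": bool(CHECKIN_PATH.match(url.path))
        and req_headers.get("user-agent") == CHECKIN_UA,
        "status": status_line.split(" ", 1)[1],
        "body": body.decode("utf-8", "replace"),
    }


if __name__ == "__main__":
    summary = summarize_checkin(SAMPLE_REQUEST, SAMPLE_RESPONSE)
    print(summary["host"], summary["path"], summary["params"], summary["body"])
    print("check-in beacon:", summary["is_checkin"])
```

The uid parameter is the same across every request of an infection (it reappears as nid in the payment redirect later in the post), so pivoting on it in proxy logs ties the check-ins, the config download and the purchase click to one machine.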

The application does not work as aggressively as most FakeAVs do. It does not block interaction with Explorer and the rest of Windows, and it will not pop up its main screen on its own. It hints to the user that something is ‘wrong’ via fake messages about scans and vulnerabilities it sees, and when you start any application it will tell you it is infected:

image

image

image

All these messages are obviously fake and just try to get the user to activate the ‘antivirus’. When a user decides to look around before activating they will get tons of messages about disabled functionality, because it hasn’t been activated yet:

image

image

When trying to change any of these settings a popup will appear forcing you to activate and pay for the product before you can change anything. You can however ‘update’ the antivirus database; traffic-wise this does nothing, it is all for show and doesn’t make any connections:

image

After a while it will also start nagging on the main window asking to be activated:

image

The activation codes are validated; this is what entering a false / incorrect key shows:
image

So it seems it really needs to get an activation code from the C&C. Pressing the ‘Purchase Later’ button will hide the activation window for a while, but it will keep nagging until the user complies. When you press the ‘Purchase Now’ button a request is made to the payment server:

GET /cmd/b/?uid=a9798eb0b5d60b4c93064f994f3ab9f0 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: mycoolthingsonlinenow.com
Connection: Keep-Alive


HTTP/1.1 302 Moved Temporarily
Server: nginx/1.4.2
Date: Mon, 09 Sep 2013 19:57:37 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.4.17-1~dotdeb.0
location: hxxp://secfastpay.com/p/?group=fta&nid=a9798eb0b5d60b4c93064f994f3ab9f0&lid=1&affid=00000


0


The request forwards the client via a 302 to the payment page hosted on ‘secfastpay.com’; the request to this looks as follows (it also forwards the client further):


GET /p/?group=fta&nid=a9798eb0b5d60b4c93064f994f3ab9f0&lid=1&affid=00000 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: secfastpay.com
Connection: Keep-Alive


HTTP/1.1 302 FOUND
Server: nginx/1.0.15
Date: Mon, 09 Sep 2013 17:07:57 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: hxxp://secfastpay.com/p/fta/?lid=1&group=fta&reject_url=http%3A%2F%2Fsecfastpay.com%2Fp%2Fdecline%2F%3Flid%3D1%26group%3Dfta%26nid%3Da9798eb0b5d60b4c93064f994f3ab9f0%26affid%3D00000%26ver%3D1&nid=a9798eb0b5d60b4c93064f994f3ab9f0&affid=00000&ver=1
Set-Cookie: pf=u; Path=/


0


GET /p/fta/?lid=1&group=fta&reject_url=http%3A%2F%2Fsecfastpay.com%2Fp%2Fdecline%2F%3Flid%3D1%26group%3Dfta%26nid%3Da9798eb0b5d60b4c93064f994f3ab9f0%26affid%3D00000%26ver%3D1&nid=a9798eb0b5d60b4c93064f994f3ab9f0&affid=00000&ver=1 HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: secfastpay.com
Connection: Keep-Alive
Cookie: pf=u


HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Mon, 09 Sep 2013 17:07:57 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive


f77
<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN” “http://www.w3.org/TR/html4/loose.dtd”>

The response starting with ‘<!DOCTYPE HTML’ is the payment page; on the client it now looks like this:
image

$99.99 for a full year… I did not check the full extent of this payment system. After some reversing I got the key out of it, which allows me to activate the application; the key is hard-coded and works for all samples, it is not based on any machine IDs:

1O2Z3L4W5I6T7F8Q9C1N2Y3K4V5H6S7E

The program will report that it is successfully activated by the user:
image



After activation the program is finally happy and allows you to clean up the ‘infections’ found while scanning:
image

image



And it will start cleaning up:
image


If you scan now it will never find anything again:
image


The now activated program allows the user to change all settings in the configuration panel. The ‘Start with Windows’ option actually works; disabling it stops the FakeAV from starting at boot.

When the user registers with the key it also writes a small lock file called ‘xtrk.dat’ that contains the key used to activate, so that the next time it runs it knows it is already activated.

The domains involved in this FakeAV scam:

mycoolthingsonlinenow.com
getonlineupdatesage.org
getonlineupdatesace.biz
secfastpay.com
rxprogress.com

The IPs seen with this FakeAV scam:

195.20.141.33
195.20.141.34
195.20.141.35
109.236.80.29
109.236.80.243

While all the payment processing domains (secfastpay and rxprogress) are registered with WhoisGuard, the other domains used for the FakeAV check-in are not; they are registered with the following information:

Niels Harris (nyashikos@gmail.com)
+7.501835203
Fax: 
Lenina 34
Moscow, NE 87208
RU

The address refers to an apartment building in Moscow; checking the email address we find an attached Facebook profile:

https://www.facebook.com/kawaiko.nyashne


It has only a single friend, who in turn has 2 friends, and from there it fans out quite rapidly. Could be the guy behind it or just an identity they are abusing…
