Friday, 29 July 2011
A malware I got from markusg. At first I hadn't investigated it, but after a 'fast analyze' by EP_X0FF... I saw that this one was finally very interesting and also really heavy.
The file is multi-packed with a custom crap packer and UPX (as usual for most malware).
I had some problems making a 'clean' unpacked version: access violations and some other issues. Bored of searching why my dump wasn't working properly (the custom engine of the debugger I use is buggy), for this one I've used 'DeFixed v2'.
It starts by doing a sort of listing (file names, downloads, system paths):
Network test (youtube.com etc.):
Russian language detection (it gets the value from the registry):
Because later, it will pop up a fake alert:
And the Russian version:
It does a lame file copy using a .bat:
Note: most of the files are dropped into %SystemRoot% and later inside hidden subfolders like 'update.2', 'update.3', etc.
Some files downloaded/dropped in %SystemRoot% (the text file 'ip list' contains the IPs of other infected machines; it builds a peer-to-peer bot for exchanging malicious code).
Here, it checks which antivirus you are using:
Program Files / Common Files search:
Another EXE file copy (this time not with a bat file but using APIs):
Drops '2916197.exe' in %Temp% (later renamed sysdriver32.exe; it's another malware loader).
Antivirus detections, and a huge list for Kaspersky:
KAV, ESET, Outpost, Comodo, Agava, Avast, McAfee, Avira, Norton, DrWeb, MSE, MSD, AVG, Panda and many more (all the important AV solutions).
System error 'access denied', maybe related to the name 'flash-player.exe' used to fool users.
The malware will modify the registry key to go into safe mode on the next reboot, and will queue your antivirus for uninstallation.
When all is done, the malware launches a shutdown procedure.
In safe mode you will only see this black screen, and once your antivirus has been successfully uninstalled, the malware modifies the registry key again, this time to boot into normal mode, and right after launches another shutdown procedure.
The passage through safe mode is really fast (uninstalling my Avast Antivirus and launching the reboot procedure took less than 30 seconds).
After that, the user is fooled with a fake icon of your antivirus in the system tray. For example, I did the test with Avast Antivirus (not by preference; I just installed the first product that popped into my head).
Header list (for future fake alerts):
Icon list (used for fake alerts):
Fake Avast update:
And when we click on the Avast icon, we see this:
The Avast shortcut now leads to the fake AV:
The malware can also unrar archives and execute files; an example here with a totally legit bitcoin miner:
A downloaded malware also modified the hosts file:
Looks good, right?
But check the number of lines:
And good luck finding the right place.
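A small audit script for exactly this trick, added here as an example and not part of the original post: it scans a hosts file end to end, counts how much of it is blank padding, and reports every mapping that is not a plain localhost entry together with the line it lives on. The sample hosts content is constructed (a clean header, 400 empty lines, then two hidden entries using an example vendor name and a TEST-NET address).

```python
import ipaddress

# Constructed sample: looks clean at the top, padded with blank lines,
# with the overrides hidden far below (the layout the post describes).
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    + "\n" * 400
    + "127.0.0.1   www.avast.com\n"          # vendor site sinkholed
    + "203.0.113.7   update.example-av.test\n"  # update host redirected
)

# Names that legitimately map to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def audit_hosts(text):
    """Return (stats, findings); findings are (lineno, ip, names, reason)."""
    lines = text.splitlines()
    stats = {"total": len(lines), "blank": 0, "comment": 0, "entries": 0}
    findings = []
    for lineno, raw in enumerate(lines, 1):
        if not raw.strip():
            stats["blank"] += 1
            continue
        body = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            stats["comment"] += 1
            continue
        parts = body.split()
        stats["entries"] += 1
        if len(parts) < 2:
            findings.append((lineno, parts[0], [], "malformed entry"))
            continue
        ip, names = parts[0], parts[1:]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, ip, names, "invalid address"))
            continue
        if addr.is_loopback and all(n in LOOPBACK_NAMES for n in names):
            continue                          # normal localhost line
        reason = ("sinkholed to loopback" if addr.is_loopback
                  else "redirected to remote address")
        findings.append((lineno, ip, names, reason))
    # A file that is mostly empty lines is itself a red flag.
    stats["padding_suspect"] = stats["blank"] > stats["entries"] * 10
    return stats, findings


if __name__ == "__main__":
    stats, findings = audit_hosts(SAMPLE_HOSTS)
    print(stats)
    for lineno, ip, names, reason in findings:
        print(f"line {lineno}: {ip} -> {' '.join(names)} ({reason})")
```

Point it at the real file (%SystemRoot%\System32\drivers\etc\hosts on Windows) by reading it into `audit_hosts`; the line numbers tell you where to look instead of scrolling through the padding.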
And also, remember my 54 MB Avast setup?
The file is now 1.66 KB with a totally fucked PE header.
Most of us know FakeAV as aggressive malware that pushes users to buy a license at all costs.
This one is composed of 3 images and fools users with 'everything is cool, the system is safe'.
But in the background you've got lots of active malware (trojans/downloaders); I even got a rootkit (ZeroAccess) downloaded.