Tuesday, November 10, 2009

"AntiMalware" Fake Security Product: Malware Analysis and Related Domains [Updated]

A recent tweet from Panda Security Malaysia led me to do some further investigation of a new (and not widely known yet) malware distribution site (scansecurityhole .cn) and the malware it's distributing.  Here's some of what I've discovered so far.

Only 12 out of 41 antivirus engines currently detect the malicious payload.  From the VirusTotal analysis:
File name: antimalware.exe
File size: 1572864 bytes
MD5...: d7cb2ac94a4ad92df54f46fa1a1518dc
SHA1..: 065af3ef68d32b686b61b0a144c83bdfa352b2e1
SHA256: 959d2f7efc5aa7fa719067d466f73aa4c015adddc5149663351a604beda47314

12/41 detection rate as of 2009.11.10 18:25:06 (UTC)

Variously identified as: Artemis!D7CB2AC94A4A, FraudTool.Win32.RogueSecurity (v), Mal/FakeAV-BP, Medium Risk Malware, Packed.Win32.TDSS.aa, Trojan:Win32/FakeCog, Trojan.FakeCog.DZ, Trojan.Win32.Alureon, W32/FakeAV.C!genr, Win32/Adware.CoreguardAntivirus.A, Adware/CoreguardAV, Win32/AntiMalware.A, Win32:Jifas-BY, Win-Trojan/FakeAV.1572864, HomeProtectionCenter, Adware/SystemGuard2009, Malware-Cryptor.Win32.Trac, Packed/Win32.Tdss.gen, TR/FakeAV.AS.1, TROJ_FAKECOG.AJ, Trojan.FakeAV-200, Trojan.FakeAV.AS.1, Trojan.Generic.2649775, Trojan.TDSS.aa, Trojan.Win32.FakeCog, Trojan.Win32.Generic.51F11C66, Trojan.Win32.Malware.1, Generic.TRA!d7cb2ac94a4a, W32/FakeAlert.DY.gen!Eldorado, Trojan/W32.TDSS.1572864.I, Trojan.Tdss.Dhy, Packed.Tdss.adic, Packed.Win32.Tdss.y (v), etc.
Behavioral analyses of this malware:
Web of Trust (WOT) reports for scansecurityhole .cn and several sites to which the malware phones home:
I have submitted a sample of this malware to multiple antivirus companies, so it should soon be detected more widely.  I am also submitting the above malicious sites to several blacklists, so hopefully the sites will soon be blocked more widely as well.

UPDATE, 11 Nov 2009 @ 07:20 PST: Added 5 new detection names from Fortinet, MalwareURL, and VirusTotal, and also added 8 related domains identified by hpHosts and MalwareURL.

UPDATE, 13 Nov 2009 @ 12:10 PST: Added 14 new detection names from McAfee and VirusTotal.  Detection is still fairly low at only 27 out of 41 engines.  In other news, with help from hpHosts the malicious URL hosted at has been taken down.  Additionally, the antimalware.exe hosted on scansecurityhole .cn has changed, and has a very low detection rate (currently 5 out of 41):
File name: antimalware.exe
File size: 1585152 bytes
MD5...: 8d48379fd946e06b12d1ee8fe9efc65b
SHA1..: de3f142cf15ac4fc4eb97b14a3c7ad9a73acb227
SHA256: 647320fa125cd4b540faab30513ca5a3517affc73bf9bb9b48b7507a8fd03246

5/41 detection rate as of 2009.11.13 18:58:28 (UTC)

Variously identified as: Artemis!8D48379FD946, FraudTool.Win32.RogueSecurity (v), Sus/UnkPacker, Trojan.FakeAlert.Gen!Pac.13, W32/FakeAV.C!genr, Packed.Win32.TDSS.aa, W32/FakeAlert.FL!tr, Heur.Suspicious, Medium Risk Malware, Packed.Win32.Tdss, SHeur2.BRRJ, TR/PCK.Tdss.AA.1855, TROJ_FAKEAV.BNY, Trojan:Win32/FakeCog, Trojan.FakeAV, Trojan.PCK.Tdss.AA.1855, Trojan.Win32.Generic.51F15672, W32/FakeAlert.DY.gen!Eldorado, Win-Trojan/FakeAV.1585152, Win32:Malware-gen, Win32/Adware.CoreguardAntivirus.A, Generic FakeAlert.c, Trojan.Tdss.Dkx, Win32/AntiMalware.D trojan, Trojan.TDSS-1247, Packed.Tdss.adld, etc.

Behaviorally it appears to be very similar to the previous sample (see the Xandora, ThreatExpert, and Anubis analyses), except that it contacts different domains:
One interesting thing from the Xandora analysis is that this version installed faster, so the screenshot taken after 90 seconds showed a scan result—with "Nothing found!"  However, that doesn't mean it's a legitimate product; case in point, ThreatExpert's analysis shows that it disables Windows' Security Center service, which no legitimate antivirus product would do automatically upon installation.  Perhaps the software intentionally doesn't find anything in its first scan for the sole purpose of looking legitimate to malware analysts and automated systems.  It's also worth noting that malware creators can specifically design their programs to act differently when being analyzed, as Brian Krebs wrote about in his recent Security Fix article titled Former anti-virus researcher turns tables on industry.
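The tell described above (a freshly installed "antivirus" switching off Security Center) is something a defender can look for in the Windows System log, since the Service Control Manager records start-type changes as event 7040 and state changes as event 7036. The following is an added example, not code from the original post or from any of the analysis services it cites; the log lines are constructed in a simplified `EventID|Source|Message` form, and the service display names in `PROTECTED_SERVICES` are assumptions that would need to be matched to the Windows version being monitored.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the shape "EventID|Source|Message". The 7040/7036 message
# wording follows the Service Control Manager's own phrasing; the lines are not captured
# from the sample discussed in the post.
SAMPLE_LOG = """\
7036|Service Control Manager|The Security Center service entered the running state.
7040|Service Control Manager|The start type of the Security Center service was changed from auto start to disabled.
7036|Service Control Manager|The Security Center service entered the stopped state.
7040|Service Control Manager|The start type of the Background Intelligent Transfer Service service was changed from auto start to demand start.
7036|Service Control Manager|The Windows Defender service entered the running state.
"""

# Display names (assumed) of services a legitimate security product has no reason to turn off.
PROTECTED_SERVICES = {"Security Center", "Windows Defender", "Windows Firewall"}

START_TYPE_RE = re.compile(
    r"The start type of the (?P<name>.+?) service was changed from (?P<old>.+?) to (?P<new>.+?)\.$"
)
STATE_RE = re.compile(r"The (?P<name>.+?) service entered the (?P<state>\w+) state\.$")


@dataclass
class Finding:
    event_id: int
    service: str
    detail: str


def find_security_service_tampering(log_text):
    """Return one Finding per protected service that was disabled (7040) or stopped (7036)."""
    findings = []
    for line in log_text.splitlines():
        try:
            event_id, source, message = line.split("|", 2)
        except ValueError:
            continue  # malformed line: skip it rather than abort the whole scan
        if source != "Service Control Manager":
            continue
        if event_id == "7040":
            m = START_TYPE_RE.match(message)
            if m and m["name"] in PROTECTED_SERVICES and m["new"] == "disabled":
                findings.append(Finding(7040, m["name"], f"start type {m['old']} -> {m['new']}"))
        elif event_id == "7036":
            m = STATE_RE.match(message)
            if m and m["name"] in PROTECTED_SERVICES and m["state"] == "stopped":
                findings.append(Finding(7036, m["name"], "entered the stopped state"))
    return findings


if __name__ == "__main__":
    for f in find_security_service_tampering(SAMPLE_LOG):
        print(f"[{f.event_id}] {f.service}: {f.detail}")
```

On the constructed sample this flags the Security Center start-type change and the subsequent stop, while ignoring the BITS change to demand start, which is routine.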

UPDATE, 16 Nov 2009 @ 08:20 PST: Added 2 new detection names from VirusTotal for the first sample.  Current detection is now 30/41.  Also added 14 new detection names from Kaspersky, Fortinet, and VirusTotal for the second sample.  Current detection is now 24/41.  As of the time of this update, scansecurityhole .cn (which has hosted both variants of antimalware.exe) is inaccessible. 11:30 PST: The site is back up again, and it's still hosting the second variant.

UPDATE, 18 Nov 2009 @ 18:30 PST: Added 3 new detection names from VirScan for the first sample and 5 new detection names from McAfee and VirScan for the second sample.

For more from the JoshMeister on Security, please subscribe to the RSS feed or follow me on Twitter.
