Monday, March 15, 2010

"Play 2 Emulator" Malware

Chris Boyd, Senior Threat Researcher for Sunbelt Software, recently blogged about a malicious site (appzkeygen .com) that claims to distribute a crack, keygen, and serial for "Play 2 Emulator" which the site claims is "a Playstation 2 Emulator that is by far superior to all other PS2 Emulators released before it."  However, the files linked from the site have nothing to do with PlayStation 2 emulation; they're actually Trojan downloaders that will install malware on a victim's computer.

According to Boyd, "A pair of files will be dropped onto your PC, including a randomly named executable in the Windows directory and xpysys.dll in your System32 Folder. You’ve actually wound up with Trojan-Downloader.Win32.CodecPack.2GCash.Gen."  Boyd says that this malware has been associated with fake antivirus and fake codec scams.

I've done some additional research over the past few days and have found that the appzkeygen site has been updated daily with new download locations, each hosted on a new domain. The malware changes slightly each time, as well; the MD5 hash is never the same, and most of the major antivirus vendors have had difficulty detecting the new variants. The first variant I discovered was detected by only 3 out of 42 antivirus engines in the initial VirusTotal scan, and the latest variant was only detected by 13 out of 42 engines on its initial scan. I have been submitting each sample to antivirus vendors and eventually most of them add detection for it, but unfortunately most vendors don't seem to be doing a very good job of using heuristics to identify and detect new variants automatically.

Details of the samples I've discovered so far, courtesy of VirusTotal:
File names: Crack_Play.2.Emulator.45059.exe, Keygen_Play.2.Emulator.45059.exe, Serial_Play.2.Emulator.45059.exe
File size: various including 82432 bytes, 84480 bytes, 89088 bytes
MD5...: various including ad566f1b58cdd7c7474df7769cb6df35, d146e96f86500d6f29b81912129d607f, e3a16274d2533c6bc80fbff38f13f5e9, 70722ca6f3995289acda48831f869e56, b094bae6429ec1b23ea588e286273028
SHA1..: various including b76dfe9b6218f66d344eb7dc40e012a4fc4733d0, d74402483f0d596313ffc71ba426d2450c6b7fa8, 26af00d4c02c251f677c16204d513842dd264948, 863c259827090f7ab574578476951fc2529bc841, 4d77f6399298ece12c3eaa6d7078618fb363f3cd
SHA256: various including 7bc482933d9f90585986abba32a8ddeb771c906ccff2389d9fb1ed29c41b0106, acc8413dfe0b510e42f2a0805d33d2ff09246532e3703330beb973d63ac68c62, aedfe6ce93b19f5fc612623558b48eda89e1b3d9afb30d7c162a70ae7b09f2d2, 52e0ae04d942dc5a749a2d265f73042612e394f503d4a5366b5e2f5167adbbb5, 793ff610c1e24fa44b35e13e76d3dd1f54db8a593bf172e34cd29d00789067bf
Variant 1 initial detection:  3/42 as of 2010.03.12 00:07:05 (UTC)

Variant 1 current detection: 33/42 as of 2010.03.15 17:15:39 (UTC)

Variant 2 initial detection: 11/41 as of 2010.03.12 17:46:27 (UTC)

Variant 2 current detection: 34/42 as of 2010.03.15 17:20:15 (UTC)

Variant 3 initial detection:  9/41 as of 2010.03.13 22:33:51 (UTC)

Variant 3 current detection: 26/42 as of 2010.03.15 17:20:49 (UTC)

Variant 4 initial detection: 10/42 as of 2010.03.14 06:09:36 (UTC)

Variant 4 current detection: 25/42 as of 2010.03.15 17:21:22 (UTC)

Variant 5 initial detection: 13/42 as of 2010.03.15 16:08:37 (UTC)

Variant 6 initial detection: 10/42 as of 2010.03.16 02:29:09 (UTC)

Variant 7 initial detection: 10/42 as of 2010.03.16 04:11:37 (UTC)

Variously identified as: a variant of Win32/Kryptik.CZE, a variant of Win32/Kryptik.DAQ, FakeAlert-MA.gen, FakeAlert.BWTM, FakeAV.AFB, Generic17.AKG, Mal/FakeAV-CO, Medium Risk Malware Dropper, Packed.Win32.Krap,, Packed/Win32.Krap, Packed/Win32.Krap.gen, Packer.Win32.Agent.GEN, Sus/UnkPack-C, Suspicious.Insight, TR/Agent.AS.1828, TR/Agent.AS.2131, Trj/CI.A, TROJ_RENOS.SMAD, Trojan-Downloader:W32/Renos.gen!C, Trojan-Downloader.Win32.CodecPack, Trojan-Downloader.Win32.CodecPack.ktn, Trojan-Downloader/W32.CodecPack.84480.D, Trojan.Agent.AS.1828, Trojan.Agent.AS.2131, Trojan.DL.Renos.JEX, Trojan.DL.Win32.Crypt.ur, Trojan.DownLoader1.2182, Trojan.FraudPack-3439, Trojan.FraudPack-3440, Trojan.Gen, Trojan.Generic.KD.3368, Trojan.Generic.KD.3645, Trojan.Generic.KD.3955, Trojan.Generic.KD.4004, Trojan.Win32.Downloader.84480.AR, Trojan.Win32.Fraudpack, Trojan.Win32.Generic!BT, Trojan.Win32.Generic!SB.0, Trojan.Win32.Krap.82432.C, Trojan/FakeAV.gen, Trojan/, TrojanDownloader:Win32/Renos.KO, W32/FAKEAV.CO!tr, W32/FraudPack.E!Generic, W32/Krap.AS!tr, W32/Packkrap.AS!tr, Win-Trojan/Agent.82432.BV, Win-Trojan/Downloader.84480.Q, Win32:Trojan-gen, Win32.DownloaderReno, Win32/FakeAlert.C!generic, Win32/TrojanDownloader.FakeAlert.AQI, Win32/Wardunlo.EG, etc.
Behavioral analyses of the fifth variant:
According to the Panda Autovin behavioral analysis, the latest variant may install sshnas21.dll into the system32 folder.  When cleaning this infection, be sure to remove xpysys.dll and sshnas21.dll if you find them in the C:\WINDOWS\system32\ directory.  You may need to boot from a live CD to delete these files, or alternatively you can try using a utility such as FileASSASSIN from Malwarebytes.
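
A sweep for the indicators named in this post, as an added example (not code from the original post or from any vendor). It shows why the file names matter more than the hashes here: a new variant misses the MD5 list but is still caught by name. The function name `sweep`, the assumption that the number in the lure file names may vary, and running it against a mounted Windows volume (for instance from a live CD) are assumptions of this example.

```python
import hashlib
import re
from pathlib import Path

# Indicators copied from this post. The MD5 set is incomplete by nature:
# the post notes that the hash is never the same from one variant to the next.
KNOWN_MD5 = {
    "ad566f1b58cdd7c7474df7769cb6df35",
    "d146e96f86500d6f29b81912129d607f",
    "e3a16274d2533c6bc80fbff38f13f5e9",
    "70722ca6f3995289acda48831f869e56",
    "b094bae6429ec1b23ea588e286273028",
}
DROPPED_DLLS = {"xpysys.dll", "sshnas21.dll"}  # reported in the system32 folder
# The post lists Crack_/Keygen_/Serial_Play.2.Emulator.45059.exe; letting the
# number vary is an assumption of this example.
LURE_NAME = re.compile(r"^(crack|keygen|serial)_play\.2\.emulator\.\d+\.exe$")


def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not load into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root):
    """Return a sorted list of (reason, path) findings under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.lower()  # Windows file names are case-insensitive
        if name in DROPPED_DLLS and path.parent.name.lower() == "system32":
            findings.append(("dropped-dll", str(path)))
        if LURE_NAME.match(name):
            findings.append(("lure-filename", str(path)))
        try:
            if md5_of(path) in KNOWN_MD5:
                findings.append(("known-md5", str(path)))
        except OSError:
            # Locked or unreadable files are reported, not silently skipped.
            findings.append(("unreadable", str(path)))
    return sorted(findings)
```

The randomly named executable dropped in the Windows directory has no fixed name or hash, so this sweep cannot identify it; a hit on either DLL is the cue to inspect that directory by hand.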

Following are links to Web of Trust reports for appzkeygen .com, affiliated download sites, and several domains to which the malware phones home:
UPDATE, 15 Mar 2010 @ 21:16 PDT: I've added information above about a sixth and seventh variant and the domains that host them (mediaatmedia .com and fileutiliteenligne .com).

Also, I've done some further investigation into one of the files that this malware downloads from the lookpike domain:
File name: setup.exe
File size: 97280
MD5...: 6a358143bac4b30e2103b052f2c5965a
SHA1..: fba4d30cd8bd5e75e39621dc43166f29872d4d4a
SHA256: 50509fed7e729d3525825869cd1b163cd8aad8fc5c56cde8c9932d942b332321

Initial detection:  9/42 as of 2010.03.16 02:54:38 (UTC)

Variously identified as: (Suspicious) - DNAScan, Backdoor.Tidserv, Backdoor.Tidserv!gen3, Heur.Packed.Unknown, Sus/UnkPack-C, Trj/Genetic.gen, Trojan.Generic.KD.4024, Trojan.Win32.Generic!BT, etc.
ThreatExpert report
Anubis report
UPDATE, 16 Mar 2010 @ 09:44 PDT: I've added two new domains hosting this malware (dvdhomemedia .com and videodatavoice .com). 19:48 PDT: Added mediaprogrammet .com.

UPDATE, 18 Mar 2010 @ 09:38 PDT: I've added two new domains that have hosted this malware (besttoolsonline .com and supermovieplugins .com).
