“Security Shield” Fake Antivirus

2012.09.14

Since the whole IT world is busy with the new release of BHEK, here is some non-BHEK stuff :)

The starting point was sent by a friend with the remark: “…maybe BHEK2?”

Let’s see :)

GET h00p://www.lift-x-o[xx].com/de/

and here we have an iframe with an interesting structure of the malware string:

Interesting  :)

Well, going further:

GET h00p://paid[xxxxxxx].org/?a=YWZmaWQ9MDUyODg=

Ok, nice, again a jar file, good old Java vuln :) and some ping-back.

Going with the link:

GET http://paid[xxxxxxx].org/index/cullback/?a=YWZmaWQ9MDUyODg=

Response:

Ok. We also have a link to the jar! Let’s download it.

GET http://paid[xxxxxxxx].org/analizator_data/rssfra-a.zcirfnpzeh.jar

Response: 404? What?

Again from the beginning, and this time I got a file with a different name. Ok.

Standard .jar with a very low detection ratio, between 6 and 9/42 on VT. The sample itself is not relevant here; see point 1 in the test results below.

After multiple tests I still cannot be 100% sure, but here are the test results:

1. jar files are generated per browser,

2. encoded with random obfuscation code,

3. a jar file stays alive for about an hour, then is removed and replaced with a new one,

4. different payloads are delivered to different browsers. But sometimes the same browser + plugins gets different payloads < still have no explanation for this.

5. the cullback/?a=YWZmaWQ9MDUyODg= link does not remove the jar file, as I thought at the beginning. It stays on the server for at least the next 5 minutes.

Ok, running the jar. As a result, a reply is sent to the server:

GET http://192.166.xxx.xxx/istats

And the response: 2 bytes. OK.

Well, something went as planned, and it reported to the mothership that everything is ok.

After 2 minutes of silence:

:)) Nice! A fake antivirus named “Security Shield”.

Major functions:

1. Stays on top of all windows

2. Continuously asks to update, clean the computer and register itself. All of these lead to the buy page (screenshot 2).

3. Does not block regedit, Task Manager, cmd etc.

4. Can be closed by closing the service

5. Comes back after a restart

Ok, this one is not as harsh as the previous one.


A very interesting part is how the payment is handled:

When you fill in the form, the Visa/MasterCard number is checked against the Luhn formula, and the US state and ZIP are also checked.

When “Get license” is chosen:

GET 78.140.149.165/payform/?k=OFtHW0JRE1kNWAwISA1cCRQPSl1Ia3JpemlvanFQXFlBXkJdGFhdCUVdS14bXVkJEA==

Then, when the CC data is entered and you press BUY, the data is sent in a POST request to the same server.

POST http://78.140.149.165/payform/?q=validate_email

then the credit card data is transferred via a plain HTTP POST request.

The IP belongs to some online-shop server based in Cyprus. Anyone have family there? :)

Ok. We got infected; let’s see what and how.

After a few checks, I found the process pcshgy.exe running as the user in Task Manager.

Let’s see it :)

Name: pcshgy.exe

MD5: b4381a087c0e7b82be75124ef0a2501e

VirusTotal: [0/42] https://www.virustotal.com/file/b2eb53ec594835bf2b7e69ce26abb1cbc38811248cd41bdc7853b1423f2046bb/analysis/1347539981/

Thanks to my friend @MalwareMustDie for analysing the exe file.

And see the VirusTotal comments by @unixfreakxp << thx!

How to clean

Since for now no antivirus detects and removes it, here is a small recommendation on how to clean it from your system.

1. Open Task Manager and find the infected process [pcshgy.exe] in the list of running processes. Kill it.

2. Perform a full disk search and delete the file [pcshgy.exe].

3. Download the latest AV software and update it, if it is not up to date.

4. Contact your AV vendor and ask why this malware is not detected by their program.
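Steps 1 and 2 above as a PowerShell script, added here as an example and not code from the original post. The process name and MD5 are taken from the post; the search root and the Run-key lookup at the end are my assumptions (the post says the malware comes back after restart, but not how).

```powershell
# Added example (not code from the original post): automates cleanup steps 1 and 2
# for the pcshgy.exe sample. Process name and MD5 come from the post; the search
# root and the Run-key check are assumptions. Run from an elevated PowerShell.
$ProcName   = 'pcshgy'
$KnownMd5   = 'b4381a087c0e7b82be75124ef0a2501e'   # MD5 from the post
$SearchRoot = "$env:SystemDrive\"                  # assumption: search the system drive

function Get-Md5Hex {
    param([string]$Path)
    # Uses .NET directly so it also works on PowerShell 2.0/3.0 (no Get-FileHash there)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $md5.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
}

# Step 1: kill the running process, noting where it was launched from
foreach ($p in @(Get-Process -Name $ProcName -ErrorAction SilentlyContinue)) {
    Write-Host ("Killing PID {0} started from {1}" -f $p.Id, $p.Path)
    Stop-Process -Id $p.Id -Force
}

# Step 2: full disk search; delete only copies whose MD5 matches the sample and
# report any other file with the same name for manual review
$found = Get-ChildItem -Path $SearchRoot -Filter "${ProcName}.exe" -Recurse -Force -ErrorAction SilentlyContinue
foreach ($f in @($found)) {
    $hash = Get-Md5Hex -Path $f.FullName
    if ($hash -eq $KnownMd5) {
        Write-Host "Deleting $($f.FullName) (MD5 matches the sample)"
        Remove-Item -LiteralPath $f.FullName -Force
    } else {
        Write-Host "Leaving $($f.FullName): MD5 $hash differs from the sample, check it manually"
    }
}

# Assumption (the post says it comes back after restart, not how): report any
# autorun entry in the usual Run keys that references the file, without deleting it
$RunKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $RunKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ("$($prop.Value)" -like "*${ProcName}.exe*") {
            Write-Host "Autorun entry '$($prop.Name)' in $k references ${ProcName}.exe"
        }
    }
}
```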


Conclusions:

1. IMHO it’s not BHEK2. No trojans/rootkits/DDoS bots or stealers were detected on the system, except the FakeAV.

2. The system is still under a heavy load of victim traffic, generating files every minute and working hard. The newest Java vulnerability + a 0 detection ratio among antiviruses guarantee this malware enough work.

3. The system is under investigation and not all details are obvious, which is why some of the servers are not disclosed.

4. The malware distribution server is poorly configured, so we can see the process of generating new scripts live:

5. The CC collecting server is still alive, too.

6. Your antivirus will not protect you here, at least for now. :) Sorry. Follow the cleanup tips and contact your AV vendor in case of infection. Do not pay!

That’s all for now.

Stay Safe!

D.L.

Update:

About the source of infection, a malicious Apache module, please read the UnmaskParasites.com blog.

For more live infected websites, have a look at the Securi.net blog.

Looks like a new attack vector: compromise the web server itself, unrelated to the hosted sites. This causes all websites hosted on that server to become malicious. Interesting :)
