SeriousTeK

USPS Fake E-mail

This is a good one - came in this morning...no text at all, just an image in an email:

When the hell is the 27th of Juny? And the entire image is a link to www.annehelene.fr/XXXXXXXXXX.htm - the Xs are likely changed for every email, etc. If you mistype the link or go to the root of the site you get this - a seemingly legit French cooking site:

But if you go to the actual link from the email, you get a nice zip file to download...with a "USPSLabel PDF attachment" - the joke is that Acrobat is not even installed on this system:

Being the good user that I am, I launch the 'USPSLabel PDF File'...first there's a service host started - and if you notice it was started as a child of explorer...sign number 1:

Then I also noted an autostart for some random executable that was dropped:

Then the fun starts - more child processes!! YAY!!

It should be noted that the service host process has a connection open to an address that resolves to the Netherlands:

Then the usual fun begins - oh no! I'm infected!!!!

Nice! Live Security Platinum!!! Interestingly, taskkill won't kill either of the processes...but ProcExp (and even good old TaskManager) can kill the processes.
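The three signs the post walks through (a service host started as a child of explorer, a dropped autostart, and an outbound connection from that service host) can be checked in one pass on a modern Windows host. This is an added example, not code from the post, and it assumes Windows 8 or later with PowerShell 3+ (Get-CimInstance and Get-NetTCPConnection are not available on the XP system shown above):

```powershell
# Added example (not from the post): flag svchost.exe instances whose parent is not
# services.exe or whose image is not the real System32/SysWOW64 binary, then list
# the established TCP connections those flagged processes own.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$sysRoot    = $env:SystemRoot
$validPaths = @("$sysRoot\System32\svchost.exe", "$sysRoot\SysWOW64\svchost.exe")

$suspects = foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $parent     = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }   # parent PID may be reused
    $reasons    = @()
    # A genuine service host is always started by the Service Control Manager (services.exe);
    # one started by explorer.exe means a user double-clicked something.
    if ($parentName -ine 'services.exe') {
        $reasons += "parent is $parentName (pid $($p.ParentProcessId))"
    }
    # ExecutablePath is null for protected processes; only judge it when present.
    if ($p.ExecutablePath -and ($validPaths -inotcontains $p.ExecutablePath)) {
        $reasons += "image at $($p.ExecutablePath)"
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Pid    = $p.ProcessId
            Parent = $parentName
            Path   = $p.ExecutablePath
            Reason = ($reasons -join '; ')
        }
    }
}

if (-not $suspects) { Write-Host 'No unusual svchost.exe instances found.'; return }
$suspects | Format-Table -AutoSize

# Established connections owned by the flagged processes (the "connection to the
# Netherlands" sign): resolve RemoteAddress with your own reputation/geo tooling.
foreach ($s in $suspects) {
    Get-NetTCPConnection -OwningProcess $s.Pid -State Established -ErrorAction SilentlyContinue |
        Select-Object @{n = 'Pid'; e = { $s.Pid }}, LocalAddress, LocalPort, RemoteAddress, RemotePort
}
```

The autostart the post mentions is covered by Sysinternals Autoruns; this script only handles the process-tree and network checks.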

Scammers phishing by text

Well, scammers have moved "up" in the world...first they were scamming by phone...now, they're using SMS\Text messages to try to get you to browse to some fake, malicious website. Here's the text I received from 321-332-5220 this morning:

A quick whois shows nothing useful:

Registrant City:                             Panama
Registrant Postal Code:                      Zona 15
Registrant Country:                          Panama
Registrant Country Code:                     PA

If anyone is curious what this website looks like, here you go:

And by pressing continue, you are sent here:

Then here:

...And then here:

.....

So in all reality, you will NEVER receive a Best Buy gift card, you will probably get some malware on your system, and in the end...you will just be angry.

IE Toolbar Hell

A picture is worth 1,000 words. I know of a few people that honestly do use the Google toolbar, but this is just nuts. I took a minute or two to uninstall all of these, and no this is NOT one of my systems:

Stupid drive-by-downloads. Total recipe search? Really? Because I need a toolbar for that.....

The Case of the Print Spooler That Stops Running

Recently, I had cleaned up a virus from a user's laptop - it was a fairly straightforward cleanup, and I thought I was done. Not quite. The user said that her husband had been trying to print and was getting a print spooler error...had the spooler randomly stopped? I sent the command to restart the spooler. This did not work, as the spooler continually stopped running. I then sent the path to the spool folder to see if there were some corrupt spool files that the spooler did not like - turns out that directory was empty. Finally I recommended uninstalling and then reinstalling the print drivers for the printer...long story short, the laptop came back in.

There was clearly an issue, as the spooler stopped nearly immediately whenever anything print related was done - add a printer, view server properties. I tried removing the entire contents of the driver folder in the spool directory. Still nothing. As always: "When in doubt, run Process Monitor!"

I looked through the log to see what the spoolsv.exe process was doing - did not seem to be anything out of the ordinary. Then I found it: right before the spooler thread exits, there's a QueryOpen to a file in a temp directory:

Why was the spooler looking here? Was this somehow a spool file? I figured I would just rename the file and see if that helped -

Sure enough, that worked - I could now use all printing functions on the system...but what the heck was 17EB.tmp? Let's check the stack:

Bingo! The description of this image (Zhgemubqnkekkwthf) matches one of the .exe files associated with the malware I had cleaned previously. Additionally, I have heard of malware associated with 'Heaventools Software'. Now the root cause analysis: why did any print function hose the spooler? Clearly this was the cause, but what continually called it? Let's check the registry:

So the malware had injected itself as a print provider. Any time a print function was called, the malware would likely have recopied itself, run one of the executables I had already deleted, or done something else undesirable. Additionally, it had been added to all ControlSet trees...it was REMOVED from the registry entirely, and the spooler was fixed.
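An audit that would have surfaced this print provider directly, across every ControlSet as the post describes, is below. This is an added example, not the author's method, and it assumes providers are registered under HKLM\SYSTEM\ControlSet00X\Control\Print\Providers\<name> with a Name value holding the DLL (the key the post refers to without spelling out):

```powershell
# Added example (not from the post): list every registered print provider DLL in every
# ControlSet and flag ones that are missing, live outside System32, or are not validly
# signed. FileDescription is shown because that is what gave the post's DLL away.
$sys32 = Join-Path $env:SystemRoot 'System32'

$results = foreach ($cs in (Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' })) {
    $provKey = Join-Path $cs.PSPath 'Control\Print\Providers'
    if (-not (Test-Path $provKey)) { continue }
    foreach ($prov in Get-ChildItem $provKey) {
        $dll = (Get-ItemProperty -Path $prov.PSPath -ErrorAction SilentlyContinue).Name
        if (-not $dll) { continue }
        # Relative names (e.g. win32spl.dll) are loaded from System32 by spoolsv.exe.
        $full  = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $sys32 $dll }
        $flags = @()
        $desc  = $null
        if (-not (Test-Path $full)) {
            $flags += 'file missing'
        } else {
            if ($full -notlike "$sys32\*") { $flags += 'outside System32' }
            $desc = (Get-Item $full).VersionInfo.FileDescription
            # Catalog-signed OS files can report NotSigned on older PowerShell builds,
            # so treat this flag as "go verify", not as proof of tampering.
            $sig = Get-AuthenticodeSignature -FilePath $full
            if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
        }
        [pscustomobject]@{
            ControlSet  = $cs.PSChildName
            Provider    = $prov.PSChildName
            Dll         = $full
            Description = $desc
            Flags       = ($flags -join '; ')
        }
    }
}

$results | Sort-Object Provider, ControlSet | Format-Table -AutoSize
$results | Where-Object { $_.Flags } | ForEach-Object {
    Write-Warning "$($_.ControlSet)\$($_.Provider): $($_.Dll) [$($_.Flags)]"
}
```

Run it elevated; a provider that appears in every ControlSet with a random-looking name and a non-Microsoft description is the pattern the post found.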

Cardmember Service hijacked

The other day a user sent me a screenshot of an online banking website with a comment of "I have a virus..?" I was happy that the user had learned to spot malware or fraudulent activity so quickly....but as it turns out, the user had already called the bank and spoke to the support team - they were the ones that informed the user about having a virus. I tried logging in to the banking site impersonating the user...and everything looked normal - she was in fact infected. Here's what the site looked like:

Clearly that white box is the problem - my favorite part is the "...need to ask for additional information when you access you account online." So - no other sites were being 'attacked' in such a manner - only this financial site. As a bonus, the malware even ripped off the address logo and pasted it into the pop-up window.

Sadly, I did not have time to troubleshoot this further to determine the root cause - this workstation was in desperate need of a re-image anyway, so I just proceeded with doing that. Problem resolved.

My [very un-]clean PC

Now it's time to see if MyCleanPC can really clean an infected PC. So here's my test Windows XP SP3 VM - the only change I have made is the malware that I 'accidentally' downloaded. In reality, it was the typical 'click-where-I-should-not-have', followed by an IE window that comes up looking like the 'My Computer' window being scanned...a very common scare tactic: Your computer is infected, download this program to clean it up! When in reality what you're downloading is the malware (sounds a lot like MyCleanPC, doesn't it?)

Can you guess what 'pack.exe' is? I'm guessing it's malware. Let's ask VirusTotal:

I would say so...though there were only 4 hits for this pack.exe - another was from Fortinet, which picked it up as W32/Krypt.G!tr. Let's see what happens when we "install" [run] this executable. Here's what happens:

Pack.exe spawns a CMD process to do all of the work - and one of the last things it does is spawn a taskkill.exe to kill the pack.exe and the cmd.exe. Additionally, the pack.exe that was originally on the desktop is gone. This is the most common malware on the planet - the end result is a randomly generated process name such as this: temigl.exe (it changes every time)

As soon as you press OK in the warning window above (Warning! you just installed malware!!) the real PITA shows itself:

So I've got a boatload of viruses on this 100% completely clean install of XP...so what? (really?!?) If you look at disk activity during the so called "scan" there is none:

Any time you try to "activate", you must send your credit card information, all your personal information, and your first born child to these people:

Obviously you don't want to do that. On a side note, since I documented these images, the "payment" site no longer works.

At this point, I can still launch anything - regedit, cmd, procexp - but I'm betting this will change after a reboot.

Sure enough! After a reboot and a few minutes, EVERYTHING is "infected" - no admin tools are allowed to run. This is very typical of most of the malware I have seen these days - you cannot open anything except an explorer window or an internet browser...otherwise, you are met with one of the above messages. The easiest way to get around this is to know where the running .exe is located, or to open a CMD window or Process Explorer ASAP after a reboot.

Now let's see if our trusty 'MyCleanPC' can get rid of this junk. As you recall from the first scan, there were 144 errors found:

And now after scanning when there is actually malware on the PC...:

That's right! 143 errors!!! So not only did MyCleanPC not pick up the actual malware - as you can see by the message bubble, the Security Shield malware is...still running... - it also found FEWER errors than during the first scan!!

Long story short: Don't waste your money on these "Clean My PC" or "Got a slow PC" gimmicks. Get some real protection - and the best protection of all is common sense. Oh, and also don't give your credit card number to the malware authors....now that's a REAL waste of money!

My [not so] Clean PC

Lately, the local stations have been playing the stupid 'MyCleanPC' ad A TON. I have never used any of these products, and I have always thought that they look cheesy and gimmicky. Here's the ad:

I think the best part is the horrible pink hue on the speaker - hilarious. So I had to try this out and see just what it was all about.

So first up, I needed a PC that I could try this out on - I sure as heck was not going to use this on any of my day-to-day systems - I don't trust anybody. So I spun up a completely fresh, untouched, no-software-installed Windows XP SP3 VM, straight from the XP SP3 image.

Now - let's install this great new software and clean up my PC - wait - this is a fresh install? I shouldn't find anything wrong with this PC - my emails open in less than 3 seconds. Here's what the website looks like:

Once you choose to download, you will be sent the file, and bounced to another page showing you how to download a file - in case you have never done so. Here's what you get:

Looks like they are using "CyberDefender". Just out of sheer morbid curiosity - I wonder if this is actually malware in and of itself...

VT says it's clean - 0 out of 43 hits. The install is the usual Next > Next > Finish. Once it is finished installing, it IMMEDIATELY launches a "scan".

Please keep in mind that this is a vanilla install of Windows XP SP3 - no other software...the only website visited was the 'MyCleanPC' site - there is NOTHING on this system.

HOLY CRAP! 144 errors found?!?!?!? Oh my gosh! This must be great software! [sarcasm]

A couple of empty reg keys? SO WHAT? These are NOT the tell-tale signs of a virus...

Well I guess now I should 'Fix All Errors and Speed up Your PC!' - at which point you are taken to a [mixed content] website congratulating you for completing your free scan!

Now for the greatest part. I can save $10 just by trying to close this stupid webpage! So wait...press Cancel to accept the special offer, but click OK to continue? This $10 savings is ONLY available online right now [and every other time that you click Cancel when you try to activate].

Long story short: why would you spend ANY money on this software when:

• It "found errors" on a clean install
• Is VERY pushy - almost like some malware out there - You must BUY! ACTIVATE!! NOW!!!
• There are several very powerful, legitimate, 100% completely free tools out there that will actually remove malware instead of just asking for your money over and over

Here's some of the tools that are free:

For single, point-in-time scanning (no real-time protection without paying):

• Malwarebytes - a GREAT tool
• ComboFix - another find-almost-anything scan tool

For free scanning, PLUS real-time scanning:

• AVG Free - one of the first to have a free suite
• Microsoft Security Essentials

If I recall, Microsoft Security Essentials will add itself to automatic updates if you do not have any other AV installed...maybe that's why MyCleanPC has been pushing so many ads...

In a future post, I will actually install malware on the system and see if MyCleanPC can pick it up.