Archive for June, 2006

The malware site that keeps going and going…

After reading an article by Jose Nazario, a security expert for Arbor Networks, about a particular long-lived malware distribution site located on the 217.73.66.0 network, I thought it would be interesting to document what this malware does when you install it. It should be noted that I do not have a modem installed, so the results will differ on a computer that has one.

According to Jose’s article, this site has been delivering malware to unsuspecting computers since at least 2002. Also, 7 of the antivirus programs used on Jotti, as shown below, detect it. You may be wondering, as I am, how this site could still be up when all of these companies know about it. The problem is that, because there is nowhere to report these types of sites and there is no legislation covering them, we the consumers and security advocates are left holding the bag.

Antivirus Vendor        Virus Name
AntiVir                 Found Dialer/302273 dialer
Avast                   Found Win32:Dialer-542
ClamAV                  Found Dialer-160
Dr.Web                  Found Dialer.Coulomb
Kaspersky Anti-Virus    Found not-a-virus:Porn-Dialer.Win32.PluginAccess.gen
NOD32                   Found a variant of Win32/Dialer.DialHub application
VBA32                   Found MalwareScope.Dialer.PluginAccess.1

The malware that is being distributed from this site is called an adult dialer. A dialer is a program that uses your modem to dial a pay-per-call number in order to access a particular service, which in most cases is pornography. The problem is that most adult dialers are installed without your consent or knowledge, and the first time you suspect something is wrong is when you see thousands of dollars of unknown charges on your phone bill.

The installation of these dialers is broken down into 2 different executables: the downloader, which is the numbered .exe such as 240964.exe, and the corresponding dialer, such as cmb_240964.exe. It appears that for each downloader there is a matching dialer. Each version of the dialer at this site probably belongs to a different affiliate, and the id is used to track which affiliate distributed the malware and is thus owed a portion of the revenue from the calls.

When the downloader is started, it connects to 217.73.66.1 and downloads the corresponding dialer executable. When the download has finished, it starts the dialer installation program and then sends the following information back to the IP address 217.73.64.1:

  • Whether or not the file rsapi32.dll has been found in your C:\Windows\System32 folder.
  • Whether or not the dialer installer has been started, and the version of the dialer being installed.
  • The download speed of your connection, probably measured when it downloaded the dialer installer.
  • The country the computer is in.
  • The number of modems, which is sent twice. One of my readings was 6, the other was 0. This may reflect the different connections available on the computer.

At this point the dialer should be installed and a process called dia4.exe will be running from the computer’s temp folder. The number after “dia” varies per installation. This process listens on 127.0.0.1:8081 and 127.0.0.1:8089 and acts as the dialer’s configuration utility. Internet Explorer is then started and opened to the address hxxp://127.0.0.1:8081/index.html?, which actually pulls the page from 217.73.66.16/getpin.php?did=240964&refid=&udata=. Notice that the number in the did variable matches the number of the dialer we installed?

The configuration screen allows you to configure the dialer to work over a broadband connection or dialup. If you are on a LAN, you can call the number listed and enter a PIN. When you enter this PIN, you are essentially authorizing the company to bill the phone number you used to call the number when you access the porn site. If you opt to use a modem, the tool instead configures a dialup networking connection and connects you to a pay-per-call number. With some porn dialers this may happen without your knowledge, but this particular one does issue warnings and displays a license agreement explaining that you will be charged if you continue the installation.

So with all of this said, is this malware doing anything wrong? Maybe, maybe not. It depends on how it gets on your machine in the first place. If the malware is installed without your permission, then yes, it is. If, on the other hand, it was installed with your knowledge, then it is actually a legitimate program regardless of the content it offers. Either way, most people would not want this software on their machines. So block the IP range 217.73.66.0 - 217.73.67.255 with your firewalls, and if you feel that you are a victim of this dialer, there are some great links and information about the company itself at Suzi Turner’s Spyware Confidential blog.
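As an added example (not part of the original post), here is a small Python check that applies the indicators described above to URLs observed on a host: requests into the recommended block range, the loopback configuration listener on ports 8081/8089, and the did affiliate id carried by getpin.php. The sample URLs are constructed, and the report path on 217.73.64.1 is a placeholder since the post gives only the IP; note that 217.73.64.1 lies outside the 217.73.66.0 - 217.73.67.255 range, so it is not flagged unless you widen the range.

```python
import ipaddress
from urllib.parse import urlparse, parse_qs

# The range the post recommends blocking, 217.73.66.0 - 217.73.67.255, as a CIDR network.
BLOCKED_NET = ipaddress.ip_network("217.73.66.0/23")
# Loopback ports the dia*.exe configuration utility listens on, per the post.
DIALER_LOCAL_PORTS = {8081, 8089}

# Constructed sample of URLs seen on an infected host (not a real capture).
# The report path on 217.73.64.1 is a placeholder; the post only names the IP.
SAMPLE_URLS = [
    "http://217.73.66.1/cmb_240964.exe",
    "http://217.73.64.1/REPORT-PATH-PLACEHOLDER",
    "http://127.0.0.1:8081/index.html?",
    "http://217.73.66.16/getpin.php?did=240964&refid=&udata=",
    "http://www.example.com/",
]


def dialer_indicators(url):
    """Return the names of the indicators that match one URL (empty list if none)."""
    parts = urlparse(url)
    host, port = parts.hostname, parts.port or 80
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname rather than a literal IP address
    found = []
    if ip is not None and ip in BLOCKED_NET:
        found.append("blocked-range")
    if ip is not None and ip.is_loopback and port in DIALER_LOCAL_PORTS:
        found.append("dialer-local-listener")
    if parts.path.lower().endswith("/getpin.php"):
        # The did parameter is the affiliate id the post ties to the dialer number.
        did = parse_qs(parts.query).get("did", [""])[0]
        found.append("affiliate-id:" + did)
    return found


def scan_urls(urls):
    """Map each URL to its indicators, keeping only the URLs that matched something."""
    return {u: dialer_indicators(u) for u in urls if dialer_indicators(u)}


if __name__ == "__main__":
    for url, hits in scan_urls(SAMPLE_URLS).items():
        print(url, "->", ", ".join(hits))
```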

Trust Cleaner, the rogue anti-spyware app that tricks you into thinking it’s Google.

A new rogue anti-spyware application has been released called Trust Cleaner. At first glance, this rogue anti-spyware application works the same way as the others that have been released lately, like SpyFalcon and SpywareQuake: it uses trojans to display fake warnings that goad you into purchasing the full commercial version of its software. This particular variant, though, adds some additional “features” to its installation that we describe below. For those who are here because they are infected and do not wish to read this entire article, you can visit our Trust Cleaner Removal Guide instead.

When the programs are installed on your computer, they are downloaded from the domains trustincash.com and trustcleaner.com. Both domains appear to use the domain registrar GoDaddy, but unfortunately both are registered privately, so we cannot determine any further information about the people behind this malware from the domain names. Both download hostnames, though, resolve to the same IP address, so we know they are running on the same web server and are thus most likely the same company. It is not surprising that we found these IP addresses belong to the ISP Intercage, which is notorious for hosting other malware and spyware sites. We have purposely left out the specific URLs that the infection downloads its software from in order to protect our readers. If you are a security professional or security developer, please contact us to get this information.

After the malware is installed, the rogue anti-spyware program Trust Cleaner is set to start automatically when your computer starts. It then scans your computer for supposed spyware and malware and displays a list of the items found. It is quite funny, though, that it finds its own components and labels them as spyware, as shown in the image below.

[Image: Trust Cleaner rogue anti-spyware program]

This infection, like all the other recent rogue anti-spyware apps, issues fake taskbar alerts by installing a DLL through your SharedTaskScheduler registry key, which loads the DLL in either normal or safe mode. An example of a fake taskbar alert is below.

[Image: Trust Cleaner fake taskbar alert]

This infection will also issue fake warnings on your desktop through the program C:\Program Files\TrustIn Popups\TrustInPopups.exe. This program displays fake security warnings in the form of a window directly on your desktop. An example of its fake desktop warning is found below. Another interesting feature of this program is that it cancels all Windows restart requests, effectively making it so you can’t restart your computer unless you kill the process first.

[Image: TrustInPopups.exe fake desktop warning window]

Furthermore, it installs a toolbar and other ActiveX controls in Internet Explorer that present popups with “contextual” ads about the subjects you are searching for on other pages such as CNN, Yahoo, or Google, among others. So if you go to the real Google site and search for something, this software opens a new Internet Explorer window with its own ads specific to that search term. While this malware alters the results of Yahoo and Google, it blocks all access to any web page in the MSN domain.

Finally, and equally deceptive, it changes your Internet Explorer homepage to an HTML page that is loaded from a file on your local computer called C:\Windows\local.html. This page generates a home page that looks strikingly like Google. In fact, it states at the bottom of the page that it is powered by Google. In reality, though, this page actually uses results from the site www.mswindowssearch.com and not from Google. Below is an image of the fake home page and a real version of the Google home page so you can see the differences.

[Image: Trust Cleaner fake Google home page]

[Image: Real Google home page]

Notice that the copyright is significantly different from the one the real Google homepage uses, and that there are different links on the main page? Let’s take a look at a search in the fake Google homepage using the search term job.

[Image: Fake Google search for the term Job]

At first glance, the page looks a lot like a Google search result page. When you examine it closely, though, you will notice quite a few differences. The main differences are that it does not allow you to go to other pages in the results, it has its own way of showing sponsored sites on the right side of the page, and it displays very different results. Let’s take a look at the same search using Google.

[Image: Real Google search for the term Job]

As you can see, the format of the search results is almost identical and the page colors are the same, but the page layout is different. It is possible that this fake search engine is using the Google API to retrieve some of its results, as some of the results are legitimate and contain listings you would not expect to advertise with a spyware company, but for the most part the results are typical for these types of hijackers.

As you can see, this is a new breed of rogue anti-spyware application. This variant is not satisfied with just trying to scare you into purchasing a piece of software; now they are changing settings in Internet Explorer, displaying popups, and trying to cash in on the search engine advertisement market.

2 New SpywareQuake Variants - vhywj.dll & yfysupa.dll

Two new SpywareQuake variants found today: C:\Windows\System32\yfysupa.dll and C:\Windows\System32\vhywj.dll.

Registry keys for both files are as follows:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{cbb430e6-5b1b-474a-9d7e-160d4fe74bea}"="feld"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{cbb430e6-5b1b-474a-9d7e-160d4fe74bea}\InProcServer32]
@="C:\\WINDOWS\\system32\\yfysupa.dll"

And

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{a0aa3e4b-31cb-4ea2-9049-22b7f5b65edb}"="fumarases"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{a0aa3e4b-31cb-4ea2-9049-22b7f5b65edb}\InProcServer32]
@="C:\\WINDOWS\\System32\\vhywj.dll"

The SpywareQuake removal instructions have been updated for this variant.
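As an added example (not part of the original post or the removal guide), this Python script shows how to audit the SharedTaskScheduler persistence used here and in the Trust Cleaner post above from a registry export: it parses .reg text, resolves each listed CLSID to its InProcServer32 DLL, and reports which hive the COM server was registered in. The sample export is constructed from the two entries listed above; the point to check is that both servers live under HKEY_CURRENT_USER\Software\Classes, a per-user registration that shadows the machine-wide CLSID view and that a machine-only lookup would miss.

```python
STS_SUFFIX = r"\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler".lower()
# Roots checked in the order the shell resolves a CLSID: per-user classes shadow machine-wide ones.
CLASS_ROOTS = (r"HKEY_CURRENT_USER\Software\Classes",
               r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes",
               "HKEY_CLASSES_ROOT")

# Constructed sample in .reg export syntax, built from the two entries listed in the post.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{cbb430e6-5b1b-474a-9d7e-160d4fe74bea}"="feld"
"{a0aa3e4b-31cb-4ea2-9049-22b7f5b65edb}"="fumarases"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{cbb430e6-5b1b-474a-9d7e-160d4fe74bea}\InProcServer32]
@="C:\\WINDOWS\\system32\\yfysupa.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{a0aa3e4b-31cb-4ea2-9049-22b7f5b65edb}\InProcServer32]
@="C:\\WINDOWS\\System32\\vhywj.dll"
'''


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: string_value}} (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            # .reg files double the backslashes inside string values; undo that.
            keys[current][name] = value.strip('"').replace("\\\\", "\\")
    return keys


def shared_task_scheduler_entries(text):
    """Return (clsid, label, hive, dll) for every SharedTaskScheduler entry in the export."""
    keys = parse_reg(text)
    by_lower = {k.lower(): v for k, v in keys.items()}
    entries = []
    for key, values in keys.items():
        if not key.lower().endswith(STS_SUFFIX):
            continue
        for clsid, label in values.items():
            hive, dll = None, None
            for root in CLASS_ROOTS:
                server = by_lower.get(f"{root}\\CLSID\\{clsid}\\InProcServer32".lower())
                if server is not None:
                    hive, dll = root.split("\\")[0], server.get("@")
                    break
            entries.append((clsid, label, hive, dll))
    return entries


def per_user_entries(text):
    """Entries whose COM server is registered per-user only, or not found at all."""
    return [e for e in shared_task_scheduler_entries(text) if e[2] in ("HKEY_CURRENT_USER", None)]
```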


© 2003-2008 All Rights Reserved Bleeping Computer LLC.