Am I infected by GOTD's new Themida wrapper?


  • This topic is locked
12 replies to this topic

#1 samizdat

  • Members
  • 26 posts
  • Gender:Male
  • Location:Dallas

Posted 01 August 2012 - 11:54 PM

In the first week of July 2012, giveawayoftheday created a new wrapper using Themida. People around the net are making this claim:

"Themida is a TCP/IP rootkit that interfaces between Windows and the internet connection.
Any resulting problems can result in loss of internet connection requiring a professional PC repair.

Despite GOTD’s ‘assurance’ on their forum, while only active during installs, the rootkit remains present on PCs at all times.
I have proven this by removing it with ComboFix, then doing a further GOTD install which reinstalls the rootkit.
While this rootkit is installed, there is an extremely serious risk of malware about that exploits Themida for downloading data/compromising PCs for malicious online purposes. The rootkit renders anti-virus and firewalls completely useless, as it is so deep-seated and hidden that it cannot be monitored in any way.
Removing Themida with ComboFix does not compromise future GOTD/GAOTD installs as they reinstall the Themida TCP/IP rootkit every time if not present."

So my question is brought here since you guys developed ComboFix. Is there legitimacy to this claim? I have used the new Themida wrapper, so am I infected?

PS - I can provide links to sources if needed but didn't want to appear to advertise any site.

Edited by Elise, 06 August 2012 - 01:42 PM.



#2 samizdat (Topic Starter)

  • Members
  • 26 posts
  • Gender:Male
  • Location:Dallas

Posted 06 August 2012 - 01:29 AM

PS - I realize I am asking a lot in the above linked thread but if there is any legitimacy to the claims being made on the net, this would affect millions.
Combofix is being named as the only cure and the proof that this new wrapper: http://blog.giveawayoftheday.com/gotd-wrapper-is-updated/ is indeed injecting a rootkit into peoples computers.
I hope that the wrapper will be analyzed / tested for this rootkit, Thanks!

#3 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,932 posts
  • Gender:Female
  • Location:Romania

Posted 06 August 2012 - 01:49 PM

Hello samizdat,
As this does not concern a help request but more a security discussion, I moved the topic from the AII forum to the Antivirus/Firewall/Privacy Products and Protection methods forum. I also removed your suggestion to run ComboFix; this is a very powerful tool that should not be run without guidance. However, what's more important, if ComboFix can remove a rootkit, then it can be removed by other means as well.

BC also does not develop combofix, it only hosts it, see this page for more information.

Finally, Themida is a monitoring program, and while I definitely wouldn't want it on my computer it hardly can be called a rootkit. As for breaking TCP/IP, winsock and such, as long as it is software related and not hardware, it will not require a professional PC repair, just some manual fixing (to compare, a rootkit like ZeroAccess/Sirefef does a lot more damage and in most cases we manage to fix the internet connection problems resulting from this infection without too much trouble).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 samizdat (Topic Starter)

  • Members
  • 26 posts
  • Gender:Male
  • Location:Dallas

Posted 06 August 2012 - 03:30 PM

Thanks Elise. I didn't suggest using Combofix. That's a quote from one of the people making the claim. I withheld the link but for the purposes of clarity, here is one of the places this is being reported:
http://www.raymond.cc/blog/gaotd-setup-keeper-keeps-giveawayoftheday-installer-file/

So, GOTD claims it leaves nothing on our computers, but you said it's a monitoring file. Is it possible that it could be used just to keep people from cracking the installation wrapper and nothing more?

#5 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,932 posts
  • Gender:Female
  • Location:Romania

Posted 06 August 2012 - 03:43 PM

No, Themida is a monitor, not GOTD. :)
Please be aware that the info you quoted wasn't posted by the blog author, but rather by a comment poster, which casts quite some doubt on the legitimacy of the information.

I really think there is no need to worry about this though; I see no conclusive evidence that there is even a relation between GAOTD and Themida and actual infected computers.

If you want to be sure your computer is not infected, you can just follow this guide.

regards, Elise



#6 samizdat (Topic Starter)

  • Members
  • 26 posts
  • Gender:Male
  • Location:Dallas

Posted 06 August 2012 - 10:09 PM

Thanks Elise.
You stated, "I see no concluding evidence that there is even a relation between GAOTD and Themida." Giveawayoftheday announced that they use Themida in their new wrapper here: http://blog.giveawayoftheday.com/gotd-wrapper-is-updated/ (That is linked from their own home page.)
This is some of what Giveawayoftheday.com says about their new wrapper: "we applied a newer algorithm, on the other hand we included special protection program Themida." You see many concerned users' posts after their announcement. Many people's posts of concern are being denied by the moderator.

I understand your point about the blog / author, but that was just one example. That guy who posted that does seem passionate about this and could be a troll, but I get a lot of hits when I enter variations of the following terms: 'themida rootkit combofix giveawayoftheday gotd gaotd'. In fact I saw another inquiry here: http://www.bleepingcomputer.com/forums/topic462889.html
It is concerning that they use Themida and also concerning that the wrapper phones home to download additional data so the wrapper itself may not show as having malware. The previous wrapper just phoned home and checked if the giveaway was in the correct time frame of the giveaway.

Another concern that I had not mentioned is many people's AV and/or Malware programs block the new wrapper. Many can't even get the giveaways due to their security suites. These concerns have been expressed in their blog page linked above.

Edited by samizdat, 07 August 2012 - 12:20 AM.


#7 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,932 posts
  • Gender:Female
  • Location:Romania

Posted 07 August 2012 - 02:10 AM

Wrappers are very commonly blocked by AVs based on adware (the so-called special offers often are presented in such a way that the average user will accept them without realizing it), not based on "real" malicious activity. For example: you download an application installer, you install it, and when you open your browser you see all of a sudden that a toolbar has been installed. That does not mean the toolbar is malicious; it means that it's been installed without your consent, which is unethical and will cause the installer to be flagged by different security vendors.

GAOTD has however a good reason to use Themida. To understand what Themida does, see here: http://www.oreans.com/themida.php (link is safe to click :))
They offer a certain application for free at a certain date (as the name "give-away of the day" also suggests). To make sure that their wrapper can't be altered easily to make free installation after that date possible they have added a monitoring component, in this case Themida. Seeing the different options to "crack" the GAOTD expiring limit available on the internet I can understand they opted for this solution. Rest assured that, although it has a certain monitoring capability, it is not malicious.

regards, Elise

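A worked check that follows from the post above: what a software protector like Themida changes is the installer file itself (its code and data sections come out encrypted or compressed, so they look like random bytes), which is a different question from whether anything persistent was left on the system. The script below is an added example and is not code from GAOTD, Oreans or this thread. It parses the PE section table by hand, computes per-section entropy, and flags sections that look encrypted; the `.themida` section name and the 7.0 bits/byte threshold are assumptions based on how such protectors are usually recognised, and the embedded PE image is a constructed sample, not a real installer.

```python
"""Section-level look at a PE file: a protector such as Themida changes the
executable itself (code sections become encrypted/compressed, i.e. high-entropy),
which is not the same thing as a kernel component hiding on the system.
Added example, not GAOTD's or Oreans' code. The '.themida' section name and the
7.0 bits/byte threshold are assumptions, not facts taken from the thread."""
import hashlib
import math
import struct
import sys

# Assumed marker: Themida-protected binaries are commonly reported with a section
# literally named '.themida'. Treat it as a hint, not as proof of anything.
PROTECTOR_SECTIONS = {b".themida"}
# Assumed threshold: plain x86 code and data sit well below this; encrypted or
# compressed sections approach the 8.0 bits/byte maximum.
PACKED_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty/constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table and return
    [(name, raw_bytes), ...]. Only the fields actually needed are decoded."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_hdr_size           # COFF header is 20 bytes
    sections = []
    for i in range(num_sections):
        hdr = table + i * 40                    # IMAGE_SECTION_HEADER is 40 bytes
        name = image[hdr:hdr + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def assess(image: bytes) -> dict:
    """Per-section entropy plus the two hints a triage analyst looks at first."""
    report = {}
    for name, data in pe_sections(image):
        h = shannon_entropy(data)
        report[name.decode("ascii", "replace")] = {
            "size": len(data),
            "entropy": round(h, 2),
            "packed": h >= PACKED_ENTROPY,
            "protector_marker": name in PROTECTOR_SECTIONS,
        }
    return report


def build_pe(sections) -> bytes:
    """Constructed sample: a minimal, structurally valid PE with the given
    (name, data) sections. The optional header is omitted (size 0), so this is
    parseable but not a runnable program, and not an installer of any kind."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    first_raw = e_lfanew + 4 + 20 + 40 * len(sections)
    headers, bodies, ptr = [], b"", first_raw
    for name, data in sections:
        headers.append(name.ljust(8, b"\0")
                       + struct.pack("<IIII", len(data), 0x1000, len(data), ptr)
                       + b"\0" * 16)
        bodies += data
        ptr += len(data)
    return dos_header + b"PE\0\0" + coff + b"".join(headers) + bodies


def sample_image() -> bytes:
    """A plain code/data section next to one that looks like protector output
    (deterministic pseudo-random bytes standing in for encrypted code)."""
    plain = b"Setup wizard: click Next to continue.\x00" * 100
    scrambled = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest()
                         for i in range(128))                # 4096 bytes
    return build_pe([(b".text", plain), (b".themida", scrambled)])


if __name__ == "__main__":
    # Pass a real installer path to inspect it; otherwise the constructed sample is used.
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_image()
    for name, info in assess(image).items():
        print(f"{name:10s} {info}")
```

A high-entropy section or a protector section name tells you the file is packed or encrypted, not that it is malicious, and it says nothing at all about drivers or hidden services on the machine; that second question is answered by installing in a throwaway VM and comparing the system before and after, which is the kind of test done later in this thread.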


#8 samizdat (Topic Starter)

  • Members
  • 26 posts
  • Gender:Male
  • Location:Dallas

Posted 07 August 2012 - 10:47 AM

Thanks Elise!

#9 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,932 posts
  • Gender:Female
  • Location:Romania

Posted 07 August 2012 - 12:35 PM

You are welcome! :thumbup2:

regards, Elise



#10 MrCharlo

  • Members
  • 2 posts

Posted 12 August 2012 - 06:04 PM

Themida, along with similar 'wrappers', is a TCP/IP rootkit. This means it interfaces invisibly with your network connection. Many anti-virus programs very rightly flag this as a back-door trojan. It can only be detected during the install process for this rootkit. Once it is installed on your computer it is remarkably difficult to remove, hiding itself completely from Windows. Thankfully ComboFix will remove this from your computer.

If you have recently downloaded from GOTD or GAOTD, despite their assurances, Themida will have been installed on your computer and you do need to run ComboFix to ensure that there is no rootkit present.

The problem is not directly with Themida itself, it is to do with the malware that targets Themida, which could include criminal organisations after your data, government security services or copyright enforcement agencies.

It is not sensible to allow ANY rootkit of any kind whatsoever on your computer. Anyone at GOTD could use Themida maliciously, and as their registered website address is a non-existent Virgin isles address, I would not trust their site one iota, it could even be an American Government 'front' or be run by cybercriminals after your data.

All network/system administrators should ensure that the GOTD and GAOTD sites are on their block lists until they stop using a rootkit wrapper. Rootkit wrappers are very insidious as they use randomly named files completely hidden from Windows, registry addresses and processes all hidden from the Windows OS and hence not visible to your AV, anti-malware or Firewall.

Hope this is a clear explanation of the risks entailed by any rootkit TCP/IP wrapper. :thumbup2:

Edited by MrCharlo, 12 August 2012 - 06:11 PM.


#11 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,932 posts
  • Gender:Female
  • Location:Romania

Posted 13 August 2012 - 04:26 AM

The fact that Themida can be used by malware does not make it a TCP/IP rootkit. As long as it is used by legitimate software (like GAOTD) there is no need to block it or mindlessly run powerful tools to get rid of something that isn't a threat in the first place.

The statement: "Themida will have been installed on your computer and you do need to run ComboFix to ensure that there is no rootkit present." makes therefore no sense at all. True, it is rightfully flagged by AVs as "riskware" (which means: this program has the potential to do harm to your computer if used wrongly or by the wrong person), however if you reason like that you can just as well no longer go online at all.

The fact that GAOTD uses Themida does not mean that any not-so-well intended malware writer can exploit that, that is not the way Themida works (which is originally a software protection program), see also their website.

Also, because I see this way too much: ComboFix is no miracle tool that mysteriously cures every and all known pieces of malware!!! It's a great tool, sure, but everything it does can also be done manually or with different tools; the important thing is to understand what you are doing, which is also why it is not recommended to run ComboFix unsupervised.

regards, Elise



#12 MrCharlo

  • Members
  • 2 posts

Posted 17 August 2012 - 07:54 PM

I am afraid Elise doesn't know what she is talking about. Any software 'protection' program that uses rootkit technology that interfaces with your broadband connection is a back-door trojan that can be targeted by malware. As such it is totally and categorically best NOT to have these on your computer at all under any circumstances whatsoever.

My advice stands totally. Do not use the GOTD or GAOTD sites for giveaways until they remove and stop using rootkit technology. Also note that 'Themida + Problems' entered into Google brings about 60,000 results. You do NOT want Themida in any form anywhere near your computer.

Elise is completely wrong in saying that Themida as used by GOTD/GAOTD cannot be targeted by malware. It can, and there is plenty of malware about that does just that. Also do you really trust a site (GOTD/GAOTD) with a registered web address as a non-existent Virgin isles address (I tried writing to it!). My guess is that Elise is part of the GOTD admin team. Seeing as GOTD have censored all reporting of Themida as a TCP/IP rootkit, which it is, and also censored any mention of the fact that ComboFix removes Themida, this speaks for itself. They have plenty to hide.

As for caution using ComboFix, this is just plain nonsense. It is very easy to use, exit running programs, let it complete its scan and reboot. Result Themida no longer on your computer. Simple.

What Elise and GOTD do not want you to know is that running ComboFix after a GOTD or GAOTD install will show a rootkit present on your computer. Also that ComboFix will remove this!

#13 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 60,932 posts
  • Gender:Female
  • Location:Romania

Posted 18 August 2012 - 02:55 AM

"I am afraid Elise doesn't know what she is talking about. Any software 'protection' program that uses rootkit technology that interfaces with your broadband connection is a back-door trojan that can be targeted by malware."

Since when is encryption rootkit technology? The fact that malware can use Themida doesn't mean it can exploit it.

"Elise is completely wrong in saying that Themida as used by GOTD/GAOTD cannot be targeted by malware. It can, and there is plenty of malware about that does just that."

If you make a statement like that, then at least come with examples and solid evidence.

"My guess is that Elise is part of the GOTD admin team."

I can assure you I'm not, although you're absolutely free to think what you want.

"As for caution using ComboFix, this is just plain nonsense. It is very easy to use, exit running programs, let it complete its scan and reboot. Result Themida no longer on your computer. Simple."

Unfortunately the developer himself doesn't agree with you, and I suppose he knows better than you... :whistle: See also here (note that this is the official ComboFix usage guide):

"You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer."

"What Elise and GOTD do not want you to know is that running ComboFix after a GOTD or GAOTD install will show a rootkit present on your computer. Also that ComboFix will remove this!"

Just for your edification, I have installed today's GAOTD on a VM, then run CF. No rootkit was detected. It's up to you whether or not to believe this; however, do not make accusations you cannot prove.

ComboFix 12-08-17.03 - Elise 08/18/2012 10:34:42.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.262 [GMT 3:00]
Running from: c:\documents and settings\Elise\My Documents\Downloads\ComboFix.exe
AV: Emsisoft Anti-Malware *Disabled/Updated* {0F8591BB-342B-4493-91C3-4E948ED21255}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2012-07-18 to 2012-08-18 )))))))))))))))))))))))))))))))
.
.
2012-08-18 07:31 . 2012-02-07 13:34 6163104 ----a-r- c:\windows\system32\Flash.ocx
2012-08-18 07:31 . 2012-08-18 07:31 -------- d-----w- c:\program files\kvisoft

I made the line showing today's GAOTD bold. Note, I am not affiliated with GAOTD and am not trying to convince anyone to use their products but merely did this experiment to prove that the claim made by MrCharlo is untrue.

As this topic has run its course and to avoid further hoaxing I am closing this topic.

regards, Elise
