miekiemoes' Blog

IOBit Steals Malwarebytes’ Intellectual Property

noreply@blogger.com (miekiemoes) — Mon, 02 Nov 2009 19:52:00 +0000

Malwarebytes has recently uncovered evidence that a company called IOBit based in China is stealing and incorporating our proprietary database and intellectual property into their software. We know this will sound hard to believe, because it was hard for us to believe at first too. But after an indepth investigation, we became convinced it was true. Here is how we know.

We came across a post on the IOBit forums (cached version since they deleted the thread - well, now the cached version got deleted as well. Glad I still have a screenshot, see below) that showed IOBit Security 360 flagging a specific key generator for our Malwarebytes’ Anti-Malware software using the exact naming scheme we use to flag such keygens: Don’t.Steal.Our.Software.A.

Dont.Steal.Our.Software.A, File, G:\Nothing Much\Anti-Spyware\Malwarebytes’ Anti-Malware v1.39\Key_Generator.exe, 9-30501

Why would IOBit detect a keygen for our software and refer to it using our database name? We quickly became suspicious. Either the forum post was fraudulent or IOBit was stealing our database.

So we dug further. We accumulated more similar evidence for other detections, and we soon became convinced that this was not a mistake, it was not a coincidence, it was not an isolated event, and it persisted presently in their current database. They are using both our database and our database format exactly.

The final confirmation of IOBit’s theft occurred when we added fake definitions to our database for a fake rogue application we called Rogue.AVCleanSweepPro. This “malware” does not actually exist: we made it up. We even manufactured fake files to match the fake definitions. Within two weeks IOBit was detecting these fake files under almost exactly these fake names.

We can’t publicly show all the evidence we found, because it is still our intellectual property: proprietary information about our database internals. But we don’t want you to have to take our word for it either, so we found a way to show you an example illustrating an indisputable pattern of theft.

Consider the file, dummy.exe. It is a harmless dummy executable that runs, displays a “Hello World” message box, and exits. You can see from third-party scans on VirusTotal, that no other security vendor flags this executable as malicious or even suspicious.

We created this dummy executable, then manipulated it slightly so that it matches one of the signatures in our database. We emphasize that it is still not malicious! — the signature is perfectly benign, when not in the context of actual malware, as you can see from the VirusTotal results.

We scanned the file with our own Malwarebytes’ Anti-Malware software and indeed it was flagged as “Don’t.Steal.Our.Software.A”. We scanned it with IOBit using their current build and database version and it was flagged as the same “Don’t.Steal.Our.Software.A”. We have included log file file and a screenshot of the detection. You can verify by yourself using the dummy executable and their most recent database.

We have attached two other such dummy executables to this post, so you can see for yourself. One of them, “rogue.exe”, matches our fake Rogue.AVCleanSweepPro (screenshot) definition, the other “fake.exe”, matches our Adware.NaviPromo definition (screenshot). VirusTotal results for “fake.exe” and “rogue.exe” so you can see they are benign. You can see a screenshot of our detections here.

During the course of our investigation, we uncovered additional evidence that IOBit may have stolen the proprietary databases of other security vendors as well. We are in the process of contacting these vendors.

Malwarebytes intends to pursue legal action against IOBit. We demand IOBit immediately remove all traces of Malwarebytes’ proprietary research and database from their software. We also demand IOBit be delisted from Download.com due to Terms of Service violations. This is criminal: it is theft, it is fraud, and we will not stand for it.

What can you do to help? If you feel the same way we do about this theft, we encourage you to send an email to hosting services such as Download.com and Majorgeeks.com requesting that all IOBit software be removed.

Copy/paste of the original Article here

Update to this post: IOBit’s Denial of Theft Unconvincing

My New Toy... a HTC Magic

noreply@blogger.com (miekiemoes) — Fri, 31 Jul 2009 14:43:00 +0000

I finally decided to buy a Smartphone...: http://www.htc.com/www/product/magic/overview.html

Love at first sight!
Too many options and too much stuff to configure. This will certainly keep me busy for a while....

Searchengine Redirects? It could be a patched ws2_32.dll file...

noreply@blogger.com (miekiemoes) — Wed, 10 Jun 2009 22:45:00 +0000

I was helping someone yesterday (online support via forums) who was complaining about searchengine redirects. Redirections mainly went to mybig-portal.com, virus-detect-soft.com, edmonds.com, us.peeplo.com, directkitchenremodeling.com...

There are already many different infections responsible for searchengine redirections, I see several different ones every day.... so after a while, it's getting easier for me where to look/search.
The info is mainly gathered from logs (Registry loading points, Rootkit scans, etc).

However, this one was different. I just couldn't find the culprit. Same scenario as with the first Daonol/JsRedirect/Gumblar variant I discussed here last year (October 2008).
People who know me also know that I will search untill I find it, so I finally found the culprit - a patched ws2_32.dll file.
The ws2_32.dll is a legit Microsoft Windows file that contains the Windows Sockets API used by most Internet and network applications to handle network connections.
In this case, it was patched by malware. Its copies in the dllcache and ServicePackFiles\i386 folder were also affected. Reference thread here.
It wasn't detected by any scanner yet. Sophos Antivirus will now detect this one as Troj/WShack-B.

So if you encounter the same and just can't find the culprit of a searchengine Hijack after trying anything else - then it *may be a patched ws2_32.dll file. Don't delete that file if it's indeed patched/infected, but replace it with a clean copy.
If unsure/in doubt, post you issue in the forums.

In case you're wondering....

noreply@blogger.com (miekiemoes) — Wed, 06 May 2009 12:38:00 +0000

Yes, I'm still alive, just extremely busy lately.

It's now already a couple of months that MalwareBytes hired me as Malware researcher, so that's where most of my time goes nowadays.
I've decided I will only blog here once in a while - I hope at least once a month - but I cannot promise anything :-)

Also... Thank you for the nice mails I've received lately via this blog and sorry I didn't respond earlier. It looks like something went wrong with the "Contact Me" mailform, so a lot of delayed (2 months or so) mails arrived just today. Anyway, this should be fixed now.

In between message...

noreply@blogger.com (miekiemoes) — Fri, 06 Mar 2009 11:26:00 +0000

It's been a while that I've blogged and since I'm going through some major changes in my personal and professional life (maybe new job), I won't have the time and inspiration either to blog in the next couple of weeks.
In a meanwhile... Click the icon to play a little game, so you didn't come here for nothing. :-)

See you later!

Virut and other File infectors - Throwing in the Towel?

noreply@blogger.com (miekiemoes) — Tue, 17 Feb 2009 13:25:00 +0000

I actually wanted to blog about this last week, but didn't find the time yet...
In the last couple of weeks, I noticed a HUGE increase of Virut present on computers. As a matter of fact, 30% of the infected computers I analyzed were infected with Virut. This is bad, really bad... :-(

Virut is a Polymorphic File Infector that infects .EXE and .SCR files. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker - for example to download/run more malware on the compromised computer. Emails may be harvested as well.
This latest variant may also search for htm, html, asp and php files on the drives and modifies them by inserting an iframe that points to a malicious website. So you can already imagine what may happen if the owner is a webdesigner and uploads the infected webpages.
An excellent write up on this latest variant (and previous one) can also be found here (by Nicolas Brulez): http://securitylabs.websense.com/content/Blogs/3300.aspx

Disinfection of the infected webpages should be easy - it's just a matter of deleting the iframe script in it.
The disinfection of the infected exe and scr files is something else...
Since Virut infects legitimate files, the files may not be deleted, but disinfected instead. And that's where the problems start...
Virut was known to be a buggy Virus in the past and it appears that this hasn't changed yet. We've seen this with other File infectors as well: To Junk Or Not To Junk.

And because of that, Virut may misinfect a proportion of executable files > result > corrupted file.
The same applies for other File infectors such as Sality.

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall.
And even though an Antivirus is able to disinfect the files, in a lot of cases, many files will be corrupted anyway > result > many programs won't work > loads of errors > corrupted Windows + there's still no guarantee that the Virus is really gone.
So why bother to clean this if a format and reinstall is the fastest and especially the safest solution?

And that's why I am blogging about this in the first place, especially since Virut is a very common infection nowadays. It's a pity to see that so many people are struggling with it and whatever they try, nothing helps. Then they ask for support via the forums and in a lot of cases, the one who is helping/guiding won't give up either and posts a new set of instructions to deal with this one.
Unfortunately another failure as result, so again, new instructions are posted... and this may go on and on...sometimes for weeks....
Is this responsible?
I'm not saying it fails everytime, but from what I have seen so far and especially if you're helping someone else with this infection... don't guarantee them a "clean" and errorfree computer afterwards .

In anyway, that's how I see it. Imho, dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall.
Many people may see this as "giving up", but I see this different.
After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.

Happy Dance - Blog 1 year old!

noreply@blogger.com (miekiemoes) — Wed, 04 Feb 2009 15:55:00 +0000

I started with this blog exactly 1 year ago. I actually didn't expect anything from this since I'm not a writer and don't have enough inspiration either to update my blog every (other) day.
The main goal of this blog was to post some tutorials and thoughts for the "average" user I was helping on forums and newsgroups - so I could link to my blogposts instead of reposting it again and again.
I was already happy with only a few blogposts and actually didn't really plan to update it anyway - only once in a while.
Maybe I could have updated my blog more often with latest Security News etc, but decided not to do so.
However, after a month or two, I saw that some people started to follow this blog and linked to it as well. That was a pleasant surprise.
And that's why I'm still updating this blog with thoughts (mainly rants), tutorials and other (stupid) stuff.

Anyway, thanks for the comments and feedback I have received so far - I've learned a lot from this and I'm still learning every day!

Thank you readers!

IX Web Hosting - Reliable?

noreply@blogger.com (miekiemoes) — Sat, 31 Jan 2009 11:46:00 +0000

Someone contacted me recently about the wdmaud.sys / sysaudio.sys - Win32:Daonol infection. This because his site was injected with the iFrame Javascript "Yahoo! Counter starts here". People who visit the compromised site will get infected with Win32:Daonol.
Even though he removed all injected code, it came back all the time. Also, he couldn't understand how his site(s) got compromised in the first place.
Until he told me what his webhosting service was..... IX Web Hosting.

A quick google search explained a lot....

There's even a blog called "IX Web Hosting Warning" to warn people for this webhosting company.
Quote from their About page:

"IX Web Hosting the incompetant cheap web hosting company was hacked in May of this year, and hackers managed to “seed” the servers, which are now injecting 1000’s of innocent paying customers websites, on a weekly basis. It has gotten so bad, and happened so frequently that even the backups are infected.

This has been going on now for almost 8 months!!… Yes that is correct, 8 months, and IX web hosting has still not fixed this massive security issue.
The worst part of this ordeal, is the fact that IX web hosting knows, and has openly admitted to certain people ( myself being one) that they have a massive issue, they still blame the innocent customers that it is their fault."

In anyway, that may also explain why so many people got infected with Win32:Daonol lately:
http://ixwebhostwarning.wordpress.com/2008/12/24/ix-web-hosting-and-the-yahoo-counter-script-injection/
http://ixwebhostwarning.wordpress.com/2009/01/11/is-your-site-infected-by-the-yahoo-counter-or-htaccess/

"Thousands of IX web Hosting customers are infected with this code, and they do not even know it! The web Page looks normal, but this can be very dangerous, your website will eventually drop from ALL the mayor search engines, and your domain will be flagged as “Dangerous Malware” by all the search engines."

Lesson learned: Avoid IX Web Hosting - Avoid sites being hosted with IX Web Hosting, because you may get infected.

Miekiemoes rules ?? Yeah right...

noreply@blogger.com (miekiemoes) — Thu, 22 Jan 2009 09:41:00 +0000

This is about the Searchengine Hijack I blogged about a couple of months ago. Files responsible for this hijack are sysaudio.sys or wdmaud.sys, present in the system32 folder - detected by most scanners as Win32:Daonol.
Someone notified me yesterday about a version of Win32:Daonol which is a bit different than other versions.
The malware author(s) decided to add "Miekiemoes rules" under file description in one of its versions.
Again, another proof why not to believe what malware tells you :P

This is what you get when you hover your mouse over the malicious wdmaud.sys:

I only have above screenshot. The person who uploaded this screenshot for me already deleted the wdmaud.sys, so no sample available. In anyway, thanks for the screenshot.

~~Sample is welcome (only above version).~~
Edit - Sample received - Thank you blogreaders :)

Settings won't save in Firefox

noreply@blogger.com (miekiemoes) — Wed, 14 Jan 2009 14:57:00 +0000

This is another common problem I see in forums lately. This especially since more and more malware targets firefox as well.
An example we see in forums lately is "Yoog Search". This is a searchengine Hijacker - comes with a variant of AdRotator/IconAds Adware.
The Firefox startpage + searchengine / Searchsettings get hijacked and even though the malware (responsible for changing startpage+searchengine) is gone/deleted already, if people want to change it back to default again, or change it back to their own startpage / searchengine, firefox won't save the settings.
So after a next Firefox session, the Hijacked startpage / searchengine etc is back again.

The cause is a user.js file present inside the Firefox profile folder. So, in this case the %APPDATA%\Mozilla\Firefox\Profiles\"identity" folder.
The user.js file does not exist by default and was in this case added/modified by malware.
This file is used to set or reset preferences to a default value. For example whenever the browser is loaded, the values present in the user.js file will supersede the stored values in the prefs.js file.
The prefs.js file contains the values you can access/modify via about:config or via the preferences in Tools > Options Menu in Firefox.
See here for more info about the user.js file.

I've also seen the same where malware changed the Proxysettings and created a user.js file to store the Proxysettings there. Result > once the malware was removed, the user would get the error: "The Proxy Server is Refusing Connections" since the user.js file is still in use.
Some versions of the Ask Toolbar also create a user.js file in the Firefox userprofile, so after uninstalling the Ask Toolbar, the homepage + searches are still set to Ask.com because the user.js file is still present.

That's why, if you're ever having problems with Firefox that won't save settings like startpage, searchengine, proxysettings etc.., then look if a user.js file is present in the Firefox profile folder and delete or modify it.
The presence of user.js in the Firefox profile folder doesn't necessarily mean that it's a bad file. Many people create their own user.js to supersede the stored values in the prefs.js file. So if you didn't create the user.js file yourself, you may delete it (since it's not present by default anyway).
If you're not sure, just rename it to user.js.bak, or open the file with notepad to see what values are present there.

Cold Turkey for X-mas.

noreply@blogger.com (miekiemoes) — Mon, 15 Dec 2008 10:05:00 +0000

I haven't been online much lately, this for several reasons. One of the reasons is.. I quit smoking!
I was trying to avoid situations where cigs were needed the most. I have to admit that actually every situation where I was allowed to smoke was a reason to smoke.
But the worst situation was when I was using computers - more than 10 hours a day, one cig after another. You can imagine I was smoking a lot!

I've already tried to quit last year - but that failed. I was going nuts after two days and a cig was my only relief. Sad, isn't it?
After my failure last year, I decided to smoke less. I didn't allow myself to smoke in the house anymore. So everytime I wanted a cig, I had to go outside, or smoke in the garage.
This actually helped a lot, I didn't break my own rule and smoked only the half of what I used to smoke. Even when I was using the computer, instead of having 6 (or sometimes more) cigs in one hour, I only had to go outside 2 or 3 times an hour. (I know, I know, it's still a lot).

After a couple of months (last week), I was wondering what I was actually doing. This was just silly and I had to stop that.

My own rule to go outside for a smoke worked like I charm and I never broke that rule. So why can't I make my own rule to quit smoking?

So, last week, I smoked my last cig and that was it.

I'm not using any nicotine replacement therapy aids like gum, patches or inhalers. No medications either like Zyban to reduce the craving, no hypnosis, acupuncture.... whatever. Just quit smoking Cold Turkey.
The only thing I used was a book (no, I didn't smoke it) by Allen Carr - "Easy Way To Stop Smoking". As a matter of fact, it is easy if you believe it!

It's already more than a week I quit smoking and I have to say - it's going pretty well. I've tried to avoid computers as much as possible in the first couple of days. Now I'm "facing" computers again and I don't really feel the "hunger" for a cig. The only thing is - I still feel the need to stand up 2 or 3 times in an hour to go outside. :-)
I'm like Pavlov's Dog - but then I remember the famous quote by Yoda: "You must unlearn what you have learned".

Anyway, I'm glad I quit smoking and I'm sure I won't fail this time.

Happy Holidays!!

Please disable Autorun asap!

noreply@blogger.com (miekiemoes) — Sun, 23 Nov 2008 14:31:00 +0000

We see an increase in USB-Based Malware Attacks lately - See here and here for more info.
Unfortunately, in the last few weeks, I have seen many cases where the enabled autorun feature caused A LOT of problems afterwards. This means that many are not aware of the dangers yet.
For example.. Some scenarios I have seen in the last couple of weeks are:

* Computer gets infected with Win32/Sality.NAR (NOD32 detection). This is a polymorphic file infector which searches local and network drives for files with the .exe extension and infects them by adding a new section that contains the viruscode.
It also copies itself into the root folders of removable drives using a random filename and creates an autorun.inf file to make sure it runs whenever it is inserted into another computer. It also disables most AV scanners by terminating their services/processes, disables Taskmanager, disables Regedit and much more to prevent it being detected or disinfected.
In this case, the user had an USB flashdrive and used it to transfer removal tools etc in order to remove this infection, since no scanners would work. What happened was, since this virus also spreads via removable media, his USB flashdrive became infected > result > His other computer was infected as well!

* Computer gets infected with W32/AutoRun-OY - This one also spreads via removable drives. This computer is used at home and every user has its own account. Mom, dad, son and daughter. Son loves to play games, but also loves to download games + cracks via illegal resources.
And that's how the computer at home gets infected with W32/AutoRun-OY. No detection since the Antivirus application that was installed was only a trial and was already expired for more than a year. Dad works for a big company and he tranfers his database+files from the computer at work to an USB flashdrive so he can proceed with his work at home.
The usb flashdrive gets infected when he inserts it into the infected computer at home. Since no scanner (because it's outdated) gives an alert and blocks the malware, there's no sign that the computer + Flashdrive is infected.
Dad goes back to work, inserts the flashdrive into his computer at work and... it gets infected as well. No alert, nothing! It appears that the computer at work didn't even have an Antivirus installed !! And, worst part of all was... Virut was also present! See here for more info. This is imho a lost case, and especially for business owned computers, it is irresponsible to clean this up manually. Format and reinstall is the fastest and especially the safest solution here.
So, who is to blame here? Imho, everyone is. The son who is responsible for visiting illegal sites in order to download his games + cracks, plus the fact that the Antivirus was outdated, plus the fact that dad uses an USB flashdrive containing corporate information and inserts it into the personal computer (see here how to protect your data), plus the fact that the computers at work didn't even have any protection/AV installed.
Anyway, this is so irresponsible, especially when company owned computers are involved.

* And today, I have another case where someone gets infected with W32/AutoRun-OY, where mom uses an usb flashdrive to transfer files to use at work and is already complaining about the fact that there are "problems". This thread is still in progress and I really hope this isn't a lost case.

No wonder the Military bans disks and USB drives

This appears to be a common problem nowadays - that's why it is so important to prevent spreading similar infections by disabling Autorun.

To disable autorun, please read the following tutorials:

http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/ (applies for XP Pro since XP Home has no gpedit.msc present)
http://www.engadget.com/2004/06/29/how-to-tuesday-disable-autorun-on-windows/ (aplies for XP Home. Same can be used for XP Pro)
http://www.howtogeek.com/howto/windows-vista/disable-autoplay-in-windows-vista/ (applies for Vista)

Some malware removal tools already disable Autorun by default. Don't complain about this. This is an extra security measure and you should have it disabled. If you really want to enable this again - then it's your own responsibility. Don't complain afterwards if you get infected and are responsible for infecting a lot of other computers as well.

Update: Extra instructions to disable autorun (by US CERT) can be found here.

And another Paypal Phish...

noreply@blogger.com (miekiemoes) — Wed, 19 Nov 2008 17:40:00 +0000

This is a mail I received in my mailbox one hour ago:

For your protection, we have limited access to your account until additional security
measures can be completed. We apologize for any inconvenience this may cause.

To review your account and some or all of the information that Pay Pal
used to make its decision to limit your account access, please visit the Resolution Center.

We encourage you to log in and restore full access as soon as possible. Should access to your
account remain limited for an extended period of time, it may result in further limitations on
the use of your account or may result in eventual account closure.

----------------------------------------------------------------------------------------------

Click here to resolve the problem.

----------------------------------------------------------------------------------------------

Sincerely,
PayPal Account Review Team

Click to enlarge

After I clicked the link, I was presented with this fake page:

Click to enlarge

Ok, let's enter "my" Email Address and PayPal Password to Log In.

Click to enlarge

The usual Logging in screen, which then opened the following page:

Click to enlarge

They don't only want your Paypal Password, but as you see, A LOT of other information as well - Card number, Expiration date, Card verification number, Pin number and Bank name.

Anyway, if you became a victim of this Phish, contact Paypal and your Bank immediately and change your Paypal Password asap!

MSN Virus!! No scanners detect it!!!!

noreply@blogger.com (miekiemoes) — Sun, 16 Nov 2008 00:34:00 +0000

This is a common subject I see in forums lately.
People are complaining about an "MSN Virus" and no scanners can detect it.
This so called "MSN Virus" is responsible for sending links to their contacts list.
Yes, there are indeed some worms, spreading via messenger and infecting your computer, for example the IRCBOT-RB Trojan and many other variants.

However, this one is totally different... and is actually already going on for a while...

It appears that many aren't aware of this one yet, because I still see so many threads in forums where many AV scanners and other scanners were being used > result > no detections, no strange files, no strange loading points etc..
Long threads with no ending since they can't find the main cause.

Actually, the main cause is very simple - The login/password of the MSN account was gathered because they entered that info via the link they received once.
This is an example of a link they receive:

More detailed info from some older blogposts:
http://phatybomb.blogspot.com/2008/04/how-to-solve-this-pesky-msn-virus.html
http://blog.spywareguide.com/2008/06/another-site-asking-for-msn-lo.html

Links may be different, but the scenario is still the same.

If you click that link, your browser will open and you are presented with a webpage where it prompts you to enter your MSN Login and Password to proceed.
Ofcourse, the only purpose here is to gather your Login and password so they can (ab)use it to log in into your account and send the same link to your other contacts.
In this case, your computer isn't infected which explains why scanners won't find a thing.

Solution is simple: Change your MSN password.

As I said, this one is already going on for a while - but in the last couple of days, I see more and more threads in forums about this one - endless threads with several different logs which won't show anything.
That's why, if you think you're dealing with a similar "infection", change your password first and see if that solves your problem. If not, then make sure your Antivirus Scanner is up to date and perform a full scan with it.

Congrats Belsec!

noreply@blogger.com (miekiemoes) — Tue, 11 Nov 2008 11:31:00 +0000

For the people who don't know Belsec, check out the blog here: http://belsec.skynetblogs.be
Today, Belsec exists 1 year - Happy Birthday!!!

Some exclusive articles, free stuff and other goodies will be posted there this week, so make sure you don't miss it.

Meet the Medion Family

noreply@blogger.com (miekiemoes) — Mon, 03 Nov 2008 08:15:00 +0000

A picture of my "Workplace"...

HitmanPro 3 - maybe better, but I still have my doubts..

noreply@blogger.com (miekiemoes) — Sun, 02 Nov 2008 16:37:00 +0000

Mainly dutch users will know this program/removal tool. There were many discussions about it in the past as you will read here.
However, the newest version is a bit different. Instead of installing many several different Antispyware and Antivirus removal tools, it now uses a "Scanwolk" or "ScanCloud". This means that potential malware related files are being uploaded there and are being scanned by a couple of different engines. These engines are Eset (NOD32), Avira, PrevX, Emsi Software - a-squared Anti-Spyware and Ikarus Anti-Virus. As far as I know, some of these "Scansoftware" are for free. Correct me if I am wrong.

This is a littlebit the same principle as Virustotal, but in this case, it happens automatically without users interference.
Previous versions of HitmanPro were for free, however, this time, the new version is different. Scanning stays for free, but to remove what it has found, you have to purchase a license. First you get a trial which is able to remove the found threats - but once that trial has expired, you have to purchase a license..

Before testing this application, I already had a few remarks....

* What about false positives the external scanners find. Will HitmanPro remove them as well or not?
* Automatically uploading files to the "ScanWolk" (as how they are calling it) - what about users interference? Is this automatically allowed? Most scanners ask this before users upload potential suspicious files to a server. HitmanPro goes for faster results and uploads automatically without users interference. Ethics???

Anyway, those were my main concerns, so I decided to give HitmanPro3 a try..

If I test software, I always try it in a Vmware Image first. In this case, it was Windows XP Pro Service Pack 2.
It was a clean install, only some analysis tools (tools which enumerate windows loading points) were installed.

I've downloaded HitmanPro 3 and executed it...
Once again, this is a clean Windows XP SP2 install with only some analysis tools present.

It started with the scan...

Ok, tracking cookies in the first place. You're kidding if people really have to purchase a license to remove these tracking cookies. Easy money..
Anyway.. the other detections..
Too bad to see it detected one of my favorite analysis tools (OtScanIt.exe) as Trojan.Dos.Win32....
I've uploaded it to Virustotal and came back with the following results: http://www.virustotal.com/nl/analisis/ab129671f0130d829a70e395ec5b64fa
HitmanPro uses the Prevx engine, and in this case, its detected as "Cloaked Malware". This is a heuristic detection and may be a false positive. Not sure where HitmanPro gets the "Trojan.Dos.Win32.." from..
Anyway.. during detection, there is NO WAY where you can deselect what it has found. The only option you get is the "next" button. (and the option to select what subscription you have).
Then, if you click the "next" button, it removes what it found, no matter if it was a false positive or not (after all, you could not deselect in from the main screen). Byebye OtScanIt - I couldn't save you.. :(
And even in my clean Vmware image, HitmanPro decided (without notice) to remove my desktop background and replace it with the 'plain blue standard background'. Is there any reason why? Without notice? So this means that everyone who runs HitmanPro3, no matter if you're infected or not, gets a "blank" desktop afterwards?

Once again, this was in a clean Windows XP SP2 image. Detections and removal of files that weren't even malicious and deleting valuedatas in keys (without notice) that weren't even malicious...
It also appears that some others were having problems as well with this newest version. For example:
http://www.techzine.nl/nieuws/18270/SurfRight-brengt-finalversie-Hitman-Pro-3-uit.html (First reaction present there).
To translate: "I've used it two times and deleted it immediately. The scripts crashed and deleted important files from my PC. BSOD, then a system restore (removed HitmanPro) and everything worked OK again."

I'm not suprised at all.....

So the only thing I can say here is... please remove the official version and give it more time to beta test. It's way too dangerous to use/release it in public.
Some important thoughts:

* Ask for confirmation before uploading potential dangerous files.
* Make sure people can select/deselect what files to remove.

EDIT: There's indeed an option to select/deselect what files to remove, but only if you rightclick the view and select the "Virus analist view". Many people won't know about that option (I didn't either), so it may be better to make checkboxes to select/deselect in the main view.

* I can't find a backup/quarantine option. Better to give the option to quarantine what it removed with the option to restore if needed.

... and some more thoughts that I will post later.

Extra note... I have NOT tested this on an infected system yet - I'll certainly do this later and see how it acts/reacts - and post the results. My main important point was how it acted/reacted on a NON infected system since many people just love to run tools and even purchase them if not needed.

That was a stupid thing to say

noreply@blogger.com (miekiemoes) — Mon, 27 Oct 2008 12:32:00 +0000

I was helping someone yesterday with a SEVERLY infected computer. This computer was infected for at least 1 year since older malware was still active and running, with on top, newer malware including a File infector, some backdoors, random adware and god knows what else...
So you can imagine there wasn't much we could do about it, this computer was TOAST.
Then this user told me that he was actually PROUD of the fact that he managed to get 4 different computers infected/damaged in a short period of time.
Excuse me?

That's where I ended my support - told him to format and reinstall Windows and never use a computer anymore.

This is once again an example why some people should be restricted to use computers and is a perfect addition to my previous rant: "The Neverending story".
Oh, and yes, I do agree with Eugene's Final thoughts - with the addition that Internet access should be restricted for such people as in above example.

MEDION Akoya Mini 10" Netbook E1210

noreply@blogger.com (miekiemoes) — Mon, 27 Oct 2008 09:24:00 +0000

Yes, that's going to be my new notebook. This is the Aldi offer in Belgium for this week and since I always wanted a "mini notebook" to take everywhere with me, this looks like the ideal one for me.
My other notebook (older one) died in a meanwhile after the "coffee accident" I blogged about last month. I'm still surprised that it worked for a couple of days afterwards, so I could back up important data. So in a way, I was lucky.

Specifications of the Medion Akoya Mini are:

1.6Ghz Intel® Atom™ Processor N270
Intel® Atom™ Processor – a new series of very low power processors developed by Intel® especially for Mobile Internet Devices (MIDs) and for a new class of more affordable, smaller and fully functional computer systems built to provide fast, easy internet access. These ‘Netbooks’ are impressive thanks to their ease-of-use, portability, powerful wireless LAN functionality and long battery life.

Windows® XP Home Edition
(incl. Service Pack 3)

10" TFT Widescreen Display
1024 × 600 pixels

80GB SATA hard drive
for more than 16,000 music tracks or photos**

1GB RAM

Fast WLAN Wireless LAN 802.11 b/g +
Draft-n with up to 300 MBit/s.*

Intel® Graphics Media Accelerator 950

Connectivity
USB 2.0, Memory card reader and much more...

Integrated webcam

Connections

* Multi-card reader for SD, MMC, Memory Stick
* 3× USB 2.0
* 1× VGA out
* 1× network (RJ45)
* 1× line out

Also included

* Li-ion battery and mains power adaptor

Dimensions and Weight

* Approx. 260 × 180 × 19/31.5mm
* Approx. 1.2kg incl. battery

Bag and Bluetooth dongle are also included.

And this for 399 euro!

More info also here: http://www.medion.de/ms/aldi/md97160/au/flash.html

I guess I'll have to hurry before they are sold out.

Fake sysaudio.sys causes Searchengine Hijack

noreply@blogger.com (miekiemoes) — Mon, 13 Oct 2008 17:44:00 +0000

What is this infection about...
It actually loads a script, so searchengine results are loaded within a script. For example, when you research something in google or another searchenigine, you get this when you view the source:

script scr= //78. 157. 142. 58/ and then the searchengine results.
or
script scr= //209 .85 .171 .9/ and then the searchengine results.
(more may be present as well)

So, whenever a popular searchengine is being used, a script is loaded to insert its results. For example, a search for: "How to remove rootkits with icesword", you get irrelevant results. Screenshot here:

This only applies for the first page of the results.

It looks like stopzilla.com is also promoted via this piece of malware
Example:

As far as I know.. this one is getting installed via a "Yahoo! Counter starts here" javascript (which is a malicious script and not related with Yahoo) injected on many forums/sites/blogs.

The responsible file for the searchengine hijack is sysaudio.sys, (which is actually a DLL) dropped in the %sysdir% folder (system32 folder).

Note - do NOT confuse this one with the legitimate sysaudio.sys file which is present in the %sysdir%\drivers folder!!! So don't delete the legitimate %sysdir%\drivers\sysaudio.sys file!

The loading point for the fake sysaudio.sys is under the
HKLM\software\microsoft\windows nt\currentversion\drivers32 key
with value and valuedata:

"aux"="sysaudio.sys" or
"aux2"="sysaudio.sys"

Legitimate valuedata for "aux" should be wdmaud.drv or mmdrv.dll or ctwdm32.dll (those are the most common legitimate ones I've seen so far, there could be more)

Other files the fake sysaudio.sys may use are divx.nls or ntnet.drv which is also present in the %sysdir% folder.
(could be more already - newer variants)

Anyway, this is another method being used to "hide" its presence because it causes confusion with legitimate files/keys. So be cautious if you think you're dealing with this one and do not delete the legitimate sysaudio.sys file present in the system32\drivers folder or "aux" value in the registry. Ask for help if you're not sure.

UPDATE!!!
A new variant is Windows\system32\wdmaud.sys <== bad one
The legitimate ones are Windows\system32\wdmaud.drv and Windows\system32\drivers\wdmaud.sys, so don't delete those!!

UPDATE2!!!

And again a new variant around. Malwarebytes' Anti-Malware detects this one as Trojan.Gumblar or Trojan.JSRedir. (previous variants were detected as Trojan.Daonol)
Redirections go for example to 209.85.171.199 - or you see 7.7.7.0 in the status bar.
This time, it uses a random file name. To find out, browse to the HKLM\software\microsoft\windows nt\currentversion\drivers32 key in the registry and look what's present under the "aux" values (aux1, aux2, aux3, aux4..) One of them is the cause. It's a "weird" looking filepath and name, examples are: "C:\WINDOWS\system32\..\sjkemx.iqd" or "C:\WINDOWS\system32\..\kvlhurx.niq" or "c:\docume~1\%username%\LOCALS~1\Temp\..\herlppj.sna" - note the reference named ".." which actually refers to "go up two levels". To find the file itself, easiest way is via Windows search. If it comes back immediately after you have removed it, you can use the "Hijackthis - Delete on reboot" option, or any other tool that is able to delete files on reboot.
In case you can't launch regedit (crashes when you launch it), rename regedit and try again.
If you're unsure, don't delete anything, but ask help instead.

Update: A Great, detailed writeup by MAD (French)

To receive help to remove the infection or similar infections, register at one of the forums present on the right, or register at my personal forum here. It's a dutch forum but I also give english support.

Something, somewhere, went terribly wrong.

noreply@blogger.com (miekiemoes) — Fri, 03 Oct 2008 08:45:00 +0000

A t-shirt I ordered - arrived today...

I love it!! :)

MySpace/FaceBook worm causes confusion in HijackThislogs

noreply@blogger.com (miekiemoes) — Wed, 01 Oct 2008 13:54:00 +0000

This blogpost is actually a warning for people who are helping others to get rid of this worm via HijackThis-logs.
Here's some more info about the worm itself and how it is being spread:
http://www.kaspersky.com/news?id=207575670
http://www.pcworld.com/businesscenter/article/149559/malicious_hackers_use_facebook_wall_for_malware_attack.html
This worm is also known as Net-Worm.Win32.Koobface.*

People are complaining about Google Redirects, slow computer in general and browser freezing or shutting down whenever they want to log into their FaceBook or MySpace account.
The files responsible for this infection are:

%WinDir%\kenny**.exe (** stands for a number, in this case 16, 17, 18..), runs from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with displayname sysftray2
%WinDir%\fmark2.dat
%ProgramFiles%\TinyProxy\TinyProxy.exe or %ProgramFiles%\ProtectService\ProtectService.exe which runs as a service.

It also modifies the Proxy to http=127.0.0.1:8181
To fix this:
In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.
In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.

To remove this infection, just delete the %ProgramFiles%\TinyProxy folder or %ProgramFiles%\ProtectService folder it has created + the %WinDir%\fmark2.dat and %WinDir%\kenny**.exe files + restore proxysettings.
It's recommended that you do this in Windows Safe mode since this infection (mainly the service) is active in Windows normal mode.
There could be newer variants present already.

Now, what's the confusion with HijackThislogs and people who are guiding others with malware removal via HijackThislogs...

Let me explain how HijackThis.exe enumerates the services...
For example, let's take the legitimate Nvidia Display service:

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

What's between the brackets is the Servicename. In this case "NVSvc". That's how the service is registered in the registry.
The Displayname is "NVIDIA Driver Helper Service". This is how you see it in services.msc for example. This is also set under the Servicename with value "Displayname".
The "C:\WINDOWS\system32\nvsvc32.exe" refers to the "ImagePath" value set under the "NVSvc" service. This means the file responsible for running as a service.

In case there are no brackets, then it means that the Servicename is the same as the Displayname, for example:

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

In this case, "Apple Mobile Device" is the servicename and displayname.

If people check and fix a O23 entry in HijackThis, HijackThis doesn't delete the service, but disables it instead. This means, it changes the "Start" valuedata for the service to dword:00000004, which means disabled.
In case when a malicious service is present, if you fix it in HijackThis, it won't remove the service. It will only disable it.
That's why a lot of helpers who are guiding with HijackThislogs are teached to delete the service in the registry as well. The sc delete "servicename" command is the common used command here.

Now let's compare one of these malicious TinyProxy.exe or ProtectService.exe Services..
That's how they look in a HijackThislog:

Some examples:

O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Logical Disk Manager (dmserver) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Apple Mobile Device (Apple Mobile Device) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: NMIndexingService (NMIndexingService) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe
O23 - Service: DHCP Client (Dhcp) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe

O23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Workstation (lanmanworkstation) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Fast User Switching Compatibility (FastUserSwitchingCompatibility) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe
O23 - Service: Computer Browser (Browser) - Unknown owner - C:\Program Files\ProtectService\ProtectService.exe

In this case, let's take O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe as an example.

People who are used to working with HijackThislogs would think: "Netman" is the servicename and "Network Connections" is the Displayname.
Yes, that's how it looks like.
But.. the service "Netman" is a LEGITIMATE service and the Displayname "Network Connections" matches as well as LEGITIMATE. Normally HijackThis whitelists these services.
Now what? Does that mean that this service in the registry was modified and the "Imagepath" value under the "Netman" service was changed to "C:\Program Files\TinyProxy\TinyProxy.exe" instead of %SystemRoot%\system32\svchost.exe -k netsvcs (which is the default valuedata for this one)?
Yes, that's a possibility... we've seen it before.
In such cases, after you have removed the offending folder C:\Program Files\TinyProxy, you need to restore the default "Imagepath" valuedata again to the legitimate one.

HOWEVER, I found out that this infection isn't modifying any legitimate services at all!
After a bit of research - comparing logs and testing with some dummy services - it appears that this infection creates a new service instead, but makes sure it matches a legitimate service and causes extra confusion in HijackThislogs.
Example:

Let's create the service:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Connections (Netman)]
"Displayname"="Network Connections (Netman)"
"ImagePath"=hex(2):25,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,46,00,69,00,\
6c,00,65,00,73,00,25,00,5c,00,54,00,69,00,6e,00,79,00,50,00,72,00,6f,00,78,\
00,79,00,5c,00,54,00,69,00,6e,00,79,00,50,00,72,00,6f,00,78,00,79,00,2e,00,\
65,00,78,00,65,00,00,00 <== which translates to %ProgramFiles%\TinyProxy\TinyProxy.exe
"Start"=dword:00000002 <== which means "autostart"

The service "Network Connections (Netman)" isn't legitimate since the legitimate service is actually "Netman".
But, since the "Displayname" in above example matches the servicename here, in HijackThislogs, it will show as:

O23 - Service: Network Connections (Netman) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe

While the servicename is actually: "Network Connections (Netman)" and NOT "Netman"!!

The result of this is.. many helpers look at the servicename in HijackThis (the one between brackets) and since it has a malicious file attached, some don't think further and think that the service itself is malicious as well (without knowing that it may be a legitimate service) > result > they ask to delete the legitimate service from the registry using the sc.exe delete command.
And yes, a Threatexpert report also reveals how it has created its service. Example: http://www.threatexpert.com/report.aspx?uid=b72eb6f9-00dd-442b-8a08-f095ca088e31
In the Threatexpert's example..
"TrkWks" is the LEGITIMATE service, but in this case, as you see in above report, the service: "Distributed Link Tracking Client (TrkWks) " was created.
A slightly bit different from what I've tested with dummy services, but it does make sense. In above example, the service has an extra space after the services name and since the "Displayname" is the same, it will show it like this in a original HijackThislog (since displayname and servicesname matches):

O23 - Service: Distributed Link Tracking Client (TrkWks) - Unknown owner - C:\Program Files\TinyProxy\TinyProxy.exe (~~note the extra empty space after (TrkWks) and -~~)**

But since people are posting this at forums, the forumsoftware strips that empty space anyway.
The same applies for the threatexpert report itself imho, where it also strips the extra space in the services name/services key if no subkeys are attached.

** After I have posted this, I noticed that this blogpost also strips the extra space after the services name..

Anyway.. imho, I'm pretty sure that, whoever developed this infection is well aware of HijackThis and how it displays its entries, this to cause some extra confusion for helpers.
And that's why I posted this warning in the first place, because I've seen it happen a couple of times already. Legitimate services were deleted > result, no internet access anymore or anything else that was broken because of this confusion in HijackThis.
That's why, before you want to delete a service in the registry, make sure first it's not a legitimate service!

I have not played with this infection itself yet (no samples available) - so my analysis is only based on logs/research and testing.
Samples are welcome. :-) Samples received. Thanks readers :)

Fujitsu Siemens Amilo - RIP..... for now.....

noreply@blogger.com (miekiemoes) — Fri, 19 Sep 2008 10:52:00 +0000

This was going to happen some day anyway...
I finally managed to spill a full mug of coffee (big size) all over my laptop.
In less than a second, the coffee had covered my entire computer desk. Luckily, my other laptop next to it was on a notebook cooler pad, so that one was saved.
The screen went black immediately, strange noises from underneath... and I sweared like never before.
Unfortunately, the swearing didn't work, so instead, I immediately disconnected the power supply and took out the battery.
I put the unit on its side and the coffee was dripping out. I left it in that position for at least an hour. I cleaned the rest of the mess I made, apart from the stains on the wall (Mr Proper can take care of that).
Then I turned it upside down, opened it and I'm going to let it dry for at least 24 hours.

In a way, I'm glad I don't like milk and sugar in my coffee, so maybe there's still hope... but I doubt it.

My dear Fujitsu Siemens Amilo, May The Force Be With You.

UPDATE! I couldn't wait any longer (waited for two days to let it dry)... so... it's up and running again!! No issues so far - everything works. I was really lucky :-)

AntiVirus, Internet Security and Total Security Performance Benchmarking by Passmark.

noreply@blogger.com (miekiemoes) — Wed, 17 Sep 2008 10:33:00 +0000

I actually never really paid attention to comparison/testing reports about Antivirus and Security Suites especially related with "best detection", "best removal" etc etc.. This, since I have my own opinion about this :-)
However, this is a different test, a performance test of several different Antivirus products and Security Suites/Total Security Products by Passmark.

- The Performance tests:

* Boot Time
* Scan Speed
* User Interface launch Speed
* Memory utilization
* Installation Time
* Installation Size
* Registry Key Count
* File Copy, Move and Delete
* Installing Third Party Applications
* Binary File Download Speed
* File Format Conversion
* File Compression and Decompression
* File write, Open and Close

- Overal Ranking in comparison with other products:

Click to enlarge

It looks like Norton Internet Security 2009/Norton Antivirus 2009 is a winner here in comparison with previous tests and older versions.

Anyway, "decide" for yourself and read the full report here: http://www.passmark.com/ftp/antivirus_09-performance-testing-ed1.pdf

Still, imho, the best way to decide what Antivirus/Security Suite to use (for best performance) is to install it and see how it runs on your computer. After all, every computer is different.
If it runs fine and you're satisfied with the Antivirus or Security Suite, then keep it.

I'll be back - (with a Female Schwarzenegger-style voice)

noreply@blogger.com (miekiemoes) — Sat, 13 Sep 2008 12:45:00 +0000

Many people already contacted me in the last couple of days, wondering where I am, why I'm not that active anymore on forums, my blog etc etc..
Well, I have been really busy lately IRL. This involves, searching for a new job (which is still undecided yet), some family related issues and some other stuff I won't post in public :-)
This is exhausting, I'm tired.. and explains why I'm not that active anymore lately. After all... IRL is still a priority.
However, latest Security threats are still one of my priorities as well - so I'm trying to keep up to date as much as possible. :-)

Anyway, I'll be back when things are sorted out... which will be soon (I hope) :-)