Swatkat's rants

How to build cURL static library with SSL support on Windows

noreply@blogger.com (swatkat) — Sat, 22 Jun 2013 18:01:00 +0000

This is a short note about building cURL with SSL support on Windows.

Tools required:

cURL source: Download latest cURL source from here.
Microsoft Visual C++ 2008 or 2010 Express Edition: It looks like 2008 Express Edition is no longer available, but 2010 Express Edition can be downloaded from here.
Win32 OpenSSL:

Download Win32 OpenSSL installer and Visual Studio redistributable from here - these are Win32 OpenSSL v1.0.1e and Visual C++ 2008 Redistributables at the time of this writing.
Install Win32 OpenSSL; by default it installs to C:\OpenSSL-Win32.
Install Visual C++ 2008 redistributable.

Building cURL:

Run Visual Studio 2008 Command Prompt from Start Menu > All Programs > Microsoft Visual C++ 2008 Express Edition > Visual Studio Tools. Or, Visual Studio 2010 Command Prompt if you're using Visual C++ 2010.
Navigate to winbuild sub-directory in cURL source directory, and issue following command:

nmake /f Makefile.vc mode=static WITH_SSL=static WITH_DEVEL=C:\OpenSSL-Win32 VC=X ENABLE_SSPI=no ENABLE_IDN=no ENABLE_WINSSL=no DEBUG=no MACHINE=x86 GEN_PDB=no ENABLE_IPV6=yes

Note: In VC=X, replace X with 9 for Visual C++ 2008 or 10 for Visual C++ 2010.

Once build is complete, cURL static libraries would be copied to builds sub-directory in cURL source directory.

FLVTube - rogue video player

noreply@blogger.com (swatkat) — Sun, 31 Oct 2010 08:26:00 +0000

FLVTube is supposedly a video player that downloads and plays YouTube videos. Only a few anti-viruses categorize FLVTube as an adware, and most of the antivirus software do not have any detection for it. FLVTube uses the familiar fake codec download techniques to trick PC users in downloading their software: You chance upon a video clip on a random website and to view it you need to download FLVTube! If FLVTube is really a genuine video player, then I wonder why they are using such misleading installation strategies.

During installation, FLVTube gives options to install following affiliate products of questionable reputation:

Emoticons Toolbar by SweetIM
WhiteSmoke Grammar software
Uniblue RegistryBooster

And, it installs following mandatory components:

FLVTube Player
FLVTube Toolbar
QueryBrowser Search Assistant

FLVTube Toolbar and QueryBrowser Search Assistant hijack browser homepage and search provider to http://flvtubesearch.co and www.querybrowser.com (however, this is mentioned in terms and conditions during installation).

VirusTotal scan results of installer and browser plugins can be found here, here and here. Stay clear of this rogue video player! Malwarebytes Anti-Malware can be used to remove FLVTube Player.

ThinkPoint rogue antivirus

noreply@blogger.com (swatkat) — Sat, 23 Oct 2010 15:56:00 +0000

ThinkPoint is a new addition to the long list of rogue antivirus programs. ThinkPoint uses fake codec download tricks for its distribution. Once installed, it shows a fake "Microsoft Security Essentials Alert" popup box showing a non-existent threat.

ThinkPoint adds a Winlogon Shell registry entry, so that ThinkPoint starts up instead of Windows Explorer during Windows startup. ThinkPoint hijacks the startup/login screen.

At this point, follow these steps to get back the standard Windows desktop:

Start Task Manager by pressing CTRL+ALT+DEL and kill the process named hotfix.exe.
Go to File Menu > New Task (Run) in Task Manager and type explorer.exe to spawn Windows Explorer.

In case you don't find hotfix.exe process in Task Manager, it could mean that the rogue program is using a different filename. Interestingly, there's a workaround built into this rogue program to get to desktop:

Click "Safe Startup" button and allow it to finish its fake scanning (duh!). After it completes scanning and shows scan results, click "Continue Unprotected".
Now, click "Settings" and select the option "Allow unprotected startup".

Close ThinkPoint rogue program's window by clicking the close button on top-right corner. This should take you to the standard Windows desktop.

VirusTotal scan results for ThinkPoint installer can be found here. Malwarebytes' Anti-Malware can be used to remove ThinkPoint rogue antivirus program completely.

OAuth support for twitCurl

noreply@blogger.com (swatkat) — Sun, 12 Sep 2010 19:30:00 +0000

The twitCurl twitter API library now supports OAuth authorization methods for twitter! Check out project wiki page for more information on twitCurl OAuth flow:

http://code.google.com/p/twitcurl/wiki/TwitcurlOAuthFlow

ARKit updates

noreply@blogger.com (swatkat) — Wed, 01 Sep 2010 08:45:00 +0000

Few updates on ARKit library! Following functionalities have been added to the library:

VAD tree traversal to find images loaded by a process
SSDT hook restoration
Kernel inline hook restoration
Process detection by scanning Handle Table
Process termination using NtTerminateProcess and NtTerminateThread

Get the source code here.

ARKit - An open-source rootkit detection library for Windows

noreply@blogger.com (swatkat) — Sun, 25 Jul 2010 15:18:00 +0000

ARKit is an open-source rootkit detection library for Microsoft Windows. ARKit has two components:

ARKitLib - A Win32/C++ static library that exposes various methods to scan system and detect rootkits
ARKitDrv - A device driver that actually implements methods to scan and detect rootkits

Currently, ARKit has following features:

Process scanning – Detect all running processes (hidden and visible)
DLL scanning – Detect DLLs loaded in a process
Driver scanning – Detect all loaded drivers (hidden and visible)
SSDT hook detection
Sysenter hook detection
Kernel inline hook detection

ARKit works on 32-bit flavors of Windows 2000, XP, 2003 and Vista. It has not been tested on Windows 2008 and Windows 7 yet.

For more information on ARKit project, please visit:

http://code.google.com/p/arkitlib/

yelpcurl - C++ Yelp API library

noreply@blogger.com (swatkat) — Tue, 06 Apr 2010 16:08:00 +0000

yelpcurl is an open-source, pure C++ wrapper for Yelp's RESTful APIs. The library currently supports all the APIs provided by Yelp. yelpcurl uses cURL and is written in a similar way as that of twitcurl. Building applications using yelpcurl is quite easy:

Compile yelpcurl source files (yelpcurl.h and yelpcurl.cpp) and link with cURL library (libcurl.lib) to build static library yelpcurl.lib.
Include yelpcurl.h and cURL headers (present in /include/curl/ directory in cURL source) in your Yelp based application and link to yelpcurl.lib and also libcurl.lib/libcurl.dll.
Instantiate an object of yelpCurl class and use the Yelp API wrappers that are exposed as public methods.

yelpcurl works on all OS (Windows, Linux, Mac etc.) as it is written completely in C++ and the only dependency is cURL (which works on all OSes mentioned earlier).

More info about the yelpcurl library can be found here:

http://code.google.com/p/yelpcurl/

twitcurl - C++ twitter API library

noreply@blogger.com (swatkat) — Wed, 02 Sep 2009 03:46:00 +0000

twitcurl is an open-source pure C++ library for twitter REST APIs. Currently, it has support for most of the twitter APIs and it will be updated to support all the APIs. twitcurl uses cURL library for handling HTTP requests and responses. Building applications using twitcurl is quite easy:

Compile twitcurl source files (twitcurl.h and twitcurl.cpp) and link with cURL library (libcurl.lib) to build twitcurl.lib
Include twitcurl.h in your twitter based application and link to twitcurl.lib and libcurl.lib/libcurl.dll.
Instantiate an object of twitCurl class and use the twitter API wrappers that are exposed as public methods.

twitcurl works on all OS (Windows, Linux, Mac etc.) as it is written completely in C++ and the only dependency is cURL (which works on all OSes mentioned earlier). More info about the twitcurl library along with an example program is available here:
http://code.google.com/p/twitcurl/

Wolfram|Alpha launches

noreply@blogger.com (swatkat) — Sat, 16 May 2009 16:00:00 +0000

Wolfram|Alpha is finally launched! Wolfram|Alpha is a computational knowledge engine that to interpret the questions/queries and tries to formulate answers. It is not a search engine, it is a combination of encyclopedia and real-time data mining. Wolfram|Alpha tries to structure the information scattered in world wide web. It could be great for scientific (physics, mathematics etc.) queries as it uses Wolfram Mathematica to compute answers. It is still in alpha stage and has a long way to go. Try it out!

By the way, Wolfram|Alpha has answer to life, the universe, and everything. It's 42 ;)

And, you will see this when Wolfram|Alpha website traffic exceeds its bandwidth limit:

Google is working on a similar tool called Google Squared, which aims to structure the unstructured information.

New rogue: AV Antispyware

noreply@blogger.com (swatkat) — Sat, 18 Apr 2009 16:21:00 +0000

AV Antispyware is new rogue software that belongs to MS Antispyware 2009 family. The AV Antispyware installer is dropped by a fake codec hosted at http://lvl-softwares.com (195.88.80.41) (do NOT visit this site).

VirusTotal scan result for the dropper can be found here, and AV Antispyware removal guide can be found here.

Waledac's new geo-sensitive social engineering

noreply@blogger.com (swatkat) — Wed, 18 Mar 2009 14:40:00 +0000

Waledac spammers are using yet another social engineering tactic to spread their malware. As usual, the spam mails contain link to dubious websites. One of such spam mail can be seen in the following screenshot:

These websites look like a Reuters news webpage reporting "powerful bomb blasts" near your area/city, with a video clip embedded in it. To see the video, the site persuades you to download a fake Flash Player.

These fake websites are geo-sensitive and they figure out the place/city of a visitor (based on visitor's IP address) and report it as the location of "bomb blasts". This technique is called geo-targeting. An innocuous PC user may fall for this trick by thinking that bomb blasts have really occurred in his/her area and download the fake Flash Player! Following screenshots show the location sensitive website content (check the place where blasts are reported; they change based on the visitor's gepgraphical location):

As of now, fake webpage is located at yyr.breakingkingnews.com (81.241.128.178) (whois).

VirusTotal results of the malware hosted at the above site can be found here and here. An automated analysis by ThreatExpert can be found here.

SysProt AntiRootkit v1.0.1.0 released

noreply@blogger.com (swatkat) — Sun, 15 Mar 2009 17:50:00 +0000

Another update for SysProt AntiRootkit! The latest version, SysProt AntiRootkit v1.0.1.0, contains few bug fixes and enhancements. The changelog is as follows:

Added a "activity bar" to indicate scan progress
Optimzed device driver scanning
Added help file
Fixed process and driver scanning bugs in Windows 2003 SP1 and SP2

Get the latest version here.

Yauba - Privacy Safe Search Engine!

noreply@blogger.com (swatkat) — Thu, 12 Mar 2009 18:25:00 +0000

Yauba is a brand new search engine from India. Yauba's search result quality is great and is comparable to that of Google. Yauba neatly organizes the search results and also shows text/image previews of websites.

One of the important features of Yauba is its stress of user's privacy and security. Yauba operates in complete incognito mode and does not collect any personal data. Their privacy policy goes like this!

Here's an excerpt from Yauba's site, which tells us about their privacy practices:

Most search engines try to gather and record as much information about their users as possible. They (or their parent companies) operate massive server farms with even more massive databases that secretly record your entire search history, your private contacts, the identity of your family and friends, your personal emails, your conversations and chats, your browsing habits, your physical location, details on the software you use on your computer, your IP address, and much much more. This is no exaggeration. Indeed, if you ever saw exactly how much most search engines actually know about your private details, you would be completely shocked.

At Yauba, we completely reject the view that search engines somehow need to keep mountains of data on their own users. Instead, we take the exact opposite approach. We do everything we can to protect the privacy of our users.

This is why we do not keep any record of any of your search terms, browsing habits or any other personally identifiable information.
This is why we automatically delete any and every piece of personally identifiable information from our servers on a continuous basis.
This is why we can have the shortest privacy policy (9 words) of any major Internet service in the world.
This is why you can visit almost every Internet site through the main Yauba service on a completely anonymous basis (with the only exception of file types that use other external third party software or plug-ins for downloading or playing).

Yauba is still in Beta/Late-Alpha state, and I think it is a very good service. Try Yauba at http://www.yauba.com/

SysProt AntiRootkit v1.0.0.9 released

noreply@blogger.com (swatkat) — Sat, 07 Mar 2009 20:52:00 +0000

Here's the latest version of SysProt AntiRootkit. Now, SysProt AntiRootkit v1.0.0.9 supports Windows Vista (32 bit)! Check out few screenshots that show SysProt AntiRootkit in action:

Kernel modules:

SSDT hooks:

Kernel inline hooks:

Following list summarizes the changes in SysProt AntiRootkit v1.0.0.9:

Added Windows Vista support
Improved device driver detection
Faster "Kernel Hooks" scan
Faster "Ports" scan

The latest version can be downloaded from here. Supported operating systems are Windows 2000/XP/2003/Vista, 32 bit versions. Feedback is welcome :)

New rogue: IE-Security

noreply@blogger.com (swatkat) — Mon, 26 Jan 2009 14:29:00 +0000

IE-Security is new rogue software that belongs to IEDefender family. The IE-Security installer, ie.exe, is hosted at 216.240.151.112 and http://ie-security.com (216.240.151.135). The user-interface of IE-Security is a rip-off of Microsoft Windows Defender.

VirusTotal scan result of IE-Security installer can be found here. By the way, people at IE-Security provide 27x7 support ;)

Files dropped by IE-Security installer:

%PROGRAMFILES%\IE-Security\ies.s1

%PROGRAMFILES%\IE-Security\ies.s2

%PROGRAMFILES%\IE-Security\ies.s3

%PROGRAMFILES%\IE-Security\ies.s4

%PROGRAMFILES%\IE-Security\iescan.exe

%PROGRAMFILES%\IE-Security\uninstall.exe

%USERPROFILE%\Desktop\IE-Security.lnk

%USERPROFILE%\Start Menu\Programs\IE-Security.lnk

where,

%PROGRAMFILES% is \Program Files\ directory in root-drive,

%USERPROFILE% is \Documents and Settings\UserName\ directory in root-drive.

Registry keys created by IE-Security installer:

HKEY_CURRENT_USER\Software\IE-Security

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "IE-Security"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE-Security

AntiSpyware 2009 and AntiSpywareBOT: Neighbours in crime!

noreply@blogger.com (swatkat) — Mon, 26 Jan 2009 10:38:00 +0000

Well, 590-B Schillinger Rd. South, Mobile, Al, 36695 seems to be the John Doe of addresses. Recently ParetoLogic blog posted about the address of the makers of rogueware AntiSpyware 2009. It seems that the headquarters of 2Squared, makers of rogueware AntiSpywareBOT, is also located in the same street. Even these guys have got a high-tech, high-profile CGI office ;)

Fake Obama websites spreading malware

noreply@blogger.com (swatkat) — Sat, 17 Jan 2009 18:53:00 +0000

Similar to eCard spam mails, we are now seeing US president-elect Barack Obama themed mails which contain links to fake websites. These sites host a malicious executable and this malware belongs to the same old Storm/Waledac family. One such mail and a fake website (http://donate.superobamadirect.com) are shown in following screenshots:

These fake sites are hosted using fast flux DNS technique - a typical method used by Storm botnet. It can be seen from the following screenshot that the IP address keeps changing frequently:

VirusTotal scan result of the malware can be found here. An automated analysis by ThreatExpert can be found here.

Fake eCard updates

noreply@blogger.com (swatkat) — Wed, 07 Jan 2009 19:50:00 +0000

Fake eCard spam mails continue to circulate even after the new-year excitement is settled down. As usual, these mails contain links to downloadable fake greeting cards that are generally named "card.exe" or "postcard.exe".

When executed, these malicious executables turn your PC into a zombie machine that becomes a part of Storm/Waledac botnet (more information can be found here and here).

Newer variants of fake eCard executables (hosted at http://topgreetingsite.com - do NOT visit that site! ) are not detected by many AVs as of now (as seen in VirusTotal scan here). An automated analysis of this file is available at ThreatExpert here.

SysProt AntiRootkit v1.0.0.8 released

noreply@blogger.com (swatkat) — Tue, 06 Jan 2009 17:49:00 +0000

A few key improvements were made in driver detection and disabling mechanisms, and hence here's the latest version of SysProt AntiRootkit :) The SysProt AntiRootkit v1.0.0.8 successfully detects and removes Zlob rootkits (TDSServ or Alureon family).

Similar to the steps followed in the case of GMER (as mentioned in the previous post), SysProt AntiRootkit requires two reboots to completely remove rootkit driver and its Registry entry. Following screenshots show SysProt AntiRootkit detecting Zlob rootkit driver and injected DLL:

Steps to remove Zlob rootkit driver:

Run SysProt AntiRootkit v1.0.0.8 and click "Kernel Modules" tab.
SysProt AntiRootkit shows rootkit/hidden drivers in red color. Click on the rootkit driver's entry and the click "Disable"
Reboot the PC
Repeat steps 1 to 3 (SysProt AntiRootkit will detect the same rootkit driver again)

Now, all the malicious files dropped by Zlob should be unrooted and hence "visible" to standard anti-malware scanners.

More information, changelog and download link for SysProt AntiRootkit v1.0.0.8 can be found at following locations:
MajorGeeks
Softpedia
SysProt AntiRootkit primary download page

Feedbacks are welcome :)

Zlob fake codec rootkit removal procedure

noreply@blogger.com (swatkat) — Wed, 31 Dec 2008 17:28:00 +0000

Lately there has been a rise in rootkit based Zlob fake codecs and video players. The rootkit belongs to TDSServ family, and is quite difficult to remove using standard anti-malware tools. Now, we will see how to remove these rootkit based Zlob malware. This removal procedure holds good for Zlob variants that drop kernel mode rootkits such as BrakePlayer, Moon-Player, TurboPlayer and Light-Track etc.

The removal process consists of three steps:

Removing rootkit driver file and its Registry entry
Removing other malware files dropped by Zlob installer
Removing stray "shell open command" entry (a.k.a malicious autorun.inf file)

Download the following tools and install them (do not run them as of now):

Removing rootkit driver file and its Registry entry:

Launch GMER.exe. As soon as GMER starts, it performs a preliminary system scan. If it finds any traces of rootkit, it will ask you to run a full PC scan. Click "No" for this prompt.
Now, click on "Rootkit/Malware" tab and then select only "Services" checkbox (deselect all other scan options). Click "Scan" button to start scan. An example is shown in screenshot below.
GMER should show the rootkit service after the scan. Right-click on that entry and click "Delete Service". Click "Yes" for the prompts that pop up. An example screenshot is shown below.
Reboot the PC.
Run GMER again and repeat steps 1, 2, 3 and 4 again (GMER will again detect the same rootkit service again).

Note: If GMER does not detect any rootkit in its preliminary system scan (in Step 1 above), then you may not have kernel-mode rootkit variant of Zlob (or GMER is not detecting it ;)). Proceed to the section below.

Update: Zlob rootkit driver can also be removed using SysProt AntiRootkit. More information can be found here.

Removing other malware files dropped by Zlob installer:

Run Malwarebytes' Anti-Malware (MBAM), click "Update" tab and then click "Check for updates" button to download latest malware database.
Once the update completes, click "Scanner" tab and select the "Perform full scan" option. Select all the hard disk partitions (C:\, D:\ etc) and then click "OK" to start scan.
Once the scan completes, remove all the malware that MBAM may report. An example screenshot is shown below.
Reboot the PC.

Removing stray "shell open command" (a.k.a malicious autorun.inf file):

Go to Start Menu > Search option to open Windows Search tool. Make Search to look in sytem/hidden folders and files. Finally, search for files named autorun.inf. An example screenshot is shown below.
These autorun.inf files contain few commands which instruct Windows Explorer to load a Zlob malware file (generally, %rootdrive%\resycled\boot.com) whenever a user double-clicks on drive icons. Delete all the autorun.inf files found in hard disk partitions (for ex: C:\, D:\ etc)
Reboot the PC.

Finally, run an online scan at F-Secure or TrendMicro to make sure that the PC is clean. Hopefully, the Zlob rootkit will be gone for good by this time!

Rogue security software video tutorials

noreply@blogger.com (swatkat) — Tue, 30 Dec 2008 18:15:00 +0000

This is really hilarious. It seems that the rogue software gang decided to improve OOBE of their software! They now have video tutorials at YouTube, which tell how to run online malware-scan and how to remove malware using their software for FREE! Check out these screenshots of the video:

Here are the links to some videos:
http://www.youtube.com/watch?v=jykJ1erupZ4
http://www.youtube.com/watch?v=FSQ0WpoyZJo

Video uploaders' profiles:
http://www.youtube.com/user/AntiVirusSpywareMalw
http://www.youtube.com/user/OkThisJustAnti

The webiste, www.antiviruson.com (89.111.176.21), mentioned in those tutorials redirects to another website that hosts System Security rogue application. Do NOT follow the steps told in those tutorials ;)

Zlob updates

noreply@blogger.com (swatkat) — Sun, 28 Dec 2008 17:35:00 +0000

Zlob gang does not seem to be in holiday mood. They are churning up more domains to spread their badware. Here are some of the new domains:

94.247.3.232
216.240.151.112
78.159.99.52
www.newdllsolution.com (92.241.163.90)
http://brakeplayer.net (94.247.2.183)

One of the site mentioned above, http://brakeplayer.net (94.247.2.183), hosts a fake media player installer called BrakePlayer. This installer actually installs a nasty kernel mode rootkit. Following screenshot shows the kernel mode hooks installed by rootkit driver:

The backdoor component of this rootkit establishes connection with a remote rogue server 85.255.112.188 (whois). VirusTotal scan results for the installer and rootkit driver files can be found here and here respectively.

Update: BrakePlayer removal procedure has been posted here. Hope that helps :)

New rogue: System Security

noreply@blogger.com (swatkat) — Fri, 26 Dec 2008 16:18:00 +0000

System Security is new rogue software. The installer is hosted at http://webnetworksecurity.com (91.211.64.31). Here's a screenshot of System Security:

VirusTotal scan results for the installer can be found here. BleepingComputer has a removal guide here.

Zlob updates

noreply@blogger.com (swatkat) — Mon, 22 Dec 2008 17:20:00 +0000

Here are some of the new Zlob trojan spreading domains:

http://vidzwares.com (92.241.163.90)
http://light-player.net (94.247.2.183)
http://fire-player.net (93.190.140.48)
http://downloadallsoft-now.com (94.247.3.228)
http://myprivatetubes09.net (91.208.0.221)

One of the Zlob variant (named wmpcdcs.exe, hosted at http://myprivatetubes09.net) uses Microsoft Windows Background Intelligent Transfer Service (BITS) to communicate with rogue servers to transfer data. Since BITS is a trusted Windows component, firewalls don't block it; making it easy for malware to download files from remote servers (info here and here). An automated analysis of this malware is available at ThreatExpert here.

Antivirus 360 featured in top PC magazines and antivirus certification labs!

noreply@blogger.com (swatkat) — Sun, 21 Dec 2008 11:54:00 +0000

No, we are not talking about Norton 360, which is a genuine security software. This is about Antivirus 360, one of the latest rogue security software (info here).

Now, gang responsible for Antivirus 360 has gone one step further! Their new site, http://anti-viruspcscanner.com (78.46.216.238), claims that Antivirus 360 has been rated as top antivirus solution by reputed websites like Computer Shopper, LAPTOP Magazine, PC Magazine, Computer Active, PC Advisor and CNET.

Apart from this, they also blatantly display Virus Bulletin, West Coast Labs Checkmark and ICSA Labs certifications, which are obviously fake!

All these fake recommendations and a deceptive name may lead an innocent PC user to download Antivirus 360 into his/her PC.

As per the site http://anti-viruspcscanner.com (78.46.216.238), the company responsible for Antivirus 360 is:

BOLZAR LIMITED Arch. Makariou III. 69. TLAIS TOWER. P.C. 1070. Nicosia, Cyprus.
Contact email: company@Antivirus360pro.com

And, it seems that BOLZAR LIMITED (http://bolzar.biz (216.195.62.169)) develops few other fake security software as well:
Antivirus Security - http://antivirussecurity-solution.com/ (89.149.255.191)
Antispyware32 - http://antispyware32.com/ (84.16.231.194)

VirusTotal scan result of Antivirus 360 is available here. An automated analysis of Antivirus 360 is available at ThreatExpert. Stay away from these rogues :)