We are tracking the trails of this fake "System Defragmenter" software since its first appearance last October 2010, and have warned our customers in our earlier post about this trojan software. In this follow-up post, we give an update including a new variant worth noting for our customers.

The fake system defragmenter family (FakeSysdef) is similar to rogue software in many ways, such as presenting forced installations, a polished user interface, false and annoying errors and a request (requirement) that users buy a license. This ultimately is the goal of the scammers – to extract money.

“Brands” or aliases
Common strategies of fake software include branding or use of different names and aliases, and this family is no different, releasing 2 or 3 rebranded variations every week. Many of them are listed in the table below, including the recent “WinScan” that we dissect in this post later on.

System Defragmenter Smart HDD Scanner
Check Disk Win Defragmenter Full Scan
Win HDD Win Defrag HDD Scan
HDD Plus Win Defragmenter HDD Diagnostics
HDD Low Quick Defragmenter HDD Repair
HDD Tools Smart Defragmenter Win Scanner
HDD Doctor HDD Defragmenter Quick Defrag
HDD Rescue Scan Disk HDD Fix
Disk Doctor HDD Control Memory Fixer
Disk Repair Hard Drive Diagnostic My Disk
Easy Scan Disk Ok Fast Disk
HDD Ok Disk Optimizer Memory Optimizer
Good Memory Memory Scan Windows Scan
Disk Recovery Win Disk WinScan

 

The Packers
FakeSysdef uses a few different packers. Figure 1 shows the custom-packer used by this rogue. FakeSysdef uses a relatively simple custom packer that in turn, uses an anti-emulation trick in its bid to thwart emulators.

Illustration of packing layer and obfuscation by FakeSysdef

Figure 1 – Illustration of packing layer and obfuscation by FakeSysdef

Perhaps, what is important to note about this packer is that it’s being used by other malware such as Rogue:Win32/Sirefef, Rogue:Win32/FakeRean, some variants of TrojanDownloader:Win32/Harnig and Rogue:Win32/Winwebsec and, recently, Rogue:Win32/FakeSpypro as well.  It is not uncommon for malware to share packers; identifying the packer can be sufficient to classify the packed file as malicious. (See “Standards and Policies on Packer Use”, our blog post about the use of “taggants” to identify a packer family).

The packer layer decrypts the code and copies the decrypted code to the newly allocated memory before jumping to the second layer, or the injector stub. The injector stub can be easily recognized by the starting code similar to that shown below:

The first two calls just get the base addresses of KERNEL32.DLL and NTDLL.DLL. With the base addresses in hand, the injector can now easily retrieve other needed APIs by parsing the DLL’s Export Address Table, including the RtlDecompress() API, to uncompress the embedded executable using COMPRESSION_FORMAT_LZNT1:

00A41D21                 push    edx             ; RtlDecompressBuffer
00A41D22                 mov     eax, [ebp+_NTDLL_]
00A41D28                 push    eax
00A41D29                 call    _getprocaddress
00A41D2E                 mov     [ebp+var_204], eax
00A41D34                 lea     ecx, [ebp+var_90]
00A41D3A                 push    ecx
00A41D3B                 mov     edx, [ebp+arg_0]
00A41D3E                 mov     eax, [edx]
00A41D40                 push    eax             ; CompressBufferSize
00A41D41                 mov     ecx, [ebp+arg_0]
00A41D44                 add     ecx, 4
00A41D47                 push    ecx             ; CompressedBuffer
00A41D48                 mov     edx, [ebp+arg_4]
00A41D4B                 push    edx             ; UncompressedBufferSize
00A41D4C                 mov     eax, [ebp+var_19C]
00A41D52                 push    eax             ; UncompressedBuffer
00A41D53                 push    COMPRESSION_FORMAT_LZNT1 ; Format
00A41D55                 call    [ebp+var_204]   ; RtlDecompressBuffer

The injector then fixes the PE image in memory after stuffing the now-decompressed code into the host’s own address space. Finally, it jumps to the final entry point of the malicious program, and begins the installation:

00A42957                 mov     [ebp+var_1C], 'A'
00A4295B                 mov     [ebp+var_1B], 'l'
00A4295F                 mov     [ebp+var_1A], 'l'
00A42963                 mov     [ebp+var_19], ' '
00A42967                 mov     [ebp+var_18], 'd'
00A4296B                 mov     [ebp+var_17], 'o'
00A4296F                 mov     [ebp+var_16], 'n'
00A42973                 mov     [ebp+var_15], 'e'
00A42977                 mov     [ebp+var_14], '.'
00A4297B                 mov     [ebp+var_13], 'C'
00A4297F                 mov     [ebp+var_12], 'a'
00A42983                 mov     [ebp+var_11], 'l'
00A42987                 mov     [ebp+var_10], 'l'
00A4298B                 mov     [ebp+var_F], 'i'
00A4298F                 mov     [ebp+var_E], 'n'
00A42993                 mov     [ebp+var_D], 'g'
00A42997                 mov     [ebp+var_C], ' '
00A4299B                 mov     [ebp+var_B], 'O'
00A4299F                 mov     [ebp+var_A], 'E'
00A429A3                 mov     [ebp+var_9], 'P'
00A429A7                 mov     [ebp+var_8], 0
:
00A429BD                 mov     edx, [ebp+arg_0]
00A429C0                 add     edx, [ecx+10h]
00A429C3                 mov     [ebp+_final_entry_point], edx
00A429C6                 mov     esp, [ebp+arg_8]
00A429C9                 xor     eax, eax
00A429CB                 mov     edi, [ebp+arg_14]
00A429CE                 mov     esi, [ebp+arg_10]
00A429D1                 mov     ebx, [ebp+arg_C]s
00A429D4                 jmp     [ebp+_final_entry_point]

New variant?
Earlier in February, we received an attention-getting new sample of FakeSysdef from a customer. At first we thought it was different malware, but looking closely and analyzing the sample, it was indeed a major modification to the FakeSysdef family.

For comparison, previous variants use the same interface and logo with an icon similar to a trojan horse:

Figure 2 – Various branding for FakeSysdef

Figure 2 – Various branding for FakeSysdef


This most recent FakeSysdef sample is using a new interface, though you can tell that it’s part of this family because the menu, texts and (fake) errors messages are still the same (see Figure 3):

 

Figure 3 – New FakeSysdef GUI

Figure 3 – New FakeSysdef GUI

The new variant is armored with a new shiny GUI and its scareware tactics are rather alarming and more aggressive, leaving the computer virtually useless until the user pays for the license to fix the bogus errors.

It is packed with UPX, a packer that is plain and simple without complex obfuscation that would make analysis more difficult. This is an indication that it’s in the early stages of development and still lacks emphasis on malware “hardening” intended to hide the malware from scanners and malware researchers alike.

The Loader
The main executable component arrives as an EXE file and acts as a loader. It first terminates the Internet Explorer process if found running. On computers running Windows Vista and later, it makes sure that it runs as an elevated privilege process. Then it drops a DLL file such as the following:

"C:\Documents and Settings\All Users\Application Data\aJnsgXnTGrqWD.DLL”

It injects the DLL to the specific process name EXPLORER.EXE. After a while, it starts to display a fake error message:

Figure 4 – Fake error message

Figure 4 – Fake error message

 

FakeSysdef injects the DLL file into processes (upon reboot) with the following registry change:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls, “AppSecDll” = "<DLL_PATH>"

The DLL code is kind of selective by only allowing itself to run under specific target processes, so it effectively injects itself only to Explorer.exe, Winlogon.exe and userinit.exe processes.  After injection, it tries to connect to a hardcoded URL, perhaps to phone home its affiliate ID for a pay-per-install scheme:

<site>/404.php?type=stats&affid=487&subid=new05&awok

As of this writing, the associated site “findcopper.org” and URL requested is no longer available.

Scaring the user
The DLL component creates a black BMP file on the fly based on the operating system (Productname) and service pack number queried from registry data, and sets the created BMP as the desktop background (see Figure 5). This BMP file is dropped in the Temporary files folder and will appear to be an authentic “Safe Mode” boot background which will be used later on after a forced reboot by the trojan.

FakeSysdef also disables the background tab options of the Windows desktop configuration to make sure that the new desktop background will not be altered, with the following registry modification:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop, “NoChangingWallPaper”=”1

It may terminate more active processes and will, finally, force the machine to reboot. Once rebooted, the malware begins its assault by showing a fake Windows boot failure error dialog box at the background, with the BMP created earlier on top of it, simulating Safe Mode:

Figure 5 – Fake Safe Mode and Windows Boot Failure dialog after reboot

Figure 5 – Fake Safe Mode and “Windows Boot Failure” dialog after reboot

This is followed by a disk diagnostics dialog that will request permission to diagnose the “disk problems”. Annoying disks and memory errors will pop-up to assert its presence and create more panic for the user. Eventually, the malware will offer a module to download and “fix” those errors. If the user doesn’t accept the fix, the malware will again reboot the computer and the process repeats itself again and again, until the user might just give up and allow the “fix” module to run.

The machine appears useless now and will not allow any application or program to be executed, leaving the hapless user seemingly no choice but to accept the fix and repair offered from the rogue authors (see Remediation at the end of this blog). Yes, that’s the scareware tactics.

The remainder of symptoms by this trojan variant are already similar to previous variants – before it fixes the errors, you need to activate the module by purchasing a software license from these malware makers. It opens a simple, custom browser showing a very legit-looking “secure and verified” webpage.

Rogue Call-back and Affiliate Sign In
This trojan family phones home to a remote website to record its installation stats such as how some other malware is installed and the affiliated ID, presumably for pay per install business transactions. This network communication and behavior makes it possible to write IDS/IPS signatures to detect and block its network activity. Our data shows that FakeSysdef has the following outbound connection string formats:

<website>.com/dfrg/dfrg
<website>.com/readdatagateway.php?type=stats&affid=<AFFID>&subid=<SUBID>&
<website>.com/customers/readdatagateway.php?type=stats&affid=<AFFID>&subid=<SUBID>&
<website>.com/404.php?type=stats&affid=<AFFID>&subid=<SUBID>&

Example URLs:

<website>readdatagateway.php?type=stats&affid=427&subid=01&version=5.0&adwareok
<website>/customers/readdatagateway.php?type=stats&affid=427&subid=02&version=5.0&installok
<website>/404.php?type=stats&affid=484&subid=t01&version=5.0&installok

Some of the sites contacted by this family include (edited):

<string>across.org
<string>finddivide.org
<string>findexchange.org

At least one of the sites involved allows the malware affiliate to log on as displayed below:

Figure 6 – Example of the affiliate logon portal

Figure 6 – Example of the affiliate logon portal

 

Remediation
There is a somewhat painless method to remove this trojan without giving in and paying the trojan. The basic steps are to start the computer in safe mode, delete the trojan DLL responsible as well as the scary bitmap wallpaper, then reboot and scan.

The DLL is identified by reviewing the registry data “<DLL_PATH>”:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
“AppSecDll” = "<DLL_PATH>"

The bitmap is stored as either “wall.BMP” or “<random>.BMP“ in the Temporary files folder. The trojan also sets a policy to prevent the user from modifying the desktop wallpaper via a registry setting named “NoChangingWallPaper”. Windows customers requiring additional help can get assistance from our online support site http://support.microsoft.com/ or via phone by calling 1-800-PC-SAFETY (1-800-727-2338).

Conclusion
Despite its simplistic approach, and with its recent code modifications, FakeSysdef tells us two things: (1) the malware authors are getting a reasonable amount of money from their operation, and (2) it seems we will be seeing more of this trojan in the coming months.  The hardcoded strings – Uniform Resource Identifier (URI), filenames, etc. -- suggest that the scammers are using a toolkit or builder to compile new releases.

Hopefully, you found this post helpful. MMPC will continue to track and haunt them until the game is over.

-- Rex Plantado, MMPC