Friday, June 26, 2015

Potentially Painful Programs Promising Pirated Products

A major source of PC compromise is not targeted APT campaigns or exploit kits, but users clicking on things they simply shouldn't. A common practice for adware and spyware writers is hosting large numbers of seemingly legitimate files that users will trust even though they come from an unknown source. Users know the trusted download locations for common packages like Flash Player or Skype, but when searching for pirated software or media, any link that promises results becomes a trusted source. ThreatLabZ has been monitoring a large campaign involving two well-known adware/spyware packages, namely OutBrowse and MultiPlug.

ThreatLabZ has observed filenames purporting to be popular software applications, PC games, movies, TV series, car repair guides, etc. being used to trick users into downloading and running spyware packages. Below is a sample list of filenames from this month:
  • Colin McRae Rally 2.0 Full Version - FullRip   Download Low Spec PC Games   RataMap   Download Low End PC Games.exe
  • adobe acrobat 8 standard serial number generator.exe
  • dell bluetooth headset bh200 driver.exe
  • Wii dance revolution.exe
  • Besiege Free Download Game.exe
  • Tropico Reloaded   Free Download PC Game Full Version.exe
  • Minecraft 1.8 Crack Full Free Download.exe
  • Dragon Ball Complete Series Episode1.exe
  • Home.2015.720p._-DL.MaZiKa2daY.CoM.mkv.exe
  • visual studio 2012 crack torrent.exe
  • LEXUS LS 460 user guide provided through
Once installed, the user is shown unsolicited advertisements and experiences a substantial increase in browser tracking activity. We noticed the cyber-criminals involved in these campaigns heavily leverage .info TLD domains as seen in the table below:

[Table: .info TLD domains used by the campaign, grouped by adware family. Only the family column survived: 13 domains, 9 attributed to MultiPlug Adware and 4 to Outbrowse Adware.]


The OutBrowse family authors leverage popular TV shows, software applications and trending news to deliver custom payloads that monitor the user's browsing activity. Their business model is to direct users to pay sites that provide various services.

Didn't I just download Tony Hawk Pro Skater2.Crack.CDKEY.exe?
The phone-home communication for OutBrowse also sends excessive information about the victim to the advertisers. This data often includes the system's MAC address, IP address, the versions of the browsers installed, and the machine GUID.

Data Collection from the victim's system.

OutBrowse beacons to several domains to share machine details and send aggressive advertisements. We have been monitoring this activity to the following domains for several months:
  • srv.dmdataserver[.]com
  • static.revenyou[.]com
  • srv.desk-top-app[.]info
Consistent traffic to known Outbrowse beacons

OutBrowse is normally found on the victim's machine by inspecting the user's temporary directory for suspicious files: C:\Documents And Settings\user\Local Settings\Temp\ on Windows XP, or %LOCALAPPDATA%\Temp (the %TEMP% variable) on Windows Vista and later. It is common for OutBrowse to install other bundled software packages as well. Users should check their autostart programs and Browser Helper Object (BHO) entries for software that looks suspicious.

OutBrowse installed MiniGet as a BHO and Context Menu entry in Internet Explorer


MultiPlug is another adware package that is installed as part of this campaign. The purpose of this package is to deliver a custom executable to the victim that leads to additional bundleware. After a successful MultiPlug infection, we noticed applications like LightningDownloader, SeekerFoobar, WeatherBug, and EasyAutoRefresh being dropped on the victim machine.

Silent Installers seen to download additional adware packages.
Once MultiPlug is installed, it starts downloading and installing additional packages in the background while displaying unsolicited advertisements.

A common location-targeted advertisement seen from a package installed by MultiPlug
Highly aggressive advertisements attempting to lead the victim to buying software.

The best way to remediate this infection is to review all installed programs through the Windows Control Panel; odds are good that MultiPlug installed several unwanted packages. Once this is done, users should review the scheduled task files in the C:\WINDOWS\Tasks\ directory for anomalous entries. Installed Browser Helper Objects should also be checked using tools such as HijackThis or X-RayPC.

ThreatLabZ has been closely monitoring these campaigns for the past few months and the trend shows no sign of slowing down as seen in the time chart below:

Several sites are phishing users with the promise of illegally obtained content

The bulk of these attacks are hosted in the United States.

The moral of this story is to not trust seemingly legitimate content if you are attempting to obtain it illegally. Users show a distinct lapse in judgment when they believe the desired content is available for free. We recommend not attempting to pirate content and simply paying for the media desired.

Thursday, June 11, 2015

Gamarue dropping Lethic bot

The Gamarue (aka Andromeda) botnet is a highly modular botnet family that allows attackers to take complete control of an infected system and perform a range of malicious activity by downloading additional payloads. In this blog, we will cover a recent Gamarue infection that we looked at, which downloads and installs the Lethic bot on an infected system.

The Lethic botnet has been involved in pharmaceutical and replica spam since its inception, as detailed by Arbor Networks. Neither botnet is new, and both have survived takedown attempts by authorities. In our case the Gamarue infection led to the download of the Lethic bot from the following URLs:

Lethic Bot URLs
(MD5: F909BE6B96C10E36F3C5B9E676F49C7E)

During our analysis, we noticed that the Gamarue and Lethic payloads involved in this infection were both packaged using the same custom packer. Below is the comparison of the code snippet from the packer routine:

Quick Analysis of Lethic bot 

The payload first checks the current running path. If the path does not contain “RECYCLER\S-1-5-21-0243556031-888888379-781862338-1861771”, it will create a new folder in “C:\RECYCLER” with a name of “S-1-5-21-0243556031-888888379-781862338-1861771” and then drops a copy of itself with the name “gBvhieXlS1.exe”. It also changes the attributes of the file to make it a system and hidden file.

Creating Path For Dropping File

It then creates "Run" and "RunOnce" registry values named "fBvhieXlS1" under the following keys:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
RunOnce Key Created
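As an added example, not part of the original post and not ThreatLabZ tooling, the script below applies the checks recommended in the OutBrowse/MultiPlug post above (autostart entries, Browser Helper Objects, the Tasks folder) and the Lethic persistence just described to an Autoruns-style CSV export. The export, its column names and the "suspicious" heuristics are assumptions chosen for illustration; the rows are constructed, not captured from an infection, and only reuse the RECYCLER path and value name from this analysis.

```python
import csv
import io
import re

# Constructed Autoruns-style export (not real data). The Lethic rows reuse the
# RECYCLER path and registry value name from the analysis above.
SAMPLE_AUTORUNS_CSV = r"""Entry Location,Entry,Image Path
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,fBvhieXlS1,C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1861771\gBvhieXlS1.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce,fBvhieXlS1,C:\RECYCLER\S-1-5-21-0243556031-888888379-781862338-1861771\gBvhieXlS1.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,OneDrive,C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects,MiniGet,C:\Documents and Settings\user\Local Settings\Temp\miniget.dll
Task Scheduler,\Update,C:\WINDOWS\Tasks\updater.exe
"""

# Heuristics (assumptions, not vendor signatures): nothing legitimate should
# autostart from the recycle bin, from a user's Temp directory, or from the
# folder that holds scheduled-task .job files.
RECYCLER_SID_DIR = re.compile(r"\\RECYCLER\\S-1-5-21-[0-9-]+\\", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(Local Settings\\Temp|AppData\\Local\\Temp)\\", re.IGNORECASE)
TASKS_DIR = re.compile(r"\\WINDOWS\\Tasks\\", re.IGNORECASE)


def _run_key_name(location: str) -> str:
    """Return 'run', 'runonce' or '' for a registry entry location."""
    tail = location.lower().rsplit("\\", 1)[-1]
    return tail if tail in ("run", "runonce") else ""


def triage(csv_text: str) -> list:
    """Return one finding per suspicious row: entry, location, image, reasons."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    # Record which of Run / RunOnce each (value name, image) pair appears under,
    # so the Lethic habit of registering the same binary under both is visible.
    run_keys = {}
    for row in rows:
        key = _run_key_name(row["Entry Location"])
        if key:
            run_keys.setdefault((row["Entry"], row["Image Path"].lower()), set()).add(key)

    findings = []
    for row in rows:
        image = row["Image Path"]
        reasons = []
        if RECYCLER_SID_DIR.search(image):
            reasons.append("executable under a RECYCLER SID folder")
        if TEMP_DIR.search(image):
            reasons.append("autostart from a user Temp directory")
        if TASKS_DIR.search(image):
            reasons.append("binary stored inside the Tasks folder")
        if run_keys.get((row["Entry"], image.lower()), set()) >= {"run", "runonce"}:
            reasons.append("same binary in both Run and RunOnce")
        if reasons:
            findings.append({"entry": row["Entry"], "location": row["Entry Location"],
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUTORUNS_CSV):
        print(f"{f['entry']:<12} {f['image']}\n    " + "; ".join(f["reasons"]))
```

On a real machine the same rules can be run over an Autoruns export (autorunsc -a * -c) or over the output of Get-ItemProperty on the Run keys; the point of the example is that the path a binary launches from is usually a stronger signal than its name, since the names here are random.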

Remote Process Injection

Depending on the system CPU architecture, it utilizes one of these two methods to inject itself into explorer.exe:
  • For a 32-bit CPU architecture, it attempts to get the handle to the existing explorer.exe process and injects a malware module into it. It executes the injected code by calling “CreateRemoteThread” and terminates itself.
  • For a 64-bit CPU architecture, it creates a new explorer.exe process in suspended mode and then injects the malicious code into it. It follows this method if the processor architecture is x64 (AMD or Intel) or Intel Itanium-based. 

The following screenshot shows the instructions that the payload uses to identify the correct path to the explorer.exe file, taking into account both 32-bit and 64-bit versions of the Windows Operating System:

Function to get the path of explorer.exe

Network communication

The Lethic bot connects to a predetermined Command and Control (C&C) server on TCP port 9900. We noticed several failed connection attempts before a successful connection to the C&C server; we believe this is the malware author's attempt to evade automated analysis systems. Shown below is a snapshot of the network communication:

Command from C&C server

Lethic bot uses the infected machine as an SMTP proxy, as is evident in the network communication below:
SMTP proxy traffic
The Gamarue and Lethic malware families have both survived takedown attempts and continue to be active in the wild. ThreatLabZ is actively monitoring these two malware families and ensuring coverage for our customers.

Analysis by:  Amandeep Kumar and Nirmal Singh

Thursday, June 4, 2015

Signed CryptoWall 3.0 variant delivered via MediaFire


Ransomware has evolved immensely over the past few years, with CryptoLocker being the groundbreaking strain that reaped huge profits for cybercriminals. According to a report in December 2013, the CryptoLocker authors collected 27 million USD worth of bitcoins from their victims over a period of three months. Given the success enjoyed by CryptoLocker, it's not surprising that many copycat variants, including CryptoWall, emerged in the wild starting in late 2013.

CryptoLocker suffered a major setback and the number of infections were reduced to nearly zero post Operation Tovar. This gave way to a worthy successor in CryptoWall, which has since evolved into one of the nastiest and most successful strains of Ransomware in the wild today.

The following are some of the notable features responsible for the success enjoyed by CryptoLocker and CryptoWall variants:
  • Asymmetric (public-key) encryption of user documents, so that recovery without the attacker's private key is infeasible
  • Holding user files hostage with a timer that increases the ransom amount over time
  • Ransom collected in bitcoins or as pre-paid cash vouchers
  • Usage of anonymizing networks like Tor and I2P

Recent 'crypt4' campaign - CryptoWall 3.0

CryptoWall has been known to arrive via spammed e-mail attachments, exploit kits and drive-by downloads. Recently, we started seeing a new campaign involving multiple signed CryptoWall 3.0 samples in our Cloud Sandboxes being downloaded from a popular file hosting service, MediaFire.

A quick Open Source Intelligence (OSINT) search led us to an e-mail campaign in which the attachment is a Microsoft Compiled HTML Help (CHM) file that leads to the download and execution of the latest CryptoWall 3.0 variant hosted on MediaFire. The CHM file downloads and executes the CryptoWall executable from a hardcoded MediaFire location, as seen in the screenshot below:

Malicious CHM file - Extracted HTML code

Some of the file names we have seen in this campaign:
  • IPv6_updater.exe
  • IPv4_updater.exe
  • flashplayer17_ga_install.exe
Analysis of the new variant

The CryptoWall 3.0 payloads that we saw getting downloaded as part of this campaign were all signed by a valid certificate belonging to MDG Advertising as seen in the screenshot below:

Valid MDG Advertising certificate used to sign CryptoWall 3.0

The malware performs the following file system changes to ensure persistence:
  • Dropped files
%USER%\APPDATA\7cc6cc79.exe [random alphanumeric name]
%USER%\Start Menu\Programs\Startup\7ddfa86e.exe [random alphanumeric name]
  • Registry entry
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run dd574bd = "%USER%\APPDATA\7cc6cc79.exe"
It also deletes the original copy of itself.

The malware then attempts to connect to the Command & Control (C&C) server to report the infection via a POST request as seen below:

C&C communication - Register infection

It uses RC4 encryption for the data being sent in the POST request. The original data is of the format
- "crypt4" string represents the Campaign ID
- "UniqueMD5Hash" is calculated from the Computer Name, Volume Serial Number, Processor and OS information
The RC4 key is generated by doing a simple alpha-numeric sort on a string stored inside the binary, as seen in the screenshot below. The unsorted RC4 key is also sent as part of the POST request, so anyone who captures the request can sort that value and decrypt the body.

RC4 Key encrypted POST request to C&C server
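The key derivation and beacon described above, as an added example that is neither CryptoWall's code nor ThreatLabZ's: a standard RC4 implementation, the sorted-string key derivation, and the decryption a defender can perform on a captured request. The character ordering used by sorted(), the '|'-joined body layout and the field concatenation inside machine_id are assumptions (the post names the inputs, not their exact layout), and all sample values are constructed.

```python
import hashlib
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Standard RC4: key-scheduling algorithm followed by the PRGA."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric, so the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def derive_rc4_key(unsorted_key: str) -> bytes:
    """Sort the characters of the key string shipped in the request.

    Assumption: a plain code-point sort (digits, then upper case, then lower
    case), which is the simplest reading of the "alpha-numeric sort" above.
    """
    return "".join(sorted(unsorted_key)).encode("ascii")


def machine_id(computer_name: str, volume_serial: str, processor: str, os_info: str) -> str:
    """MD5 over the fields the post lists. The concatenation order is a
    hypothetical choice; the page names the inputs, not their layout."""
    raw = f"{computer_name}{volume_serial}{processor}{os_info}".encode()
    return hashlib.md5(raw).hexdigest().upper()


def build_beacon(unsorted_key: str, campaign_id: str, unique_md5: str) -> dict:
    """Encrypt a registration body the way the client would. The '|'-joined
    body is a constructed layout standing in for the real wire format."""
    body = f"{campaign_id}|{unique_md5}".encode()
    return {"key": unsorted_key, "body": rc4(derive_rc4_key(unsorted_key), body).hex()}


def decrypt_beacon(beacon: dict) -> str:
    """What a defender can do with a captured request: sort the transmitted
    key and recover the plaintext."""
    plain = rc4(derive_rc4_key(beacon["key"]), bytes.fromhex(beacon["body"]))
    return plain.decode()


if __name__ == "__main__":
    # Constructed sample values, not taken from a real infection.
    beacon = build_beacon("k3Zp9aQm1x", "crypt4",
                          machine_id("WKSTN-01", "1A2B3C4D", "Intel64 Family 6", "Windows 7 SP1"))
    print(beacon)
    print(decrypt_beacon(beacon))  # starts with "crypt4|"
```

Because the unsorted key travels with the request, anyone holding a packet capture can decrypt the beacon exactly as decrypt_beacon does; the "encryption" hides the campaign ID and machine hash from casual inspection only, not from a network sensor that knows the sort rule.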

The malware then performs another POST request; the response, also RC4-encrypted, contains the Tor domain and the public key to use for encrypting the victim's files. The Tor domain is used for the decryption instructions. The screenshots below show the original communication and the decrypted response:

C&C communication - Requesting Public Key

C&C communication - Decrypted response with public key

Upon successful encryption of the files on the victim machine using the public key, it reports back the number of files that were encrypted to the C&C server. The information collected by the C&C server is leveraged to present a more personalized decryption instruction page that includes user's operating system, public IP address, and the number of files encrypted as seen below.

Personalized ransom payment page
The ransom amount requested in our case was $500 USD and to prove authenticity, the malware authors also offer the victim a "Decrypt 1 file for FREE" option, which is limited to a 512 kilobyte file.

Below is the geo distribution of the CryptoWall C&C servers we observed in the past week:

CryptoWall C&C servers

CryptoWall C&C country distribution

Compromised WordPress sites used for C&C communication

We are also seeing an increase in the number of compromised WordPress sites being used for CryptoWall C&C communication. Below are some of the locations where the malicious scripts are being hosted on these servers:
  • /wp-content/plugins/revslider/temp/update_extract/
  • /wp-content/uploads/wpallimport/uploads/
  • /wp-content/themes/pptitan/
You can get the full list of the compromised WordPress sites that we have observed in the past week here.


CryptoWall remains a potent threat to enterprises and individual users alike. Traditional antivirus applications continue to struggle against this nasty strain of ransomware: once the infection has succeeded and the files are encrypted, there is very little AV vendors can do, even by adding signatures reactively. A hybrid, multi-layered security approach is required to counter this threat.

Taking regular backups remains the most effective countermeasure against ransomware, provided the backup copies are kept offline or otherwise out of reach of the infected machine, since any writable share or attached drive will be encrypted along with the local files.

Deepen Desai & Avinash Kumar

Monday, June 1, 2015

More Porn clicker malware masquerading as Dubsmash on Google Play store


Dubsmash is a mobile app to create short "selfie" videos dubbed with famous sounds. It is extremely popular and is currently ranked #10 under Top free Android apps. The users of this app include many well known celebrities who eventually post the dubbed videos on popular social networking platforms like Facebook and Twitter.

The popularity of this app has caught the attention of the malware authors too, which is evident with a string of Trojan Porn Clicker apps disguised as Dubsmash posted on the Google Play Store in the past month (covered in ESET and AVAST blogs). The malicious apps mentioned in those blogs were quickly taken down by Google. However, we continue to see newer variants of the same malware family being uploaded to the Google Play store with the latest one posing as Dubsmash V3.

Google Play - Trojan Porn Clicker app
Although the malicious app poses as Dubsmash, the icon that the user sees upon installation imitates Settings, Memory Game, or a Flappy Bird app. The newest iteration of this malicious app has already been downloaded nearly 5,000 times.

Fake App Icon
The malware automatically removes the icon once the user quits the application for the first time, however it continues to run in the background as seen below.
Porn Clicker Process

Porn Clicker analysis

The purpose of this malware is to generate revenue for the malware author by generating clicks on adult websites. While it is good news that the user's credentials and sensitive information are not being stolen, the app can still cause financial loss for end users through increased mobile data usage.

The Porn Clicker variants described in the previous blogs involved hardcoded, encrypted porn URLs in the malicious APK, whereas we are now seeing the newer variant dynamically retrieving the porn URLs from a remote server.

Clicking activity
The malicious app in our case contained two hardcoded URLs shown in the screenshot below:
Porn Clicker remote servers
Preconfigured URLs:
  • memr[.] - The malicious app will get a new porn URL to visit from this location.
  • memr[.] - This location currently serves JavaScript code that will result in a random click on the porn site that gets visited by the app.
Screenshots below show the porn URLs that are dynamically retrieved by the malicious app from the first location.
Porn URL1

Porn URL2

Porn URL3
JavaScript leveraged by the malicious app from a remote location to perform click fraud is shown in the screenshot below.

JavaScript - Random Click
It appears that the malware author keeps uploading and removing the same app on the Google Play store under different accounts. During the course of this write up, we saw the following two variations:

  • Dubsmash V3 [Package name: com.memr.gamess] - has been removed
  • Dubsmash 2    [Package name: com.jet.dubsh] - still active


The first variant of the Porn Clicker app masquerading as Dubsmash was reported in April, 2015 and it is concerning to see newer variants of the same malware slipping through Google's app vetting process even today.  The malware authors are still targeting Dubsmash as a disguise to trick end users into downloading the malicious app.

It is highly recommended for users to check the reviews & ratings of the apps, even when downloading them from official Google Play store. If you are infected with such an app, you can delete it by going to Settings >Apps > (AppName).

Write-up by: Viral Gandhi & Deepen Desai

Thursday, May 28, 2015

Android Ransomware - Porn Droid

Recently, we came across a new variant of Porn Droid - an Android ransomware variant claiming to be from the FBI, which accuses people of watching child porn and then demands a fine of USD 500.

File information:
  • Dropped URL : hxxp://sbqujqosyw[.][.]apk
  • MD5 : 857b887982f11493b4a1db953161e627
  • Virustotal Detection : 5/56
It initially appears to the user as if they are downloading a pornographic video, but once the user opens the file, it masquerades as a Google patch update and tricks the user into installing the application.
Disguise as patch application
After clicking "Continue", the malware asks for administrator access to the device requesting permissions such as "Erase all data", "Set storage encryption", "Change the screen-unlock password" as shown in screenshot below.
Admin access
Once the user clicks on the "ACTIVATE" button, the malware gets administrator control of the device and locks it while displaying a fake FBI warning as seen below. It locks the user's phone by disabling keyguard and sets top priority for the malware application which ensures that no other application or user activity can override the malware application's activity.

FBI warning message
FBI warning - Payment tab
FBI warning screen with user information
The FBI warning screen also contains dynamic information relevant to the infected device such as the browser history, IMEI number, phone number and victim's picture, which has been taken by the malicious app. This is done to intimidate the end user as a warning message suggests that the information will be used by the FBI to identify the user if the fine is not paid.

Porn Droid Static Analysis

The screenshot below shows the malicious app accessing the browser history and bookmarks to display on the ransom screen. 

Browser history
It then appends the hard coded fake FBI warning message asking for ransom.

Ransom screen text code
The code below shows the malware author's attempt to evade string pattern matching based antivirus (AV) heuristic detection by leveraging a string concatenate function. This is one of the reasons why this sample has a very low (5/56) AV detection rate at the time of our analysis.

"concate" usage to evade AV detection
Another notable capability of this mobile ransomware, one that we more commonly see in PC malware, is checking for the presence of installed AV applications such as ESET, Avast and DrWeb. It then attempts to terminate any AV applications it identifies.

AV Application check & terminate
In order to stay active on the screen and lock out the phone, it disables the keyguard so the user cannot exit the application.

Disable keyguard
We also observed the following commands that the malicious app may receive from a remote server:
  • destroy - wipe all user data
  • unlock - deactivate the Admin access and unlock the device
The app is also capable of taking pictures using the front facing camera  that it can then display on the ransom screen:

Front facing camera picture
The malware's Command & Control (C&C) server information is hardcoded in the configuration class as seen below.

Bot configuration
C&C message parameters
  • Server :  ""
  • URI:  "/pafumokat/bloqyxpn.php"
  • paramString1 : random number in the range of 1 to 3 
  • paramString2 :  String made of BotID, network, location, phone number, bot version, SDK.
  • paramString3 : "Protection"
  • paramString4 : "Bot"
Below is a sample C&C POST request that we captured during our analysis:

C&C request
The best way to avoid such malware is to stick with installing Android apps only from 'official' app stores such as Google Play or the Amazon Appstore.

Tuesday, May 26, 2015

Machine Translators May Leak Confidential Information

One challenge for enterprises dealing with confidential information in conjunction with cloud-based systems is that they must exercise due diligence to ensure that it remains confidential. The steps are beyond the scope of a technical blog, but generally it involves making sure that everyone processing the confidential information understands that it is sensitive and has agreed to protect it.

For cloud services like Enterprise Resource Planning (ERP), Human Resources, Video Conferencing and so on, the confidentiality issues are very well understood, but there are exceptions like machine translation. When we think of data leaks, we rightly look primarily to malicious software (worms, viruses, customized zero-days from Advanced Persistent Threats (APTs), etc.) when seeking to prevent confidential data from leaving a network.

Machine translation tools are an interesting member of the “other” category of legitimate tools that can result in confidential data leaks without malicious intent from user or developer. Machine translation tools range from simple web sites like “youdao” pictured above or Google Translate, where it is pretty clear that information is leaving, up to integrated desktop applications, where the movement of data is not nearly as obvious.

The Youdao Dictionary application is installed and operates like any other desktop application, except that the translation engine is remote and the application sends its lookups in plain text via insecure HTTP GETs. Because the translation tool is an application running on the user's PC, the person using it is less likely to realize that they are leaking information: it appears that their computer is doing the translation, not a web site.

In the above dissection of a URL retrieved by the tool, we see the word "information" being queried in the "q" field, but it could just as well be that someone isn't entirely sure what "Лечение герпеса Боба Джонса не будет хорошо" means, and would highlight it and click translate. That act results in the application generating something similar to the plaintext query above, except with that chunk of Russian. The user will then learn that the string translates to "Bob Jones' herpes treatment is not going well." Unfortunately, the request and the translation are transferred in plaintext form, which can be learned by passive interception.

The application that we use as an example is from Youdao (有道), a major Chinese Internet company that, according to Wikipedia, ships both an offline and a free online version of their translation tool. Through some limited experimentation, Youdao's site does seem to support the same functionality over the more secure, encrypted HTTPS protocol. We have observed insecure communication in the wild for versions ranging from 2.2.16 to 5.4.43, but it would be unfair to discuss the tool without looking at the latest version. The latest version of the Youdao tool we could find was downloaded and tested on a Windows 7 machine, and there was no significant difference in behavior.

Our test version also makes use of plaintext (HTTP) communication by default and appears to automatically translate whatever word is near the mouse pointer, whenever it stops moving, between Chinese and English. It also has an option where a small button appears that you can click (or hover over) to translate a highlighted piece of text. Having used the program, it is easy to imagine why this tool is popular with users who need to translate between Chinese and English. In addition to the translation features, it also keeps users from being bored by providing extra advertisements.

What the tool provides in features, it definitely does not provide in security – while it works as intended and does not appear to be up to anything overtly nefarious, it still sends all the translation requests via the insecure HTTP protocol to a back-end server where the translation takes place.


The conclusion for customers is simple: translation software might send data to networks / systems outside your realm of control – if it does, then exactly as would be the case for a cloud-based ERP or Human Resources system, it is important to know where it goes, how it gets there, and that the third parties processing the information do so in a manner that is compatible with your organization's policies and contractual obligations. Given that the messages to be translated are sent in clear text, anyone on the same network could easily intercept the communication by sniffing network traffic. Translated content could range from benign phrases to highly sensitive information.

Questions to which we do not yet have answers, like whether the translation can be “paused,” if HTTPS can be enabled through configuration, if Youdao's privacy policy prevents disclosure, if any HTTPS functionality is implemented securely, etc. should be answered before deploying YoudaoDict or similar cloud-based translation tools in a confidential setting. Naturally, we would recommend to Youdao that they at least make use of HTTPS by default in future releases of their software, due to the risk of inadvertently disclosing their users' confidential information.


The following experiment was performed to verify whether traffic is still passed in plaintext HTTP GET requests, as it was in previous versions. The setup is a fake letter being written in notepad by an associate at the law firm of Nerd, Geek, and Spaz, LLP, who are defending a client who is being sued for some reason…

When the two lines were highlighted, a little blue book popped up and hovering over the book results in a translation being executed. That translation is actually performed on a remote server and the following URL is visited by the software:

For convenience, we look at the same URL after decoding it and converting to pretty-printed JSON:

{
    "username": null,
    "netloc": "",
    "vars": {
        "appZengqiang": "0",
        "vendor": "unknown",
        "fytype": "AUTO",
        "keyfrom": "deskdict.screentrans.http.0.stroke",
        "dogVersion": "1.0",
        "pos": "-1",
        "doctype": "xml",
        "q": "Bill%20Jones%20is%20getting%20sued%20for%20some%20really%20embarassing%0D%0Aporn%20that%20was%20found%20on%20his%20work%20computer.%20%20Please%20advise",
        "le": "eng",
        "appVer": "",
        "client": "deskdict",
        "in": "YoudaoDict",
        "xmlVersion": "3.2",
        "proc": "notepad.exe",
        "id": "8bba3b7bdf465c61b",
        "scrfrom": "stroke"
    },
    "fragment": "",
    "scheme": "http",
    "hostname": "",
    "params": "",
    "query": "keyfrom=deskdict.screentrans.http.0.stroke&q=Bill%20Jones%20is%20getting%20sued%20for%20some%20really%20embarassing%0D%0Aporn%20that%20was%20found%20on%20his%20work%20computer.%20%20Please%20advise&pos=-1&doctype=xml&xmlVersion=3.2&dogVersion=1.0&client=deskdict&id=8bba3b7bdf465c61b&vendor=unknown&in=YoudaoDict&appVer=",
    "path": "/fsearch",
    "password": null,
    "port": null
}

We can see the variables broken apart more easily in the JSON version, and the sentence from our screenshot is clearly visible with "%20" replacing the spaces and "%0D%0A" replacing the end of line. When decoded, the following is the result:

Bill Jones is getting sued for some really embarassing
porn that was found on his work computer.  Please advise

This is the exact content of the highlighted region of the Notepad application. Clearly, the fact that the firm cannot spell "embarrassing" correctly could put some egg on their face, making this a potentially very damaging leak. The tool also passes information about the application the translated text came from (which is indeed "notepad.exe"), version numbers, affiliate identifiers (for companies distributing the program, presumably to share in ad revenues) and other miscellaneous information.
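As an added example, written for this write-up and not part of Youdao's software or the original post, the Python below breaks a captured deskdict lookup URL into the fields a reviewer would want (scheme, the decoded text, the originating process, the install identifier) and then scans a constructed proxy log for lookups sent over plain HTTP. The hostname in the sample URL is a placeholder, since the captured one is not reproduced above, and the proc=notepad.exe parameter is added from the decoded "vars" listing; the log lines are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed request URL. The query string is the one captured above; the
# hostname is a placeholder and proc=notepad.exe is taken from the decoded
# listing rather than the raw query.
SAMPLE_URL = (
    "http://translation-backend.example/fsearch"
    "?keyfrom=deskdict.screentrans.http.0.stroke"
    "&q=Bill%20Jones%20is%20getting%20sued%20for%20some%20really%20embarassing"
    "%0D%0Aporn%20that%20was%20found%20on%20his%20work%20computer.%20%20Please%20advise"
    "&pos=-1&doctype=xml&xmlVersion=3.2&dogVersion=1.0&client=deskdict"
    "&id=8bba3b7bdf465c61b&vendor=unknown&in=YoudaoDict&appVer=&proc=notepad.exe"
)

# Constructed proxy log (one URL per line) mixing the leaky request with an
# HTTPS lookup and unrelated browsing; not real data.
SAMPLE_PROXY_LOG = "\n".join([
    SAMPLE_URL,
    "https://translation-backend.example/fsearch?client=deskdict&q=hello&proc=WINWORD.EXE",
    "http://www.example.com/index.html",
])


def _first(qs: dict, name: str) -> str:
    """First value of a query parameter, or '' when absent."""
    return qs.get(name, [""])[0]


def audit_translation_request(url: str) -> dict:
    """Break a deskdict lookup URL into the fields a DLP reviewer cares about.

    parse_qs undoes the %20 / %0D%0A encoding, so 'text' is exactly what the
    user highlighted, line breaks included.
    """
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    return {
        "plaintext": parts.scheme.lower() == "http",  # readable by anyone on the path
        "host": parts.hostname,
        "text": _first(qs, "q"),                     # the highlighted text itself
        "source_process": _first(qs, "proc"),        # application it was taken from
        "client": _first(qs, "client"),
        "install_id": _first(qs, "id"),
        "keyfrom": _first(qs, "keyfrom"),
    }


def find_plaintext_lookups(log_text: str) -> list:
    """Return audits for every deskdict lookup that left the host over plain HTTP."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("http"):
            continue
        audit = audit_translation_request(line)
        if audit["client"] == "deskdict" and audit["plaintext"]:
            hits.append(audit)
    return hits


if __name__ == "__main__":
    for hit in find_plaintext_lookups(SAMPLE_PROXY_LOG):
        print(f"{hit['source_process']} -> {hit['host']} (install {hit['install_id']})")
        print(hit["text"])
```

Run against a real proxy or IDS export, the same two functions give an inventory of which workstations, which source applications and how much text are leaving over HTTP; the install identifier and keyfrom fields let you separate distinct installs and distribution affiliates without ever needing the translated content itself.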