We are tracking the trails of this fake "System Defragmenter" software since its first appearance last October 2010, and have warned our customers in our earlier post about this trojan software. In this follow-up post, we give an update including a new variant worth noting for our customers.
The fake system defragmenter family (FakeSysdef) is similar to rogue software in many ways, such as presenting forced installations, a polished user interface, false and annoying errors and a request (requirement) that users buy a license. This ultimately is the goal of the scammers – to extract money.
“Brands” or aliases
Common strategies of fake software include branding or use of different names and aliases, and this family is no different, releasing 2 or 3 rebranded variations every week. Many of them are listed in the table below, including the recent “WinScan” that we dissect in this post later on.
| System Defragmenter |
Smart HDD |
Scanner |
| Check Disk |
Win Defragmenter |
Full Scan |
| Win HDD |
Win Defrag |
HDD Scan |
| HDD Plus |
Win Defragmenter |
HDD Diagnostics |
| HDD Low |
Quick Defragmenter |
HDD Repair |
| HDD Tools |
Smart Defragmenter |
Win Scanner |
| HDD Doctor |
HDD Defragmenter |
Quick Defrag |
| HDD Rescue |
Scan Disk |
HDD Fix |
| Disk Doctor |
HDD Control |
Memory Fixer |
| Disk Repair |
Hard Drive Diagnostic |
My Disk |
| Easy Scan |
Disk Ok |
Fast Disk |
| HDD Ok |
Disk Optimizer |
Memory Optimizer |
| Good Memory |
Memory Scan |
Windows Scan |
| Disk Recovery |
Win Disk |
WinScan |
The Packers
FakeSysdef uses a few different packers. Figure 1 shows the custom-packer used by this rogue. FakeSysdef uses a relatively simple custom packer that in turn, uses an anti-emulation trick in its bid to thwart emulators.
Figure 1 – Illustration of packing layer and obfuscation by FakeSysdef
Perhaps, what is important to note about this packer is that it’s being used by other malware such as Rogue:Win32/Sirefef, Rogue:Win32/FakeRean, some variants of TrojanDownloader:Win32/Harnig and Rogue:Win32/Winwebsec and, recently, Rogue:Win32/FakeSpypro as well. It is not uncommon for malware to share packers; identifying the packer can be sufficient to classify the packed file as malicious. (See “Standards and Policies on Packer Use”, our blog post about the use of “taggants” to identify a packer family).
The packer layer decrypts the code and copies the decrypted code to the newly allocated memory before jumping to the second layer, or the injector stub. The injector stub can be easily recognized by the starting code similar to that shown below:
The first two calls just get the base addresses of KERNEL32.DLL and NTDLL.DLL. With the base addresses in hand, the injector can now easily retrieve other needed APIs by parsing the DLL’s Export Address Table, including the RtlDecompress() API, to uncompress the embedded executable using COMPRESSION_FORMAT_LZNT1:
00A41D21 push edx ; RtlDecompressBuffer
00A41D22 mov eax, [ebp+_NTDLL_]
00A41D28 push eax
00A41D29 call _getprocaddress
00A41D2E mov [ebp+var_204], eax
00A41D34 lea ecx, [ebp+var_90]
00A41D3A push ecx
00A41D3B mov edx, [ebp+arg_0]
00A41D3E mov eax, [edx]
00A41D40 push eax ; CompressBufferSize
00A41D41 mov ecx, [ebp+arg_0]
00A41D44 add ecx, 4
00A41D47 push ecx ; CompressedBuffer
00A41D48 mov edx, [ebp+arg_4]
00A41D4B push edx ; UncompressedBufferSize
00A41D4C mov eax, [ebp+var_19C]
00A41D52 push eax ; UncompressedBuffer
00A41D53 push COMPRESSION_FORMAT_LZNT1 ; Format
00A41D55 call [ebp+var_204] ; RtlDecompressBuffer
The injector then fixes the PE image in memory after stuffing the now-decompressed code into the host’s own address space. Finally, it jumps to the final entry point of the malicious program, and begins the installation:
00A42957 mov [ebp+var_1C], ‘A’
00A4295B mov [ebp+var_1B], ‘l’
00A4295F mov [ebp+var_1A], ‘l’
00A42963 mov [ebp+var_19], ‘ ‘
00A42967 mov [ebp+var_18], ‘d’
00A4296B mov [ebp+var_17], ‘o’
00A4296F mov [ebp+var_16], ‘n’
00A42973 mov [ebp+var_15], ‘e’
00A42977 mov [ebp+var_14], ‘.’
00A4297B mov [ebp+var_13], ‘C’
00A4297F mov [ebp+var_12], ‘a’
00A42983 mov [ebp+var_11], ‘l’
00A42987 mov [ebp+var_10], ‘l’
00A4298B mov [ebp+var_F], ‘i’
00A4298F mov [ebp+var_E], ‘n’
00A42993 mov [ebp+var_D], ‘g’
00A42997 mov [ebp+var_C], ‘ ‘
00A4299B mov [ebp+var_B], ‘O’
00A4299F mov [ebp+var_A], ‘E’
00A429A3 mov [ebp+var_9], ‘P’
00A429A7 mov [ebp+var_8], 0
:
00A429BD mov edx, [ebp+arg_0]
00A429C0 add edx, [ecx+10h]
00A429C3 mov [ebp+_final_entry_point], edx
00A429C6 mov esp, [ebp+arg_8]
00A429C9 xor eax, eax
00A429CB mov edi, [ebp+arg_14]
00A429CE mov esi, [ebp+arg_10]
00A429D1 mov ebx, [ebp+arg_C]s
00A429D4 jmp [ebp+_final_entry_point]
New variant?
Earlier in February, we received an attention-getting new sample of FakeSysdef from a customer. At first we thought it was different malware, but looking closely and analyzing the sample, it was indeed a major modification to the FakeSysdef family.
For comparison, previous variants use the same interface and logo with an icon similar to a trojan horse:
Figure 2 – Various branding for FakeSysdef
This most recent FakeSysdef sample is using a new interface, though you can tell that it’s part of this family because the menu, texts and (fake) errors messages are still the same (see Figure 3):
Figure 3 – New FakeSysdef GUI
The new variant is armored with a new shiny GUI and its scareware tactics are rather alarming and more aggressive, leaving the computer virtually useless until the user pays for the license to fix the bogus errors.
It is packed with UPX, a packer that is plain and simple without complex obfuscation that would make analysis more difficult. This is an indication that it’s in the early stages of development and still lacks emphasis on malware “hardening” intended to hide the malware from scanners and malware researchers alike.
The Loader
The main executable component arrives as an EXE file and acts as a loader. It first terminates the Internet Explorer process if found running. On computers running Windows Vista and later, it makes sure that it runs as an elevated privilege process. Then it drops a DLL file such as the following:
"C:\Documents and Settings\All Users\Application Data\aJnsgXnTGrqWD.DLL”
It injects the DLL to the specific process name EXPLORER.EXE. After a while, it starts to display a fake error message:
Figure 4 – Fake error message
FakeSysdef injects the DLL file into processes (upon reboot) with the following registry change:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls, “AppSecDll” = "<DLL_PATH>"
The DLL code is kind of selective by only allowing itself to run under specific target processes, so it effectively injects itself only to Explorer.exe, Winlogon.exe and userinit.exe processes. After injection, it tries to connect to a hardcoded URL, perhaps to phone home its affiliate ID for a pay-per-install scheme:
<site>/404.php?type=stats&affid=487&subid=new05&awok
As of this writing, the associated site “findcopper.org” and URL requested is no longer available.
Scaring the user
The DLL component creates a black BMP file on the fly based on the operating system (Productname) and service pack number queried from registry data, and sets the created BMP as the desktop background (see Figure 5). This BMP file is dropped in the Temporary files folder and will appear to be an authentic “Safe Mode” boot background which will be used later on after a forced reboot by the trojan.
FakeSysdef also disables the background tab options of the Windows desktop configuration to make sure that the new desktop background will not be altered, with the following registry modification:
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop, “NoChangingWallPaper”=”1”
It may terminate more active processes and will, finally, force the machine to reboot. Once rebooted, the malware begins its assault by showing a fake Windows boot failure error dialog box at the background, with the BMP created earlier on top of it, simulating Safe Mode:
Figure 5 – Fake Safe Mode and “Windows Boot Failure” dialog after reboot
This is followed by a disk diagnostics dialog that will request permission to diagnose the “disk problems”. Annoying disks and memory errors will pop-up to assert its presence and create more panic for the user. Eventually, the malware will offer a module to download and “fix” those errors. If the user doesn’t accept the fix, the malware will again reboot the computer and the process repeats itself again and again, until the user might just give up and allow the “fix” module to run.
The machine appears useless now and will not allow any application or program to be executed, leaving the hapless user seemingly no choice but to accept the fix and repair offered from the rogue authors (see Remediation at the end of this blog). Yes, that’s the scareware tactics.
The remainder of symptoms by this trojan variant are already similar to previous variants – before it fixes the errors, you need to activate the module by purchasing a software license from these malware makers. It opens a simple, custom browser showing a very legit-looking “secure and verified” webpage.
Rogue Call-back and Affiliate Sign In
This trojan family phones home to a remote website to record its installation stats such as how some other malware is installed and the affiliated ID, presumably for pay per install business transactions. This network communication and behavior makes it possible to write IDS/IPS signatures to detect and block its network activity. Our data shows that FakeSysdef has the following outbound connection string formats:
<website>.com/dfrg/dfrg
<website>.com/readdatagateway.php?type=stats&affid=<AFFID>&subid=<SUBID>&
<website>.com/customers/readdatagateway.php?type=stats&affid=<AFFID>&subid=<SUBID>&
<website>.com/404.php?type=stats&affid=<AFFID>&subid=<SUBID>&
Example URLs:
<website>readdatagateway.php?type=stats&affid=427&subid=01&version=5.0&adwareok
<website>/customers/readdatagateway.php?type=stats&affid=427&subid=02&version=5.0&installok
<website>/404.php?type=stats&affid=484&subid=t01&version=5.0&installok
Some of the sites contacted by this family include (edited):
<string>across.org
<string>finddivide.org
<string>findexchange.org
At least one of the sites involved allows the malware affiliate to log on as displayed below:
Figure 6 – Example of the affiliate logon portal
Remediation
There is a somewhat painless method to remove this trojan without giving in and paying the trojan. The basic steps are to start the computer in safe mode, delete the trojan DLL responsible as well as the scary bitmap wallpaper, then reboot and scan.
The DLL is identified by reviewing the registry data “<DLL_PATH>”:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
“AppSecDll” = "<DLL_PATH>"
The bitmap is stored as either “wall.BMP” or “<random>.BMP“ in the Temporary files folder. The trojan also sets a policy to prevent the user from modifying the desktop wallpaper via a registry setting named “NoChangingWallPaper”. Windows customers requiring additional help can get assistance from our online support site http://support.microsoft.com/ or via phone by calling 1-800-PC-SAFETY (1-800-727-2338).
Conclusion
Despite its simplistic approach, and with its recent code modifications, FakeSysdef tells us two things: (1) the malware authors are getting a reasonable amount of money from their operation, and (2) it seems we will be seeing more of this trojan in the coming months. The hardcoded strings – Uniform Resource Identifier (URI), filenames, etc. — suggest that the scammers are using a toolkit or builder to compile new releases.
Hopefully, you found this post helpful. MMPC will continue to track and haunt them until the game is over.
— Rex Plantado, MMPC
