Friday, November 20, 2009

Is this a Rogueware?

When looking through MySharewareSite.com, I found the following tool and thought of finding more information about it.

When trying to click on the following site links:
hxxp://w w w.internetsecurity2.com/?id=avanquest_system_suite
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]
hxxp://w w w.internetsecurity2.com/shots/avanquest_system_suite.gif
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]
hxxp://w w w.internetsecurity2.com/suites/avanquest_system_suite_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

When we threw the EXE into JSunpack, we received the following response:

Sections ( CODE .rsrc )
File: MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit, PECompact2 compressed
Packer: PECompact V2.X-> Bitsum Technologies,PECompact 2.xx --> BitSum Technologies,ExeShield Protector V3.6 -> www.exeshield.com,
Size: 193536 bytes,
MD5: 161f2a3e3c41dbd451021a3cc1fd2577

Based on the MD5, VirusTotal gave the following results:

LINK: http://www.virustotal.com/analisis/6bba141f45e25ea9c5cbdf910310114de7be4f97ce7572976a1b1c4c5f1ec6dc-1251400950



PrevX had a report for the same MD5:
http://info.prevx.com/aboutprogramtext.asp?PX5=48A52DBD003CF3E7F47D02C51A2AB30007864133

File size: 193536 bytes
MD5 : 161f2a3e3c41dbd451021a3cc1fd2577
SHA1 : 7fb29202fab964bcd48f1b5309021876e5175784
SHA256: 6bba141f45e25ea9c5cbdf910310114de7be4f97ce7572976a1b1c4c5f1ec6dc
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000
timedatestamp.....: 0x2A425E19 (Sat Jun 20 00:22:17 1992)
machinetype.......: 0x14C (Intel I386)

( 2 sections )
name   viradd   virsiz   rawdsiz  ntrpy  md5
CODE   0x1000   0x80000  0x2A200  8.00   414b946f666a25e9a9ead73ea1dd1403
.rsrc  0x81000  0x5000   0x4E00   5.21   6d690ad7615832e8c76b28a3f017c377

( 11 imports )

> advapi32.dll: RegQueryValueExA
> comctl32.dll: ImageList_SetIconSize
> gdi32.dll: UnrealizeObject
> kernel32.dll: LoadLibraryA, GetProcAddress, VirtualAlloc, VirtualFree
> ole32.dll: CreateStreamOnHGlobal
> oleaut32.dll: SysFreeString
> shell32.dll: ShellExecuteA
> urlmon.dll: URLDownloadToFileA
> user32.dll: GetKeyboardType
> version.dll: VerQueryValueA
> wininet.dll: DeleteUrlCacheGroup
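As an added example (not code from the original post), the following Python reproduces the part of the triage above that needs nothing but the file: it computes the MD5/SHA1/SHA256 a reputation lookup is keyed on, walks the PE section table with struct, and flags the three things the PEInfo report shows: the fixed Delphi-era link timestamp 0x2A425E19, the 8.00-entropy CODE section, and a virtual size far larger than the raw size (both typical of a packer such as PECompact). The entropy and size thresholds are my assumptions, and the PE it is run on is a constructed stand-in, not the real sample.

```python
import hashlib, math, struct
from collections import Counter

DELPHI_STAMP = 0x2A425E19  # fixed link timestamp in the post's PEInfo (Delphi-built binaries)

def shannon_entropy(data: bytes) -> float:
    n = len(data)  # bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def file_hashes(data: bytes) -> dict:  # the digests a VirusTotal/PrevX lookup is keyed on
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}

def parse_pe(data: bytes) -> dict:
    """Minimal PE walk with struct: COFF header, entry point and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]  # AddressOfEntryPoint in the optional header
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, raddr = struct.unpack_from("<8sIIII", data, pe + 24 + opt_size + 40 * i)
        raw = data[raddr:raddr + rsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
                         "vsize": vsize, "rsize": rsize, "entropy": round(shannon_entropy(raw), 2),
                         "md5": hashlib.md5(raw).hexdigest()})
    return {"machine": machine, "timestamp": stamp, "entry": entry, "sections": sections}

def triage_flags(info: dict) -> list:
    """Heuristics matching what the report shows: fixed timestamp, 8.00 entropy, raw << virtual size."""
    flags = []
    if info["timestamp"] == DELPHI_STAMP:
        flags.append("fixed Delphi link timestamp, not a real build date")
    for s in info["sections"]:
        if s["entropy"] >= 7.5:  # assumed threshold; compressed/encrypted code sits near 8.0
            flags.append(f"{s['name']}: entropy {s['entropy']} suggests packed/compressed code")
        if s["vsize"] > 2 * s["rsize"]:  # assumed threshold; packers reserve room to unpack in place
            flags.append(f"{s['name']}: virtual size far exceeds raw size, packer unpacks in place")
    return flags

def build_sample_pe() -> bytes:
    """Constructed input (not the real sample): a bare PE with one CODE section that looks packed."""
    code = bytes(range(256)) * 4  # uniform byte distribution -> entropy exactly 8.0
    coff = struct.pack("<HHIIIHH", 0x14C, 1, DELPHI_STAMP, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIII", 0x10B, 2, 25, len(code), 0, 0, 0x1000, 0x1000).ljust(224, b"\0")
    sec = struct.pack("<8sIIII", b"CODE", 0x80000, 0x1000, len(code), 0x200).ljust(40, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    return (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0") + code
```

Run `triage_flags(parse_pe(open(path, "rb").read()))` on a real file to get the same three flags the report above implies; the import table is not parsed here, so the API list (URLDownloadToFileA, ShellExecuteA) still comes from the reputation services.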

When opening in Firefox v3.0.15, I got the following response. It is good that Firefox caught this:



Norton Safeweb gives the following results:



DIRECT LINK: http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.internetsecurity2.com%2F%3Fid%3Davanquest_system_suite&x=15&y=12

[COPIED AND PASTED FROM ABOVE REPORT, JUST IN CASE THE ABOVE LINK FAILED]
Threat Report

Total threats found: 11

Viruses

Threats found: 10
Here is a complete list:
Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/avanquest_system_suite_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/trendmicro_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/registry_sweep_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/kaspersky_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Trojan Horse
Location: hxxp://www.internetsecurity2.com/suites/zonealarm_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/norton_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Suspicious.MH690
Location: hxxp://www.internetsecurity2.com/suites/registry_easy_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Downloader
Location: hxxp://www.internetsecurity2.com/suites/panda_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Suspicious.MH690
Location: hxxp://www.internetsecurity2.com/suites/ca_internet_security_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Threat Name: Suspicious.MH690
Location: hxxp://www.internetsecurity2.com/suites/registry_cure_webinstaller.exe
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]

Security Risks

Threats found: 1
Here is a complete list:
Threat Name: HTTP Malicious Toolkit Variant Activity
Location: hxxp://www.internetsecurity2.com/
[DO NOT CLICK, IT IS POTENTIALLY MALICIOUS]
[COPIED AND PASTED FROM ABOVE REPORT, JUST IN CASE THE ABOVE LINK FAILED]

DNS Graph: [image not preserved]

DNS Records: [image not preserved]

DNS Analysis Report: [image not preserved]

Conclusion:
In conclusion, the site hosting it, "internetsecurity2", hosts many malicious files, as listed above. Watch what you download, and never think that hash listings are only for the geeks: all of the above data was derived solely from the MD5 of the EXE.

I couldn't load the EXE into Anubis, as Anubis is having heavy delays for some reason. But yeah, if you have any further analysis that you wish to share with us, that would be awesome. Contact us at contact.fingers @ gmail. com if you have any queries or concerns.


- EF