- Feb 22, 2007
- 16,240
- 7
- 76
I came across some malware last night that was pretty hard to detect. I never would have caught it if it had not been for reading the network log and seeing the extra traffic.
MSE, Malwarebytes, GMER, Avast, AVG, Norton, HijackThis, rkill and CCleaner said there was nothing hidden running on the system.
This was on Windows 7 x86.
I knew there was, though, because of the network log, so I used Process Hacker to watch the network, and when the traffic started again I got the process ID.
It was linked back to svchost. I hate svchost because it allows lots of things to run inside it and makes finding bad programs harder. I checked out svchost though and there wasn't a single process running that wasn't authentic. I checked every registry key, directory and system file I could find till I found the hosts file had been changed.
I changed it back and set up a monitor for the file to notify me if anything accessed the file, and nothing did. Normally malware will change back anything you try to correct, but this didn't try.
The only thing left to do was run the program that had started the problem. I went through all the exes that had been run that day until I found the culprit, by looking at each exe in a hex editor for anything suspicious.
It was inside an InstallShield installer for a legitimate software release (author contacted and that has been fixed now); it was an obscure program, so not many downloads, luckily.
The only way I was able to find out what it put where was to run the malware inside a sandbox and record everything it did.
If you want to see the list of all files affected, I have included them in a rar file below along with a list of the various files it created. All the exes are renamed to .BAD so you have to purposely rename them to run them (not advised), but they are included for those that want to take a look.
http://rapidshare.com/files/379703147/OUT.rar.html
After getting a copy of the files from the sandbox I uploaded them to VirusTotal to see if it could detect them.
For jcf.exe: BitDefender, F-Secure, GData, nProtect, Sophos, Sunbelt, VBA32
For JCG.exe: Avast, Avast5, BitDefender, F-Secure, GData, nProtect, Sophos, Sunbelt
For jtamua.exe: BitDefender, F-Secure, GData, nProtect, Sophos, Sunbelt, VBA32
It starts with a small program called out.exe, 52KB in size. Out.exe was detected on VirusTotal by about half the AVs; the problem is the AV has to be running all the time to catch it. In my test it took out.exe about 5-10 seconds to grab the other exe files off the net, at which point it unloads itself, encrypts itself and hides in the print spooler.
out.exe attaches to these files:
Code:
C:\Windows\System32\ieframe.dll
C:\Windows\system32\MLANG.dll
C:\Windows\System32\mshtml.dll
C:\Windows\System32\msls31.dll
C:\Windows\system32\ntmarta.dll
C:\Windows\system32\WLDAP32.dll
C:\Windows\system32\msimtf.dll
C:\Windows\system32\rasman.dll
C:\Windows\system32\sensapi.dll
After accessing those files it downloads 3 files:
Code:
JCF.exe stored in C:\Users\testpc\AppData\Local\Temp\Jcf.exe
JCG.exe stored in C:\Users\testpc\AppData\Local\Temp\Jcf.exe
both exe then add themselves to task in c:\windows\tasks
Jtamua.exe stored in c:\windows\jtamua.exe
Jtamua.exe disables the Chrome and Firefox browsers so the user has to use IE.
out.exe copies itself to C:\Windows\system32\spool\PRTPROCS\W32X86 and stores itself as a .tmp file, looking like a spooled print job.
Jtamua.exe then modifies the hosts file to:
Code:
91.121.82.175 google.co.uk
91.121.82.175 www.google.co.uk
91.121.82.175 google.com
91.121.82.175 www.google.com
91.121.82.175 google.fr
91.121.82.175 www.google.fr
91.121.82.175 google.de
91.121.82.175 www.google.de
91.121.82.175 google.nl
91.121.82.175 www.google.nl
91.121.82.175 google.ca
91.121.82.175 www.google.ca
91.121.82.175 google.com.au
91.121.82.175 www.google.com.au
91.121.82.175 google.it
91.121.82.175 www.google.it
91.121.82.175 google.be
91.121.82.175 www.google.be
Those are used to redirect to a fake Google site. It looks identical to the Google site.
Next it creates SSL certificates in user\current\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content and user\current\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData.
It then begins to download content with the user agent string: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; Tablet PC 2.0)
Other malware that is downloaded is stored in edb.chk inside \system32\CatRoot2 and appears as a chkdsk file.
It accesses sites in the background without launching any browser, mainly ad sites that generate money on clicks. It does this for about 30 seconds, then stops and unloads itself from the OS, relying on the tasks it scheduled to restart it. I'm guessing this is so that a virus scanner will only catch it if the program is active. When it unloads from the OS it encrypts the exe files and renames them as tmp and chk files.
It will go online and download content about 5 times, then stop for a length of time, I'm guessing to prevent someone from catching on.
I'm just going to re-image the PC this was on; this is one I don't trust to be removed correctly.
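An added example, not code from the original post: a hosts-file check of the kind that would have flagged the change described above. It parses a Windows-style hosts file, flags dotted hostnames pinned to any non-loopback address, and flags one address that many hostnames share (the redirect-to-one-fake-site pattern). The sample hosts text is constructed from a subset of the entries quoted in the post; the file path is not assumed, the text is passed in.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of a Windows hosts file, seeded with a
# subset of the google.* redirects quoted in the post (same IP as the post).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
91.121.82.175 google.co.uk
91.121.82.175 www.google.co.uk
91.121.82.175 google.com
91.121.82.175 www.google.com
91.121.82.175 google.de
91.121.82.175 www.google.de
"""

def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                           # not an address, not a mapping
        pairs.extend((ip, n.lower()) for n in names)
    return pairs

def find_hijacks(text, min_cluster=3):
    """Flag public hostnames pinned to a non-loopback address, and any single
    address that several hostnames share (the fake-site redirect pattern).
    Returns (pinned, clusters); expected hits such as intranet names should be allow-listed."""
    pinned, by_ip = [], defaultdict(set)
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        by_ip[ip].add(name)
        # localhost -> 127.0.0.1 / ::1 is normal; a dotted public name pinned
        # anywhere else bypasses DNS for that name.
        if "." in name and not (addr.is_loopback or addr.is_unspecified):
            pinned.append((name, ip))
    clusters = {ip: sorted(names) for ip, names in by_ip.items()
                if len(names) >= min_cluster
                and not ipaddress.ip_address(ip).is_loopback}
    return pinned, clusters
```

On a live system, read C:\Windows\System32\drivers\etc\hosts into the text argument and compare the result against a known-good copy; a single clustered address for many search-engine names is the signal to look for.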
