Showing posts from September, 2017

Fake CS:GO Cheat Tool

[Imported From X-Sec Blog, just for backup]

As we all know, CS:GO is a famous online game, and lots of cheat tools for CS:GO are also available online. Some of them are real (you'll get a VAC ban soon~), but some of them are malware.

Here is a sample.


After loading it into Exeinfo PE, we can see that the file is a RAR SFX archive, so just use WinRAR to extract it, and we get a file named "file.exe". From its icon we can guess that this file is also a RAR SFX archive, but when we try to extract it, we are asked for a password.


Since the former file is a RAR SFX archive, it may contain a self-extraction script, so let's load the former file into WinRAR to see whether any script is contained.

Here is the script:

Setup=file.exe -pB7%s?LNmnAndbRN{
TempMode
Silent=1
Overwrite=1
Update=U

From this script, it's clear that the password is "7%s?LNmnAndbRN{"; now we can extract the password-protected archive.

After extraction, we found that the files inside are hidden, so we have to remove …

nRansom

nRansom v2 Analysis: http://blog.xsecantivirus.com/2017/09/nransom-v2/
nRansom v3 Analysis: http://xywcloud.blogspot.com/2017/10/nransom-v3.html

A very funny "ransomware", but I think we can only call it a "LockScreen" (or WinLock).

PureBasic compiler? After seeing this, I would guess it was wrapped with "BAT2EXE".
Now, let's run it in Sandboxie.
Well, my guess is right. It seems that the actual malicious file is written in .NET, so let's load it into a decompiler.
Oh, the unlock code is hardcoded; its value is "12345", which seems like a joke.

Malware Sample URL: http://bbs.kafan.cn/thread-2103564-1-1.html

Related MD5:
9A60890FC062D10D826C31D049706AB7
773776263762568ED199228579FE4A54
X-Sec Antivirus Detection:
Cloud Engine: Cloud:Trojan.Win32.LockScreen
Local Engine: Trojan.Win32.nRansom.A!GEN(Only for the final payload)
Required Virus Definition Version: 2017.09.25.01(Not released when this blog published)

nRansom v2

[Imported From X-Sec Blog, just for backup]

nRansom v1 Analysis: http://xywcloud.blogspot.com/2017/09/nransom.html

nRansom v3 Analysis: http://xywcloud.blogspot.com/2017/10/nransom-v3.html

As you can see from the title, the new ransomware called "nRansom" has been updated. But after a full analysis of nRansom v2, we only found a few changes (though some of them are important).


After loading it into FFI, we can see that the file is packed with UPX, so just unpack it with UPX Shell.


PureBasic compiler? In fact, if you run it in Sandboxie, you can easily see that the file is just wrapped with "BAT2EXE", the same as nRansom v1.


From the temp directory inside the sandbox, we can get these files.

As for the first batch file, here is its content:

@shift /0
@shift /0
@shift /0
@echo off
md C:\Users\%USERNAME%\Desktop\nRansom2
copy nLocker2.exe C:\Users\%USERNAME%\Desktop\nRansom2
copy "C:\Users\%USERNAME%\Desktop\nRansom2\nLocker2.exe" "C:\Users\%USERNAME%\AppData\Ro…

Chinese Trojan Downloader

[Imported From X-Sec Blog, just for backup]

From July until now, we have collected lots of Chinese backdoor samples from a special source.

Sometimes they are encrypted, so they need a loader to download and decrypt them.

We're very lucky to have the full source code of this backdoor family (including the source code, server module, client module and payload builder), so it's easier for us to create signatures.

Here is a downloader sample.


It seems that the file is not packed, so let's open it with Notepad ;-)


It's clear that we have found two interesting things: the first looks like a PDB path (the path contains Chinese), the other is something encoded with base64.

Finally we found this:


If you just decode the string with base64, you will only see garbled bytes.

The downloader decrypts the URL from the embedded strings, downloads the encrypted payload (in this case, the downloaded payload only needs a string reversal), decrypts and loads it into memory, then runs the code.

Related MD5: 1886…

X-Sec Antivirus Developer Log - A Small Secret in the Detection Names

Some users running sample-set tests (at least for now I'd like to believe that the users of this software are all advanced users) may have noticed that the style of X-Sec Antivirus's detection names does not differ much from the current mainstream, except that a few detection names carry a special symbol, "$", which none of the other names have; only those few do.
As the only person who currently has permission to update the local virus definitions, I added this special mark to some detection names simply to commemorate a security product that is already dead (GG): Baidu Antivirus.
I was a loyal fan of that product, accompanied it through almost its entire life cycle, and even worked with the R&D team behind it for a while. Sadly it has now been "strategically abandoned" by Baidu, and the members of its R&D team have scattered to the big companies (Tencent: no wonder so many Baidu people came over during that period...)
The "$" symbol was a mark unique to detection names reported by Baidu Antivirus's local engine; if you saw this mark in a detection name, you could be 100% sure the detection came from the local engine. Back when it had not yet been officially declared dead but was internally confirmed to be, I kept wanting to leave something behind and never came up with a good way, until I remembered this mark.
"Why not add this mark to some of the detection names!"
If you still keep the installer of that product and are willing to install it and scan a sample pack, you have a chance of finding that, for some viruses, X-Sec Antivirus and Baidu Antivirus report exactly the same detection name. To raise that chance, try scanning file-infecting viruses.

X-Sec Antivirus Developer Log - The Days X-Sec Antivirus Was Falsely Detected, and the Matter of the Pirated Copy

Very early on, every DLL of X-Sec Antivirus was protected with a strong packer, VMProtect v2.07 Ultimate (I think that was the version). Of course, it was a cracked copy at the time, and I know the person who made the crack (I've met him in person; it was only after meeting him that I learned he was the one who made it).
As I expected, the DLLs protected with the cracked packer were flagged relentlessly by some security products. I didn't particularly care at the time; with a strong packer on them, some products flagging them outright was understandable, and a friend of mine was on good terms with people at Norton, so every time a new release was falsely detected by Norton I would ask him to submit it for me, and Norton would lift the false positive within about two days each time.
Until one day...
I received a web chat request on Tawk.to; I haven't kept the chat log, but the gist was that the user had downloaded my software and, as soon as it was unpacked, the Sophos on his computer flagged it. I replied that it was a false positive because the protection packer we use is very strong, but he didn't buy it, saying he did not want to use a product flagged by a large number of antivirus programs.
That shook me a little, though not enough to completely change my mind. What came next, however, was rather frightening.
After one update, I uploaded all the updated DLLs to VirusTotal for scanning as usual, and then came the moment that made me explode on the spot: Kaspersky flagged it, and not for the packer; the detection name was Backdoor.Win32.Miancha.**** (I don't remember the last four letters). [P.S. The Miancha backdoor family is a backdoor made by fellow Chinese; I believe the virus body contains the string "miansha" (免杀, "AV evasion"), which is why Kaspersky gave this family such a name.]
I could already see how this would end...
A day later, VT blew up as expected; a friend who was working in antivirus at the time told me: "Kid, you've hit the jackpot."
So I started frantically emailing vendors asking them to lift the false positive. Regrettably, some vendors did not agree and kept the detection, and getting Kaspersky to lift its false positive was quite a twisted process too; since it is not the focus of this log, I won't go into it further.
When I had done about all I could, I started paying attention to each antivirus's detection, and Sophos's detection name caught my eye: Mal/VMProtBad-A
A slightly odd name, isn't it? Then think back to that earlier conversation, and to the early false-positive records.
So I searched Sophos's threat encyclopedia for that detection name, and the information I got was: Sophos detects the protection packer applied to the program, but only because the packer used was a cracked copy.
Then I went to the VMProtect website to look up related material, which included this passage:
“So, as soon as w…

X-Sec Antivirus Developer Log - Choosing an Implementation Scheme for the Trust List

Lately, besides the daily virus definition maintenance, I've also been writing the new UI and some new features on weekends, though progress has been fairly slow.
The reason I'm singling out the "trust list" is that different security products implement it differently; at present there are roughly three schemes:

1. File path
2. File hash
3. File path + file hash (the one we finally chose)

First, the first scheme: file path. Many security products developed by small teams like mine (233333333), and a very few vendors that people actually know of (Rising, for example), use this scheme.
This scheme is very simple, and what it shows the user is intuitive. But if the file's content changes while its path does not, the file remains trusted by the security product, and the change in content may be neither known nor intended by the user, which carries a certain security risk. So vendors mostly add a conspicuous notice in the trust list UI to inform users of the risk (passing the buck, in a roundabout way).

Next, the second scheme: file hash. Once the file's content changes, it is no longer trusted.
But... you can't just show the user a hash value, can you? (User: mmp)
If you choose to show the user the file path recorded at the time of adding, while the backend check uses only the file hash, the following scenario gets awkward: multiple files at different paths share the same hash, the user adds all of them to the trust list, and shortly afterwards the user removes trust from one of them...

Finally, the third scheme: file path + file hash. Many security vendors use this scheme, and it avoids all the problems of the previous two. The only thing is that this trust list is fairly strict: if the user moves the file, the whitelist entry has to be set up again. But overall it's a good choice.
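As an added illustration (not X-Sec Antivirus code), here is a small Python trust list that can be keyed by any of the three schemes, with a demo that reproduces the three situations above on constructed files; the class name, SHA-256 as the hash, and the sample file contents are all assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def file_hash(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

class TrustList:
    # Hypothetical whitelist keyed by one of the three schemes: 'path', 'hash', 'path+hash'
    def __init__(self, scheme: str):
        if scheme not in ("path", "hash", "path+hash"):
            raise ValueError(scheme)
        self.scheme, self.entries = scheme, set()
    def _key(self, path: Path) -> tuple:
        if self.scheme == "path":
            return (str(path),)
        if self.scheme == "hash":
            return (file_hash(path),)
        return (str(path), file_hash(path))
    def add(self, path: Path) -> None:
        self.entries.add(self._key(path))
    def remove(self, path: Path) -> None:
        self.entries.discard(self._key(path))
    def is_trusted(self, path: Path) -> bool:
        return self._key(path) in self.entries

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        a, b, c = (Path(d) / n for n in ("a.exe", "b.exe", "c.exe"))
        for p in (a, b, c):
            p.write_bytes(b"original")  # constructed sample files with identical content
        r = {}
        # Scheme 1, path only: content replaced but path unchanged, so it stays trusted (the risk)
        tl = TrustList("path")
        tl.add(a)
        a.write_bytes(b"replaced")
        r["path_trusts_modified"] = tl.is_trusted(a)
        # Scheme 2, hash only but shown to the user as two paths: removing c.exe also untrusts b.exe
        tl = TrustList("hash")
        tl.add(b)
        tl.add(c)
        tl.remove(c)
        r["hash_removal_untrusts_other"] = not tl.is_trusted(b)
        # Scheme 3, path + hash: a copy at another path must be re-added, modified content is rejected
        tl = TrustList("path+hash")
        tl.add(b)
        r["path_hash_rejects_moved"] = not tl.is_trusted(c)
        b.write_bytes(b"replaced")
        r["path_hash_rejects_modified"] = not tl.is_trusted(b)
        return r
```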

PC Tuneup & SysTweak

After seeing the post related to this sample, I thought X-Sec Antivirus would detect it. An interesting thing is Windows Defender's detection name: PUA:Win32/Systweak
But after I downloaded the samples, I found that the digital signature is not in the database.
Signer: SYS SECURE PC SOFTWARE LLP

So, just install it in Sandboxie and let's see how it looks.


Don't you think it looks like another PUA?

Well, I think they are nearly the same.
RegClean Pro belongs to SysTweak Software.
So it's clear why Windows Defender gave it such a detection.

Malware Sample URL: http://bbs.kafan.cn/thread-2102821-1-1.html
P.S.: KaFan Forum is a well-known Chinese computer forum; it also provides fresh malware samples.

Related MD5: E8F36C18527B370CB951E25677F3D8F3
X-Sec Antivirus Detection:
Cloud Engine: Cloud:PUA.Win32.SysTweak
Local Engine: PUA.Win32.SysTweak!BS
Required Virus Definition Version: 2017.09.13.01