Skip to content

Digitally Signed Rogues: As Dumb As The Rest

2012-01-12

Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine

Both the installer and payloads of a rogue system utility named System Restore (a type of fraudulent software that, in this case, is named exactly like the Windows system utility) sport an unusual characteristic: a digital signature. Digitally signed Trojans such as these are less rare than they used to be, but still unusual, so it was notable that the entire soup-to-nuts infection package being delivered to victims since November uses signed executables.

The rogue installer was delivered by a spam email claiming to originate with the US postal service. The message’s attachment is, allegedly, a PDF document with details about a failed delivery. Of course, as you can see at right, the “PDF documents” are just executable files with an Adobe Reader icon (from the Adobe Reader program, not the icon used by a real PDF document).

One theory that attempts to explain why they’d go to the trouble goes something like this: Some network admins set security policies that only permit digitally-signed executable files to traverse the networks they control. But these policies don’t actually check the validity of the certificates, only that the code itself is signed. Therefore, even invalidly-signed code could, in this hypothetical situation, bypass this rudimentary policy check.

I’m not sure I buy into that. I want to believe that CSOs and IT admins know that such a policy is brain-dead, but you have to assume there’s a reason the malware creator would go to the trouble to generate crypto keys and go through the signing process. However, because we’re talking about subgenius-class malware creators here, it’s not as if this new “feature” bypasses any real security checks. In fact, the certificate is demonstrably false, but it’s only clear this is the case if you go looking for the information.

We’ve been seeing System Restore propagate using two common methods: Spam email containing a link to a malicious Web site; and spam email with a zipped, executable file attachment. Follow the link or trigger the attachment and it starts the ball rolling.

Here’s the not-so-cool-story, bro story: Two months ago, I found myself standing in a hotel lobby, waiting to speak to a hotel staffer, when another guest, standing at the hotel’s public-access computer, cursed the computer’s inability to print a boarding pass. I leaned over and saw my first System Restore infection, and recommended that the guest use a different computer, because that one really didn’t look right.

What I saw looked a bit like this. A nested stack of error dialogs, all saying the same thing:

Failed to save all the components for the file \\System325604. The file is corrupted or unreadable. This error may be caused by a PC hardware problem.

Just as a rogue antivirus app elaborately mimics the effects and consequences of a (hoaxed) malware infection, System Restore elaborately mimics the effects and consequences of a failure of multiple hardware devices, with improbable and (sometimes) laughable dire warnings of imminent disaster. In the rogue AV paradigm, we’d call this fake error-generating component the fakealert. The warnings this thing generates, on the other hand, puts it in a class by itself. Call it a fake-fail.

20111109_report_sysrestore-1stscam-n_crop

By the time you see this list of “problems,” you’re already well on your way to having an infected PC.

The program displays all manner of popups and error dialogs, some of which have a cancel button in them, but it doesn’t matter what you click because the program will, in any case, download at least one payload and execute it. In our test scenario, it downloaded two: the rogue (downloaded twice, from different locations, but helpfully named roge.exe for easy identification), and a Zeus keylogger/data theft Trojan (labeled 531-direct in the screenshot of network traffic shown above).

It’s hard to argue the description when the creator himself calls his file roge. Who am I to argue?

20111109_report_sysrestore-files_in_appdata

The rogue payload sets itself up in the %appdata% directory with a really long, random filename, and gets to work with its initial “scan.”

20111109_report_sysrestore-notdoinganything_h_cropcrop

Only, as you can see here, it isn’t actually using even a millicycle of CPU time. The screen above shows the System Restore rogue running, while Process Explorer watches its activity in the background. The entire fake scan takes about as much processing power to render as an animated GIF, which is why the uncompleted “scan” shown above looks like it’s doing zero work. It really is doing zero work. The red box, above, is where you would see how much work this ‘repair’ is actually doing, if it were doing anything. This is what it claimed to be doing:

20111109_report_fakereport-hotandslow

I love the conceit that moving data around in memory can somehow reduce the temperature of the physical RAM chips, or that a mechanical device that’s moving slower than normal would generate more heat than something that is moving faster. Yet that’s exactly what the error report displayed by the System Restore rogue says. It’s not just a blatant fraud; the errors it claims to correct violate fundamental laws of physics.

20111109_report_samples_crop

The file properties for the rogue’s initial downloader, the rogue executable, and another payload reveal another intriguing detail: The copyright information field for several installers and payloads contain the text ifsystems Corp but in each case, the capitalization of the word ifsystems was randomized, and the creators placed a copyright © symbol in a random position within the ifsystems name, as well.

20111109_report_zbotpayload

The Properties sheet for this payload, which returns mostly Zeus botnet results on Virustotal, also has this bizarre ifsystems nomenclature, but it looks like the malware creators may have misspelled their own ‘company’ name. The rest of the data populated into the Properties sheet seems to be random nonsense.

20111109_report_sysrestore-hook_crop

Of course, the key to this scam is convincing a victim to willingly hand over card payment details. The fraud hook loads what looks like a Web page that appears to come from the domain technocago.com, but the page is framed in a fake browser window, and is actually loaded from paymenbit.com, a domain that was only registered two weeks before the rogue was being distributed in earnest. Even this reveals additional information: the rogue’s payment processor refers to the program as Defrag Pro Basic, but the particular version of Defrag Pro Basic that it wants you to purchase is called System Restore.

Bottom line, the fraud is the same, and the only difference is the digital signature. These kinds of incremental improvements in technology don’t come along in every revision of a rogue, but it’s quite possible that, from now on, we’ll only see digitally signed versions of this family of rogues. If your network security policies blindly permit signed executables to traverse the network, without validating those signatures, I’m putting you on notice that, as of at least two months ago, your policy is broken and will not block this highly intrusive, destructive, and dangerous fraudware.Solera blog stats

Comments are closed.

%d bloggers like this: