

May 9th, 2012

“Fix your hard disk” with fake S.M.A.R.T. Repair tool

Imagine a program that scans your computer, detects some errors, and offers to fix them. There are many legitimate programs that do this (for example, antivirus programs), but there are also many fake programs which do nothing beneficial – they just pretend to scan your computer and pretend to fix some errors, but in reality there are no errors and nothing is being fixed. You didn’t install such a program; you don’t even know how it got onto your computer. It’s just there, wanting to trick you into buying a license.

Have you ever wondered what happens when you “buy” the activation key? Will the program really do something for you, will it just disappear… or, maybe, it will keep annoying you. Let’s look at a program called “S.M.A.R.T. Repair”.

Figure 1

 

If we execute “S.M.A.R.T. Repair”, it disappears from its original location and copies itself into “Documents and Settings” under a randomly generated name, for example “@t)f9K70Sh&Z^.exe” (see figure 2) – this is the first sign of suspicious behavior.

Figure 2

 

The second suspicious sign is that you are not able to exit the application in a normal way. If you press the ‘X’ in the top right corner, the window only minimizes. If you right-click the “S.M.A.R.T. Repair” icon in the tray, there is no exit option (see figure 3).

Figure 3

 

When the main window appears, the program immediately starts scanning your hard disk (see figure 2). After a while, the scan finishes and a diagnosis report is displayed. Some users might get scared by the possibility of losing their data, so they click “Repair 7 Issues” and the screen in figure 4 appears.

Figure 4

 

Ideally for the malware creators, the user then clicks “Buy license now”, gives his/her credit card number, gets an activation key, clicks “I already have an activation code. Click here to activate” and enters the activation number.

Anyway, people who are fans of reverse engineering already know there is another (cheaper :-) ) way. We skip the “Buy license now” step and go directly to “I already have an activation code”. Enter an arbitrary email and activation number (in our case email: aaa, activation number: 123456), press “Activate” and, not surprisingly, a red message displays “The code is invalid. Please contact the support service” (figure 5).

Figure 5

We open our favorite debugger (a tool used to test and debug other programs), attach it to the weirdly named program “@t)f9K70Sh&Z^.exe”, set a breakpoint at USER32.GetWindowTextA/W (the OS function which reads the contents of text fields), then click “Activate”. The debugger stops once (to read the email text field), then stops again to read the activation key field, and then the program displays the message that the activation code is invalid. After the first debugger stop, we see the screen shown in figure 6.

Figure 6

Then we step through the program until we find something like figure 7. There is a call to the “strstr” function, which according to the documentation “returns a pointer to the first occurrence of a search string in a string”. In our case, it tests whether the string “08869246386344953972969146034087” is contained within the string “123456” (the string we entered into the activation key field) – i.e. the hard-coded key is the search string and the user input is the string being searched.

Figure 7

Therefore, try to guess what happens when we insert “08869246386344953972969146034087” into the activation key field (figure 8). Yes, we are registered now.
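To make the weakness concrete, here is an added example (my own C, not code from the sample or from Avast) that reproduces the strstr check described above, plus a minimal digit-run scanner of the kind an analyst’s “strings” pass performs to spot the plain-text key mentioned in the conclusion. The key is the one from the article; the byte blob is constructed.

```c
/* Added example: reconstruction of the activation check seen in figure 7
 * and a tiny "strings"-style scanner. Not code from the analysed sample. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Key recovered in the article. Stored as a plain C string, which is
 * exactly why it ends up visible in the binary. */
static const char ACTIVATION_KEY[] = "08869246386344953972969146034087";

/* strstr(input, key) is non-NULL when the key occurs anywhere inside the
 * user input, so any string that merely contains the key is accepted. */
int fake_check_activation(const char *user_input)
{
    return strstr(user_input, ACTIVATION_KEY) != NULL;
}

/* Scan a byte buffer for a run of at least min_len ASCII digits (what an
 * analyst looks for when hunting a hard-coded numeric key). Copies the
 * first hit into out; returns 1 on hit, 0 otherwise. */
int find_digit_run(const unsigned char *buf, size_t len, size_t min_len,
                   char *out, size_t out_size)
{
    size_t start = 0;
    for (size_t i = 0; i <= len; i++) {
        int is_digit = i < len && isdigit(buf[i]);
        if (!is_digit) {
            size_t run = i - start;
            if (run >= min_len && run < out_size) {
                memcpy(out, buf + start, run);
                out[run] = '\0';
                return 1;
            }
            start = i + 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed stand-in for a few bytes of the sample's data section. */
    const unsigned char blob[] = "\x00\x01MZ\x90invalid\x00"
        "08869246386344953972969146034087\x00\xffTEXT";
    char found[64];

    printf("'123456' accepted?         %d\n", fake_check_activation("123456"));
    printf("real key accepted?         %d\n", fake_check_activation(ACTIVATION_KEY));
    printf("key with junk around it?   %d\n",
           fake_check_activation("xx08869246386344953972969146034087yy"));
    if (find_digit_run(blob, sizeof blob - 1, 32, found, sizeof found))
        printf("plain-text key candidate:  %s\n", found);
    return 0;
}
```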

Figure 8

 

After successful registration, the program also opens notepad with the following text:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thank you for purchasing Data Recovery!

Your activation code: 08869246386344953972969146034087

You can always download your activated program through this link: http://www.backup-download-license.com/support/backup/download/setup_data_recovery.exe (for example, if you need to reinstall your operating system).

Also you can use it to install on any other computer.

For any questions please contact us at Customer Support section or call +1-888-717-7595 (USA/Canada tollfree number), +44-186-552-1441 (UK landline number for international calls).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the text snippet displayed above, we can see the reference to www.backup-download-license.com – it is hosted at IP address 31.184.244.15. According to various IP location tools, this server is located in the United Arab Emirates, but belongs to the ISP Petersburg Internet Network, Saint-Petersburg, Russia. However, this is not the only domain hosted at this IP address. There are several more – download-backup-license.com, license-backup-download.com, licensepos.com, licenseres.com, licensetoc.com, ns1.yourordergete.com. All of these domains were registered on 2012-04-25 or 2012-04-02 through the registrar BIZCN.COM, a Chinese registrar known for fraudulent registrations. License-backup-download.com also contains interesting information in its Registrant Contact – “Privacy-Protect.cn”, a known domain related to fake antivirus programs.

Anyway, these are not the only URLs that we encountered during our research. The application tries to connect to several more URLs, which are hidden from users without a special monitoring tool. The following table shows the domain, its date of registration, the name of the domain registrar, and, in the last column, the country where the server the domain points to is located.

Domain               Registered     Registrar   Server country
meijeroneca.com      10-apr-2012    BIZCN       Netherlands
whatisadebima.com    16-apr-2012    BIZCN       Sweden
pliesamdalu.com      26-apr-2012    BIZCN       Moldova
psardcreator.com     22-mar-2012    BIZCN       Romania
nardelfire.com       17-apr-2012    BIZCN       Switzerland

 

After entering the correct activation key and pressing “OK”, the program “fixes” all problems with your hard disk (figure 9), asks you to restart your computer (figure 10), scans your computer again after the reboot, and now finds no more errors (figure 11). It even becomes possible to exit the application by right-clicking the tray icon (figure 12).

Figure 9

Figure 10

Figure 11

Figure 12

 

Now, you can click “Quit” and get rid of this annoying piece of software.

 

Conclusion:

S.M.A.R.T. Repair is a fake scanning tool, often detected as Win32:FakeSysdef. It pretends to scan your computer and fix errors, but in reality it does nothing – it only displays something on the screen. You can’t exit the application normally if you don’t have an activation key. Through the analysis above, we have seen that its protection scheme is not very strong: the activation key is compared as a plain-text string and can be read directly from the program. It is important to mention that these activation keys change very often, so this particular key may not work for all FakeSysdef samples. However, the method for obtaining the activation key is always more or less the same. S.M.A.R.T. Repair contains references to several domains, which are registered through a suspicious Chinese domain registrar and are hosted on servers all around the world. Our recommendation: STAY AWAY FROM THIS APP.

Categories: analyses, Virus Lab
  • Tech

    Nice reading. I wish I could debug like you :)
    Thanks for protecting us.

  • http://www.luminagroupinc.com Nneuromancer

    This popped up while I was gone for lunch. I do run at least 2 antivirus programs on my computers as no one is 100%, but to me it seems like they have been bad in the last month. Without having a webpage open, having Outlook open, Windows 7 Pro 64 bit, Immunet, and Windows Defender, and behind a Sonicwall firewall with blacklist enabled, I got this. Can you help me understand how they are coming in and how to stop this better?

    Thanks in advance.

  • http://www.avast.com Michal Krejdl

    Tech :
    Nice reading. I wish I could debug like you
    Thanks for protecting us.

    It’s never too late to start learning ;-)

  • http://www.majauskas.com Giedrius Majauskas

    The best part is that they rarely change the code. Though I believe this one is relatively fresh one, only for this version.

  • chechu

    There is another variant of this nasty, it’s called Data Recovery. You can see the VT report here:
    http://www.virustotal.com/file/cee9f6fb3bab45bf0ab7bf4f1b8dc9bbfd436ef4566c3464253b95661611b043/analysis/1336887258/

  • Tech

    Michal Krejdl :

    It’s never too late to start learning ;-)

    Maybe you can teach me something by email or suggesting some tools for that :)