Threat Research

Three strikes and you're out

Michal Krejdl, 13 September 2011


Don't worry, this article is not about baseball, something which I find boring (well, reading sporadic gossip from Virus Lab might be boring as well). We are talking about "unwise" people here. Frankly, I would like to use some harder adjective (unwise is a real euphemism), but it's up to you to give them a proper name :-). So, let me show you the chain of events that resulted in these strikes -- and let you make your own decision.

It all started when three avast! users had a virus alert on their computers and sent us the offending binaries with a protest note: These can't possibly be malicious!

We know that each of the three submitted samples shown above differs from the original binaries which are distributed through legit/vendor site(s). It is clear that the users must have gotten these particular setups somewhere else. Why on earth would someone download freeware in a grey zone or even at an illegal site? The fishy source triggers the first: Strike One!

Just for the record: when we look at the binaries, we can see that not one of them is properly signed. All setups are encapsulated in a UPX layer and contain a password-protected zip archive with the original content attached at the end of the stub. We can, of course, unpack the stub from UPX and look deeper inside. In fact, a short look at the original entry point is enough here - there's a zero-byte padding followed by regular code (a well-known trick from the LockScreen and Zbot malware families) and the first referenced API is advapi32.dll->GetCurrentHwProfileW, which is quite unusual. All in all, this is suspicious as hell.
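As an added illustration (not code from the original post), here is a small Python triage script that checks a PE file for two of the structural traits just described: UPX section names, and a password-protected zip archive sitting in the overlay after the last section. The PE it inspects is constructed inline as a minimal, non-loadable layout; the entry-point padding and import checks would need the stub unpacked first and are left out.

```python
import struct

ZIP_LOCAL_SIG = b"PK\x03\x04"  # zip local file header signature
UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}

def pe_sections(data):
    """Return (name, raw_offset, raw_size) for every section in a PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    table = e_lfanew + 24 + struct.unpack_from("<H", data, e_lfanew + 20)[0]  # after optional header
    secs = []
    for i in range(nsec):
        off = table + 40 * i
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        secs.append((data[off:off + 8].rstrip(b"\0"), raw_ptr, raw_size))
    return secs

def overlay_offset(data):
    """Overlay starts where the last section's raw data ends."""
    return max((p + s for _, p, s in pe_sections(data)), default=len(data))

def encrypted_zip_in(blob):
    """True if blob holds a zip local header with the encryption bit (flag bit 0) set."""
    i = blob.find(ZIP_LOCAL_SIG)
    if i < 0 or len(blob) < i + 8:
        return False
    return bool(struct.unpack_from("<H", blob, i + 6)[0] & 1)

def triage(data):
    """Structural indicators matching the setups described in the post."""
    ovl = overlay_offset(data)
    return {
        "upx_sections": any(n in UPX_SECTIONS for n, _, _ in pe_sections(data)),
        "overlay_bytes": len(data) - ovl,
        "encrypted_zip_in_overlay": encrypted_zip_in(data[ovl:]),
    }

def build_sample(with_overlay=True):
    """Constructed, non-loadable PE layout: headers, two UPX sections, optional overlay."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    stub_off = 0x40 + len(coff) + 2 * 40  # raw data begins right after two section headers
    def sec(name, rs, rp):
        return name.ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x1000, rs, rp) + b"\0" * 16
    stub = b"\0" * 8 + b"\x60\xbe\x00\x20\x40\x00\x8d\xbe"  # zero padding, then code bytes
    zip_hdr = ZIP_LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 1, 8, 0, 0, 0, 0, 0, 0, 0)
    image = dos + coff + sec(b"UPX0", 0, 0) + sec(b"UPX1", len(stub), stub_off) + stub
    return image + zip_hdr + b"payload" if with_overlay else image
```

Running `triage(build_sample())` on the constructed image flags both indicators; on a real file, read it with `open(path, "rb").read()` and treat a hit as a reason to look closer, not as a verdict.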

But the users who sent us these samples don't trust their antivirus solution. C'mon, we're doing our best to protect you and you don't believe us? Strike Two!

Furthermore, they want us to remove our detection of it. Gosh, someone who downloads fishy binaries from fishy sources wants to be smarter than our detection. But, you know, we're quite conceited - Strike Three, Strikeout! You're outta here :-D

What do you think? Does a user deserve the "gift" inside such a setup (whatever it does) if he downloads suspicious binaries from suspicious sources and ignores warnings from his AV? It's your turn, you be the umpire.

BTW: all samples from this group/family were in Russian and the majority of them were related to Lovivkontakte (probably quite popular in Russia), but there were also such setups for Skype or WinRAR.

VT results: