Imagine a program that scans your computer, detects some errors, and offers to fix them. There are many legitimate programs that do this (for example, antivirus programs), but there are also many fake programs which do nothing beneficial – they just pretend to scan your computer and pretend to fix some errors, but in reality there are no errors and nothing is being fixed. You didn’t install such a program, and you don't even know how it got onto your computer. It’s just there, trying to trick you into buying a license.
Have you ever wondered what happens when you "buy" the activation key? Will the program really do something for you, will it just disappear… or, maybe, will it keep annoying you? Let’s look at a program called "S.M.A.R.T. Repair".
If we execute “S.M.A.R.T. Repair”, it disappears from its original location and copies itself into “Documents and Settings” under a randomly generated name, for example “@t)f9K70Sh&Z^.exe” (see figure 2); this is the first sign of suspicious behavior.
The second suspicious sign is that you cannot exit the application in the normal way. If you press the ‘X’ in the top right corner, the window only minimizes. If you right-click the “S.M.A.R.T. Repair” icon in the tray, there is no exit option (see figure 3).
When the main window appears, the program immediately starts scanning your hard disk (see figure 2). After a while, the scan finishes and a diagnosis report is displayed. Some users might be scared by the possibility of losing their data, so they click “Repair 7 Issues” and the screen in figure 4 appears.
This is ideal for the malware creators: the user often clicks “Buy license now”, enters his/her credit card number, receives an activation key, clicks “I already have an activation code. Click here to activate” and enters the activation number.
Anyway, people who are fans of reverse engineering already know there is another (cheaper :-) ) way. We skip the “Buy license now” step and go directly to “I already have an activation code”. We enter an arbitrary email address and activation number (in our case email: aaa, activation number: 123456), press “Activate” and, not surprisingly, a red message is displayed: “The code is invalid. Please contact the support service” (figure 5).
We open our favorite debugger (a tool used to test and debug other programs), attach it to the weirdly named program “@t)f9K70Sh&Z^.exe”, set a breakpoint on USER32.GetWindowTextA/W (an OS function that reads the contents of text fields), then click “Activate”. The debugger stops once (to read the email text field), then stops again to read the activation key field, and then the program displays the message that the activation code is invalid. After the first debugger stop, we see the same screen as in figure 6.
Then we step through the program until we find something like figure 7. There is a call to the “strstr” function, which according to the documentation “returns a pointer to the first occurrence of a search string in a string”. In our case, it tests whether the string “08869246386344953972969146034087” is contained within the string “123456” (the string we entered in the activation key field).
So, try to guess what happens when we enter “08869246386344953972969146034087” in the activation key field (figure 8). Yes, we are registered now.
After successful registration, the program also opens notepad with the following text:
Thank you for purchasing Data Recovery!
Your activation code: 08869246386344953972969146034087
You can always download your activated program through this link: http://www.backup-download-license.com/support/backup/download/setup_data_recovery.exe (for example, if you need to reinstall your operating system).
Also you can use it to install on any other computer.
For any questions please contact us at Customer Support section or call +1-888-717-7595 (USA/Canada tollfree number), +44-186-552-1441 (UK landline number for international calls).
In the text snippet above, we can see the reference to www.backup-download-license.com; it is hosted at IP address 188.8.131.52. According to various IP location tools, this server is located in the United Arab Emirates, but belongs to the ISP Petersburg Internet Network, Saint-Petersburg, Russia. However, this is not the only domain hosted at this IP address. There are several more: download-backup-license.com, license-backup-download.com, licensepos.com, licenseres.com, licensetoc.com, ns1.yourordergete.com. All of these domains were registered on 2012-04-25 or 2012-04-02 through the registrar BIZCN.COM, which is a Chinese fraudulent domain registrar. license-backup-download.com also contains an interesting piece of information in its Registrant Contact: “Privacy-Protect.cn”, which is a known domain related to a fake antivirus program.
Anyway, these are not the only URLs we encountered during our research. The application tries to connect to several more URLs, which are hidden from users without a special monitoring tool. The following table shows the domain, its registration date, the name of the domain registrar, and, in the last column, the country where the server the domain points to is located.
Domain              Registered     Registrar   Server location
meijeroneca.com     10-apr-2012    BIZCN       Netherlands
whatisadebima.com   16-apr-2012    BIZCN       Sweden
pliesamdalu.com     26-apr-2012    BIZCN       Moldova
psardcreator.com    22-mar-2012    BIZCN       Romania
nardelfire.com      17-apr-2012    BIZCN       Switzerland
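As an added detection example (not part of the original analysis), the script below collects the domains and the hosting IP quoted above into an indicator list and matches them against a few constructed proxy-log lines. The log layout and the sample client and destination addresses are assumptions made for this example.

```python
import re

# Indicators quoted in the analysis above: domains named in the activation
# note and in the table, plus the hosting IP given for backup-download-license.com.
FAKESYSDEF_DOMAINS = {
    "backup-download-license.com", "download-backup-license.com",
    "license-backup-download.com", "licensepos.com", "licenseres.com",
    "licensetoc.com", "yourordergete.com", "meijeroneca.com",
    "whatisadebima.com", "pliesamdalu.com", "psardcreator.com",
    "nardelfire.com",
}
FAKESYSDEF_IPS = {"188.8.131.52"}

def matching_domain(hostname):
    """Return the listed domain that hostname equals or is a subdomain of, else None.
    Walks the parent labels so www.x.com and ns1.x.com both match x.com."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in FAKESYSDEF_DOMAINS:
            return parent
    return None

# Assumed proxy-log layout (constructed for this example):
#   <date> <time> <client-ip> <destination-host> <destination-ip>
LOG_LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<host>\S+) (?P<dst>\S+)$"
)

def scan_proxy_log(lines):
    """Return (client, host, indicator) for every line touching a listed domain or IP."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        indicator = matching_domain(m["host"])
        if indicator is None and m["dst"] in FAKESYSDEF_IPS:
            indicator = m["dst"]  # unknown hostname, but it resolves to the known server
        if indicator is not None:
            hits.append((m["client"], m["host"], indicator))
    return hits

# Constructed sample log: two clean lines, three that should be flagged, one malformed.
SAMPLE_LOG = """\
2012-05-03 10:14:02 10.0.0.7 www.backup-download-license.com 188.8.131.52
2012-05-03 10:14:05 10.0.0.7 update.example.org 203.0.113.10
2012-05-03 10:15:40 10.0.0.9 meijeroneca.com 198.51.100.23
2012-05-03 10:16:01 10.0.0.9 unknown-host.test 188.8.131.52
malformed line
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("client %s contacted %s (indicator: %s)" % hit)
```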
After entering the correct activation key and pressing “OK”, the program “fixes” all the problems with your hard disk (figure 9), asks you to restart your computer (figure 10), scans your computer again after the reboot, and now finds no more errors (figure 11). It even becomes possible to exit the application by right-clicking the tray icon (figure 12).
Now, you can click “Quit” and get rid of this annoying piece of software.
S.M.A.R.T. Repair is a fake scanning tool, often detected as Win32:FakeSysdef. It pretends to scan your computer and fix errors, but in reality it does nothing – it only displays something on the screen. You can’t exit the application normally if you don’t have an activation key. Through the analysis above, we have seen that its protection scheme is not very strong: the activation key can be seen in plain text. It is important to mention that these activation keys change very often, so this one will not necessarily work for all FakeSysdef samples. However, the method for obtaining activation keys is always more or less the same. S.M.A.R.T. Repair contains references to several domains which are registered by a suspicious Chinese domain registrar and hosted on servers all around the world. Our recommendation: STAY AWAY FROM THIS APP.