What I found strange was the contents of the config.dat file, see attached image.
Worked the Chinese txt found there through Google translate and it is just a Chinese poetical txt about a first annual festivity !?!
Or just a Unicode misrepresentation of the code…
What is this?
Sys file certification through Issuer: DigiCert High Assurance CA-3, www.digicert.com, DigiCert Inc, US
Well, I analyzed the loader executable (the loader is the full version actually) of this stand-alone application written in Borland Delphi. SetProcessDEPPolicy is being checked against default winlogon, ScDebugPrivilegeWins and v.c tools site.exe, also the active startup.state is being ascertained and Unknown Runtime check against stack corruptions. Local writes are found up before being initialized, loss of data ascertained with Data Wsprint, SQuery User token and Output Debug Strings. It gets the Current Process checks Xpt Filter and looks for locks and unlocks with Debugscr. Use of API hooks is disallowed for enhanced security…
See additional info here: https://www.virustotal.com/file/93b91c37f042f6a1c4a33929e804a0fdb9dfb04b4fafc042f2848453fe92ce60/analysis/1349350811/
and the analysis here: http://anubis.iseclab.org/?action=result&task_id=13fc8b69a988273c4417c8923d685549c&format=html
This last analysis gives Description Times Exception 0xc0000135 at 0x7c96478e 1. This is sometimes used for Anti-Anubis; it was found ON the crypter and the stub. OWNZ crypter being used. But the issue here is that the separate DLL was not found. https://www.virustotal.com/file/5c7114aa44eaa3295208fb86dfa6106722f7936d2ba92ee19a4cb15d4f9a0052/analysis/
But clamav gives a PUP warning for the dll… -> http://anubis.iseclab.org/?action=result&task_id=14be0edbecfad675469658e01f0ea17bb&format=html
Aimbot-like tmp code → regsvr32.exe /c /s .\d1.tmp.dll found to terminate the d2 process whenever they like it… spyware-like code as
Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll, reads the shell folders to the defaults.
Settings in a device control preset are used during logging, capturing, and output. Device\KsecDD 0x00390008 8 - Memory Mapped Files…
Observations given for what they are worth… later I will give some additional binary txt viewer conclusions…
Damien,
Can you also explain this in less technical terms for those of us that are not as well versed with code as you but
are still interested in following your dissection of this new tool ???
Thanks
Well, the clever thing is that the software consists of three separate parts in the software folder and is a stand-alone application protection tool for certain third-party software applications that could be vulnerable to zero-day exploits. The three parts are the shield executable, a separate shield dll and the loader executable. The one does not work without the other, so advanced security is achieved there. APIs are denied to run for security reasons. The processes that are being protected are constantly being monitored by the software against security breaches deep inside the OS on a kernel level, constantly being checked against the default situation. So when the malcode attempts to perform anything that seems specific to the performance of 0-day malcode, the ExploitShield software turns red for an alert, blocks and saves logs. Some protection gets locked as it is being protected when active, meaning when the process is active. Adobe Reader is being protected, Foxit Reader, Microsoft Office applications, Windows Media Player, also VLC player, Winamp and QuickTime Player, Java, Google Chrome, Firefox and Safari browsers and of course IE. The software is MS certified. When malware tries to write onto the computer without being initialized by user intervention (typical for malware performance) it is found up by the shield tool. Crypting and debugging is going on all of the time. It sits silently on the taskbar, a bit like you experienced with RUBotted. So all is constantly compared to a default situation and if not so, alarm bells should ring. In my actual section on the computer 130 applications are being shielded. Too early days to give a final verdict, but what I have seen is encouraging to try it out. I will keep you all informed. You will sure like it.
You know how difficult that really is, to “translate” and popularize technical terms? This so all can grasp what is meant, more or less. I tried to explain to you and bob what I found out so far about the inner workings of this “amazing, innovative” protection tool. I do that by firing the files up in a binary txt viewer and going through the executables and dll of the software one by one and line after line of code. All that info translated from code is further investigated with the best friend we all have online, and that is Google’s search. Then I give the information integrated as I find it and so slowly and surely I come to the analyzing stage I have reached. I had several years here with a lot of good friends in the forums to learn to do this. !Donovan for instance has been a very inspiring friend, and also Pondus came up with a lot of inspiring information, etc. And I also have to mention our good friend schmidthouse who through his enthusiasm made me decide to beta test the tool.
A good searcher could do many times more than the best hacker can ever achieve, remember that lesson from me. Well I hope I have explained a couple of things about this software protection tool and users will get wise by asking. I do not know all the answers, but I try,
Been using it for several hours now and all’s well, doesn’t conflict with anything I have installed, only three items protected here for me: IE, which is my main reason for this added protection tool, Media Player and Foxit, but I run my systems very light - no Java or unnecessary rubbish.
It’s also running quite light at 1.2Mb so other than the icon in the taskbar I don’t notice it at all, it’s a better (smarter) and simpler solution than EMET imo.
Fourth (4th.) day installed with not an issue.
I have also done a XP repair because of unrelated issue and had to Reinstall IE8, SP3 and 107 updates with no interference from ‘Z’
Very nice. :o
I noticed this yesterday but it was only blocked for me, nothing was quarantined and right clicking the tray icon and stopping the shield allowed access for help support to work - but it all works fine for me today
I had one occasion that the ExploitShield browser started up (as I experienced through Task Manager) but did not show up in the taskbar.
After a reboot everything went back to normal. Exploit Shield is the first to start up…
The log window says Opera locked, but I have no Opera installed on my OS. Could this mean another user agent is being protected?
The normal logs from the program file do not mention any Opera,
polonus
P.S. Understand Opera is just an example of what is being protected by the tool in general…
I also had one instance of ES not being visible in the task bar polonus, I killed the process through Task Manager and re-started it and it has been fine ever since ???
schmidthouse I have noticed a few hangs here and there and by removing WinPatrol Plus this morning they seem to have disappeared, no hangs for at least 18 hours so I think I’ve solved my own hanging problems but whether the same applies to any of the others ???
I also discovered on my other test system that if Kingsoft free AV is installed with ExploitShield that system will freeze and stay frozen, hard shutdown is all that worked and removed Kingsoft in safe mode.
I don’t usually have to worry about being impatient on my systems, I can sometimes have over a hundred and twenty processes running with no slow downs (hangs) whatsoever, it’s purely conflicts causing it.
WinPatrol will go back on in time, just troubleshooting
You know what a beta stage is for. Going over the tool to just establish what essential functionality is missing. It is bare bones we are examining now.
If for bugs and fuzzing we have to consider the Borland Delphi RTL that the program dll was written in. SysUtils is needed to examine the project further.
See: http://www.delphibasics.co.uk/ByUnit.asp?Unit=SysUtils
Madcodehook is being used and unfortunately this has been misused/abused in malware/adware/spyware etc. It is Win32.hooker and sometimes flagged as PUA/PUP. That is why they stopped the commercial version of that software. This could be a nuisance on uninstall, or could be worse, as in getting rid of a virus with drivers removed (so in that phase we might need essexboy, jeffc etc. but it is too early to contemplate such routines). I just go on to report what I grasp from the code, my friends. Microsoft’s Detours API could be a good portable replacement if Madcodehook would give persistent problems.
Then we have a DEPprocessPolicy Chromium issue. With
    MITIGATION_DEP |
    MITIGATION_DEP_NO_ATL_THUNK |
    MITIGATION_SEHOP;
we should have
    mitigations = MITIGATION_STRICT_HANDLE_CHECKS |
In order to stop malware programmers from misusing madCodeHook, I’ve added a number of security tricks to madCodeHook 3.0:
(1) You need to sign the kernel mode drivers yourself. Most malware programmers will probably lack a valid Verisign certificate. And even if they have such a certificate, it can be revoked if it’s used to create malware. And it can also be easily used as a search criterion for security applications.
(2) The driver strictly refuses to inject any dlls which were not made known to the driver at build/configuration time. This makes sure that a malware programmer can not misuse your driver to inject his own dlls.
(3) When your application tells the driver to inject a specific dll, the driver calculates a hash of your exe file and stores that together with the injection request information. The driver later only accepts a “stop injection” request from a process if the exe file has the same hash as the one which started the injection. This makes sure that a malware process can not simply hack into the application/driver communication to stop your dll from being injected.
(4) Even if you configure your driver to support being stopped (safely), a stopping request is only accepted by the driver if it was issued by the driver injection API. Stopping the driver through the normal service/driver OS APIs is blocked. Furthermore the driver accepts a stop request only if no dll injection requests are active. This should make sure that a malware process can not simply stop your driver behind your back.
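The four rules quoted above can be modelled as a small request-authorisation state machine. This is an added illustration, not madCodeHook's own code: the driver is simulated in user mode, the dll allowlist and exe images are constructed, and only the accept/refuse decisions of items (2) to (4) are reproduced.

```python
# Added illustration (not madCodeHook's code): the driver is simulated in user
# mode and the exe images are constructed byte strings.
import hashlib

SHIELD_EXE = b"MZ...ShieldLoader-v1 (constructed)"
OTHER_EXE = b"MZ...NotTheShield (constructed)"


def image_hash(image: bytes) -> str:
    # The real driver hashes the on-disk exe; here the image is a byte string.
    return hashlib.sha256(image).hexdigest()


class InjectionDriver:
    def __init__(self, allowed_dlls, stoppable=True):
        self.allowed_dlls = frozenset(allowed_dlls)  # fixed at build/config time
        self.stoppable = stoppable
        self.active = {}  # dll -> hash of the exe that requested its injection

    def inject(self, requester_image: bytes, dll: str) -> bool:
        if dll not in self.allowed_dlls:  # item 2: unknown dll is refused
            return False
        self.active[dll] = image_hash(requester_image)  # item 3: bind to exe hash
        return True

    def stop_injection(self, requester_image: bytes, dll: str) -> bool:
        # item 3: only a process with the same exe hash may stop the injection
        if self.active.get(dll) != image_hash(requester_image):
            return False
        del self.active[dll]
        return True

    def stop_driver(self, via_injection_api: bool) -> bool:
        # item 4: only via the injection API, only if configured as stoppable,
        # and only while no injection request is active
        return via_injection_api and self.stoppable and not self.active


def scenario() -> dict:
    drv = InjectionDriver(allowed_dlls={"shield.dll"})
    return {
        "inject_unknown_dll": drv.inject(SHIELD_EXE, "evil.dll"),
        "inject_known_dll": drv.inject(SHIELD_EXE, "shield.dll"),
        "stop_by_other_exe": drv.stop_injection(OTHER_EXE, "shield.dll"),
        "stop_driver_while_active": drv.stop_driver(via_injection_api=True),
        "stop_driver_via_os_api": drv.stop_driver(via_injection_api=False),
        "stop_by_owner": drv.stop_injection(SHIELD_EXE, "shield.dll"),
        "stop_driver_idle": drv.stop_driver(via_injection_api=True),
    }
```

The dict from scenario() shows which requests the simulated driver refuses (a foreign dll, a stop from a different exe, a stop while injections are active, a stop through the OS service path) and which it accepts.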
Sys file checks the Microsoft Boot Up Kernel, known to be vulnerable to w32.bolzano malware and variants…
As Panda detects W32/Bolzano.5396.A and cleanses this malware (a simple file infector indeed, this is the dropper, and avast detects it as Win32:Bolzano-E, but some variants were missed by Nod32 as “probably unknown WIN32 virus”), and we deal here with two former Panda coders, so I could have expected ntosklm.exe to appear in the proggie.
Yes, my good friends, we will go on with dissecting this stand-alone beta-tool,