Safety Center Malware Analysis
How This Infection Occurs
There are many ways users can become infected. These include the usual ways such as email attachments, file sharing sites, drive-by downloads, and fake video codecs.
The Malware sample that was tested here was picked up from a malicious web page that looks like it is scanning your system for Malware, and finding it. It will then prompt you to download a setup.exe file (or something similar) to install the rogue software. If you stop at this point and just close everything down without installing or running the file, you are probably okay. Once the file has been run, you will likely see some type of error message, or maybe even nothing at all.
That is until the pop-ups start prompting you to update, disinfect, and hand over your $79.95 to do so (but hey, it's a lifetime license so it must be a good deal right? NOT).
Malware Description
Safety Center is another rogue security product in a long line of Scamware. Once installed it will prompt you with false alerts telling you that you're infected with "such and such" Malware. It will also try to get you to fork over your credit card information and steal your money. Who knows what they do with your CC details once they've charged you.
This Malware roots itself deep into your PC in both the file system and registry. Partial removal will only result in the Malware returning in full force.
Analysis Preview
We are going to take 2 different looks at this Malware.
- Static Analysis
- Dynamic Analysis
Static analysis is the process of analyzing the suspect malware without actually running the file. There are many tools and techniques that are used in this area and the process can be very difficult and complex. In this analysis I will do some rudimentary analysis and save most of the fun for the dynamic analysis.
Dynamic analysis is where we actually execute the suspect Malware. As we do this we look at several different areas of the system including file/folder changes, registry modifications, and network activity. We attempt to capture all the modifications made by the Malware and track all network activity. I use VMWare workstation software and safely isolate it from the rest of my network and most importantly, the internet.
Personally I find much more information through dynamic analysis. For one, static analysis requires skills that I do not possess. Things such as being able to read assembly code, unpacking of the various ways that the files can be compressed by the Malware authors, and limited programming knowledge in general. I'm working on getting better in this area.
But dynamic analysis comes relatively easy to me. My work in the Anti-Malware forums helping users clean their PCs and analyzing thousands of logs gives me a good background in this area. It is also just more intuitive for me, so this is where I have my fun and focus primarily. But there is much to be learned through static analysis even with limited resources, as you will see here.
Static Analysis
First, the file was uploaded to 3 different online "sandboxes".
Virus Total Results:
As of the date of analysis, 9/16/09, only 4 out of the 41 scanners actually found malware.
Results here
This is pretty scary and shows how "fresh" this malware sample really is. Keep in mind that by the time you read this the security programs may have signatures that will detect this. But this is just an example of the game of cat and mouse that the Malware authors and the Malware fighters face daily.
Norman Sandbox:
Not much here. Shows that the file is packed with UPX and has a reference to "safety manager".
[ DetectionInfo ]
* Filename: C:\analyzer\scan\setup.exe.
* Sandbox name: NO_MALWARE
* Signature name: NO_VIRUS.
* Compressed: YES.
* TLS hooks: YES.
* Executable type: Application.
* Executable file structure: OK.
* Filetype: PE_I386.
[ General information ]
* Decompressing UPX3.
* File length: 32256 bytes.
* MD5 hash: 013c3bf929e22575c4114ec0b3c17759.
[ Process/window information ]
* Modifying executable headers.
* Creates a window with name "Safety manager".
Anubis:
Now here we get some serious results! Anubis gives a very thorough evaluation and analysis of the malware sample. This has become one of my favorite new tools. You can download the analysis in several formats including text, HTML, and PDF. I have provided a link to the PDF file below for those who want to really dig in and understand this malware (warning: very long, but a professional report).
PDF File Here
Strings Analysis
Strings is a small utility that is included in the Malware Analysis Pack and can read ASCII strings from within the file. Most of what is found turns out to be "gibberish" but there are a few tidbits we can pull out.
File: setup.exe
MD5: 013c3bf929e22575c4114ec0b3c17759
Size: 32256
Ascii Strings:
---------------------------------------------------------------------------
This program must be run under Win32
UPX0
UPX1
.rsrc
3.03
UPX!
wOFTWARE\Borland\Delph
sys32.exe
pps.bat
HSafety Center
trncpyWINHTTP.DLL
Again, we can see that it's packed with UPX. It also appears to be written in the Borland Delphi programming language. This would definitely help to know if we were to disassemble the file. You can also see some other strings that appear to be possible file names. We will see later that some actually are.
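As an added example (not code from the original post), here is a small Python script that does the two static checks above on a constructed stand-in for setup.exe: it walks the PE section table to spot the UPX0/UPX1 section names that mark a UPX-packed file, pulls the printable ASCII strings the way the Strings utility does, and records the MD5 and size you would submit to VirusTotal. The build_sample_pe() bytes are constructed for illustration and are not the real sample.

```python
import hashlib
import re
import struct

def build_sample_pe() -> bytes:
    """Constructed stand-in for setup.exe: DOS stub, PE signature, COFF header
    declaring three sections (UPX0, UPX1, .rsrc) and a few embedded strings.
    It is not the real sample, only enough structure for the checks below."""
    dos = bytearray(b"MZ" + b"\0" * 126)              # 0x80-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)           # e_lfanew: PE header at 0x80
    # Machine=i386, 3 sections, SizeOfOptionalHeader=0 so the section table follows directly
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x10F)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in (b"UPX0", b"UPX1", b".rsrc"))
    body = b"This program must be run under Win32\0sys32.exe\0pps.bat\0Safety Center\0WINHTTP.DLL\0"
    return bytes(dos) + b"PE\0\0" + coff + sections + body

def section_names(data: bytes) -> list:
    """Walk the PE section table and return the section names in order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]   # COFF SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                              # first 40-byte section header
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(nsec)]

def looks_upx_packed(data: bytes) -> bool:
    """UPX names its sections UPX0/UPX1; that is the tell the sandbox and strings output both showed."""
    names = section_names(data)
    return "UPX0" in names and "UPX1" in names

def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, the same idea as the Strings utility."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data: bytes) -> dict:
    """Static summary: hash and size for lookups, the packer tell, and the strings worth reading."""
    return {"md5": hashlib.md5(data).hexdigest(), "size": len(data),
            "sections": section_names(data), "upx": looks_upx_packed(data),
            "strings": ascii_strings(data)}

if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Point it at a real file with triage(open(path, "rb").read()); a packed sample will show the UPX sections while most of its useful strings stay hidden until it is unpacked.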
That's it for our static analysis. Much more could be gleaned with the right tools and knowledge, but we'll leave the rest of this report for the dynamic analysis of what this Malware really does.
Dynamic Analysis
For this analysis we actually execute the file and let it do its thing. But we will get a baseline of the system first, then monitor activities while it loads, and take snapshots after. I employ several tools for this part of the work.
Baseline Tools: These tools will identify most every place that Malware would start up and/or hide.
- HijackThis
- OTL (by OldTimer, who developed this for use in the Anti-Malware forums)
- Process Explorer (Sysinternals)
- Autoruns (Sysinternals)
- Rootkit Scanners - I used 3 of the most commonly used today.
  - GMER
  - Sysprot
  - Root Repeal
File and Registry Monitoring: These tools will provide a before and after snapshot of the system so we can track the changes made by the Malware.
- RegShot
- Install Watch
Network Analyzers: To analyze network traffic such as HTTP requests and open ports.
- Wireshark
- Fprot
- NetworkActiv
Files - Folders - Registry Entries Created
Registry entries created:
HKLM\SOFTWARE\Classes\CLSID\{2414A739-9651-441B-BC10-D773267CC19D}
HKLM\SOFTWARE\Classes\CLSID\{5172ec55-e786-48a9-8fd9-c27c6a99f249}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafetyCenter
HKLM\SOFTWARE\SafetyCenter
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2414A739-9651-441B-BC10-D773267CC19D}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249}
Files/Folders Created:
C:\Documents and Settings\Administrator\Local Settings\Temp\install.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\ops.bat
C:\Documents and Settings\Administrator\Local Settings\Temp\sys32.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\~D9.dll
C:\Documents and Settings\Administrator\Local Settings\Temp\~D9.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ESNWBK0T\30day[1].jpg
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ESNWBK0T\s_visa[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ETITTPLI\8732489273[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NNOFKRPO\install[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NNOFKRPO\Security[1].gif
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ZLHZQDSY\index_new[1].htm
C:\Program Files\SafetyCenter\main.ico
C:\Program Files\SafetyCenter\new.exe
C:\Program Files\SafetyCenter\protector.exe
C:\Program Files\SafetyCenter\sound.wav
C:\Program Files\SafetyCenter\start.exe
C:\Program Files\SafetyCenter\uninstall.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\ZPPD.bat
The following files were created during the infection process but then deleted after the infection occurred.
C:\Documents and Settings\Administrator\My Documents\frmpluginform.frm
C:\Documents and Settings\Administrator\My Documents\GuardCenter1.dll
C:\Documents and Settings\Administrator\My Documents\my_pussy.pif
C:\Documents and Settings\Administrator\My Documents\s4helper.dll
C:\Documents and Settings\Administrator\My Documents\_ftc.bat
Rootkit Activity
Running the rootkit tools I listed found no rootkits running, which is good as they will not block any tools from running and will not hide anything. Some of the most recent Ransomware in the forums, such as Windows Police Pro, drops rootkits preventing users from running almost any typical tools.
Network Activity
The Malware almost immediately starts phoning home to the following IP addresses to download additional files and more Malware, yeah.
- 122.224.9.67
- 85.17.139.14
- 220.196.59.23
These IPs are all affiliated with urodinam.net, along with some other nasty, Malware-ridden sites.
The Malware also sets up scheduled tasks (those At#.job files) to run every hour and download updates and more fresh malware.
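As an added example that is not part of the original analysis, the Python below does the before/after comparison that RegShot and Install Watch do, then sorts the new entries into the persistence and drop locations this sample used: the Browser Helper Object key, the shell NameSpace keys, the Uninstall entry, the At#.job scheduled tasks, the Temp and Program Files drops, and the batch file in the drive root. BASELINE and AFTER_RUN are constructed from a subset of the paths listed above (a real run would feed in the tools' exports), and the rule labels are my own.

```python
import re
from collections import defaultdict

# Locations this infection used; matched case-insensitively against full paths, first rule wins.
PERSISTENCE_RULES = [
    ("browser helper object", r"\\Explorer\\Browser Helper Objects\\"),
    ("shell namespace entry", r"\\Explorer\\[^\\]+\\NameSpace\\"),
    ("scheduled task (At job)", r"\\WINDOWS\\Tasks\\At\d+\.job$"),
    ("uninstall entry", r"\\CurrentVersion\\Uninstall\\"),
    ("program files install", r"^C:\\Program Files\\"),
    ("temp drop", r"\\Local Settings\\Temp\\"),
    ("batch file in drive root", r"^C:\\[^\\]+\.bat$"),
]

# Constructed snapshots: a small clean baseline and the same system after running the sample,
# using a subset of the paths observed in this analysis. Real input would be RegShot/Install Watch exports.
BASELINE = [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"C:\WINDOWS\Tasks\SA.DAT",
]
AFTER_RUN = BASELINE + [
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2414A739-9651-441B-BC10-D773267CC19D}",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249}",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SafetyCenter",
    r"HKLM\SOFTWARE\SafetyCenter",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp\sys32.exe",
    r"C:\Program Files\SafetyCenter\protector.exe",
    r"C:\WINDOWS\Tasks\At1.job",
    r"C:\ZPPD.bat",
]

def snapshot_diff(before, after):
    """RegShot-style comparison: entries present after execution but absent from the baseline."""
    return sorted(set(after) - set(before))

def classify(paths):
    """Group new paths by the first persistence rule they match; unmatched paths go under 'other'."""
    findings = defaultdict(list)
    for path in paths:
        for label, pattern in PERSISTENCE_RULES:
            if re.search(pattern, path, re.IGNORECASE):
                findings[label].append(path)
                break
        else:
            findings["other"].append(path)          # still new, still worth a look
    return dict(findings)

def report(before, after):
    """Diff the two snapshots, then classify everything the sample added."""
    return classify(snapshot_diff(before, after))
```

Anything left under "other" (here the HKLM\SOFTWARE\SafetyCenter key) is what the rules did not anticipate, so it is the part of the report to read by hand rather than ignore.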
Removal
Bleeping Computer has a great guide for the removal of this Malware here. It advises the use of MalwareBytes' free Anti-Malware for removal. This tool does a great job of removal of many of the most recent Malware seen in the forums.
Unfortunately, it did not remove everything on my test machine. The .job files, along with a batch file relating to them, were still left on the machine. They are pretty harmless, as for the most part they cannot do anything, but I like to make sure a machine is as completely clean as possible. By posting the appropriate logs in an ASAP-approved forum you can get help from experts to make sure everything is gone. Each forum is a little different in the logs they ask for, so be sure to read whatever material they have posted as instructions for posting. This will ensure you get the right help as quickly as possible. I am a helper at 2 of these forums:
I go by the same username I use here, IndiGenus, so look me up if you end up finding yourself there.
In the course of my analysis I found 2 other pages with some great information relating to this infection.