Post from November, 2009

Bagle Analysis

Tuesday, 10. November 2009 16:40

Bagle Malware appears to be making a comeback lately. Not as much in the US but more so in Europe, although that’s subject to change as it can spread fast.

Bagle is not new, but new variants are constantly being developed, usually nastier with each version, and this one is absolutely nasty. Symptoms of infection include the browser closing on its own, system lag, Windows security features and security tools (such as antivirus and firewall) being disabled, and the inability to run almost any security tool.

Technical Analysis:

Please note that the analysis here should not be used as a removal guide for this or any other Malware. If you think you’re infected you should either go to the forums for help, bring it to a pro, or reformat the PC (which is what the pro will probably do).

Static Analysis:

On the date that the sample was captured I ran it through VirusTotal and almost 60% of the scanners identified it as malware. Not bad, but not great either, and I'm sure that will get better with time.

Virus Total Results

The sample I tested was packed with Themida, a commercial-grade packer. That pretty much rules out any real static analysis with my limited unpacking skills at this point. Note that packing is used both to evade detection and to prevent exactly this type of analysis.

Dynamic Analysis:

Here is where the fun begins for me…

I was able to get this sample to run in VMWare which is nice for analysis.

Upon execution of the sample the system pauses for a few seconds then generates this window:

bagle first window

Well, I don’t know what that means but I know what OK! means. So I proceed with that and see this next:

bagle second window

It looks like some kind of Windows logon screen or something. Well, again, OK is good for me.

After that not much happened, and I was wondering whether it had really run in the VM. I tried to run some basic system analysis with HijackThis and a rootkit scan with GMER and neither would run. Soon after, the system rebooted by itself. At this point I was pretty confident that the malware had taken to the VM.

Looking at the file/folder/registry modifications with InstallWatch and RegShot showed several folders and registry entries created, very similar to the report from Threat Expert.
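The snapshot-and-compare approach that InstallWatch and RegShot use, as an added example in Python rather than code from the post or from those tools: take a baseline of a directory tree, run the sample (here a harmless stand-in function that drops files under made-up paths modelled on the ones found later in the post), take a second snapshot, and report what was added, removed or modified. Registry diffing works the same way with key/value pairs instead of paths. The caveat the rest of the post makes clear: once the rootkit driver is loaded, anything it hides from the Windows API is also hidden from a snapshot taken through that API, so a diff like this is only trustworthy for changes captured before the driver is active, or when taken from outside the infected system (an offline disk image).

```python
"""Snapshot/compare of a directory tree, the approach InstallWatch and RegShot
take. Added example, not code from the post or from those tools; the paths
and the 'dropper' below are made up."""
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root to (size, sha256). Hashing catches in-place
    modification that a size/mtime comparison would miss."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (os.path.getsize(full), digest)
    return snap


def diff_snapshots(before, after):
    """Added / removed / modified paths between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def simulated_dropper(root):
    """Stand-in for running the sample (hypothetical, harmless): drops files
    under folder names modelled on the ones this infection used and edits a
    pre-existing file."""
    for rel in ("AppData/drivers/wfsintwq.sys",
                "AppData/drivers/downld/62359.exe",
                "AppData/hidires/flec003.exe"):
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"MZ placeholder: " + rel.encode())
    Path(root, "system32/hosts").write_text("127.0.0.1 localhost\n127.0.0.1 example.invalid\n")


def demo():
    """Baseline, run the stand-in, re-snapshot, report the difference."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "system32").mkdir()
        Path(root, "system32/hosts").write_text("127.0.0.1 localhost\n")
        Path(root, "system32/ntkrnlpa.exe").write_bytes(b"MZ placeholder kernel")
        before = snapshot(root)
        simulated_dropper(root)
        return diff_snapshots(before, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Running `demo()` reports three added files and one modified file; the untouched `ntkrnlpa.exe` placeholder does not appear, which is the point of hashing rather than just listing.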

Threat Expert Report

As we can see, there is quite a bit of activity, and this is starting to look like some nasty stuff, but more will be revealed…

After the reboot I tried HijackThis and GMER again (without success). I also tried running Malwarebytes and that would not run either.

I was able to get both OldTimer's OTL and sUBs' DDS tools to run, and they showed some interesting entries (definitely malware).
OTL:
Processes:
PRC - [2009/11/10 14:05:13 | 00,899,076 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\drivers\downld\62359.exe
Driver Services:
DRV - [2009/11/10 14:04:59 | 00,119,188 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\drivers\wfsintwq.sys -- (srosa)
Pseudo HJT:
O4 - HKCU..\Run: [flec003.exe] C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe (http://www.emule-project.net)

DDS showed the same process, run key, and driver that OTL did.

Now, making sure that hidden files are showing in XP, I looked for those files and registry entries but none of them were visible. The only thing I could see was a file called srosa2.sys in the drivers folder.

Now, we can pretty much deduce from these findings that there is no doubt a well-planted rootkit running here. The presence of srosa (a well-known rootkit driver) and the fact that we cannot see any of these files or registry entries with the normal Windows tools confirms this.

Since we cannot run my favorite rootkit tool, GMER, we'll try some others. I tried running SysProt ARK with no success. Next I tried RootRepeal, which did run:

Hidden/Locked Files
-------------------
Path: C:\Program Files\Movie Maker\Shared
Status: Invisible to the Windows API!

Path: c:\windows\system32\ntkrnlpa.exe
Status: Allocation size mismatch (API: 24576, Raw: 2060288)

Path: C:\WINDOWS\ime\shared
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\hidires
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\drivers\downld
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\drivers\wfsintwq.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\drivers\winupgro.exe
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\m\flec006.exe
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\m\shared
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\000058cb\autorun.inf
Status: Invisible to the Windows API!

Processes
-------------------
Path: C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe
PID: 236    Status: Hidden from the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\drivers\winupgro.exe
PID: 472    Status: Hidden from the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\m\flec006.exe
PID: 1376    Status: Hidden from the Windows API!

Hidden Services
-------------------
Service Name: srosa
Image Path: system32\DRIVERS\sr.sys
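
RootRepeal and OTL output is line-oriented and regular enough to parse, which is worth doing when a log has dozens of entries. The script below is an added example (not the post's code and not part of either tool): it parses the RootRepeal sections and the OTL lines quoted above (embedded as constructed input, a subset of the entries) and then cross-references them: the hidden process whose image file is itself hidden, the Run key that points at a hidden file, the driver service that OTL and RootRepeal both report under the name srosa but with different image paths (wfsintwq.sys versus sr.sys), the kernel file with an allocation-size mismatch, and the hidden autorun.inf.

```python
"""Parse RootRepeal and OTL output into IOCs and cross-reference the two.
Added example, not the post's code or either tool's; the inputs are a
constructed subset of the report excerpts quoted in the post."""
import ntpath
import re

ROOTREPEAL_REPORT = r"""
Hidden/Locked Files
-------------------
Path: c:\windows\system32\ntkrnlpa.exe
Status: Allocation size mismatch (API: 24576, Raw: 2060288)

Path: C:\Documents and Settings\Administrator\Application Data\drivers\wfsintwq.sys
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Administrator\Local Settings\Temp\000058cb\autorun.inf
Status: Invisible to the Windows API!

Processes
-------------------
Path: C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe
PID: 236    Status: Hidden from the Windows API!

Hidden Services
-------------------
Service Name: srosa
Image Path: system32\DRIVERS\sr.sys
"""
OTL_LINES = [
    r"DRV - [2009/11/10 14:04:59 | 00,119,188 | ---- | M] () -- C:\Documents and Settings\Administrator\Application Data\drivers\wfsintwq.sys -- (srosa)",
    r"O4 - HKCU..\Run: [flec003.exe] C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe (http://www.emule-project.net)",
]


def parse_rootrepeal(text):
    """Group RootRepeal 'Key: value' records by report section."""
    out, section, path = {"files": [], "processes": [], "services": []}, None, ""
    for line in map(str.strip, text.splitlines()):
        if line in ("Hidden/Locked Files", "Processes", "Hidden Services"):
            section = line
            continue
        if not line or re.fullmatch(r"[-\u2014]+", line):
            continue
        key, _, value = line.partition(": ")
        if key in ("Path", "Service Name"):
            path = value                       # kept until the matching Status/PID/Image line
        elif key == "Status" and section == "Hidden/Locked Files":
            out["files"].append((path, value))
        elif key == "PID" and section == "Processes":
            pid, status = re.match(r"(\d+)\s+Status:\s*(.*)", value).groups()
            out["processes"].append((path, int(pid), status))
        elif key == "Image Path" and section == "Hidden Services":
            out["services"].append((path, value))
    return out


def parse_otl(lines):
    """Driver image + service name from OTL DRV lines, target path from O4 Run keys."""
    out = {"drivers": [], "run_keys": []}
    for line in lines:
        if line.startswith("DRV - "):
            rest = line.split(") -- ", 1)[1]          # after the "[date | size | attrs] ()" field
            path, _, svc = rest.rpartition(" -- ")    # trailing "-- (service)" part
            if not path:                              # no service suffix on this line
                path, svc = svc, ""
            out["drivers"].append((path.strip(), svc.strip("() ")))
        elif line.startswith("O4 - "):
            m = re.search(r"\[(?P<name>[^\]]+)\]\s+(?P<path>.+?\.exe)", line)
            if m:
                out["run_keys"].append((m.group("name"), m.group("path")))
    return out


def correlate(rr, otl):
    """Cross-reference both views; each finding is a dict keyed by 'kind'."""
    hidden = {p.lower() for p, s in rr["files"] if "invisible" in s.lower()}
    findings = []
    for path, status in rr["files"]:
        if "mismatch" in status.lower():
            findings.append({"kind": "size_mismatch", "path": path, "status": status})
        elif ntpath.basename(path).lower() == "autorun.inf":
            findings.append({"kind": "hidden_autorun", "path": path})
    for path, pid, _ in rr["processes"]:
        findings.append({"kind": "hidden_process", "path": path, "pid": pid,
                         "image_hidden": path.lower() in hidden})
    for name, path in otl["run_keys"]:
        if path.lower() in hidden:
            findings.append({"kind": "run_key_to_hidden_file", "name": name, "path": path})
    services = dict(rr["services"])
    for path, svc in otl["drivers"]:
        if svc in services:   # both tools report the service; compare the image each names
            agree = ntpath.basename(path).lower() == ntpath.basename(services[svc]).lower()
            findings.append({"kind": "hidden_driver_service", "service": svc, "otl_image": path,
                             "rootrepeal_image": services[svc], "images_agree": agree})
    return findings


def analyse():
    return correlate(parse_rootrepeal(ROOTREPEAL_REPORT), parse_otl(OTL_LINES))
```

The `images_agree` flag is the detail to look at: two tools naming the same service but different driver files is itself a sign that one view is being filtered, which matches the srosa2.sys / sr.sys / wfsintwq.sys confusion seen with the normal tools.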

I tried removing the hidden service, sr.sys, but RootRepeal would not do it. I was then able to wipe several of the hidden files and was subsequently able to run GMER. To bring some brevity to an already way too long post I'm not going to show everything GMER found (which was a lot!). Here is a summary:

It confirmed the Malware we have already seen with the other tools, but it found much more.

In this hidden folder:
C:\Documents and Settings\Administrator\Application Data\drivers\downld\
There were about 30 files with names like 311109.exe, all random numbers.

Then the real find and the main goal of this Malware:
C:\Documents and Settings\Administrator\Application Data\hidires\WDIR\000-484 – Enterprise Connectivity with J2EE Practice Exam Questions 1.0 (KeyGen).zip
C:\Documents and Settings\Administrator\Application Data\m\shared\12Ghosts Timer 9.0.52.5740.zip

There were about 100 zip archives in each of the WDIR and shared hidden folders. These are not keygens or games as their names claim. Analysis showed that each archive contains the same Bagle dropper, packed up and ready for someone to download and infect themselves. So how are they going to get them off your PC? Well, this entry:
O4 - HKCU..\Run: [flec003.exe] C:\Documents and Settings\Administrator\Application Data\hidires\flec003.exe (http://www.emule-project.net)

starts an eMule P2P client on your machine every time Windows starts, with those hidden folders as its share. Yes, as my kids say, you and your PC have been Pwnd. Your PC is serving up malware to the world.
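
How the P2P share looks to a triage script, as an added example (not from the post): every archive has a different, attractive name and a different member name, but hashing the member contents clusters them into one payload. The archives below are constructed in memory; the payload is placeholder bytes, not the dropper, and only the naming pattern is taken from the post.

```python
"""Cluster zip archives by the SHA-256 of their members. Added example, not
code from the post; archive names copy the pattern the post found, but the
archives are built in memory here and the payload is placeholder bytes."""
import hashlib
import io
import zipfile
from collections import defaultdict

FAKE_DROPPER = b"MZ" + b"\x90" * 64 + b"placeholder, not an executable"
FAKE_DROPPER_SHA256 = hashlib.sha256(FAKE_DROPPER).hexdigest()
BAIT_NAMES = [
    "000-484 - Enterprise Connectivity with J2EE Practice Exam Questions 1.0 (KeyGen).zip",
    "12Ghosts Timer 9.0.52.5740.zip",
    "Some Game 2.3 (crack).zip",
    "Office Suite 11 (serial).zip",
]


def build_archive(member_name, payload):
    """One zip in memory with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def constructed_share_folder():
    """{archive name: zip bytes}: four bait archives carrying the same payload
    under different member names, plus one unrelated archive."""
    folder = {n: build_archive(n[:-4] + ".exe", FAKE_DROPPER) for n in BAIT_NAMES}
    folder["readme.zip"] = build_archive("readme.txt", b"unrelated content\n")
    return folder


def cluster_by_member_hash(folder):
    """Group (archive, member, size) by the hash of the member's contents."""
    clusters = defaultdict(list)
    for archive, data in folder.items():
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                digest = hashlib.sha256(zf.read(info)).hexdigest()
                clusters[digest].append((archive, info.filename, info.file_size))
    return dict(clusters)


def summarize(folder):
    """Clusters, largest first: one payload across many differently named
    archives is the signature of a seeded P2P share."""
    ranked = sorted(cluster_by_member_hash(folder).items(), key=lambda kv: -len(kv[1]))
    return [{"sha256": digest,
             "archives": sorted(a for a, _, _ in members),
             "members": sorted({m for _, m, _ in members})}
            for digest, members in ranked]


if __name__ == "__main__":
    for c in summarize(constructed_share_folder()):
        print(len(c["archives"]), "archive(s) carry", c["sha256"][:16], c["members"])
```

On a real share folder, point `cluster_by_member_hash` at the zip bytes read from disk; the biggest cluster's hash is the one to submit to VirusTotal, rather than one archive at a time.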

The scary thing about this malware is that the only real indication of its presence is that it slows down system performance (those CPU cycles are busy serving up malware). There are no pop-ups or redirects, and your security software has been disabled so it knows nothing. Your browser will shut down if you try to surf to any security sites, and many tools won't run. So if you have these symptoms I would suggest getting help.

It is possible to remove this Malware. But again, unless you really know what you’re doing I would suggest heading over to the forums and posting the required logs so an expert can take a look.

Sorry for such a long post here, but I left a lot out, trust me. This one was also real fun to play with and analyze. I hope this provides some insight into how this stuff spreads itself around. Also it should alert you to the dangers of P2P file sharing.

Category:Analysis | Comments (1) | Autor: admin

IObit using blackhat SEO to promote product

Thursday, 5. November 2009 16:02

WARNING: The material presented here may be offensive to some readers. It relates to the promotion of online porn and other questionable practices. If you are not comfortable with it then please surf away from here.

In follow up discussions and investigations of IObit, it has been discovered that part of their marketing plan is to use questionable search terms to drive traffic to their sites and products. NOTE: This has nothing to do with the alleged theft of intellectual property by IObit.

I have issues with at least 2 pages that they are currently hosting (note that I made sure the links below are not “clickable” and would need to be copy and pasted into your browser if you want to see them, just so it doesn’t happen by accident).

http://www.iobit.com/porn-games.html

http://www.iobit.com/naruto-hentai.html

While these pages do not explicitly host porn, they are promoting their products by directing users from those pages back to the main IObit pages. Note also that it has been proven that these pages have been up for some time now, long before the property theft scandal, and they have not been hacked.

Searching Google on very (I would assume) common terms used for folks who search on this stuff such as “hentai porn” or “porn games”, puts these pages in the top 10 or 20 rankings. Not bad, if you’re IObit. That will direct a lot of people your way, using very questionable methods.

Another product they are promoting, P2PTurbo, claims to greatly enhance and speed up peer2peer client performance. Now again, not illegal, but highly questionable.

Here is why I state that. Both online porn and P2P use are probably the number 1 and 2 ways that users get infected with Malware in the first place. I see it every day in helping folks in the forums. Many have P2P clients installed and admit to using them. And while I have no direct proof on porn I think we can all agree that the practice, while not illegal, is questionable. Tech note: If you ever want to get yourself infected (and I’m not suggesting or promoting this), fire up your favorite search engine, search on some porn keywords, click some links, and in no time you will have the opportunity to pick up some great, fresh Malware.

As far as I know, IObit has not even responded to questions on these tactics and the pages are still live as of today. In the main discussion thread at IObit I have asked that they be pulled and have adamantly voiced my opinion. The mods and the supporters have been patient and very active in this thread, but as far as I can tell no official representation from IObit has been made. Even some of its most emphatic supporters are losing patience and showing less support.

IObit accusation thread (warning, 33 pages of posts in 3 days).

Things just keep getting worse for IObit. MalwareBytes may have shoveled a bit of a hole for them, but they had already brought the heavy equipment and put in the foundation.

Category:Analysis | Comments (2) | Autor: admin

Analysis of a Rogue installation

Wednesday, 4. November 2009 16:24

In the forums we are often asked “How did this happen? How did I get infected?” I would like to detail just one of the ways this can happen. Now keep in mind this is only one way. There are many others, such as through file sharing sites, cracks and keygens, and email attachments.

You are surfing away, maybe checking out some news or looking for some online games. Then all of a sudden, boom! You see what looks very much like a common Windows screen, styled like a Windows dialog, which appears to be actively scanning your PC and finding all kinds of problems.

Some pages I’ve seen lately even appear to be giving you the dreaded Blue Screen of Death (BSOD).

Fake BSOD

This is certainly enough to alarm and concern many a knowledgeable PC user. Typically a few seconds after these pages load and appear to do their scanning you will get a prompt to download a file.

IE download box / Firefox download box

Now, the image on the left is from Internet Explorer and the one on the right is from Firefox. Aside from the screenshots being taken on different operating systems, what is the main difference? IE has the dreaded "Run" button, which downloads and runs the file in one shot. Firefox only downloads it first. A download by itself will not infect you; you would then have to go and run the file yourself, which gives you at least a few more seconds to come to your senses and not execute it.

So, how do you prevent this from happening? Good prevention tools, the right knowledge, and a little common sense. I have covered a good prevention plan here. Also, using Firefox instead of IE (even though IE has done much to improve its security) will go a long way toward keeping you from arriving at one of these pages. Firefox 3.x also includes Google's Safe Browsing service by default. For sites that have been reported and blocked you will see a screen like this:

Firefox Block

This gives one more layer of defense against this type of attack.

Bottom line: when and if you see a page like this, don't panic. You have not been infected, yet. Don't click anything on the page. Close the browsing session as soon as possible by using Task Manager to end the browser process(es), as clicking "no" or "abort" on the page will most often just make things worse.

Safe surfing,

Dave aka IndiGenus

Category:Analysis | Comment (0) | Autor: admin

IObit accused of stealing MalwareBytes database!

Tuesday, 3. November 2009 15:33

I’m going to break away from any analysis here and feel compelled to write about this. The information here has been widely publicized and battles in the forums/blogs have ensued.

A thread was started yesterday at MalwareBytes with accusations that IObit has stolen their intellectual property.

IOBit Steals Malwarebytes’ Intellectual Property

The forums, blogs, and news sites have been going crazy with various reports and findings and things are quite heated right now.

To sum up, MBAM is accusing IObit of stealing their malware database for use with their products. They had been watching IObit for some time and suspected foul play. So they created a fake malware sample and did not release it to the public. IObit's product also detects the sample as malware, with the SAME NAME! Coincidence? I don't think so. IObit's defense has been that samples are submitted to their database from users all over the place. How could this one have been submitted? It was never released!

I’m sure the debates and flaming will continue across the internet, but hopefully the real truth will come out. I’ll be the first to say I was wrong if they submit some real proof or an explanation of how this happened, but that has yet to come. Some are even accusing the “accusers” of racism. The following is from one post I’m participating in at the IObit forums.

It is clear that most of this kerfuffle is just racist against Chinese……..

Please…the full thread can be read here.

In time the truth will come out and we’ll see right?

UPDATE (11/4/09): Unbelievable! IObit removed almost all of the accusatory posts from the thread I had linked to and posted in. Now the only ones left are from them and the thread is closed. They have done this with other threads also, including the original thread that started this. Note that while there were some heavy accusations posted, all people were asking for was a valid explanation of how this could happen, and they were not able to give one. Arhhggg…..

UPDATE (11/6/09): Testing was just completed on a comparison between the new version of IObit360 just released (1.2) and the previous version (1.1). On over 1800 fresh malware samples (pulled within last 24 hours) here are the results:

Ver 1.1: 1427/1857 = 76.8%

Ver 1.2: 367/1857 = 19.7%

IObit is claiming the version update was for “language updates”. These are the exact same files tested between updates. Wonder how this could be???

Source of this information from MalwareBytes forum thread here.

Category:Rants | Comment (0) | Autor: admin
