Trojan Startpage is a type of trojan that forcibly changes the default start page of a web browser.
This version of Startpage, found in the wild sometime in early December 2013, is noticeably interesting. Unlike most of its predecessors, which used the registry value "Start Page" under [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main] to change the start page of Internet Explorer, this one uses a modified antivirus software component to alter the browser's start page. Together with the modified antivirus software, this version also bundles several non-malicious game software downloaders, all squeezed together (hence the title) with the trojan in an NSIS (Nullsoft Scriptable Install System) installer, in an attempt to conceal its execution from the user.
A step-by-step description of how this trojan operates follows.
- Creates the %PROGRAMFILES%\rayying directory.
- Creates "%ALLUSERSPROFILE%\Desktop\ Intornat Explarer .lnk", a shortcut to rayying.exe. Rayying.exe is a Chinese web browser and is not malicious.
- Creates a quick launch icon for rayying.exe in "%APPDATA%\Microsoft\Internet Explorer\Quick Launch", again using Intornat Explorer as the shortcut name.
- Creates the directory %PROGRAMFILES%\soft275710 and drops the following files:
  - 300.bat - executes the 300.reg file and then forcibly restarts the explorer.exe process
  - 300.reg - adds "Attributes"=dword:0133EC20 to registry keys pertaining to different explorer.exe functions, such as:
    - Default Navigator ({871C5380-42A0-1069-A2EA-08002B30309D})
    - Computer Search Results folder ({1F4DE370-D627-11D1-BA4F-00A0C91EEDBA})
    - Network Search Results ({E17D4FC0-5564-11D1-83F2-00A0C90DC849})
  - 275710.txt - a non-malicious text file
  - b_2710.vbe - an encoded VBScript that executes 300.bat
  - w_2710.exe - an NSIS-compiled dropper/installer of smes.exe (this NSIS package is the trojan component responsible for modifying the start page of web browsers)
The VB script (b_2710.vbe) can be decoded using the tool found at http://www.greymagic.com/security/tools/decoder/.
Here is the decoded version of the script:
'1020111003101004571027101010
Dim WSHShell
Set WshShell = WScript.CreateObject("WScript.Shell")
strDesktop = WshShell.SpecialFolders("Desktop") :' special folder "Desktop"
Favorites = WshShell.SpecialFolders("Favorites") :' special folder "Desktop" (comment copied verbatim from the line above in the original script)
on error resume next
strttWinDir = WshShell.ExpandEnvironmentStrings("%ProgramFiles%")
' strDesktop, Favorites and strttWinDir are assigned but never used afterwards
' Runs 300.bat from the script's working directory with the window hidden (window style 0)
createobject("wscript.shell").run """300.bat""",0
Dim fso
Set fso =CreateObject("Scripting.FileSystemObject")
' Deletes the script itself after launching the batch file
fso.DeleteFile WScript.ScriptFullName
- Runs Internet Explorer with the address "http://www.qq937.com/yxyz/cp12/index.html?cid=50789". While this site loads, the trojan continues its malicious activity in the background, unnoticed by the user.
- The trojan then attempts to execute b_2710.vbe, but since this VBScript is still encoded, the operating system just returns an error. At this point the trojan's infection routine halts and continues only if the user closes the error message. It is possible that this flaw was unintentionally introduced by the malware author.
- Attempts to download and execute other components:
  - Executes the downloaded file %PROGRAMFILES%\soft275710\wl06079.exe, detected by VIPRE as Trojan.Win32.Generic!BT
  - Executes %PROGRAMFILES%\soft275710\w_2710.exe (which installs smes.exe), detected by VIPRE as Trojan.NSIS.Startpage.aen (v)
  - Executes the downloaded file %PROGRAMFILES%\soft275710\JJmatch_11494.exe, a non-malicious game installer
  - Executes the downloaded file %PROGRAMFILES%\soft275710\pipi_dae_381.exe, a non-malicious game installer
An In-Depth Analysis of w_2710.exe - Trojan.NSIS.Startpage.aen (v)
The file w_2710.exe, which came bundled with the other software in the NSIS installer, is itself also packaged as an NSIS installer. Executing w_2710.exe creates two new directories under %ALLUSERSPROFILE%\Application Data: "kingsoft\kws" and "smes".
In the %ALLUSERSPROFILE%\Application Data\kingsoft\kws directory, the following files are added:
- kws.ini
- spitesp.dat
- spot.ini
In the %ALLUSERSPROFILE%\Application Data\smes directory, the following files are added:
- smes.exe
- kswbc.dll
- kswebshield.dll
- kwssp.dll
- kwsui.dll
- u.bat
It then executes the batch file u.bat, which in turn runs three commands: smes.exe -install (installs smes.exe as a service), smes.exe -start (starts the smes.exe service) and del %0 (deletes u.bat).
Smes.exe accepts five command-line switches:
- -install - installs the Kingsoft Antivirus WebShield Service
- -run - executes smes.exe as a normal process
- -uninstall - removes the Kingsoft Antivirus WebShield Service
- -start - executes smes.exe as a service process
- -console - executes smes.exe as a normal process with verbose logging enabled
A service named Kingsoft Antivirus WebShield Service is created that starts smes.exe every time the system boots.
Service Name: Kingsoft Antivirus WebShield Service
Display Name: Kingsoft Antivirus WebShield Service
Service Type: SERVICE_INTERACTIVE_PROCESS, SERVICE_WIN32_OWN_PROCESS
Service State: SERVICE_RUNNING
Binary Path: C:\_target\smes\$APPDATA\smes\smes.exe
Once the service is started, it cannot be stopped from the Windows Services Management Console because smes.exe greys out the Stop button, as seen in the figure below.
However, the running smes.exe process can be terminated manually from Windows Task Manager or Sysinternals Process Explorer, which in turn also stops the service.
Note also that once smes.exe starts executing, the Internet Explorer start page visibly changes to http://www.hao144.info/1/, and when smes.exe is terminated the start page reverts to the original.
In our analysis, smes.exe proves to be non-malicious by itself; however, malware authors can exploit its features (such as changing the start page of web browsers) to their advantage.
To fully understand how the start page modification is carried out, we proceed to analyze the component DLLs of smes.exe.
kwssp.dll
exports:
DllCanUnloadNow
DllGetClassObject
- non-malicious
- responsible for reading the settings in the kws.ini file and passing the parameters it reads to the kswebshield.dll module
- attempts to establish a connection to labs.duba.net, a Kingsoft website
kwsui.dll
exports:
DoDisplayLog
GetClassObject
GetHookStatus
SetWindowStyle
Startup
Stop
DllGetClassObject
- non-malicious
- injected into all running processes using SetWindowsHookEx in order to monitor WH_CBT (http://msdn.microsoft.com/en-us/library/windows/desktop/ms644977(v=vs.85).aspx) and WH_GETMESSAGE (message queue) hook events. A good read about Windows hooks and two other process injection techniques is this article: http://www.codeproject.com/Articles/4610/Three-Ways-to-Inject-Your-Code-into-Another-Proces
- responsible for injecting kswebshield.dll into running processes
- checks whether it has been injected into one of the following processes:
  - KSWebShield.exe
  - kxeserv.exe
  - kxfwsserv.exe
  - winlogon.exe
  - explorer.exe
  - kugoo.exe
  - iexplore.exe
  - 360se.exe
  - maxthon.exe
  - theworld.exe
  - ttraveler.exe
  - greenbrowser.exe
  - MyiQ.exe
  - myie.exe
  - tmshell.exe
  - flashget.exe
  - SogouExplorer.exe
  - setask.exe
  - firefox.exe
  - chrome.exe
  - gsfbwsr.exe
  - opera.exe
  - tango.exe
  - SaaYaa.exe
  - Safari.exe
  - MxCore.exe
  - AcroRd32.exe
  - tango3.exe
  - tangoweb.exe
kswbc.dll
exports:
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
- non-malicious
- injected into iexplore.exe only, by kswebshield.dll
kswebshield.dll
exports:
MatchingUWUrl
MatchingUrl
ProcessUWUrl
RegisterUrlProcessor
UnregisterUrlProcessor
UrlProcess
- non-malicious
- injected into running processes using the SetWindowsHookEx API
- the culprit responsible for replacing the Internet Explorer start page with whatever website is set under the "sp" key in its ini file (kws.ini)
In this figure, kswebshield.dll is already injected into the process memory of iexplore.exe and starts to load http://www.hao144.info/1/.
- also hooks the following APIs in order to route execution to itself:
  - WS2_32.WSASend
  - WS2_32.Send
  - NTDLL.ZwCreateProcessEx
  - NTDLL.ZwCreateProcess
  - WININET.HttpOpenRequestA
  - WININET.HttpOpenRequestW
  - WININET.InternetConnectA
  - WININET.InternetConnectW
  - WININET.InternetReadFile
  - WININET.InternetQueryDataAvailable
  - WININET.InternetOpenUrlA
  - WININET.InternetOpenUrlW
  - WININET.InternetCloseHandle
  - KERNEL32.CopyFileExA
  - KERNEL32.CopyFileExW
  - KERNEL32.CopyFileA
  - KERNEL32.CopyFileW
  - KERNEL32.LoadLibraryA
  - KERNEL32.LoadLibraryW
  - KERNEL32.LoadLibraryExA
  - KERNEL32.LoadLibraryExW
  - KERNEL32.CreateProcessInternalA
  - KERNEL32.CreateProcessInternalW
  - KERNEL32.CreateProcessW
  - KERNEL32.CreateProcessA
  - KERNEL32.WinExec
  - OLEAUT32.SysAllocStringByteLen
  - OLEAUT32.SysAllocStringLen
  - SHELL32.ShellExecuteExA
  - SHELL32.ShellExecuteExW
  - OLE32.CoGetClassObject
  - OLE32.CoRegisterClassObject
  - OLE32.CoCreateInstance
  - SHLWAPI.SHRegGetUSValue
  - ADVAPI32.RegQueryValueExA
  - ADVAPI32.RegQueryValueExW
  - NSPR4.PR_LoadLibrary
  - URLMON.CoGetClassObjectFromURL
  - URLMON.URLDownloadToCacheFileA
  - URLMON.URLDownloadToCacheFileW
  - URLMON.URLDownloadToFileA
  - URLMON.URLDownloadToFileW
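As an added example (not part of the original analysis), the following PowerShell triage script checks a host for the artifacts named throughout this write-up: the dropped directories, the "sp" value in kws.ini, the misspelled "Intornat" shortcuts, the Kingsoft Antivirus WebShield Service (and whether it accepts a stop control, which is what lies behind the greyed-out Stop button), a running smes.exe, the four component DLLs loaded into other processes, and the Internet Explorer Start Page value that earlier variants modified. It assumes PowerShell 3 or later (for Get-CimInstance); the $env:ProgramData and $env:PUBLIC locations are assumed modern equivalents of the XP-era %ALLUSERSPROFILE% paths the analysis lists, and the ServiceController CanStop property is used as the indicator for the stop control.

```powershell
# Added triage script for the artifacts described in this write-up (not part of the
# original analysis). Assumes PowerShell 3+ (Get-CimInstance). The write-up names the
# Windows XP location %ALLUSERSPROFILE%\Application Data; on Vista and later that data
# would live under $env:ProgramData, so both locations are checked (an assumption).
$findings = New-Object System.Collections.Generic.List[string]

# 1. Dropped directories named in the analysis
$dropDirs = @(
    (Join-Path $env:ProgramFiles 'rayying'),
    (Join-Path $env:ProgramFiles 'soft275710'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\smes'),
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\kingsoft\kws'),
    (Join-Path $env:ProgramData 'smes'),
    (Join-Path $env:ProgramData 'kingsoft\kws')
)
foreach ($d in $dropDirs) {
    if (Test-Path -LiteralPath $d) { $findings.Add("Directory present: $d") }
}

# 2. The "sp" setting in kws.ini is the start page that kswebshield.dll enforces
$iniPaths = @(
    (Join-Path $env:ALLUSERSPROFILE 'Application Data\kingsoft\kws\kws.ini'),
    (Join-Path $env:ProgramData 'kingsoft\kws\kws.ini')
)
foreach ($ini in $iniPaths) {
    if (-not (Test-Path -LiteralPath $ini)) { continue }
    Get-Content -LiteralPath $ini | ForEach-Object {
        if ($_ -match '^\s*sp\s*=\s*(.+)$') { $findings.Add("kws.ini sp= $($Matches[1]) in $ini") }
    }
}

# 3. The misspelled "Intornat Explarer" / "Intornat Explorer" shortcuts
$shortcutDirs = @(
    (Join-Path $env:ALLUSERSPROFILE 'Desktop'),
    (Join-Path $env:PUBLIC 'Desktop'),
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer\Quick Launch')
)
foreach ($d in $shortcutDirs) {
    if (-not (Test-Path -LiteralPath $d)) { continue }
    Get-ChildItem -LiteralPath $d -Filter '*.lnk' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'Intornat' } |
        ForEach-Object { $findings.Add("Shortcut present: $($_.FullName)") }
}

# 4. The service. CanStop is false when the service does not accept SERVICE_CONTROL_STOP,
#    which is why the Services console greys out the Stop button.
Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq 'Kingsoft Antivirus WebShield Service' -or $_.PathName -match 'smes\.exe' } |
    ForEach-Object {
        $findings.Add("Service present: '$($_.Name)' state=$($_.State) path=$($_.PathName)")
        $ctl = Get-Service -Name $_.Name -ErrorAction SilentlyContinue
        if ($ctl -and -not $ctl.CanStop) {
            $findings.Add("Service '$($_.Name)' does not accept the stop control; terminate the smes.exe process instead")
        }
    }

# 5. Running smes.exe, and the four component DLLs loaded into other processes
$dlls = @('kswebshield.dll', 'kwsui.dll', 'kswbc.dll', 'kwssp.dll')
foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    if ($proc.ProcessName -eq 'smes') { $findings.Add("smes.exe running as PID $($proc.Id)") }
    try { $mods = $proc.Modules } catch { continue }   # access denied or 32/64-bit mismatch
    foreach ($m in $mods) {
        if ($dlls -contains $m.ModuleName.ToLower()) {
            $findings.Add("$($m.ModuleName) loaded in $($proc.ProcessName) (PID $($proc.Id))")
        }
    }
}

# 6. Start Page value used by earlier Startpage variants. This variant changes the page
#    through the injected DLL, so the value can look clean while the browser still opens hao144.info.
$main = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($main -and $main.'Start Page') { $findings.Add("IE Start Page = $($main.'Start Page')") }

if ($findings.Count -eq 0) { 'No artifacts of this Startpage variant found.' } else { $findings }
```

Run it from an elevated prompt so that module lists of other users' processes can be read; on a clean host it prints only the registry Start Page line (or nothing), while an infected host lists the service, the injected DLLs and the directories, which together confirm the behaviour described above without relying on the registry value alone.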