Say Hi To Cuckoo Sandbox!

Cuckoo is an open source automated malware analysis tool. It executes a file inside an isolated virtual machine and records what the file does. And if you are running FreeFixer, your suspicious files will also be analysed by the sandbox. For free.

I’ll try to explain what Cuckoo can do more in detail by using examples from the Cuckoo reports on files listed here at freefixer.com:

One of the most useful features is that Cuckoo traces API calls. Here’s an example from RunBoosterUpdateTask64.exe, where you can see it calling CreateServiceW to register C:\Windows\System32\drivers\WinDivert64.sys as a service named WinDivert1.2. The numeric arguments tell the rest of the story: service_type 1 is SERVICE_KERNEL_DRIVER, start_type 2 is SERVICE_AUTO_START, and desired_access 983551 is 0xF01FF, SERVICE_ALL_ACCESS. In other words the file installs a kernel driver that loads at every boot. This is pretty useful if you are trying to find out what a particular file on your system is doing.

"call": {
  "category": "services",
  "status": 1,
  "stacktrace": [],
  "api": "CreateServiceW",
  "return_value": 4536928,
  "arguments": {
    "service_start_name": "",
    "start_type": 2,
    "service_handle": "0x0000000000453a60",
    "display_name": "WinDivert1.2",
    "error_control": 1,
    "service_name": "WinDivert1.2",
    "filepath": "C:\\Windows\\System32\\drivers\\WinDivert64.sys",
    "filepath_r": "C:\\Windows\\system32\\drivers\\WinDivert64.sys",
    "service_manager_handle": "0x0000000000453a00",
    "desired_access": 983551,
    "service_type": 1,
    "password": ""
  },
  "time": 1576385586.79675,
  "tid": 2436,
  "flags": {}
}

Cuckoo also logs DNS lookups. Here’s another example from the report, where RunBoosterUpdateTask64.exe tries to resolve update.updinfo.xyz:

"resolves_host": [ "update.updinfo.xyz" ]

And the list goes on. Cuckoo detects anti-virtualisation tactics. For example, Cuckoo will notice if the file under test checks for the existence of VMware or VirtualBox registry keys or files.

Here’s an example from armsvc.exe where Cuckoo notices that the process is trying to detect whether it is running in VMware by executing the x86 in instruction against VMware’s backdoor I/O port (0x5658):

{
  "markcount": 1,
  "families": [],
  "description": "Detects VMWare through the in instruction feature",
  "severity": 3,
...

Cuckoo will flag potentially compressed or encrypted data in executable files by measuring their entropy. It can also click through installation wizards and takes screenshots during the analysis, and it logs UDP and TCP connections.

I’m impressed by all the features.

So, I’ve set up a Cuckoo installation that freefixer.com will use to analyse files. The approach is simple: freefixer.com uploads files to the sandbox and after a while the analysis is displayed on the web site. I’ve decided to display the Summary, Generic, Dropped, Signatures, Yara, and Network sections from the sandbox report. Here’s an example report for armsvc.exe:

I’ve been running Cuckoo for some time now, and it has analysed more than 6000 files. I’m pretty happy with the result so far. Cuckoo just keeps on running, analysing one file after another.

I’ve identified a number of issues that need to be addressed:

  • Lots of noise! The reports from Cuckoo can be quite verbose and it can be difficult for users to identify the most interesting parts of the log. This is a pretty difficult problem that I’m not sure how to fix. An automated approach is needed to pinpoint the most interesting parts of the log.
  • Identical screenshots. The sandbox generates screenshots that are almost identical. I’m currently using ImageMagick to compare images for similarity but it does not work well enough. I think the code needs another round of tuning.
  • The web site needs to explain what the items in the log mean. For example, what do UDP packets sent from the local host to 224.0.0.252 on port 5355 mean? (That is LLMNR, Link-Local Multicast Name Resolution: Windows trying to resolve a name among hosts on the same local link.)
  • The JSON reports are shown in fixed size text areas (<pre></pre>) with vertical and horizontal scrollbars. Works OK when the amount of JSON data is small. Works terribly when dealing with a large amount of data. Please let me know if you have some ideas on how to present the JSON data in smart ways.
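
As an added example (not code from freefixer.com or from the Cuckoo project), here is a small Python triage script that addresses the noise problem above and the API-call decoding from the CreateServiceW example earlier: it walks a report.json, keeps only signatures at or above a severity threshold, collects the hosts the sample resolved, and translates the numeric CreateServiceW arguments (service_type, start_type, desired_access) into their winsvc.h names. The report layout it expects (signatures[].marks[].call, behavior.generic[].summary.resolves_host) follows Cuckoo 2.x; the sample report embedded in the script is constructed, with only the CreateServiceW arguments and the hostname taken from the fragments quoted above.

```python
"""Triage a Cuckoo 2.x report.json so the interesting parts surface first.

Added example; not FreeFixer's or Cuckoo's own code. SAMPLE_REPORT is a
constructed report in the Cuckoo 2.x shape: the CreateServiceW arguments and
the resolved host mirror the fragments quoted in the post, the rest is made up.
"""
import json

# CreateServiceW constants from winsvc.h.
SERVICE_TYPES = {
    0x1: "SERVICE_KERNEL_DRIVER",
    0x2: "SERVICE_FILE_SYSTEM_DRIVER",
    0x10: "SERVICE_WIN32_OWN_PROCESS",
    0x20: "SERVICE_WIN32_SHARE_PROCESS",
}
START_TYPES = {
    0: "SERVICE_BOOT_START",
    1: "SERVICE_SYSTEM_START",
    2: "SERVICE_AUTO_START",
    3: "SERVICE_DEMAND_START",
    4: "SERVICE_DISABLED",
}
SERVICE_ALL_ACCESS = 0xF01FF  # 983551 decimal, as it appears in the report


def decode_create_service(call):
    """Translate the numeric CreateServiceW arguments into names a reader can act on."""
    args = call["arguments"]
    stype = args["service_type"]
    return {
        "service_name": args["service_name"],
        "image": args["filepath"],
        "type": SERVICE_TYPES.get(stype, hex(stype)),
        "start": START_TYPES.get(args["start_type"], str(args["start_type"])),
        "is_driver": bool(stype & 0x3),  # kernel-driver or file-system-driver bit set
        "all_access": args["desired_access"] == SERVICE_ALL_ACCESS,
    }


def triage(report, min_severity=2):
    """Collapse a verbose report into scored signatures, resolved hosts and created services."""
    findings = {"signatures": [], "hosts": set(), "services": []}
    for sig in report.get("signatures", []):
        if sig.get("severity", 0) >= min_severity:
            findings["signatures"].append((sig["severity"], sig["description"]))
        # A signature's marks carry the raw API call that made it fire.
        for mark in sig.get("marks", []):
            call = mark.get("call") or {}
            if mark.get("type") == "call" and call.get("api") == "CreateServiceW":
                findings["services"].append(decode_create_service(call))
    for proc in report.get("behavior", {}).get("generic", []):
        findings["hosts"].update(proc.get("summary", {}).get("resolves_host", []))
    findings["signatures"].sort(reverse=True)  # highest severity first
    findings["hosts"] = sorted(findings["hosts"])
    return findings


# Constructed sample in the shape of a Cuckoo 2.x report.json.
SAMPLE_REPORT = {
    "signatures": [
        {"name": "antivm_vmware_in", "severity": 3, "markcount": 1, "marks": [],
         "description": "Detects VMWare through the in instruction feature"},
        {"name": "creates_service", "severity": 2, "markcount": 1,
         "description": "Creates a service",
         "marks": [{"type": "call", "pid": 1234, "cid": 77, "call": {
             "category": "services", "api": "CreateServiceW", "status": 1,
             "arguments": {
                 "service_name": "WinDivert1.2", "display_name": "WinDivert1.2",
                 "filepath": "C:\\Windows\\System32\\drivers\\WinDivert64.sys",
                 "service_type": 1, "start_type": 2, "error_control": 1,
                 "desired_access": 983551}}}]},
        {"name": "noise_example", "severity": 1, "markcount": 1, "marks": [],
         "description": "Constructed low-severity entry standing in for report noise"},
    ],
    "behavior": {"generic": [
        {"process_name": "RunBoosterUpdateTask64.exe", "pid": 1234,
         "summary": {"resolves_host": ["update.updinfo.xyz"]}},
    ]},
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_REPORT), indent=2))
```

Run it against a real report with `triage(json.load(open("report.json")))`; raising min_severity is the quickest way to cut the noise down to the handful of signatures worth reading first, while the decoded service entries show at a glance whether a sample installed an auto-start kernel driver.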

I’m hoping, now that you have another tool to analyse files, that this will help you to track down and remove that malware running on your machine.

GoogleBot, BingBot – Is That Crawler Real or Fake?

I’m currently running FreeFixer.com on a shared Dreamhost server. Dreamhost has a monitoring service that keeps an eye on the total resource usage for each user account. If some user consumes too many resources on the server, the monitoring service starts killing off processes for that user and an email report is sent. This is great since it spares me most of the performance problems caused by other users on the same server.

Some time ago, the resource usage for freefixer.com started hitting the limit but I didn’t notice any additional traffic when I examined the Google Analytics report. This led me to investigate Apache’s access.log file. Here are two example entries from the log:

157.55.39.252 - - [25/Jun/2019:02:37:05 -0700] "GET /library/file/UninstallTP.exe-154295/ HTTP/1.1" 200 17986 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
163.172.64.171 - - [25/Jun/2019:02:37:10 -0700] "GET /b/tag/fake-flash-software/ HTTP/1.1" 200 18719 "-" "Barkrowler/0.9 (+http://www.exensa.com/crawl)"

The first entry (157.55.39.252) claims to be the bingbot and the second (163.172.64.171) is a crawler called Barkrowler (exensa.com).

When examining the access.log a bunch of questions are raised:

  1. Let’s say the crawler claims to be BingBot or GoogleBot, but is it the real one coming from one of Google’s or Microsoft’s data centers, or is it a bot that falsely sets its user agent to GoogleBot or BingBot?
  2. What about all the other bots out there? Their crawling uses quite a lot of resources, but do they bring any value or users to your web site?
  3. What about all the other high-usage IP addresses that claim to be ordinary users? Are their claims correct, or are they just bots in disguise?

How To Determine If a Bot is Fake

Let’s say you see an entry in the log coming from 157.55.39.252 and it claims to be bingbot. How can we determine that the traffic is from a real bingbot? We can do this using the following two steps:

1) First we do a reverse DNS lookup using the IP from the log.

$ host 157.55.39.252

252.39.55.157.in-addr.arpa domain name pointer msnbot-157-55-39-252.search.msn.com.

The reverse lookup returns msnbot-157-55-39-252.search.msn.com.

2) Then we do a forward DNS lookup on the hostname we got from the reverse lookup.

$ dig +short msnbot-157-55-39-252.search.msn.com

157.55.39.252

So, to summarise: 157.55.39.252 points to msnbot-157-55-39-252.search.msn.com, which is inside Microsoft’s search.msn.com domain, and that hostname resolves back to 157.55.39.252, the address we started with. Excellent, we now know that we are dealing with a legitimate bingbot. Both steps are needed: whoever owns an IP block can put any text they like in its PTR record, including something that looks like msnbot, but only Microsoft can make a name under search.msn.com resolve to that IP. Also check that the PTR ends in the operator’s own domain (search.msn.com for bingbot, googlebot.com or google.com for Googlebot) rather than merely containing the word somewhere.
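
Here is the two-step check above as a script, added as an example and not code from freefixer.com. It parses Apache combined-format access.log lines like the ones shown earlier, picks out requests whose User-Agent claims to be a known crawler, and verifies each with a reverse lookup, a suffix check against the operator’s published crawler domain, and a forward lookup back to the IP. The resolver functions are parameters so the logic can be exercised offline against constructed DNS answers (a forged PTR for 203.0.113.7 plays the impostor); call verify_crawler() with the defaults to query real DNS. The suffix list is what Microsoft, Google and Yandex documented for their crawlers at the time of writing and is an assumption to re-check before relying on it.

```python
"""Is that "bingbot" really Bing? Reverse DNS, then forward DNS, then compare.

Added example; not code from freefixer.com. Resolver functions are injected so
the check can run offline with the constructed FAKE_PTR/FAKE_A answers below.
"""
import re
import socket

# Hostname suffixes the search engines publish for their crawlers (assumption:
# verify against the operators' current documentation). Matching on the suffix
# with its leading dot is what stops "search.msn.com.evil.example" from passing.
CRAWLER_SUFFIXES = {
    "bingbot": (".search.msn.com",),
    "googlebot": (".googlebot.com", ".google.com"),
    "yandexbot": (".yandex.ru", ".yandex.net", ".yandex.com"),
}

# Apache combined log format: client IP first, User-Agent in the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')


def default_reverse(ip):
    """PTR lookup; None when the IP has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def default_forward(hostname):
    """All A/AAAA answers for hostname, as a set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()


def verify_crawler(ip, claimed_bot, reverse=default_reverse, forward=default_forward):
    """Return (is_real, reason) for an IP whose User-Agent claims to be claimed_bot."""
    suffixes = CRAWLER_SUFFIXES.get(claimed_bot.lower())
    if not suffixes:
        return False, f"no published hostname suffix known for {claimed_bot!r}"
    hostname = reverse(ip)
    if not hostname:
        return False, "no PTR record"
    hostname = hostname.rstrip(".").lower()
    # Step 1: the PTR must land inside the operator's own domain...
    if not hostname.endswith(suffixes):
        return False, f"PTR {hostname} is outside the operator's domains"
    # Step 2: ...and the operator's zone must point that name back at the IP.
    # The IP's owner controls its PTR; only Microsoft controls search.msn.com.
    if ip not in forward(hostname):
        return False, f"{hostname} does not resolve back to {ip}"
    return True, f"{ip} <-> {hostname}"


def classify_log_line(line, reverse=default_reverse, forward=default_forward):
    """Return (claimed_bot, (is_real, reason)); claimed_bot is None for other UAs."""
    m = LOG_RE.match(line)
    if not m:
        return None, (False, "unparseable log line")
    ua = m["ua"].lower()
    for bot in CRAWLER_SUFFIXES:
        if bot in ua:
            return bot, verify_crawler(m["ip"], bot, reverse, forward)
    return None, (False, "does not claim to be a known crawler")


# Constructed DNS answers for the offline demo. 157.55.39.252 mirrors the
# access.log entry in the post; 203.0.113.7 is an impostor whose PTR was forged
# to look like msnbot, which the forward lookup exposes.
FAKE_PTR = {
    "157.55.39.252": "msnbot-157-55-39-252.search.msn.com.",
    "203.0.113.7": "msnbot-157-55-39-252.search.msn.com.",
    "198.51.100.9": "crawler.example.net.",
}
FAKE_A = {
    "msnbot-157-55-39-252.search.msn.com": {"157.55.39.252"},
    "crawler.example.net": {"198.51.100.9"},
}


def demo_classify(line):
    """classify_log_line() wired to the constructed answers, for offline use."""
    return classify_log_line(line, lambda ip: FAKE_PTR.get(ip), lambda h: FAKE_A.get(h, set()))


if __name__ == "__main__":
    real = ('157.55.39.252 - - [25/Jun/2019:02:37:05 -0700] "GET /library/file/UninstallTP.exe-154295/ HTTP/1.1" '
            '200 17986 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"')
    forged = ('203.0.113.7 - - [25/Jun/2019:02:38:00 -0700] "GET / HTTP/1.1" '
              '200 512 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"')
    for line in (real, forged):
        print(demo_classify(line))
```

For a whole log, feed each line to classify_log_line() with the default resolvers and cache results per IP; the reverse and forward lookups are the expensive part and the same crawler address shows up thousands of times.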

Another way to check if an IP belongs to bingbot, if you don’t have the host and dig command line tools available, is to use Bing’s Verify Bingbot Tool. You simply type in the IP address, in this case 157.55.39.252, and solve the captcha.

Verify bingbot tool reports 157.55.39.252 is a real bingbot
Verify bingbot for 157.55.39.252

I’m not aware of web verification tools for the other search engines such as Google or Yandex. If you know about such a tool, please let me know.

What’s Hiding Behind Bing’s Ads?

Something that always bugged me is some of the content promoted by search engine ads. I’m talking about the ads that appear at the top of the search results. Here’s an example where I search for “download firefox” on the Bing search engine:

The first four items above the fold are ads. Let’s click on the first ad (fir.updatechecker.club).

The fir.updatechecker.club web site shows a fake Windows GUI pretending to be the Firefox Installer (built inside the browser’s viewport), and they want me to pay 50 SEK to install the free Mozilla Firefox browser by sending an SMS! The fact that 50 SEK is charged when sending the SMS appears in a small grey font in the lower left corner. When refusing to pay 50 SEK I get a setup file, which is detected by many of the security scanners:

The installer appears to be built using InstallCore and shows a sponsored offer to install Avast AntiVirus, which I declined. (Though it would be interesting to see if Avast would go ahead and remove the bundler. As you can see in the scan result above, Avast is detecting the installer file, giving it the detection name “FileRepMalware [PUP]”.)

The installer file also installs a piece of software called UpdateChecker:

Should Bing block these ads? What do you think?

KB4074588 Update Fails to Install with 0x80070bc2 Error Code on Windows 10

I just ran into a problem installing the KB4074588 update on Windows 10 and would like to share how I solved the problem. The error code for the failed installation was 0x80070bc2.

The problem started when Windows Update reported that KB4074588 was available with the “Awaiting restart” status.

windows updates KB4074588 awaiting restart

After restarting, I got the “We couldn’t finish installing updates” notification message.

we couldnt finish installing updates

When I went back and checked for Windows updates, KB4074588 started to download again and reported “Awaiting restart”. This loop kept going on and on…

When I checked the update history, I could see that update failed with error code 0x80070bc2.

0x80070bc2 error code

The problem seems to be that a Windows service called TrustedInstaller (shown as Windows Modules Installer in the Services list) is not configured to start automatically after a reboot. If it doesn’t start up automatically after the reboot, it does not finish the update.

So, here’s how I solved the KB4074588 and 0x80070bc2 problem:

  1. I went into Windows Update, checked for updates and waited until the status said “Awaiting restart”.
  2. Then I opened the Services list, located “Windows Modules Installer” and changed Startup type to Automatic. Remember to click the OK button.
     trustedinstaller set automatic
  3. Then I restarted the machine. After logging in and waiting for a minute or so, the update kicked in and displayed the following:
     installing stage 2 of 2
  4. Then I restarted the machine again and verified that KB4074588 was successfully installed:
     KB4074588 installed

Hope this helped you finish the KB4074588 update.

Please let me know if this worked for you too, or if you had to use some other procedure to get the update installed.

“Vitaly Rules Google” – Twitter Referrer Spam in Google Analytics – How To Remove

I recently released a new version of FreeFixer, and as usual after a new release I spend too much time looking at Google Analytics Real-Time stats to check out what my visitors are doing on the web site.

While doing this I noticed traffic with Twitter as the referrer under “Top Social Traffic”:

twitter-referer-spam-google-adsense

Happy times, the users are talking about the new FreeFixer release on Twitter, I thought.

The traffic appeared to be originating from Russia and Google Analytics claimed that the page title was:

“Vitaly rules google”

vitaly-rules-google-analytics

I have no such title anywhere on my site. So, this is obviously spam 🙁

So, how can the Twitter referral spam be stopped?

There are a bunch of methods to remove Analytics referrer spam such as this one. One way is to block the spammer’s IP address in the web server’s .htaccess file. That only works if the hits actually reach your server, though, so check access.log for them first: referral spam can also be sent straight to Google Analytics without ever touching your site, and in that case only an Analytics-side filter helps.

If you don’t have access to the spammer’s IP or the .htaccess file, you can filter out Twitter referrals in Google Analytics with these steps:

  1. Click on the Admin tab.
     admin-tab-google-adsense
  2. Click All Filters in the Account column to the left.
     all-filters
  3. Click the ADD FILTER button to create a new filter. This filter can be used for all the sites you have hooked up to Analytics.
     add-filter
  4. Give the filter a name, set Custom as the filter type and select Campaign Source as the filter field.
     filter-name-custom-campain-source
  5. Now we need to write a regular expression that matches the unwanted referrers. In this example, I’ve blocked two sites, twitter.com and motherboard.vice.com. As you can see, each site is separated by the | character. (Since the pattern is a regular expression, an unescaped dot matches any character; twitter\.com|motherboard\.vice\.com is the stricter form.)
     twitter-com-filter
  6. Add the filter to the view where you are experiencing the referrer spam problem, and click Save.
     apply-filter-and-save

And that’s it. The twitter.com referrer spam should now disappear from the Google Analytics Real-Time stats and from all the other reports.

In my case, I had to wait for a few minutes in order for the filter to take effect.

Did this help you remove the “Vitaly Rules Google” Twitter referral spam?

Did the spam you were getting also originate from Russia?

Thank you for reading!

WMI Commandline Utility Malware Pop Ups – Click NO!

I was helping out a FreeFixer user this morning, trying to track down some malware in his FreeFixer log that he sent me.

While searching for information about a .DLL file, I found a spam post on imgur.com, which linked to another web page that started a download of an executable file.

And this one is pretty nasty. Look at the executable file. As you can see the file is digitally signed by Free Sky Business LP.

exe-free-sky-business-lp

Typically, when you double-click a file like this, Windows pops up a User Account Control dialog asking if you trust “Free Sky Business LP”. This one, however, manages to bring up a UAC prompt for Microsoft’s WMI Commandline Utility instead. That is the file description of wmic.exe, a signed Microsoft binary, so the installer is asking Windows to elevate wmic.exe and the dialog names Microsoft rather than the company that signed the download.

wmi-commandline-utility-pop-up

If you click no, the UAC dialog will pop-up again and again and again…

Until you click Yes, which starts the installation of FileFinder.exe.

filefinder

So watch out! Don’t click Yes if the Microsoft’s WMI Commandline Utility UAC dialog pops up.

Ocsp.NetSolSSL.com Connections While Browsing? – That’s Network Solution’s OCSP Server

If you see connections to ocsp.netsolssl.com while browsing some web site, there’s no need to worry. The browser is talking to Network Solutions’ Online Certificate Status Protocol (OCSP) server to fetch the revocation status of a digital certificate. The responder address comes from the Authority Information Access extension of the site’s certificate, so the connection shows up for any site whose certificate was issued by Network Solutions, regardless of what the site contains.

Here’s how ocsp.netsolssl.com showed up in my network log:

ocsp.netsolssl.com

I think ocsp.netsolssl.com can also appear in the browser’s status bar as something like “Waiting for ocsp.netsolssl.com” or “Connecting to ocsp.netsolssl.com”.

ocsp.netsolssl.com was created back in January 31st 2005. The domain expires January 31st 2019.

Remove promo3.c-rewards.com Pop Up Ads

Sound familiar? You see pop-up ads from promo3.c-rewards.com while browsing web sites that generally don’t advertise in pop-up windows. The pop-ups manage to evade the built-in pop-up blockers in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Perhaps the promo3.c-rewards.com pop-ups show up when clicking search results from Google? Or do the pop-ups appear even when you’re not browsing?

Here’s a screenshot of the promo3.c-rewards.com pop-up ad when it showed up on my computer:

promo3.c-rewards.com pop up

(Sorry for the watermarks. Need to add them to prevent the most blatant attempts of other bloggers using my screenshots without attribution)

If this sounds like what you are seeing on your computer, you almost certainly have some adware installed on your machine that pops up the promo3.c-rewards.com ads. So there’s no point in contacting the owner of the website you were browsing. The ads are not coming from them. I’ll do my best to help you remove the promo3.c-rewards.com pop-up in this blog post.

Those that have been spending some time on this blog already know this, but here we go: Recently I dedicated some of my lab computers to this and knowingly installed some adware programs on them. Since then I have been tracking the activity on these systems to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware updates itself, or whether it downloads and installs additional unwanted software on the machines. I first noticed the promo3.c-rewards.com pop-up on one of these lab computers.

promo3.c-rewards.com resolves to the 209.15.247.29 IP address and c-rewards.com to 209.15.247.40.

So, how do you remove the promo3.c-rewards.com pop-up ads? On the machine where I got the promo3.c-rewards.com ads I had gosearch.me, SmartComp Safe Network, Windows Menager and Live Malware Protection installed. I removed them with FreeFixer and that stopped the promo3.c-rewards.com pop-ups and all the other ads I was getting in Mozilla Firefox.

If you are wondering whether there are many others out there also getting the promo3.c-rewards.com ads, the answer is probably yes. Check out the traffic rank from Alexa:

promo3.c-rewards.com traffic

The problem with this type of pop-up is that it can be popped up by many variants of adware, not just the adware running on my machine. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

Anyway, here’s my suggestion for the promo3.c-rewards.com ads removal:

The first thing I would do to remove the promo3.c-rewards.com pop-ups is to examine the programs installed on the machine, by opening the “Uninstall programs” dialog. You can find this dialog from the Windows Control Panel. If you are using one of the more recent versions of Windows you can just type in “uninstall” in the Control Panel’s search field to find that dialog:
Uninstall a program search

Click on the “Uninstall a program” link and the Uninstall programs dialog will open up:
Uninstall a program dialog

Do you see something suspect in there, or something that you don’t remember installing? Tip: Sort on the “Installed On” column to see if something was installed around the same time as you started getting the promo3.c-rewards.com pop-ups.

The next thing to check would be your browser’s add-ons. Adware often shows up under the add-ons menu in Google Chrome, Mozilla Firefox, Internet Explorer, Safari or Opera. Is there anything that looks suspicious? Something that you don’t remember installing?
Firefox add-ons manager

I think you will be able to track down and remove the adware with the steps outlined above, but in case that did not work you can try the FreeFixer removal tool to identify and remove the adware. FreeFixer is a freeware tool that I started developing about 8 years ago. It’s a tool designed to manually find and uninstall unwanted software. When you’ve tracked down the unwanted files you can simply tick a checkbox and click on the Fix button to remove the unwanted file.

FreeFixer’s removal feature is not locked like many other removal tools out there. It won’t require you to purchase the program just when you are about to remove the unwanted files.

And if you’re having problems determining if a file is safe or unwanted in the FreeFixer scan result, click on the More Info link for the file. That will open up a web page which contains additional details about the file. On that web page, check out the VirusTotal report which can be very useful:

FreeFixer More Info link example
An example of FreeFixer’s “More Info” links. Click for full size.

Here’s a video tutorial showing FreeFixer in action removing pop-up ads:

Did you find any adware on your machine? Did that stop the promo3.c-rewards.com ads? Please post the name of the adware you uninstalled from your machine in the comment below.

Thank you!

Remove millionaires-blackbook.com Pop Up Ads

Did you just get a pop-up from millionaires-blackbook.com and ask yourself where it came from? Did the millionaires-blackbook.com ad appear to have been initiated from a web site that under normal circumstances doesn’t use advertising such as pop-up windows? Or did the millionaires-blackbook.com pop-up show up while you clicked a link on one of the big search engines, such as Google, Bing or Yahoo?

Here’s how the millionaires-blackbook.com pop-up looked like when I got it on my machine:

millionaires-blackbook.com pop up

(I’m sorry for the many watermarks. If I don’t add them, the screenshot always show up at some copy-cat blogs.)

If this sounds like what you see on your machine, you probably have some adware installed that pops up the millionaires-blackbook.com ads. So there’s no point in contacting the owner of the website you were browsing. The ads are not coming from them. I’ll try to help you remove the millionaires-blackbook.com pop-ups in this blog post.

For those that are new to the blog: Some time ago I dedicated some of my lab systems to this and intentionally installed a few adware programs on them. Since then I’ve been observing the behaviour on these computers to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware updates itself automatically, or whether it downloads additional unwanted software on the computers. I first observed the millionaires-blackbook.com pop-up on one of these lab systems.

millionaires-blackbook.com was created on 2015-11-17. The site is located at 107.154.116.14.

So, how do you remove the millionaires-blackbook.com pop-up ads? On the machine where I got the millionaires-blackbook.com ads I had SmartComp Safe Network, Windows Menager, Live Malware Protection and gosearch.me installed. I removed them with FreeFixer and that stopped the millionaires-blackbook.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The issue with this type of pop-up is that it can be launched by many variants of adware. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what can be done to solve the problem? To remove the millionaires-blackbook.com pop-up ads you need to review your machine for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

  1. Check what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see anything that you don’t remember installing or that was recently installed?
  2. How about your browser add-ons. Anything in the list that you don’t remember installing?
  3. If that didn’t help, you can give FreeFixer a try. FreeFixer is built to assist users in manually tracking down adware and other types of unwanted software. It is a freeware utility that I’ve been working on since 2006, and it scans your computer at lots of locations where unwanted software is known to hook into your machine. If you would like additional details about a file in FreeFixer’s scan result, just click the More Info link for that file and a web page with a VirusTotal report will open up, which can be very useful for determining whether the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links. Click for full size.

Did this blog post help you to remove the millionaires-blackbook.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!

Remove swedishmethod.com Pop Up Ads

Does this sound familiar? You see pop-up ads from swedishmethod.com while browsing web sites that most of the time don’t advertise in pop-up windows. The pop-ups manage to circumvent the built-in pop-up blockers in Mozilla Firefox, Google Chrome, Internet Explorer or Safari. Perhaps the swedishmethod.com pop-ups show up when clicking search results from a Google search? Or do the pop-ups show up even when you’re not browsing?

Here is a screenshot of the swedishmethod.com pop-up from my machine:

swedishmethod.com popup

If you also see this on your machine, you probably have some adware installed on your computer that pops up the swedishmethod.com ads. Contacting the owner of the web site would be a waste of time. They are not responsible for the ads. I’ll do my best to help you remove the swedishmethod.com pop-up in this blog post.

Those that have been following this blog already know this, but for new visitors: Some time ago I dedicated some of my lab computers to this and deliberately installed some adware programs on them. Since then I have been following the behaviour on these machines to see what kinds of advertisements are displayed. I’m also looking at other interesting things, such as whether the adware updates itself automatically, or whether it downloads and installs additional unwanted software on the computers. I first observed the swedishmethod.com pop-up on one of these lab machines.

swedishmethod.com resolves to 104.27.130.234.

So, how do you remove the swedishmethod.com pop-up ads? On the machine where I got the swedishmethod.com ads I had Live Malware Protection, gosearch.me, SmartComp Safe Network and Windows Menager installed. I removed them with FreeFixer and that stopped the swedishmethod.com pop-ups and all the other ads I was getting in Mozilla Firefox.

The problem with pop-ups like the one described in this blog post is that it can be popped up by many variants of adware, not just the adware running on my machine. This makes it impossible to say exactly what you need to remove to stop the pop-ups.

So, what can be done? To remove the swedishmethod.com pop-up ads you need to review your computer for adware or other types of unwanted software and uninstall it. Here’s my suggested removal procedure:

  1. Examine what programs you have installed in the Add/Remove programs dialog in the Windows Control Panel. Do you see something that you don’t remember installing or that was recently installed?
  2. You can also review the browser add-ons. Same thing here, do you see something that you don’t remember installing?
  3. If that didn’t help, you can give FreeFixer a try. FreeFixer is built to assist users in manually tracking down adware and other types of unwanted software. It is a freeware utility that I’ve been working on since 2006, and it scans your machine at lots of locations where unwanted software is known to hook into your computer. If you would like additional details about a file in FreeFixer’s scan result, just click the More Info link for that file and a web page with a VirusTotal report will open up, which can be very useful for determining whether the file is safe or malware:

    FreeFixer More Info link example
    An example of FreeFixer’s “More Info” links. Click for full size.
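
The first two steps of the removal procedure above (and the same steps in the promo3.c-rewards.com and millionaires-blackbook.com posts) come down to one question: what was installed around the time the pop-ups began, and who published it? Here is that check as a Python script, added as an example and not part of FreeFixer. On Windows it reads the same Uninstall registry keys that feed the “Uninstall a program” dialog (InstallDate is stored there as yyyymmdd text) and ranks entries by how close their install date is to the onset date; anywhere else it falls back to a constructed sample list, in which the publishers and dates are invented and only two of the program names come from the posts.

```python
"""Rank installed programs by how close their install date is to when pop-ups began.

Added example, not part of FreeFixer. On Windows read_uninstall_entries() walks the
Uninstall registry keys behind the "Uninstall a program" dialog; elsewhere the
constructed SAMPLE_ENTRIES stand in so the ranking logic can be run offline.
"""
import sys
from datetime import date, datetime

UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)
FIELDS = ("DisplayName", "Publisher", "InstallDate", "UninstallString")


def read_uninstall_entries():
    """Windows only: one dict per installed program, the same data the dialog shows."""
    import winreg  # standard library, but only importable on Windows
    entries = []
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        for path in UNINSTALL_KEYS:
            try:
                key = winreg.OpenKey(hive, path)
            except OSError:
                continue
            with key:
                for i in range(winreg.QueryInfoKey(key)[0]):
                    with winreg.OpenKey(key, winreg.EnumKey(key, i)) as sub:
                        entry = {}
                        for name in FIELDS:
                            try:
                                entry[name] = str(winreg.QueryValueEx(sub, name)[0])
                            except OSError:
                                entry[name] = ""
                        if entry["DisplayName"]:
                            entries.append(entry)
    return entries


def parse_install_date(raw):
    """InstallDate is yyyymmdd text; absent or malformed values give None."""
    try:
        return datetime.strptime(str(raw), "%Y%m%d").date()
    except ValueError:
        return None


def suspicious(entries, onset, window_days=7):
    """Return (name, days_from_onset, reasons) for entries worth a second look.

    Flags anything installed within window_days of the first pop-up and anything
    with an empty Publisher; closest to onset sorts first, undated entries last.
    """
    hits = []
    for e in entries:
        installed = parse_install_date(e.get("InstallDate", ""))
        distance = abs((installed - onset).days) if installed else None
        reasons = []
        if distance is not None and distance <= window_days:
            reasons.append(f"installed {installed}, {distance} day(s) from onset")
        if not e.get("Publisher"):
            reasons.append("no publisher")
        if reasons:
            hits.append((e["DisplayName"], distance, reasons))
    hits.sort(key=lambda h: (h[1] is None, h[1] or 0, h[0]))
    return hits


# Constructed sample; not data from the author's lab machine. Publishers and
# dates are invented, two names are taken from the posts.
SAMPLE_ENTRIES = [
    {"DisplayName": "Mozilla Firefox", "Publisher": "Mozilla", "InstallDate": "20150920"},
    {"DisplayName": "Windows Menager", "Publisher": "", "InstallDate": "20151118"},
    {"DisplayName": "Live Malware Protection", "Publisher": "LMP Ltd", "InstallDate": "20151118"},
    {"DisplayName": "Example Text Editor", "Publisher": "Example Corp", "InstallDate": ""},
]


def demo_hits(onset_ymd="20151119", window_days=7):
    """suspicious() over the constructed sample; onset given as yyyymmdd text."""
    return suspicious(SAMPLE_ENTRIES, parse_install_date(onset_ymd), window_days)


if __name__ == "__main__":
    entries = read_uninstall_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    onset = date(2015, 11, 19)  # the day the pop-ups were first noticed (constructed)
    for name, distance, reasons in suspicious(entries, onset):
        print(f"{name}: {'; '.join(reasons)}")
```

Entries that cluster around the onset date are the ones to look up before uninstalling; a missing publisher is a weaker signal on its own, since plenty of legitimate installers leave the field empty, which is why the script reports the reasons rather than a verdict.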

Here’s a video tutorial showing FreeFixer in action removing pop-up ads:

Did this blog post help you to remove the swedishmethod.com pop-up ads? Please let me know, or tell me how I can improve this blog post.

Thank you!