I found this

    Question

  • Disassembling and decompiling some malware I found on a client's computer revealed some alarming information.

    The program had code to harvest serial numbers that include, but are not limited to, the Windows CD key.

    This means my client's computer may be a victim of software theft.



    Developer / IT / Web http://contract-developer.dyndns.biz
    Sunday, October 05, 2008 2:32 PM

Answers

  • Vegan,

    WoW!!! This sounds interesting. Curious, do you have any idea how your customer became infected with the malware which is harvesting serial numbers? Please provide us with this information if possible and I will forward to the appropriate office. 
    Please call our PC Safety line at 1-866-PCSAFETY or (1-866-727-2338).  This phone number is for virus and other security-related support free of charge. It is available 24 hours a day for the U.S. and Canada. Detailed information including selecting various regions for support can be located at: http://www.microsoft.com/protect/support/default.mspx


    Thank you and will await your feedback.


    Stephen Holm, MS
    WGA Forum Manager

    Stephen Holm
    • Marked as answer by Stephen Holm Monday, October 06, 2008 8:59 PM
    • Unmarked as answer by Vegan FanaticMVP Monday, October 06, 2008 11:47 PM
    • Marked as answer by Stephen Holm Tuesday, October 07, 2008 5:24 PM
    Monday, October 06, 2008 8:56 PM
  • My client's workstation is set up with Windows Vista Ultimate and he contacted me when his machine wanted to reactivate but he could not. I ended up removing his disk and scanning with a second machine that is secure and that is how I detected the malware.

    Keep in mind that commercial vendors all failed to detect the malware.

    It seems he became infected by a so-called drive by infection as he does not use any program that is not already installed in the machine.

    I use proprietary tools to secure clients' computers, including strict veto of unauthorized software. I have to know the program to be sure it's safe.

    The program attacks the hive in the Windows core and sends it to a site that traces to Russia. Then where I do not know.

    The program also has keylogger hooks. There are modules to attack Adobe, Autodesk and many other smaller vendors over and above Microsoft. I have contacted all involved.

    It seems as though zombie like attacks are getting more aggressive. Curiously there was no code for DoS attacks or Spam. This is much more subversive spyware.

    My client is now clean, I had to purge his system. Unfortunately his CD-Key has been compromised and while I was able to get him reactivated after cleaning his system I cannot help but wonder what is next.

    In the code for the malware, it shows evidence of being coded with Visual C++ 2005 (no service pack or SDK) Express version, based on the run-time library in use. It is encrypted, but I was able to decrypt the program and reveal the true nature of the code. It attempted to hide its nature with several techniques; obviously it was attempting to evade capture and analysis.

    I cannot help wondering if someone wants lots of Windows keys to try to make a keygen. I am aware of one from 2002 for Windows XP. The keygen really does create keys; it's not a random pick from a list.

    I have found massive amounts of rogueware on various underworld forums. They are up dramatically in recent years. One post was 100% trojans, all claiming to be keygens for hundreds of leading programs.



    Developer / IT / Web http://contract-developer.dyndns.biz
    Tuesday, October 07, 2008 12:22 AM
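Added example, not part of the thread or of the poster's tools: the Windows CD key that the first post says the malware harvested is, on XP/Vista/7 installs, stored under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion as the binary value DigitalProductId, and the code below is the standard decoding of that blob into the 25-character key, which is what a key harvester has to do before the key is worth sending anywhere. The thread does not say the sample read this particular value (it only says the program "attacks the hive"); that it did is an assumption here, as are the function names and the constructed SAMPLE_KEY / SAMPLE_BLOB, which are a made-up but well-formed key round-tripped through an encoder written only for the test.

```python
"""
Decode a Windows DigitalProductId blob (XP/Vista/7 layout) into the
25-character product key.  Added example for this thread, not code from
the original posts.  Names and the sample data below are assumptions.
"""
import sys

# Base-24 alphabet of pre-Windows-8 product keys (no 0/1/A/E/I/L/N/O/S/U/Z).
KEY_CHARS = "BCDFGHJKMPQRTVWXY2346789"
KEY_OFFSET = 52   # the 15 key bytes start here inside DigitalProductId
KEY_LEN = 15


def decode_digital_product_id(blob: bytes) -> str:
    """Return the XXXXX-XXXXX-XXXXX-XXXXX-XXXXX key encoded in `blob`.

    blob[52:67] holds a 120-bit little-endian integer; the key is that
    integer written in base 24, most significant digit first, with a dash
    after every fifth character.
    """
    if len(blob) < KEY_OFFSET + KEY_LEN:
        raise ValueError("DigitalProductId too short")
    digits = bytearray(blob[KEY_OFFSET:KEY_OFFSET + KEY_LEN])  # work on a copy
    out = [""] * 29
    for i in range(28, -1, -1):
        if (i + 1) % 6 == 0:
            out[i] = "-"
            continue
        # Long division of the 15-byte number by 24, most significant byte
        # first; the remainder is the next (least significant) key digit.
        rem = 0
        for x in range(KEY_LEN - 1, -1, -1):
            cur = rem * 256 + digits[x]
            digits[x] = cur // 24      # always fits: max (23*256+255)//24 == 255
            rem = cur % 24
        out[i] = KEY_CHARS[rem]
    return "".join(out)


def encode_product_key(key: str, total_len: int = 164) -> bytes:
    """Inverse of the decoder: build a DigitalProductId-shaped blob.

    Only used to construct test data here; Windows itself fills the other
    bytes with licensing metadata that this example does not model.
    """
    raw = key.replace("-", "").upper()
    if len(raw) != 25 or any(c not in KEY_CHARS for c in raw):
        raise ValueError("not a 25-character base-24 product key")
    n = 0
    for c in raw:
        n = n * 24 + KEY_CHARS.index(c)
    blob = bytearray(total_len)
    blob[KEY_OFFSET:KEY_OFFSET + KEY_LEN] = n.to_bytes(KEY_LEN, "little")
    return bytes(blob)


def read_installed_key() -> str:
    """On Windows, read and decode the live value (read access is enough)."""
    import winreg  # only present on Windows; imported lazily on purpose
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion") as k:
        blob, _ = winreg.QueryValueEx(k, "DigitalProductId")
    return decode_digital_product_id(blob)


# Constructed sample: a syntactically valid, made-up key, not a real one.
SAMPLE_KEY = "BCDFG-HJKMP-QRTVW-XY234-6789B"
SAMPLE_BLOB = encode_product_key(SAMPLE_KEY)

if __name__ == "__main__":
    print(decode_digital_product_id(SAMPLE_BLOB))   # prints SAMPLE_KEY
    if sys.platform == "win32":
        print(read_installed_key())
```

Two caveats for anyone using this to check their own machines: the 15-byte base-24 layout at offset 52 is the XP/Vista/7 one, and Windows 8 and later changed the encoding, so the decoder above will return nonsense rather than fail on those; and on OEM machines from that era onward the key may live in firmware (the ACPI MSDM table) rather than only in the registry, so a harvester that only reads the hive is not the whole story.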

All replies

  • Hey Vegan

    Which software did you use to detect the infection?

    Regards

    Len
    Tuesday, October 07, 2008 2:48 AM
  • My own custom tools. And 30 years of IT experience does have its advantages.
    Developer / IT / Web http://contract-developer.dyndns.biz
    Tuesday, October 07, 2008 2:50 AM
  • Kewl!

    Which commercial packages did you try that weren't able to detect it?  I'm having to clean more & more malware these days... helps to know what one should/or should not be packing!

    Regards

    Len

     

    Tuesday, October 07, 2008 3:37 AM
  • Use the free AVG if you are poorly financed. I don't like Symantec very much as their consumer software keeps malfunctioning; their corporate software is much better. McAfee is usable too.

    I keep a link in the forum on my site for Windows security for the free AVG.

    Developer / IT / Web http://contract-developer.dyndns.biz
    Tuesday, October 07, 2008 3:40 AM
  • Vegan,


    Thank you very much for taking valuable time and providing the in-depth information. Did you contact our PC Safety line @ 1-866-PCSAFETY or (1-866-727-2338)? This type of information will be a GREAT benefit for customers. Should you gain further information, please let us know and contact PC Safety. 

    The tools you use sound very interesting, as to how you were able to extract and break down the root cause :-).



    regards,


    Stephen Holm, MS
    WGA Forum Manager
    Stephen Holm
    Tuesday, October 07, 2008 5:24 PM
  • Can you send them the link to this forum, I do not have time.
    Developer / IT / Web http://contract-developer.dyndns.biz
    Tuesday, October 07, 2008 6:31 PM
  • Will do. 


    :-)


    Stephen Holm, MS
    WGA Forum Manager
    Stephen Holm
    Tuesday, October 07, 2008 8:18 PM