Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Paltalk Rogue Trojan Loader From Palnet Ad Server

1,812 views

Published on

This is how I analyze root cause for rogue trojans on ad servers aggregated for many clients like Paltalk.

  • Be the first to comment

Paltalk Rogue Trojan Loader From Palnet Ad Server

  1. 1. Paltalk Rogue Trojan loader from PalNet Ad Server Captured by Sunny Sky50m @PCTECH
  2. 2. Reason for This report Popup below produced by Paltalk Today Ad. 27 March-2010 <ul><li>For the last 6 months PCTECH has been fighting this same Trojan acquired by innocent Paltalk users. </li></ul><ul><li>Sometimes they complain of this “fake” Trojan warning and say they did nothing, then attempting to cancel the alarming message. Some users thought their System Security was prompting them to perform an online scan, others new it was a bad sign but were infected anyways. </li></ul><ul><li>We call this a Rogue Virus by Phishing or pretending to be a bonfire security warning. Any response OK or cancel triggers a fake online scan shown in a Paltalk Today window, then a click anywhere on that window triggers an executable Trojan to be automatically downloaded by “paltalk.exe” from a “rogue” server with no domain name. </li></ul><ul><li>The evidence in this report shows that paltalk.exe and hence AVM Software, Inc. (PALTALK) care of Network Solutions, is 100% responsible for this Trojan Worm which contradicts their public statements of the same. </li></ul><ul><li>Unfortunately the most common security packages employed by PC users do not detect this Trojan, until it is too late. (See VirusTotal results) For experienced PCTECH @admins, it is easy to prevent. </li></ul><ul><li>Incidentally clicking [OK] or [Cancel] or even [x] triggers a repeat popup window and fake security scan shown on the next page. </li></ul><ul><li>We want Paltalk to take corrective action immediately, as we enjoy the service and hope to prevent the anxiety and frustration that this problem causes to many users. </li></ul><ul><li>Not to slight the painstaking efforts PCTECH admins, who freely help any Paltalk users rid their computers of infections or other PC confusions, we could do with fewer infected pro bono “customers”. </li></ul>
  3. 3. The Rogue Online Scanner The Paltalk Today window popped up from the background to the top of the desktop. It behaved like any webpage but without an address bar. In this window, it shows a fake Windows System Task on the left with fake Explorer folders and fake trojan scanner results. It looked like an active animated online program, but was actually a harmless animated GIF or PNG file, thus going undetected by any AntiMalware software. In this case just pretending to be an online Security Scan but with an embedded hyperlink supplied by PALNET server and if clicked went straight to the resulting Trojan server to initiate a download.. “ to Fix your Infected Computer! (not!) <<< Clicking anywhere on the Paltalk Today window triggers the Trojan download . ”inst.exe”
  4. 4. Where does the Trojan come from? whois 85.12.44.148? inetnum:        85.12.44.128 - 85.12.44.255 netname:        XS-24 descr:          XS-24 international ltd country:        nl admin-c:        PL2400-RIPE tech-c:         TW1148-RIPE status:         ASSIGNED PA mnt-by:         EUROACCESS-MNT source:         RIPE # Filtered person:         PC Leurink address:        EuroAccess Enterprises Ltd. address:        Alsacelaan 5 address:        5627 CA Eindhoven, The Netherlands phone:          +31 (0)20-7173209              +31 (0)20-7173209       fax-no:         +31 (0)40-2488764 e-mail:                                                                                             mnt-by:         EUROACCESS-MNT nic-hdl:        PL2400-RIPE source:         RIPE # Filtered person:         TA Westervoorde address:        EuroAccess Enterprises Ltd. address:        Alsacelaan 5 address:        5627 CA Eindhoven, The Netherlands phone:          +31 (0)20-7173209              +31 (0)20-7173209       fax-no:         +31 (0)40-2488764 e-mail:                                                                                             mnt-by:         EUROACCESS-MNT nic-hdl:        TW1148-RIPE source:         RIPE # Filtered
  5. 5. How is Paltalk infecting users? <ul><li>Paltalk Today ads change every so often, depending on tab selections, logon time and user paid subscription “ads enable”. (paid Paltalk users may select an option to hide Paltalk Today and setting to “opt out” or hide ads.) </li></ul><ul><li>The contents are outsourced to various ad servers, some hosted as hypertext, others in the Adobe Flash player frame. </li></ul><ul><li>Most security minded users PC users have a HOSTS file which blocks known bad domains. .. However, some ads persist to come thru even from blocked ads such as “a.trialfusion.com” This implies the Palnet server determines which ads are displayed and not the client application. In this case, when the “Warning” Ad occurred simulateously with the Paltalk Today page being forced to the foreground desktop but with a blank white page, implying it was intending to display an ad but this client PC had blocked the request with the HOSTS file. However, a subsequent click on the warning prompt responded with the animated Fake Trojan scanner on Page 3 implying the ad came from an unblocked site or a direct domain IP address. </li></ul>
  6. 6. Which AV missed detecting this Malware? inst.exe was saved, and was sent to www.virustotalcom for analysis. The results showed this file could kill processes, read & write files using in the kernel32.dll ( 2 imports ) > USER32.dll: CreateWindowExA, GetTaskmanWindow, MessageBoxA, GetMessageExtraInfo, UpdateWindow, CreateWindowExW, SendMessageA > KERNEL32.dll: ExitProcess, CreateFileW, WriteFile, ReadFile, GetVersionExW, GetModuleHandleW, DuplicateHandle, CloseHandle VIRUS-TOTAL RESULTS File inst.exe received on 2010.03.27 21:49:18 (UTC) Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED Result: 8/42 (19.05%) {detected by 8 of 42 malware software types} Version Last Update Result a-squared 4.5.0.50 2010.03.27 - AhnLab-V3 5.0.0.2 2010.03.27 - AntiVir 7.10.5.241 2010.03.26 - Antiy-AVL 2.0.3.7 2010.03.26 - Authentium 5.2.0.5 2010.03.27 - Avast 4.8.1351.0 2010.03.27 - Avast5 5.0.332.0 2010.03.27 - AVG 9.0.0.787 2010.03.27 - BitDefender 7.2 2010.03.27 - CAT-QuickHeal 10.00 2010.03.27 - ClamAV 0.96.0.0-git 2010.03.27 - Comodo 4407 2010.03.27 - DrWeb 5.0.1.12222 2010.03.27 - eSafe 7.0.17.0 2010.03.25 - eTrust-Vet 35.2.7391 2010.03.26 - F-Prot 4.5.1.85 2010.03.27 - F-Secure 9.0.15370.0 2010.03.27 - Fortinet 4.0.14.0 2010.03.27 - GData 19 2010.03.27 - Ikarus T3.1.1.80.0 2010.03.27 - Jiangmin 13.0.900 2010.03.27 - K7AntiVirus 7.10.1004 2010.03.22 - Kaspersky 7.0.0.125 2010.03.27 Packed.Win32.Krap.ai McAfee 5933 2010.03.27 FakeAlert-KW.e McAfee+Artemis 5933 2010.03.27 FakeAlert-KW.e McAfee-GW-Edition 6.8.5 2010.03.27 Heuristic.BehavesLike.Win32.Packed.K Microsoft 1.5605 2010.03.27 Trojan:Win32/Winwebsec NOD32 4978 2010.03.26 - Norman 6.04.10 2010.03.27 - nProtect 2009.1.8.0 2010.03.27 - Panda 10.0.2.2 2010.03.27 - PCTools 7.0.3.5 2010.03.27 - Prevx 3.0 2010.03.27 - Rising 22.40.05.04 2010.03.27 - Sophos 4.52.0 2010.03.27 - Sunbelt 6101 2010.03.26 FraudTool.Win32.SecurityTool (v) Symantec 20091.2.0.41 2010.03.27 Suspicious.Insight TheHacker 6.5.2.0.246 2010.03.27 Trojan/FakeAV.gen TrendMicro 9.120.0.1004 2010.03.27 - VBA32 3.12.12.2 2010.03.27 - ViRobot 2010.3.27.2248 2010.03.27 - VirusBuster 5.0.27.0 2010.03.27 -
  7. 7. Here is a summary of Paltalk’s Infection trigger mechanism <ul><li>Using Procmon.exe from http://live.sysinternals.com to capture events </li></ul><ul><ul><li>(20MB was too big to fit here) </li></ul></ul><ul><li>A trace log was captured that shows paltalk.exe activity as follows; </li></ul><ul><ul><li>requesting TCP send and receive from 64.40.10.75:17760 (get url) </li></ul></ul><ul><ul><ul><li>Server name from whois.sc NetRange: 64.40.0.0 - 64.40.15.255 </li></ul></ul></ul><ul><ul><ul><li>CIDR: 64.40.0.0/20 OriginAS: AS18505 NetName: PALNET-01 </li></ul></ul></ul><ul><ul><li>Read file inst.exe from 85.12.44..148 (rogue Dutch host) </li></ul></ul><ul><li>This occurrence is infrequent but occurs roughly once per day or so. </li></ul><ul><li>I decided to delete my large HOSTS file and Restricted Site lists to capture this event </li></ul><ul><li>It took 4 days to see the popup event occur. </li></ul><ul><li>Other PCTECH admins saw it on the previous week perhaps once every 2 days on a PC setup to wait for the Trojan Scan Ad. </li></ul><ul><li>Closing the Paltalk Today window stopped the subsequent file download. </li></ul><ul><li>(novice users were not so lucky) </li></ul>
  8. 8. Paltalk.exe file creation log with trojan <ul><li>Procmon.exe was used to capture paltalk.exe file access activities for a few hours. </li></ul><ul><li>Note Files in reverse order: inst.exe (=trojan) , alert.png (=animated fake online scan picture), ErrorPagesScripts, (animated) Progress bar…gif </li></ul>
  9. 9. No signs of Paltalk or PC being Infected Event <ul><li>This user conducted number scans to ensure PC was free of any active trojans or even dormant ones in any temporary internet folders using A-Squared, MSE, Avast, HJT, RunScanner, Spybot S&D, etc etc </li></ul><ul><li>During the event, Paltalk active threads were recorded and shown to the right </li></ul><ul><li>none of the Paltalk Threads look suspicious as well; </li></ul>
  10. 10. What does VirusTotal call this trojan? <ul><li>Antivirus Version Last Update Result </li></ul><ul><li>Sunbelt 6101 2010.03.26 FraudTool.Win32.SecurityTool (v) </li></ul><ul><li>Symantec 20091.2.0.41 2010.03.27 Suspicious.Insight </li></ul><ul><li>TheHacker 6.5.2.0.246 2010.03.27 Trojan/FakeAV.gen </li></ul><ul><li>Kaspersky 7.0.0.125 2010.03.27 Packed.Win32.Krap.ai </li></ul><ul><li>McAfee 5933 2010.03.27 FakeAlert-KW.e </li></ul><ul><li>McAfee+Artemis 5933 2010.03.27 FakeAlert-KW.e </li></ul><ul><li>McAfee-GW-Edition 6.8.5 2010.03.27 Heuristic.BehavesLike.Win32.Packed.K </li></ul><ul><li>Microsoft 1.5605 2010.03.27 Trojan:Win32/Winwebsec </li></ul><ul><li>Fraud Security Tool seems to best describe Paltalk Today Ad which was used to display the Fake Trojan (PNG file) but later fetches a real Trojan (inst.exe) using Paltalk.exe fetched from a rogue server after the user clicks the page to attempt to cancel or accept a repair action. </li></ul>
  11. 11. What do we expect from Paltalk? <ul><li>Estimate completion date for Corrective Action on preventing the Rogue Trojan infection </li></ul><ul><li>Confirmation of the above action by cut-in date </li></ul><ul><li>Some recognition to PCTECH @Admins for making Paltalk safer and users happier by assisting thousands of users each year with PC security and audio setup issues. (Other rooms also assist in this effort, as much as they can) </li></ul>
  12. 12. What else could be done? <ul><li>Problems: </li></ul><ul><li>1) Users have no idea how loud their audio is </li></ul><ul><li>2) The audio level changes even after they calibrate or test it </li></ul><ul><li>3) Quieter talkers followed by MegaLOUD talkers can be painful </li></ul><ul><li>4) Muted experienced Talkers are often embarassed when they have no useful visual or audio feedback </li></ul><ul><li>5) Paltalk’s lame audio meter has only 2 bars and since it detects DC offset it is often at 2 bars for users the high gain and DC offset (codec issue), leaving little or no visual feedback of mic level. </li></ul><ul><li>6) Paltalk slider’s are global and shared with other Windows rather than DirectX independent (except win7) </li></ul><ul><li>7) Audio sliders are often wrong.. (show zero when not) due to shared interference or errors. </li></ul><ul><li>8) The bandwidth wasted on poor quality audio has significant room for improvement </li></ul><ul><li>Suggestions; </li></ul><ul><li>Make the audio use as easy as Skype, new device enabled for audio is optional (cam or usb or analog) </li></ul><ul><li>Restore the old audio VU icons for mic level which were more effective than current useless ones </li></ul><ul><li>(current VU meter is useful for very few) </li></ul><ul><li>Include a real VU meter to normalize the listening & broadcast experience </li></ul><ul><li>Make Music room setup for audio cards easier to setup with tools like Andrea recorder </li></ul><ul><li>I could fill out another 20 pages, but shall stop here for lack of time…. Tony Stewart P Eng EE’75 (aka Sunny Sky50m) </li></ul><ul><li>Keep the good times rolling and restore the faith in Paltalk by taking Corrective Action. </li></ul>

×