Chasing the Spyware
Sunday, July 31, 2011 | Author: Deep Flash
Today I was hit by the spyware "XP Antispyware 2012", a rogue antivirus that looks very genuine and is polished enough to trick any naive user. It launches a slick interface, pretends to scan your PC for trojans, viruses, rootkits, malware and spyware, and offers you various options to remove them and clean your PC, while doing the exact opposite.

So, this is dangerous and had to be removed as soon as possible. I wanted to find this one manually and take it down. After around an hour of research, I fixed it myself without using any spyware removal kit.

Below are the details about this Spyware:

It copies itself into the Application Data directory and modifies some really important Windows Registry keys. To summarize, it hijacks the shell association that Windows uses to open and run any executable file (the exefile\shell\open\command key and friends), so every .exe you launch is started through the spyware first.

The name of the Spyware was: kts.exe

If you move it out of the Application Data folder, or even delete it, the result is that you won't be able to run any executable on your PC: every .exe launch now goes through a file that no longer exists. (The usual way out of that state is to copy regedit.exe to regedit.com, since the .com association is normally left alone, and fix the keys from there.)

It was time to check the registry for all the occurrences of this Spyware.

A comprehensive listing follows, which anyone can use as a reference:

Key Path: HKEY_CLASSES_ROOT\.exe\shell\open\command

{Default} - "C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe" -a "%1" %*

Key Path: HKEY_CLASSES_ROOT\exefile\shell\open\command

{Default} "C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe" -a "%1" %*

Key Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

3793153621: C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe

Key Path: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache

C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe kts

Key Path:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command

{Default} "C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"

Key Path:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command

{Default} "C:\Documents and Settings\My computer\Local Settings\Application Data\kts.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"

Key Path:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command

As you can see, it prefixes each key's value with the path to the kts.exe spyware. Now, if you delete the spyware manually, you should be able to make out from the above key values why no executable runs. Note that HKEY_CLASSES_ROOT is a merged view of HKEY_LOCAL_MACHINE\SOFTWARE\Classes and HKEY_CURRENT_USER\Software\Classes, and the per-user copy wins; a user-level infection like this one typically writes its exefile override under HKEY_CURRENT_USER\Software\Classes, so check there if the machine-wide copy looks clean.

After editing all the above registry keys, executables were running as expected.
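The check below is an added example, not code from the post: it parses the text that `reg export` writes for the two keys that matter most here (`exefile\shell\open\command` and the stray `.exe\shell\open\command`), flags any open verb that launches .exe files through something other than the file itself, and emits a .reg file that restores the stock value. The embedded registry export is constructed from the paths in the post; the only registry facts it relies on are that the stock exefile command is `"%1" %*` and that a `[-key]` section in a .reg file deletes that key. It does not touch the Run, MUICache or StartMenuInternet keys, which still need to be fixed by hand.

```python
import re

# Constructed sample (not from the post): roughly what `reg export HKEY_CLASSES_ROOT\exefile out.reg`
# gives on the infected XP box, plus the stray .exe verb the post lists. regedit escapes a backslash
# as \\ and a double quote as \" inside string values; the paths are the ones in the post.
HIJACKED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\My computer\\Local Settings\\Application Data\\kts.exe\" -a \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile]
@="Application"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\My computer\\Local Settings\\Application Data\\kts.exe\" -a \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
'''

# Same export from a clean machine: .exe points at the exefile ProgID, whose open verb runs the file itself.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

CLEAN_EXEFILE_COMMAND = '"%1" %*'   # stock value of exefile\shell\open\command on XP


def parse_default_values(reg_text):
    """Map each key in a .reg export to its (Default) string value, undoing regedit's escaping."""
    defaults = {}
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and line.startswith('@="') and line.endswith('"'):
            # every backslash escapes the character after it (\\ -> \, \" -> ")
            defaults[key] = re.sub(r'\\(.)', r'\1', line[3:-1])
    return defaults


def find_exe_hijacks(reg_text):
    """Return (key, interposed_program, command) for each open verb that launches .exe files
    through something other than the file itself."""
    findings = []
    for key, cmd in parse_default_values(reg_text).items():
        k = key.lower()
        if not k.endswith('\\shell\\open\\command'):
            continue
        if '\\exefile\\' not in k and '\\.exe\\' not in k:
            continue
        if cmd == CLEAN_EXEFILE_COMMAND:
            continue
        first = re.match(r'"([^"]+)"', cmd)       # first quoted token is what actually gets executed
        program = first.group(1) if first else (cmd.split() or [cmd])[0]
        findings.append((key, program, cmd))
    return findings


def build_repair_reg(findings):
    """Emit .reg text that undoes the hijack: restore the stock exefile command and delete the
    open verb under .exe, which a stock XP install does not have at all ([-key] deletes a key)."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for key, _, _ in findings:
        if '\\.exe\\' in key.lower():
            verb = key[:key.lower().rfind('\\command')]
            lines += ['[-' + verb + ']', '']
        else:
            lines += ['[' + key + ']', '@="\\"%1\\" %*"', '']
    return '\n'.join(lines)


if __name__ == '__main__':
    for key, program, cmd in find_exe_hijacks(HIJACKED_REG):
        print('HIJACKED', key, '->', program)
    print(build_repair_reg(find_exe_hijacks(HIJACKED_REG)))
```

Run it against a real export (`reg export HKEY_CLASSES_ROOT\exefile out.reg`, then the same for `HKEY_CURRENT_USER\Software\Classes\exefile`) and import the generated .reg with regedit before deleting kts.exe, not after; once the binary is gone, the repair file is the only thing that will still open.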

However, the interesting part would be to do some reverse engineering on this spyware and see what it really does.

Of course, it wasn't designed to scan your PC for spyware and malware and protect it, right? Lulz!

Is there any sort of network activity exhibited by it? What DLLs does it load into process memory? These, and a bunch of other things, need to be checked.

I need to copy this spyware over from my host machine to the virtual machine and attach it to a debugger like Immunity Debugger. Then we can start with the analysis.

Listening Now: Adema - Giving In
Decryption heats up my baby!
Wednesday, July 27, 2011 | Author: Deep Flash
Yep, that's right! I am running an old-generation Intel P4 processor clocked at 3 GHz. It's a single-core processor, and in this modern age, when we have really fast quad-core processors, I am still on an old single core. But hey, that's my baby, and he's going to turn 7 years old this October :)

But being a security enthusiast, I gotta invest more in technology. One of the main reasons I haven't been able to do that is the instability in my life. I am relocating to a new place, so this is not the right time for me to invest. But I already have a long list of stuff to buy. Among the processors, it's going to be an Intel Core i7 2600K, and an extreme GPU for which I have the budget.

But before I decide on the GPU vendor, I have to decide whether I want CUDA or OpenCL. Based on that, it's going to be either an Nvidia GTX 590 or an ATI Radeon 6970.

Anyway, this topic is about decryption processes heating up my baby! Yep! I have accidentally caused my machine to shut down several times by running the decryption process (the JTR hash-cracking runs described at the end of this post) for a long duration at a stretch. Its max operating temperature according to Intel is somewhere around 75 degrees, which means it can operate safely at that temperature. Also, newer processors are designed to throttle themselves down to bring the temperature down.

In any case, having my machine shut down because it heated up beyond its operating limits is not good. It reduces its lifespan. So, I need something to monitor my CPU, motherboard and HDD temperatures. I got Everest Home Edition for this purpose. It's freeware and really good for quickly monitoring some essential performance parameters of your PC.

Grab it from here: hxxp://www.softpedia.com/get/System/System-Info/Everest-Home-Edition.shtml

If you have an Intel Core-based processor, then you can go for Realtemp. Pentium 4 processors are not supported by it.

Grab it from here: hxxp://www.techpowerup.com/realtemp/

Core-based processors carry per-core Digital Thermal Sensors (DTS), which Realtemp reads for the CPU temperature. Motherboard and HDD temperatures and fan speed come from the board's sensor chip and the drive's SMART data instead, which is what Everest reports. The parameters of key significance to us are:

- Motherboard temperature
- CPU
- HDD
- Cooling Fan Speed

I have observed on my Intel P4 3 GHz processor that anything below 70 degrees is safe. So, I usually run the decryption process at a stretch until the temperature hits that mark. If it does, I stop the process for a while.

The cabinet which houses all these components doesn't have a proper cooling mechanism. Who cared much about cooling anyway, 7 years back? :D

Now, you have cabinets with support for up to 6 fans. Yes, it makes sense: when you have power-hungry components like Nvidia GTX GPUs and Intel Core i5 and i7 processors, you indeed need a proper cooling mechanism.

For now, I use external cooling. Bringing down the room temperature does have some effect on the processor temperature, so I have to turn on the fan in my room at max speed while the decryption process runs.

This is one of the key reasons I have caught a cold *sneezes*

But I have done a considerable amount of research on using JTR (John the Ripper) to crack MD5 and SHA-1 hashes, both raw and salted.

I have come up with some effective and quick ways to crack many hashes using JTR!

Cracked: 70994 hashes, which includes a mixture of DES, raw-MD5, raw-SHA1, salted SHA-1 (SMF and vBulletin) and MD5 (Unix) hashes.

That's a good result considering I am running JTR on a P4 processor.
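The example below is added here and is not the post's code or part of John the Ripper; it shows in a few lines why a large batch of raw hashes cracks so much faster than a salted batch of the same size, which is the difference a single P4 core feels most. For unsalted formats (JTR's raw-md5 and raw-sha1) one digest per candidate is checked against every target hash at once, so the cost grows with the wordlist, not with the number of hashes. For SMF's salted scheme, sha1(lowercase(username) + password), each user is its own salt and the wordlist has to be hashed again per user. The hashes and wordlist are constructed from known passwords so the run can be checked; the MD5 (Unix) and DES formats from the post are not implemented here.

```python
import hashlib

# Constructed test data (not the post's hashes): a tiny wordlist, plus targets built from
# known passwords so the result can be checked.
WORDLIST = ["123456", "password", "letmein", "dragon", "qwerty", "monkey"]


def raw_md5(pw):
    return hashlib.md5(pw.encode()).hexdigest()


def raw_sha1(pw):
    return hashlib.sha1(pw.encode()).hexdigest()


def smf_sha1(username, pw):
    # SMF: sha1(strtolower($username) . $password); the username acts as the salt
    return hashlib.sha1((username.lower() + pw).encode()).hexdigest()


# Unsalted dump: hash -> format name, the way JTR would be told via --format=raw-md5 / raw-sha1
UNSALTED = {
    raw_md5("dragon"): "raw-md5",
    raw_sha1("letmein"): "raw-sha1",
    raw_md5("correcthorse"): "raw-md5",   # not in the wordlist, must stay uncracked
}

# SMF dump: (username, hash); the username is needed to reproduce each hash
SMF_USERS = [("Admin", smf_sha1("Admin", "qwerty")), ("bob", smf_sha1("bob", "monkey"))]

DIGEST = {"raw-md5": raw_md5, "raw-sha1": raw_sha1}


def crack_unsalted(hashes, wordlist):
    """One digest per candidate and format tests every target at once: the work is
    O(len(wordlist)) per format, no matter how many hashes are in the dump."""
    by_format = {}
    for h, fmt in hashes.items():
        by_format.setdefault(fmt, set()).add(h.lower())
    cracked = {}
    for pw in wordlist:
        for fmt, targets in by_format.items():
            h = DIGEST[fmt](pw)
            if h in targets:
                cracked[h] = pw
    return cracked


def crack_smf(users, wordlist):
    """Salted: every (salt, candidate) pair needs its own digest, so the work is
    O(len(users) * len(wordlist)); the salt only breaks the shared-lookup trick above."""
    cracked = {}
    for username, target in users:
        for pw in wordlist:
            if smf_sha1(username, pw) == target:
                cracked[username] = pw
                break
    return cracked


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(UNSALTED, WORDLIST))
    print("smf:", crack_smf(SMF_USERS, WORDLIST))
```

The practical consequence for a mixed dump like the one above is to sort the hashes by format first and run the unsalted ones as one job per format, since they are the cheap ones; the salted SMF and vBulletin hashes are where the CPU time, and the heat, actually go.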

Listening Now: Tycho - Sunrise Projector