Search this Blog


Thursday, February 6, 2014

Swedish newssite compromised

Today a Swedish and well-visited newssite, AftonBladet (, was compromised and serving visitors a fake antivirus or rogueware.

There are two possibilities as to the cause:
  • A (rotating) ad where malicious Javascript was injected
  • AftonBladet itself had malicious Javascript injected

Whoever the cause, the injected script may haven been as simple as:
document.write('< script src=http://');

When trying to reproduce, it appeared it already was cleaned up, fast actions there.

Thanks to my Panda Security colleague Jimmy from Sweden, I was able to obtain a sample.

File:    svc-ddrs.exe
Image icon:

Size:    1084416 bytes
Type:    PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5:     be886eb66cc39b0bbf3b237b476633a5
SHA1:    36c3671f37f414ad6e0954e094a1a7bd0dcc34fc
ssdeep: 24576:M2xJbbGmTvmN9BfQ0lc4Bt4Xsk2QkibF5BOWe8JH0:M6bb3MQ0lc434n2Qhh5kWe8JU
Date:    0x52F1C3E1 [Wed Feb  5 04:53:53 2014 UTC]
EP:      0x5a8090 UPX1 1/3 [SUSPICIOUS]
CRC:     Claimed: 0x0, Actual: 0x10eeb0 [SUSPICIOUS]
Packers: UPX 2.90 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser

When executing the sample

Windows Efficiency Master

Fake scanning results

Besides dropping the usual EXE file in the %appdata% folder, it also drops a data.sec file with predefined scanning results (all fake obviously). Here's a pastebin with the contents of data.sec:

It also performs the usual actions:
  • Usual blocking of EXE and other files
  • Usual  blocking of browser like Internet Explorer
  • Callback to C&C
  • Stops several antivirus services and prevents them from running
  • Reboots initially to stop certain logging and monitoring tools
  • Uses mshta.exe (which executes HTML application files) for the usual payment screen
  • Packed with UPX, so fairly easy to unpack
  • Connects to to determine your IP

This rogueware or fake AV belongs to the Tritax family, which has been going around for quite some time and has lots and lots of different names, but the design, concept and initial social engineering attack are all the same.
@ydklijnsma made an excellent post on this family, which you can read here:


In this case, no exploit -nor Java/Adobe, nor browser- was used. Only Javascript was injected.
  •     Install an antivirus and antimalware product and keep it up-to-date & running.
  •     Use NoScript in Firefox or NotScripts in Chrome.
  •     Block the above IP. (either in your firewall or host file)

  •  Perform a full scan with your installed antivirus and a scan with another antivirus or antimalware product. You can check on VirusTotal which antivirus applications already detect this malware.
  • If you are having issues doing this, reboot your machine in Safe Mode and remove the malware. For any other questions, don't hesitate to make a comment on this post or contact me on Twitter.


Remember the compromise? Although maybe not as big, the AftonBladet is still a very busy and frequently visited website. This shows that any website may have issues with malware or injected Javascript(s).

Follow the tips above to stay protected.

Information for researchers:

PCAP file with traffic (click)

Filename MD5
data.sec 2b55d02b2deed00c11fa7ddd25006cbc
svc-ddrs.exe  be886eb66cc39b0bbf3b237b476633a5
svc-ddrs.exe (unpacked) d667ffdd794fcc3479415ec57de35a58
svc-ejhy.exe (related) 803df2164a3432701aff3bbf0acd2bfe

Wednesday, February 5, 2014

Remediate VBS malware

I have developed a small tool that will aid you to remove VBS malware from a machine or in a network. I made this some months ago when I saw quite a lot of these doing the rounds. The tool is written entirely in batch, should you wonder.

The tool is simple and pretty much self-explanatory:

Remediate VBS worm
Remediate VBS worm

You should run the script in the following sequence, at least on a normal machine:
A, plug in your infected USB and choose B, C.
After these steps, perform a full scan with your installed antivirus product or perform an online scan.

Some tips and tricks:

  • Using option A, the tool will attempt to clean the infection. It will also fix any registry changes made by the malware. (for example it will re-enable Task Manager should it be disabled).
  • ! When you use option B, be sure to type only the letter of your USB drive!
    So if you have a USB drive named G:\, you should only type G
    This option will eradicate any related malware on the USB drive, as well as unhide your files (make them visible again).
  • I advise to end the script with Q as to ensure proper logfile closing. A logfile will open automatically, but is also created by default on the C:\ drive. (C:\Rem-VBS.log)
  • When the tool is running, do not use the machine for anything else.
    (it takes about 30 seconds to run)
  • Accidentally used an option and want to exit the script? Use CTRL + C to stop it.

You can use this to remedy the following malware:

  • Excedow
  • Jenxcus
  • Houdini/Dinihu
  • Autorun worms
  • Any other VBS (VBScript) or VBE malware
  • Any other malware that abuses the WSH (Windows Script Host)

Download the tool from here:

SHA1: d0946aefafe79f16740025d8cd20dbc6c2c2925e

Instructions in other languages are also available, namely Dutch and French:
VBS malware verwijderen
Remediate VBS Worm

Note: as of 03/03/2015, I've updated the tool - it is now version 3.0.0.:
ADDED: more information about attached drives & system
ADDED: root contents of removable drive will now be listed
FIXED: false positive
IMPROVED: general improvements

Note: as of 23/04/2014, I've updated the tool - it is now version 2.0.0:
ADDED: detections & disinfections will now be logged
ADDED: all attached drives are now listed
FIXED: False positive on unrelated files
FIXED: Issue with Read-Only files
IMPROVED: Registry fixes
IMPROVED: Scanning time
IMPROVED: Disinfection mechanism for USB-drives


In regards to autorun worms, you should follow these precautions:

  • Install all your Windows Updates.
  • Disable autorun. This should already be done by Windows Update, but if not you can use:
    • Panda USB Vaccine, download from CNET
    • Follow the steps in this Microsoft article (also for companies)
  • Don't simply insert a USB-drive in your machine without knowing who it is from. Found a USB-drive at your parking lot? Yeah, don't even think about it. You might want to read:
    Criminals push malware by 'losing' USB sticks in parking lots
  • You can install and run Script Defender along your antivirus/antimalware product:
    Script Defender by AnalogX
    This will effectively block the execution of malicious scripts like VBS, VBE, HTA, ...
  • If you aren't planning on ever using VBscripts at all, or you are not working on a company laptop (which may use scripts!), you can also simply disable the Windows Script Host.
  • For companies, take a look at this as well:
    Command line process auditing
  • Last but not least, install an Antivirus and update it regularly.