Thursday, December 15, 2011

Windows 7 Internet Security 2012 (FakeAV) -- The Aftermath...

This article also applies to Windows 7 AntiSpyware 2012


These particular FakeAVs aim to break the Windows 7 Firewall as well as scam you out of your financial information -- and they are very successful.
Earlier this week at work, I had the pleasure of working on a PC with this infection. I had known beforehand that the Firewall would have been compromised, and it was.

First I tried just opening the Windows Firewall settings in Control Panel.
This is what I was presented with.
I opened an elevated Command Prompt window and tried starting the services manually. At this point I was just taking notes...
That's right -- Windows Firewall (MpsSvc) is a non-existent service!
The same is true for the Base Filtering Engine (BFE) service, which is required for the firewall to work.
The Windows Firewall Authorization Driver (mpsdrv) service appears to be intact; the only thing we need to change is its start type, so that it starts automatically when Windows boots.

Now, typically we could import registry patches for these services from a clean Windows 7 computer, but there are permission issues on the following keys:
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSDRV\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mpsdrv
Some of the above keys may not even exist.

Once I granted the "Everyone" group full permission to change these keys using regedit.exe, I was able to successfully import the registry patches from a clean Windows 7 computer.

Upon reboot I was able to turn the Windows 7 Firewall on again, as shown in the screenshot below.
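The check-and-repair sequence above, written up as a script. This is an added example, not the post's own procedure or anything shipped with Windows: it audits the three firewall components from the registry and sc.exe, and with -Repair applies the steps described above (loosen the ACL on the six keys, import clean .reg exports, set mpsdrv to start automatically). It grants BUILTIN\Administrators full control instead of Everyone, which is enough for the import and narrower than the post's choice. $CleanRegDir is a placeholder for a folder holding .reg exports of those keys taken from a known-clean Windows 7 machine of the same edition.

```powershell
<#
  Added example (not from the original post). Run from an elevated PowerShell
  prompt on the affected Windows 7 machine:
    .\Check-Win7Firewall.ps1            # audit only
    .\Check-Win7Firewall.ps1 -Repair    # audit, then apply the repair steps
#>
param(
    [switch]$Repair,
    # Placeholder: folder with BFE.reg, MpsSvc.reg, mpsdrv.reg and LEGACY_*.reg exported from a clean PC
    [string]$CleanRegDir = 'C:\Recovery\FirewallReg'
)

# Meaning of the Start value under HKLM\SYSTEM\CurrentControlSet\Services\<name>
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Start = 2 (Automatic) is the Windows 7 default for BFE and MpsSvc; the post
# sets mpsdrv to automatic as well, so all three are held to the same expectation.
$Components = @(
    @{ Name = 'BFE';    Display = 'Base Filtering Engine' },
    @{ Name = 'MpsSvc'; Display = 'Windows Firewall' },
    @{ Name = 'mpsdrv'; Display = 'Windows Firewall Authorization Driver' }
)

# The keys the post found locked down (some may not exist on a given system).
$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BFE',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSSVC',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MPSDRV\0000',
    'HKLM:\SYSTEM\CurrentControlSet\Services\BFE',
    'HKLM:\SYSTEM\CurrentControlSet\Services\MpsSvc',
    'HKLM:\SYSTEM\CurrentControlSet\Services\mpsdrv'
)

function Test-FirewallHealth {
    # Returns one line per problem found; no output means the three components look intact.
    $findings = @()
    foreach ($c in $Components) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($c.Name)"
        if (-not (Test-Path $svcKey -ErrorAction SilentlyContinue)) {
            # This is the state the FakeAV left MpsSvc and BFE in: sc.exe reports the service does not exist.
            $findings += "$($c.Display) ($($c.Name)): Services key missing; the service does not exist"
            continue
        }
        $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq $null) {
            $findings += "$($c.Display) ($($c.Name)): no Start value under the Services key"
        } elseif ($start -ne 2) {
            $findings += "$($c.Display) ($($c.Name)): start type is $($StartNames[[int]$start]) ($start), expected Automatic (2)"
        }
        $stateLine = sc.exe query $c.Name | Select-String 'STATE'
        if ($stateLine -and $stateLine.Line -notmatch 'RUNNING') {
            $findings += "$($c.Display) ($($c.Name)): $($stateLine.Line.Trim())"
        }
    }
    foreach ($k in $Keys) {
        if (-not (Test-Path $k -ErrorAction SilentlyContinue)) { $findings += "$k : missing or unreadable" }
    }
    return $findings
}

function Grant-AdminFullControl([string]$Path) {
    # The post granted Everyone full control; Administrators is sufficient for the import.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Repair-Firewall {
    foreach ($k in $Keys) {
        if (Test-Path $k -ErrorAction SilentlyContinue) {
            try   { Grant-AdminFullControl $k; Write-Host "ACL updated: $k" }
            catch { Write-Warning "Could not change ACL on $k ($($_.Exception.Message)); take ownership in regedit.exe first" }
        }
    }
    # Import the clean exports; reg.exe sets a non-zero exit code on failure.
    Get-ChildItem -Path $CleanRegDir -Filter *.reg | ForEach-Object {
        & reg.exe import $_.FullName
        if ($LASTEXITCODE -ne 0) { Write-Warning "reg.exe import failed for $($_.Name)" }
    }
    # The mpsdrv change from the post; sc.exe needs the space after 'start='.
    & sc.exe config mpsdrv start= auto
    Write-Host 'Reboot, then run this script again without -Repair to confirm the services are back.'
}

$problems = Test-FirewallHealth
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { Write-Host 'Firewall components look intact.' }
if ($Repair) { Repair-Firewall }
```

Running the audit first, before touching anything, gives you a record of exactly which keys and start types the infection altered; running it again after the reboot confirms the repair took. If Set-Acl fails on a key, the malware has also changed the key's owner, and ownership has to be taken back (as the post did in regedit.exe) before the DACL can be changed.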

As you can see, malware is always improving and is capable of breaking parts of Windows that should always be secure.

2 comments:

  1. Hello, I am currently dealing with the after-effects of this infection as well (got it from a site that has videos of TV shows, I know, not safe :) )
    I have been able to clean the infection and all traces of it (with the help of an identical post on majorgeeks.)
    I may be creating a post there to double check. As to my current issue, I'm having a few problems: 1, in the hijack log/analysis there are several items marked (file missing) that are actually there. 2, the other problem is the firewall. I think the original mgtools log showed that bfe.dll was on and working; however, subsequent scans show that the file is present, but not running. Like I said, I will make a post on MG possibly tonight. Keep up the good work!

  2. Thank you, TheSmokinGun!

    The HJT (file missing) entries are most likely due to a 64-bit (x64) system. HJT isn't very accurate for x64.

    See you on MGs :-)
