Monday, November 2, 2009

IOBit Steals Malwarebytes’ Intellectual Property

Malwarebytes has recently uncovered evidence that a company called IOBit based in China is stealing and incorporating our proprietary database and intellectual property into their software. We know this will sound hard to believe, because it was hard for us to believe at first too. But after an indepth investigation, we became convinced it was true. Here is how we know.

We came across a post on the IOBit forums (cached version since they deleted the thread - well, now the cached version got deleted as well. Glad I still have a screenshot, see below) that showed IOBit Security 360 flagging a specific key generator for our Malwarebytes’ Anti-Malware software using the exact naming scheme we use to flag such keygens: Don’t.Steal.Our.Software.A.

Dont.Steal.Our.Software.A, File, G:\Nothing Much\Anti-Spyware\Malwarebytes’ Anti-Malware v1.39\Key_Generator.exe, 9-30501

Why would IOBit detect a keygen for our software and refer to it using our database name? We quickly became suspicious. Either the forum post was fraudulent or IOBit was stealing our database.

So we dug further. We accumulated more similar evidence for other detections, and we soon became convinced that this was not a mistake, it was not a coincidence, it was not an isolated event, and it persisted presently in their current database. They are using both our database and our database format exactly.

The final confirmation of IOBit’s theft occurred when we added fake definitions to our database for a fake rogue application we called Rogue.AVCleanSweepPro. This “malware” does not actually exist: we made it up. We even manufactured fake files to match the fake definitions. Within two weeks IOBit was detecting these fake files under almost exactly these fake names.

We can’t publicly show all the evidence we found, because it is still our intellectual property: proprietary information about our database internals. But we don’t want you to have to take our word for it either, so we found a way to show you an example illustrating an indisputable pattern of theft.

Consider the file, dummy.exe. It is a harmless dummy executable that runs, displays a “Hello World” message box, and exits. You can see from third-party scans on VirusTotal, that no other security vendor flags this executable as malicious or even suspicious.

We created this dummy executable, then manipulated it slightly so that it matches one of the signatures in our database. We emphasize that it is still not malicious! — the signature is perfectly benign, when not in the context of actual malware, as you can see from the VirusTotal results.

We scanned the file with our own Malwarebytes’ Anti-Malware software and indeed it was flagged as “Don’t.Steal.Our.Software.A”. We scanned it with IOBit using their current build and database version and it was flagged as the same “Don’t.Steal.Our.Software.A”. We have included log file file and a screenshot of the detection. You can verify by yourself using the dummy executable and their most recent database.

We have attached two other such dummy executables to this post, so you can see for yourself. One of them, “rogue.exe”, matches our fake Rogue.AVCleanSweepPro (screenshot) definition, the other “fake.exe”, matches our Adware.NaviPromo definition (screenshot). VirusTotal results for “fake.exe” and “rogue.exe” so you can see they are benign. You can see a screenshot of our detections here.

During the course of our investigation, we uncovered additional evidence that IOBit may have stolen the proprietary databases of other security vendors as well. We are in the process of contacting these vendors.

Malwarebytes intends to pursue legal action against IOBit. We demand IOBit immediately remove all traces of Malwarebytes’ proprietary research and database from their software. We also demand IOBit be delisted from due to Terms of Service violations. This is criminal: it is theft, it is fraud, and we will not stand for it.

What can you do to help? If you feel the same way we do about this theft, we encourage you to send an email to hosting services such as and requesting that all IOBit software be removed.

Copy/paste of the original Article here

Update to this post: IOBit’s Denial of Theft Unconvincing

Friday, July 31, 2009

My New Toy... a HTC Magic

I finally decided to buy a Smartphone...:

Love at first sight!
Too many options and too much stuff to configure. This will certainly keep me busy for a while....

Thursday, June 11, 2009

Searchengine Redirects? It could be a patched ws2_32.dll file...

I was helping someone yesterday (online support via forums) who was complaining about searchengine redirects. Redirections mainly went to,,,,

There are already many different infections responsible for searchengine redirections, I see several different ones every day.... so after a while, it's getting easier for me where to look/search.
The info is mainly gathered from logs (Registry loading points, Rootkit scans, etc).

However, this one was different. I just couldn't find the culprit. Same scenario as with the first Daonol/JsRedirect/Gumblar variant I discussed here last year (October 2008).
People who know me also know that I will search untill I find it, so I finally found the culprit - a patched ws2_32.dll file.
The ws2_32.dll is a legit Microsoft Windows file that contains the Windows Sockets API used by most Internet and network applications to handle network connections.
In this case, it was patched by malware. Its copies in the dllcache and ServicePackFiles\i386 folder were also affected. Reference thread here.
It wasn't detected by any scanner yet. Sophos Antivirus will now detect this one as Troj/WShack-B.

So if you encounter the same and just can't find the culprit of a searchengine Hijack after trying anything else - then it *may be a patched ws2_32.dll file. Don't delete that file if it's indeed patched/infected, but replace it with a clean copy.
If unsure/in doubt, post you issue in the forums.

Wednesday, May 6, 2009

In case you're wondering....

Yes, I'm still alive, just extremely busy lately.

It's now already a couple of months that MalwareBytes hired me as Malware researcher, so that's where most of my time goes nowadays.
I've decided I will only blog here once in a while - I hope at least once a month - but I cannot promise anything :-)

Also... Thank you for the nice mails I've received lately via this blog and sorry I didn't respond earlier. It looks like something went wrong with the "Contact Me" mailform, so a lot of delayed (2 months or so) mails arrived just today. Anyway, this should be fixed now.

Friday, March 6, 2009

In between message...

It's been a while that I've blogged and since I'm going through some major changes in my personal and professional life (maybe new job), I won't have the time and inspiration either to blog in the next couple of weeks.
In a meanwhile... Click the icon to play a little game, so you didn't come here for nothing. :-)

World's smallest pong game

See you later!

Tuesday, February 17, 2009

Virut and other File infectors - Throwing in the Towel?

I actually wanted to blog about this last week, but didn't find the time yet...
In the last couple of weeks, I noticed a HUGE increase of Virut present on computers. As a matter of fact, 30% of the infected computers I analyzed were infected with Virut. This is bad, really bad... :-(

Virut is a Polymorphic File Infector that infects .EXE and .SCR files. It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker - for example to download/run more malware on the compromised computer. Emails may be harvested as well.
This latest variant may also search for htm, html, asp and php files on the drives and modifies them by inserting an iframe that points to a malicious website. So you can already imagine what may happen if the owner is a webdesigner and uploads the infected webpages.
An excellent write up on this latest variant (and previous one) can also be found here (by Nicolas Brulez):

Disinfection of the infected webpages should be easy - it's just a matter of deleting the iframe script in it.
The disinfection of the infected exe and scr files is something else...
Since Virut infects legitimate files, the files may not be deleted, but disinfected instead. And that's where the problems start...
Virut was known to be a buggy Virus in the past and it appears that this hasn't changed yet. We've seen this with other File infectors as well: To Junk Or Not To Junk.

And because of that, Virut may misinfect a proportion of executable files > result > corrupted file.
The same applies for other File infectors such as Sality.

If I guide someone with Virut (or any other File Infector) present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall.
And even though an Antivirus is able to disinfect the files, in a lot of cases, many files will be corrupted anyway > result > many programs won't work > loads of errors > corrupted Windows + there's still no guarantee that the Virus is really gone.
So why bother to clean this if a format and reinstall is the fastest and especially the safest solution?

And that's why I am blogging about this in the first place, especially since Virut is a very common infection nowadays. It's a pity to see that so many people are struggling with it and whatever they try, nothing helps. Then they ask for support via the forums and in a lot of cases, the one who is helping/guiding won't give up either and posts a new set of instructions to deal with this one.
Unfortunately another failure as result, so again, new instructions are posted... and this may go on and on...sometimes for weeks....
Is this responsible?
I'm not saying it fails everytime, but from what I have seen so far and especially if you're helping someone else with this infection... don't guarantee them a "clean" and errorfree computer afterwards .

In anyway, that's how I see it. Imho, dealing with such infections is a waste of time and that's why I prefer the fastest and safest solution - which is a format and reinstall.
Many people may see this as "giving up", but I see this different.
After all, I think it would be irresponsible to let the malware "stew" (download/spread/run more malware) for another couple of days/weeks if you already know it's a lost case.

Wednesday, February 4, 2009

Happy Dance - Blog 1 year old!

I started with this blog exactly 1 year ago. I actually didn't expect anything from this since I'm not a writer and don't have enough inspiration either to update my blog every (other) day.
The main goal of this blog was to post some tutorials and thoughts for the "average" user I was helping on forums and newsgroups - so I could link to my blogposts instead of reposting it again and again.
I was already happy with only a few blogposts and actually didn't really plan to update it anyway - only once in a while.
Maybe I could have updated my blog more often with latest Security News etc, but decided not to do so.
However, after a month or two, I saw that some people started to follow this blog and linked to it as well. That was a pleasant surprise.
And that's why I'm still updating this blog with thoughts (mainly rants), tutorials and other (stupid) stuff.

Anyway, thanks for the comments and feedback I have received so far - I've learned a lot from this and I'm still learning every day!

Thank you readers!

Saturday, January 31, 2009

IX Web Hosting - Reliable?

Someone contacted me recently about the wdmaud.sys / sysaudio.sys - Win32:Daonol infection. This because his site was injected with the iFrame Javascript "Yahoo! Counter starts here". People who visit the compromised site will get infected with Win32:Daonol.
Even though he removed all injected code, it came back all the time. Also, he couldn't understand how his site(s) got compromised in the first place.
Until he told me what his webhosting service was..... IX Web Hosting.

A quick google search explained a lot....

There's even a blog called "IX Web Hosting Warning" to warn people for this webhosting company.
Quote from their About page:

"IX Web Hosting the incompetant cheap web hosting company was hacked in May of this year, and hackers managed to “seed” the servers, which are now injecting 1000’s of innocent paying customers websites, on a weekly basis. It has gotten so bad, and happened so frequently that even the backups are infected.

This has been going on now for almost 8 months!!… Yes that is correct, 8 months, and IX web hosting has still not fixed this massive security issue.
The worst part of this ordeal, is the fact that IX web hosting knows, and has openly admitted to certain people ( myself being one) that they have a massive issue, they still blame the innocent customers that it is their fault."

In anyway, that may also explain why so many people got infected with Win32:Daonol lately:

"Thousands of IX web Hosting customers are infected with this code, and they do not even know it! The web Page looks normal, but this can be very dangerous, your website will eventually drop from ALL the mayor search engines, and your domain will be flagged as “Dangerous Malware” by all the search engines."

Lesson learned: Avoid IX Web Hosting - Avoid sites being hosted with IX Web Hosting, because you may get infected.

Thursday, January 22, 2009

Miekiemoes rules ?? Yeah right...

This is about the Searchengine Hijack I blogged about a couple of months ago. Files responsible for this hijack are sysaudio.sys or wdmaud.sys, present in the system32 folder - detected by most scanners as Win32:Daonol.
Someone notified me yesterday about a version of Win32:Daonol which is a bit different than other versions.
The malware author(s) decided to add "Miekiemoes rules" under file description in one of its versions.
Again, another proof why not to believe what malware tells you :P

This is what you get when you hover your mouse over the malicious wdmaud.sys:

I only have above screenshot. The person who uploaded this screenshot for me already deleted the wdmaud.sys, so no sample available. In anyway, thanks for the screenshot.

Sample is welcome (only above version).
Edit - Sample received - Thank you blogreaders :)

Wednesday, January 14, 2009

Settings won't save in Firefox

This is another common problem I see in forums lately. This especially since more and more malware targets firefox as well.
An example we see in forums lately is "Yoog Search". This is a searchengine Hijacker - comes with a variant of AdRotator/IconAds Adware.
The Firefox startpage + searchengine / Searchsettings get hijacked and even though the malware (responsible for changing startpage+searchengine) is gone/deleted already, if people want to change it back to default again, or change it back to their own startpage / searchengine, firefox won't save the settings.
So after a next Firefox session, the Hijacked startpage / searchengine etc is back again.

The cause is a user.js file present inside the Firefox profile folder. So, in this case the %APPDATA%\Mozilla\Firefox\Profiles\"identity" folder.
The user.js file does not exist by default and was in this case added/modified by malware.
This file is used to set or reset preferences to a default value. For example whenever the browser is loaded, the values present in the user.js file will supersede the stored values in the prefs.js file.
The prefs.js file contains the values you can access/modify via about:config or via the preferences in Tools > Options Menu in Firefox.
See here for more info about the user.js file.

I've also seen the same where malware changed the Proxysettings and created a user.js file to store the Proxysettings there. Result > once the malware was removed, the user would get the error: "The Proxy Server is Refusing Connections" since the user.js file is still in use.
Some versions of the Ask Toolbar also create a user.js file in the Firefox userprofile, so after uninstalling the Ask Toolbar, the homepage + searches are still set to because the user.js file is still present.

That's why, if you're ever having problems with Firefox that won't save settings like startpage, searchengine, proxysettings etc.., then look if a user.js file is present in the Firefox profile folder and delete or modify it.
The presence of user.js in the Firefox profile folder doesn't necessarily mean that it's a bad file. Many people create their own user.js to supersede the stored values in the prefs.js file. So if you didn't create the user.js file yourself, you may delete it (since it's not present by default anyway).
If you're not sure, just rename it to user.js.bak, or open the file with notepad to see what values are present there.