My career in technology

I’m not a malware hunter by trade, but I have been called on from time to time to do a little extermination.

Sometimes, you can’t help an infection.  You visit a web page, quite innocently, and the page or an advertisement on it has been modified to take advantage of security flaws and suddenly you are fighting some nastyware.

But sometimes you get social engineered into clicking something you know you shouldn’t have clicked, and you mess yourself up.  This is what happened to one acquaintance of mine (who shall remain anonymous because it was her fault, and she feels bad enough already about it). She opened an attachment on an e-mail claiming to be from Federal Express, and her system was infected by Smart Fortress 2012.  Here is how I cleaned the system of Smart Fortress 2012.

First I’ll jump right into the removal of the malware, but afterwards, please read a few words about Social Engineering, and not getting caught by this kind of thing.

Resolution

Smart Fortress 2012 shuts down all your running programs, and prevents you from opening anything that might allow you to verify that Smart Fortress 2012 is malware, or that might allow you to solve the problem.

As long as the program is running, you can’t do anything to clean your system.

The problem is that it uses a completely random 32 digit number as the process name, so good luck guessing it.  Fortunately, though, the programmers provided a helpful way of figuring out the random number.

To help you launch your new “antivirus” program, they put a shortcut on your desktop.  If you right-click on the shortcut and choose properties, you will get the name of the file (and thereby the process name).  The information is in the Shortcut tab, in the Target field.  It till say something like “C:\ProgramData\B7E85B3E00015BB2000AAC1FB4EB2367\B7E85B3E00015BB2000AAC1FB4EB2367.exe”.

Thanks again to tech-recipes.com, you can click on Start, then Run and type in taskkill /IM [your random number].exe

So in the case of what was on the victim’s computer, I would have put in “taskkill /IM B7E85B3E00015BB2000AAC1FB4EB2367.exe”.

If the Run command isn’t on your start menu, Windows Logo Key + R also launches Run. You can also add it by right-clicking on the start menu, click Properties, click the Customize button, then find the Run Command option and put a check in the checkbox.

Using taskkill stops the process from running and stops it from preventing you from running programs, but it doesn’t clean your system!!!  You still have  some work ahead of you.

In the case of my particular victim, though, by the time I got to the system to fix it, the malware had rebooted the system, and I thought I should have a much bigger problem than I ended up having.  So I didn’t use taskkill myself to resolve this issue.  I booted the computer into Safe Mode, and that prevented Smart Fortress 2012 from running.  From there I manually cleaned the system, then ran antivirus software to make sure the malware was gone.

Manual Removal

I deleted the shortcut from the desktop, and  deleted the B7E85B3E00015BB2000AAC1FB4EB2367 folder (and the B7E85B3E00015BB2000AAC1FB4EB2367.exe file inside it) from C:\ProgramData\.

I used the 32-digit random number to search the registry using RegEdit.  I found four registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Smart Fortress 2012
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\B7E85B3E00015BB2000AAC1FB4EB2367_RASAPI32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\B7E85B3E00015BB2000AAC1FB4EB2367_RASMANCS

(The text above runs off to the right of the visible area of the blog layout. Just highlight, copy, and paste into notepad to see the full text. Sorry about that. Blame the WordPress layout.>

Under the RunOnce key was an entry pointing to “C:\ProgramData\B7E85B3E00015BB2000AAC1FB4EB2367\B7E85B3E00015BB2000AAC1FB4EB2367.exe”, which I deleted.  I deleted the other three keys in their entirety.

I also searched the hard drive for the name “Smart Fortress 2012” and for the 32-digit number, and deleted any references.

After that, the virus scans using a legitimate scanner came back clean.

Now that your system is cleaned up, let’s talk about the root cause of the problem, Social Engineering.

Getting Manipulated

The victim received the following e-mail, ostensibly from FedEx Customer Service [delivery_item@fedex.com] with the subject line “Your parcel is ready for pickup“:

Notification,

We couldn’t deliver your parcel.
Status deny:Address delivery doesn’t exist in database.

LOCATION OF YOUR ITEM:Pittsburgh
PARCEL STATUS: sort order
SERVICE: Standard Shipping
Parcel number:U281745616NU
INSURANCE: Yes

The label of your parcel is enclosed to the letter.
Print your label and show it at the post office.

Important information!
If the parcel isn’t received within 30 working days our company will have the right to claim compensation from you for it’s keeping in the amount of $15.46 for each day of keeping over limited time.

You can find the information about the procedure and conditions of parcels keeping in the nearest office.
Thank you for your attention.
FedEx Customer Services.

The e-mail had an attachment, a file named FedEx_Label_ID_Order_83-27-45333US.zip. My expectation is that the number at the end of the file name is a randomized number.

Social Engineering Prevention

Sometimes it is easier to manipulate someone into launching a program than it is to work out a way to manipulate a system vulnerability to do it.  In this case, despite the fact that the victim had ordered items from companies that use UPS and the Postal Service – not FedEx – she had ordered things recently, so the attacker was able to play on her fears about not getting her stuff, or being charged extra.  She got stampeded into opening the attached file.

But had she taken a moment, she would have noticed a few things.  First, the e-mail never addresses her by name.  That is a big, huge red flag.  The hackers may have your e-mail address, but they are generally not going to have your name attached to it (which is one of the reasons data breaches are a big problem – start matching e-mail addresses to other data and you start to get some real leverage).   And just how did FedEx get her e-mail address in the first place?  Gee, they didn’t seem to have her correct address, where did the correct e-mail address come from?  “But I ordered it online, of course they have my e-mail address!”   No, you ordered the items from the company, not FedEx.  The company has your e-mail address, not the delivery service.

And what would actually happen if FedEx had the wrong address?  Your stuff would get delivered to the wrong address.  Someone else would have it.  You’d wait for delivery, it wouldn’t show up, you’d call the company you ordered it from, they would track the package, tell you it had been delivered, you’d say it hadn’t been, the wrong address would be discovered, they would resend it and work with FedEx to recover the original package.  Or, the recipient would reject the delivery, and FedEx would return it back to the company you ordered stuff from, and the company’s customer service would call you.  In no case would a delivery company e-mail you if the address was wrong, and threaten to bill you for holding the package.

And here is the big one.  Despite the use of the word “Federal” in its name, Federal Express is a private company.  (Just like United Parcel Service (UPS).)  Neither one is affiliated with the Unites States Postal Service (USPS), which is a government service.  FedEx will never send you to the Post Office, and neither will it have someone at the post office;  the postal service is a competitor.

Finally, lets look at the text of the e-mail.  First, it was plain text, no images.  While just because the e-mail contains images does not confirm its legitimacy, lack of images from a commercial source like FedEx is suspect.  Then there are the words and phrases used:

  • The label of your parcel is enclosed to the letter” – Wow, that isn’t awkward phrasing, is it?
  • Address delivery doesn’t exist in database” – backwards wording
  •  “for each day of keeping over limited time.” – nobody talks like this, except if they don’t speak english
  •  “conditions of parcels keeping in the nearest office” – nobody talks like this, ever
  • FedEx Customer Services.” – Customer service is plural?  With a period after it?  Really???

I could go on, but I believe I have made my point.

So here are the rules:

  1. Rule One:  Never click on an attachment you aren’t expecting.  Just don’t do it.
  2. Rule Two: Not even if it is from someone you know.  Not ever.
  3. Rule Three:  If you are ever tempted to click on an attachment, refer to Rules One and Two.
  4. Rule Four:  If you are still tempted to click, pay attention to the e-mail itself.  Slow down and think – does this make sense?  Is it in English?  In the kind of English people actually speak and write?  That a professional company with hired professional writers on staff that are paid to make sure the grammar is proper would use?  Really?  Then don’t click it.
  5. Rule Five:  If you are still tempted to click, call them first.  Pick up the phone and call them and make sure it is legitimate before you click it.
  6. Rule Six: And I can’t stress this enough, DON’T CLICK ON THE ATTACHMENT. Hopefully I haven’t been unclear on this. Really. Just don’t. Please.

Smart Fortress 2012

Smart Fortress 2012 is, like a lot of the malware I have encountered, “scareware”; that is, it makes you believe your computer is infected with all kinds of nasty things, but that Smart Fortress 2012 is the solution, not the problem.  Smart Fortress 2012 shuts down all your running programs, and prevents you from opening anything that might allow you to verify that Smart Fortress 2012 is malware, or that might allow you to solve the problem.  Then it tells you you need to buy something – an update or a license – before your system can get cleaned from its infection.

Using the particular social engineering technique they used, getting a user to panic a little and click an attachment (that they know they shouldn’t have clicked on in the first place), makes this part of the scareware is pretty effective.  “Uh oh, I clicked on the attachment, just like Jim told me six times not to, and now my antivirus says I have a virus!  And now it says I need to pay for an update/license so it can clear my system!”  And the already panicked user panics further.

Hopefully my experience will help you with resolving your issue, please feel free to leave a comment if you need further assistance or if something I wrote was unclear, and I will do what I can to help.

Death to viruses, trojans, and spyware! Death to malware!

Jim Adcock makes a living as a SharePoint Administrator, and makes a difference as Vice President of Launch Pad Job Club, an organization in Austin, Texas, whose mission is help people who have lost their jobs to get the skills they need to land their next job, and to help them cope with the interim between jobs. Check out his career-related posts or check out some of the other content on the site.

Advertisements

Comments on: "Death to Malware: Smart Fortress 2012" (3)

  1. I was wise enough not to open it, but I’m sure a lot of people appreciate the help you’ve given, well done.

    • About 200 people in the last three weeks.

      I’m just glad that my struggles can help other get through theirs with less hassle.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: