Trojan "theft" Baidu signature tampering home page and favorites


Recently, the 360 anti-virus team received user feedback saying that the browser home page had been modified for no apparent reason and that many extra sites had appeared in the browser's Favorites folder.

The 360 anti-virus team's investigation found that the users' homepage and favorites had been tampered with by a misbehaving advertising program. Advertising programs have become more and more common in recent years, so that in itself is not unusual; what surprised us was the program that modified the home page and the one that added favorites.

Let's start with the program that changes the homepage.

Program MD5: be7f33d7920e94e81710c0389c351b6f

Digital Signature: BeiJing Baidu Netcom Science Technology Co., Ltd

It turned out to carry Baidu's signature and was packed with the UPX compression shell, while the product name of the program is even more confusing (what is "qingzao"?):

Double-clicking the installation package runs it without any special parameters. The installer runs silently, shows no interface, and drops its program components into the WinHomeLocker directory:

All the released files are listed below; every released executable carries the Baidu digital signature and is packed in the same way as the installer, and the product name of each is qingzao:

File Name                       MD5
Uninstall.exe                   4ff2ee2595dd81f40aa1f475c66d
Locker64.exe                    B0f5b9067d24fdf853a05c2578374739
Locker32.exe                    1e68bfc1c31ac16f90c9addb8186030d
HPHelper64.dll                  0a467834433a9000000006faa96df6014c
HPHelper32.dll                  844024a1824981923d705ba26350110e
HomePageLocker.exe              1c50b75d3432718504026cf984bda1d3
HomeLockerUpdateServices.dll    74358740900f49f727aff515c45418de


After the files are dropped, the system's regsvr32.exe is used to register HomeLockerUpdateServices.dll from the program directory as a service:

After the service is added, the HomePageLocker.exe program is started with the "/update" parameter.

When HomePageLocker.exe checks its startup parameters and finds the update parameter, it performs the specified upgrade operation.

It contacts the domain www.microrui.net to fetch the update information.

Locker32.exe in the same directory is also started at the same time; this program obtains the homepage setting, either fetched online or read from a configuration file, and modifies the browser homepage accordingly.


In addition, whtj.meijucenter.com receives a statistics report every time the browser is opened.

Neither of the two domain names shows any visible relationship with Baidu.

Microrui.net has a Shanghai ICP filing under the name "Mike luorui", and its whois record shows the registrant as "WANGRUI" (judging by the registration email, the registrant is probably a "Wang Rui").

The other domain, meijucenter.com, is even more mysterious: it has no ICP filing, and its registration record has the privacy protection service purchased.


After installation completes, no trace of the program is visible on the desktop or in the system tray. It can be found in the Start menu, but in a somewhat odd location, and no uninstall shortcut is provided in the Start menu.

Clicking the program... Why is the program title obscured? Why did I write 360 on the homepage? You are locking hao123... I am deeply confused.


Now let's talk about the program that tampers with favorites.

Program MD5: bf74e8e97c78171eee87e06d109f0491

Digital Signature: BeiJing Baidu Netcom Science Technology Co., Ltd

It carries the same signature but is not packed with the UPX compression shell; the product name, however, is again incomprehensible:

The program fetches a configuration file online and decodes from it the list of websites to be promoted together with their icons.


It then writes the obtained URL link files into the browser's Favorites folder:

The visible effect:
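For a defender checking whether a machine has been hit by behaviour like the favorites tampering described above, the useful step is to inventory the Favorites folder and look at what each shortcut actually points to. The following script is an added example, not code from the 360 report or from either program it describes: it parses Windows Internet Shortcut (.url) files, which are small INI-style files with an [InternetShortcut] section, and flags entries whose host falls under a watch list. The Favorites directory, the file contents and the watched domains (promo.example, ads.example) are all constructed for the demonstration; on a real machine you would point inventory_favorites() at the user's Favorites folder and supply your own watch list.

```python
"""
Inventory a browser Favorites folder (.url Internet Shortcut files) and flag
entries that point at a watch-listed domain.  Added example; the sample
folder contents and the watched domains below are constructed, not taken
from the report.
"""
import configparser
import os
import tempfile
from urllib.parse import urlparse

# Constructed watch list (placeholders, not domains from the report).
WATCHED_DOMAINS = {"promo.example", "ads.example"}

# Constructed sample Favorites folder: two ordinary shortcuts, one non-.url
# file that must be ignored, and one malformed shortcut without a URL key.
SAMPLE_FAVORITES = {
    "My Bank.url": "[InternetShortcut]\r\nURL=https://bank.example/login\r\nIconIndex=0\r\n",
    "Great Deals.url": (
        "[InternetShortcut]\r\nURL=http://shop.promo.example/?ref=123\r\n"
        "IconFile=C:\\Users\\u\\AppData\\Roaming\\x\\deal.ico\r\nIconIndex=0\r\n"
    ),
    "Notes.txt": "not a shortcut",
    "Broken.url": "[InternetShortcut]\r\nIconIndex=0\r\n",
}


def parse_url_file(path):
    """Return (url, icon_file) for a .url file, or None if it is not a
    well-formed Internet Shortcut (missing section or URL key)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            parser.read_file(fh)
    except configparser.Error:
        return None
    if not parser.has_section("InternetShortcut"):
        return None
    url = parser.get("InternetShortcut", "URL", fallback=None)
    if not url:
        return None
    icon = parser.get("InternetShortcut", "IconFile", fallback=None)
    return url, icon


def host_in_watchlist(url, watched):
    """True if the URL's host is a watched domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in watched)


def inventory_favorites(folder, watched=WATCHED_DOMAINS):
    """Walk a Favorites folder and return one dict per .url file, sorted by
    file name, with 'flagged' set for watch-listed hosts and 'malformed'
    set for files that are not valid Internet Shortcuts."""
    results = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            if not name.lower().endswith(".url"):
                continue
            parsed = parse_url_file(os.path.join(root, name))
            if parsed is None:
                results.append({"file": name, "url": None, "icon": None,
                                "flagged": False, "malformed": True})
                continue
            url, icon = parsed
            results.append({"file": name, "url": url, "icon": icon,
                            "flagged": host_in_watchlist(url, watched),
                            "malformed": False})
    return sorted(results, key=lambda r: r["file"])


def build_sample_favorites(target_dir):
    """Write the constructed sample files into target_dir."""
    for name, content in SAMPLE_FAVORITES.items():
        with open(os.path.join(target_dir, name), "w", encoding="utf-8", newline="") as fh:
            fh.write(content)
    return target_dir


def demo():
    """Run the inventory against a temporary constructed folder; returns the rows."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_favorites(tmp)
        return inventory_favorites(tmp)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The malformed entry is reported rather than silently skipped because a shortcut with an odd or missing URL key is itself worth a second look during triage. Matching is done on the parsed hostname rather than by substring so that a domain such as notads.example is not mistaken for ads.example.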


The appearance of these two programs was totally unexpected, and we cannot understand why two programs with so many strange behaviours were signed by Baidu. We hope Baidu will trace this matter and check whether someone has used their position to sign their own program for commercial gain.
