Usually, when we talk about viruses and antivirus software, the topic is more or less about detection. So if I say that a piece of malware uses an antivirus product to do bad things, will that be interesting?
Recently, AVG caught a kind of StartPage malware which uses Kingsoft WebShield as a component of itself to achieve its aim.
Kingsoft is one of the most popular antivirus companies in China. Its WebShield is designed to protect users from phishing and injected websites so they can surf online safely. It has two well-known functions, locking IE's homepage and page redirection, which are exactly what the malware takes advantage of.
This malware combines modules from Kingsoft:
It would be clearer if we have a look at the digital signatures:
And modified configuration files:
kws.ini contains the homepage settings, of course filled with fake URLs, as you can see in this detail:
Spitesp.dat contains the list of URLs used for homepage redirection. That means if you try to access any of these URLs, you will be redirected to the homepage or to a certain previously configured URL:
Just take a look at these URLs. We can see that some popular internet websites are included as well.
So how does this malware use Kingsoft WebShield to do bad things?
Actually, this malware is packed in an NSIS package (Nullsoft Scriptable Install System). Below is the script decompiled from the package by the AVG engine.
First of all, we can see that the malware searches for a process named 'KSWebShield.exe', which would mean Kingsoft WebShield is already running. If it finds one, it stops and removes the Kingsoft WebShield service.
Second, the malware drops the needed Kingsoft WebShield modules into the directory below:
Third, it drops the configuration files mentioned previously into the folder from which Kingsoft WebShield reads its settings by default:
At last, the malware runs a batch file to install and start the Kingsoft WebShield service:
At this point the maliciously configured Kingsoft WebShield takes effect. That means your browsers' homepages are faked, and you will be redirected to the fake homepage if you try to access any of the URLs listed in the configuration file.
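A detection sketch for the chain described above, added here as an example (it is not AVG's code): it groups process and file events by pid and flags a process that removes the existing WebShield service, writes kws.ini / Spitesp.dat, and then installs a service. The log format, service name and paths are constructed assumptions; the post does not give them.

```python
"""Flag the Kingsoft-WebShield-abuse sequence in process/file event telemetry.
The event lines, service name and paths below are constructed for this example."""
import re
from collections import defaultdict

# Constructed sample telemetry, one event per line: "<time> <pid> <event> <detail>"
SAMPLE_EVENTS = """\
10:00:01 4120 ProcessCreate C:\\Users\\u\\Downloads\\setup.exe
10:00:02 4120 ProcessCreate sc.exe stop KWebShieldSvc
10:00:02 4120 ProcessCreate sc.exe delete KWebShieldSvc
10:00:03 4120 FileWrite C:\\Program Files\\KWS\\kws.ini
10:00:03 4120 FileWrite C:\\Program Files\\KWS\\Spitesp.dat
10:00:04 4120 ProcessCreate cmd.exe /c install.bat
10:00:04 4120 ProcessCreate sc.exe create KWebShieldSvc binPath= C:\\Program Files\\KWS\\KSWebShield.exe
10:00:05 5500 FileWrite C:\\Users\\u\\notes.txt
"""

# Configuration files the post describes the malware dropping.
CONFIG_FILES = {"kws.ini", "spitesp.dat"}
FULL_CHAIN = {"service_removed", "config_dropped", "service_installed"}

def score_process(events):
    """Return the set of abuse-chain stages a single process exhibited."""
    stages = set()
    for ev, detail in events:
        d = detail.lower()
        if ev == "ProcessCreate" and "sc.exe" in d and (" stop " in d or " delete " in d):
            stages.add("service_removed")          # existing WebShield service torn down
        elif ev == "FileWrite" and d.rsplit("\\", 1)[-1] in CONFIG_FILES:
            stages.add("config_dropped")           # attacker-controlled homepage/redirect config
        elif ev == "ProcessCreate" and "sc.exe" in d and " create " in d:
            stages.add("service_installed")        # WebShield re-registered with the new config
    return stages

def find_webshield_abuse(log_text):
    """Map pid -> stages for every process that completed the whole chain."""
    by_pid = defaultdict(list)
    for line in log_text.splitlines():
        m = re.match(r"(\S+) (\d+) (\w+) (.*)", line)
        if m:
            by_pid[int(m.group(2))].append((m.group(3), m.group(4)))
    return {pid: stages for pid, stages in
            ((p, score_process(e)) for p, e in by_pid.items()) if FULL_CHAIN <= stages}

if __name__ == "__main__":
    for pid, stages in find_webshield_abuse(SAMPLE_EVENTS).items():
        print(f"pid {pid}: WebShield abuse chain observed ({', '.join(sorted(stages))})")
```

A signature check on the dropped binaries will pass, since they are Kingsoft's own signed modules; the observable that matters is the service replacement plus the rewritten configuration files.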
Kingsoft WebShield is a powerful browser protector. Maybe because of that power, it attracts the interest of malware authors. Unfortunately, malware can simply swap in its own configuration files to turn that power to bad ends. Is this a warning to others?
Jason Zhou & Hynek Blinka