
HTTP Searchnet Activity

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects Adware.SearchNet communicating and requesting information from its controlling server.

Additional Information

When Adware.SearchNet is executed it performs the following actions:

1. Creates the following files:

* %Windir%\Downloaded Program Files\[RANDOM NAME].dll
* %Windir%\Downloaded Program Files\[RANDOM NAME].dll
* %System%\drivers\Anfad.sys
* %System%\drivers\[RANDOM NAME].sys
* %System%\drivers\FAD.sys
* %System%\drivers\[RANDOM NAME].sys
* %System%\ServeHost.dat
* %System%\ServeHost.exe
* %ProgramFiles%\SearchNet\SearchNet.exe
* %ProgramFiles%\SearchNet\ServeUp.exe
* %ProgramFiles%\SearchNet\SNHpr.dll
* %ProgramFiles%\SearchNet\SrvNet32.dll
* %ProgramFiles%\SearchNet\UnInstall.exe

Notes:
* %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).
* %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.

2. Creates the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2A0176FE-008B-4706-90F5-BBA532A49731}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{52BEA5F9-7E3F-490A-B7E8-9BD5DDDEE5DF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1AFED83-9133-4660-8C8F-DAF1B4A3D5A8}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{158919D3-4CAB-4109-9755-9AE794D5B2DE}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{E8D3778F-47D3-4F1F-9245-3D46856936E4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHpr.InterCept.1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0176FE-008B-4706-90F5-BBA532A49731}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZSXZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cdnup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{04152c5b-7ca9-4bb1-8077-5ea42f787eb8}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{515bafd0-86a0-4b2a-9dfe-4440bf60c355}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{5c20c0e0-9a22-424f-92c8-6f408563ce98}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{93506e82-31e9-47b4-901e-2d04d6aa3b86}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{b9b553a9-77ff-44de-8c24-fe88ccdc4e93}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{c8a82950-abe8-4b7d-a5de-19c249a9cfac}
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{cf3780c4-33ba-44bd-981f-e37940887d8b}
HKEY_LOCAL_MACHINE\SOFTWARE\SearchNet
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANFAD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_[RANDOM NAME]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FAD
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2A0176FE-008B-4706-90F5-BBA532A49731}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3CE496D1-1746-41CD-9489-3C0B93DF10E2}

3. Creates the following registry subkeys so that it runs as a service:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Anfad
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RANDOM NAME]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FAD
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote Log

4. Adds the value

"Enable Browser Extensions" = "yes"

to the registry subkeys:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\S-1-5-19\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\S-1-5-18\Software\Microsoft\Internet Explorer\Main

5. Adds the values:

"CdnCtr" = ""
"SearchNet_Up" = "%ProgramFiles%\SearchNet\ServeUp.exe"
"[RANDOM NAME]" = "rundll32 "%Windir%\Downloaded Program Files\[RANDOM NAME].dll""

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that it runs every time Windows starts.

6. Modifies the Internet Explorer default search page so that each search is redirected to the following domain:

zhongsou.com

7. Attempts to delete folders and registry keys associated with another Browser Helper Object.

8. Uses kernel mode drivers to protect its files and registry keys from being tampered with, thus making removal more difficult.

Response

The following instructions pertain to all Symantec antivirus products that support security risk detection.

1. Restart the computer using the Windows Recovery Console.
2. Update the definitions.
3. Close all open Internet Explorer windows.
4. Run a full system scan.
5. Delete any values added to the registry.
6. Reset the Internet Explorer search page.
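An added read-only audit script, not part of the Symantec write-up, that checks a host for the file, service, Browser Helper Object, Run-key and search-page artifacts listed above so an administrator can confirm an infection or verify that the cleanup steps removed them. It assumes the Windows XP-era default folders given in the notes and that the Internet Explorer search page is stored in the "Search Page" value under the Main key; the [RANDOM NAME] driver and Run entries are matched by their distinctive command line rather than by name.

```powershell
# Audit-only: reports Adware.SearchNet artifacts from the write-up above; it deletes nothing.
$files = @(
    "$env:SystemRoot\System32\drivers\Anfad.sys",
    "$env:SystemRoot\System32\drivers\FAD.sys",
    "$env:SystemRoot\System32\ServeHost.dat",
    "$env:SystemRoot\System32\ServeHost.exe",
    "$env:ProgramFiles\SearchNet\SearchNet.exe",
    "$env:ProgramFiles\SearchNet\ServeUp.exe",
    "$env:ProgramFiles\SearchNet\SNHpr.dll",
    "$env:ProgramFiles\SearchNet\SrvNet32.dll",
    "$env:ProgramFiles\SearchNet\UnInstall.exe"
)
$services  = @('Anfad', 'FAD', 'Remote Log')
$bhoClsids = @('{2A0176FE-008B-4706-90F5-BBA532A49731}', '{3CE496D1-1746-41CD-9489-3C0B93DF10E2}')
$runValues = @('CdnCtr', 'SearchNet_Up')
$findings  = @()

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "File present: $f" }
}
foreach ($s in $services) {
    if (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$s") { $findings += "Service key present: $s" }
}
foreach ($c in $bhoClsids) {
    $key = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$c"
    if (Test-Path $key) { $findings += "BHO registered: $c" }
}
if (Test-Path 'HKLM:\SOFTWARE\SearchNet') { $findings += 'Registry key present: HKLM\SOFTWARE\SearchNet' }

# Run key: the two fixed value names plus the rundll32 entry that loads the randomly named DLL.
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($v in $runValues) {
        if ($run.PSObject.Properties.Name -contains $v) { $findings += "Run value present: $v = $($run.$v)" }
    }
    $run.PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'rundll32.*Downloaded Program Files' } |
        ForEach-Object { $findings += "Suspicious Run value: $($_.Name) = $($_.Value)" }
}

# Search-page hijack check (assumes the standard "Search Page" value name).
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue
if ($ie -and ($ie.'Search Page' -match 'zhongsou\.com')) { $findings += "IE search page redirected: $($ie.'Search Page')" }

if ($findings.Count -eq 0) { 'No Adware.SearchNet artifacts found.' } else { $findings }
```

Run it from an elevated prompt before and after the cleanup steps; any line it still prints after remediation points at an artifact the scan or manual registry edits missed.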