Author Topic: CertLock Trojan Blocks Security Programs by Disallowing Their Certificates  (Read 998 times)

Offline Felipe Oliveira

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 403
  • Brazilian / Medicine Student / Love Technology
Quote
A new trend in adware and unwanted program purveyors is to install protection software that makes it more difficult for Windows users to run their security programs and clean infections. This was seen with the SmartService rootkit that blocked AV software from running and now with a protection program being called CertLock.

Since the end of May, security forum helpers have noticed reports that people are not able to install and run security programs on their infected computers. When they try to run the programs, they are greeted with an alert that states that the publisher has been blocked from running on the computer.

It turns out that this is being caused by CertLock disallowing a security vendor's certificate on the affected computer so that Windows does not allow the program to run.

Quote
CertLock disallows security vendor certificates
Commonly detected as Ceram or Wdfload by anti-virus vendors, CertLock is distributed in unwanted program bundles, such as miners. Once installed, CertLock blocks a security vendor's certificate by adding it to a special Windows registry key. This causes Windows to refuse to execute any program signed with that certificate.


Quote
Disallowed Certificates (SHA-1 thumbprints):

Security Vendor        Thumbprint
AVAST                  AD4C5429E10F4FF6C01840C20ABA344D7401209F
AVAST                  DB77E5CFEC34459146748B667C97B185619251BA
AVG                    3D496FA682E65FC122351EC29B55AB94F3BB03FC
AVG                    AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947
AVG Technologies       E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF
Adaware                9132E8B079D080E01D52631690BE18EBC2347C1E
Avira                  A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99
BitDefender            18DEA4EFA93B06AE997D234411F3FD72A677EECE
BitDefender            ED841A61C0F76025598421BC1B00E24189E68D54
BullGuard              A5341949ABE1407DD7BF7DFE75460D9608FBC309
BullGuard              76A9295EF4343E12DFC5FE05DC57227C1AB00D29
Checkpoint Software    5240AB5B05D11B37900AC7712A3C6AE42F377C8C
Comodo                 03D22C9C66915D58C88912B64C1F984B8344EF09
Comodo                 872CD334B7E7B3C3D1C6114CD6B221026D505EAB
CurioLab               9E3F95577B37C74CA2F70C1E1859E798B7FC6B13
Doctor Web             4420C99742DF11DD0795BC15B7B0ABF090DC84DF
Doctor Web             FFFA650F2CB2ABC0D80527B524DD3F9FC172C138
ESET                   A59CC32724DD07A6FC33F7806945481A2D13CA2F
ESET                   F83099622B4A9F72CB5081F742164AD1B8D048C9
Emsisoft               4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF
Emsisoft               5DD3D41810F28B2A13E9A004E6412061E28FA48D
F-Secure               0F684EC1163281085C6AF20528878103ACEFCAAB
FRISK                  1667908C9E22EFBD0590E088715CC74BE4C60884
GData                  2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF
K7 Computing           42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01
K7 Computing           7457A3793086DBB58B3858D6476889E3311E550E
Kaspersky              3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F
Kaspersky              D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598
Malwarebytes           249BDA38A611CD746A132FA2AF995A2D3C941264
Malwarebytes           B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84
McAfee                 775B373B33B9D15B58BC02B184704332B97C3CAF
McAfee                 88AD5DFE24126872B33175D1778687B642323ACF
PC Tools               4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159
Panda                  FBB42F089AF2D570F2BF6F493D107A3255A9BB1A
SUPERAntiSpyware       373C33726722D3A5D1EDD1F1585D5D25B39BEA1A
Safer Networking       982D98951CF3C0CA2A02814D474A976CBFF6BDB1
Symantec               31AC96A6C17C425222C46D55C3CCA6BA12E54DAF
Symantec               AD96BB64BA36379D2E354660780C2067B81DA2E0
ThreatTrack Security   9C43F665E690AB4D486D4717B456C5554D4BCEB5
ThreatTrack Security   DB303C9B61282DE525DC754A535CA2D6A9BD3D87
Total Defense          E22240E837B52E691C71DF248F12D27F96441C00
Trend Micro            331E2046A1CCA7BFEF766724394BE6112B4CA3F7
Trend Micro            CDC37C22FE9272D8F2610206AD397A45040326B8
Webroot                3353EA609334A9F23A701B9159E30CB6C22D4C59
Webroot                9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361

https://www.bleepingcomputer.com/news/security/certlock-trojan-blocks-security-programs-by-disallowing-their-certificates/
« Last Edit: June 09, 2017, 12:58:50 AM by Felipe Oliveira »
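The article says CertLock plants vendor thumbprints in "a special Windows registry key". The script below is an added example for this thread (it is not code from BleepingComputer, Comodo, or the poster) showing how to audit a machine for that change: it walks the Windows Disallowed certificate stores, flags any entry whose thumbprint appears in the table above, and shows how to check which certificate in a signed file's chain is the one being refused. Assumptions: the three registry paths listed are the standard Windows locations for the Disallowed store (the page itself does not name the key), the `$Known` table is a hand-picked subset of the thumbprints above that you extend with the rest, and the session runs elevated on PowerShell 3.0 or later.

```powershell
# CertLock audit: compare the Disallowed certificate stores with the
# vendor thumbprints from the table above, then list (and optionally
# remove) matches. Added example, not from the article or the forum.
# Assumed: Windows 7+ / PowerShell 3.0+, run as Administrator.

# Thumbprint -> vendor, copied from the table above (subset; add the rest).
$Known = @{
    '03D22C9C66915D58C88912B64C1F984B8344EF09' = 'Comodo'
    '872CD334B7E7B3C3D1C6114CD6B221026D505EAB' = 'Comodo'
    '249BDA38A611CD746A132FA2AF995A2D3C941264' = 'Malwarebytes'
    'A59CC32724DD07A6FC33F7806945481A2D13CA2F' = 'ESET'
    '3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F' = 'Kaspersky'
}

# Registry-backed Disallowed stores. Assumption: these are the standard
# machine, group-policy and per-user locations; the page only says
# "a special Windows registry key".
$RegistryStores = @(
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates',
    'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates',
    'HKCU:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates'
)

function Get-DisallowedEntries {
    # Each subkey under ...\Disallowed\Certificates is named by the
    # certificate's SHA-1 thumbprint; the cert itself sits in the Blob value.
    foreach ($store in $RegistryStores) {
        if (-not (Test-Path -Path $store)) { continue }
        Get-ChildItem -Path $store | ForEach-Object {
            $print = $_.PSChildName.ToUpperInvariant()
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $print
                Vendor     = $Known[$print]      # $null when not in the table
            }
        }
    }
}

function Test-SignerBlocked {
    # For a signed file, report the Authenticode status and which
    # certificate(s) in its chain are present in the machine Disallowed store.
    param([Parameter(Mandatory)][string] $Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Status = $sig.Status; BlockedBy = @() }
    }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $null = $chain.Build($sig.SignerCertificate)
    $chainPrints = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
    $disallowed  = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed | ForEach-Object Thumbprint)
    [pscustomobject]@{
        Path      = $Path
        Status    = $sig.Status
        BlockedBy = @($chainPrints | Where-Object { $disallowed -contains $_ })
    }
}

$entries = Get-DisallowedEntries
$hits    = @($entries | Where-Object { $_.Vendor })

'Entries matching the CertLock table:'
$hits | Format-Table Vendor, Thumbprint, Store -AutoSize

'Other Disallowed entries (the table is not exhaustive; review, do not blindly delete):'
$entries | Where-Object { -not $_.Vendor } | Format-Table Thumbprint, Store -AutoSize

# Example check on a vendor installer (path is hypothetical):
# Test-SignerBlocked -Path 'C:\Users\Public\Downloads\cis_setup.exe'

# To undo CertLock's change, delete only the matching subkeys after
# exporting the parent key as a backup (reg export ...):
# $hits | ForEach-Object { Remove-Item -Path (Join-Path $_.Store $_.Thumbprint) -Recurse }
```

Two caveats for anyone cleaning a machine with this: a clean Windows install already carries entries in the Disallowed store that Microsoft ships to distrust known-bad certificates, so only remove thumbprints you can tie to a vendor, and treat unfamiliar ones as leads rather than as things to delete. Also, because the list above is what was observed at the time, an updated sample may target other vendors; the "other entries" section exists to catch that.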

Offline Yousername

  • Comodo's Hero
  • *****
  • Posts: 233
Nice share. Looks like it's not an all-inclusive list; HitmanPro, which is signed by SurfRight, can bypass this. It is also possible to use an unsigned version of a clean-up tool, that way you don't need to use a bootable environment for cleanup.

And Microsoft can't be blocked, for obvious reasons. Actually, I wonder what happens if Microsoft vendors are blocked, if that is possible; that could be a method for malware designed to stop systems from working.


Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 343
  • I like CIS , Kali Linux and IDA Pro ! ;)
I've seen it a bit late, but very interesting post :-TU ;)
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14588
    • Video Blog
Well... to disallow the certificate, it must execute something and change something on the hard drive...

With Comodo's containment technology, whatever it does, will happen in virtualized environment and no change will be committed to the hard drive.

We don't let unknown files have access to the gun so that they can shoot us!!!

No access to Hard Drive
No access to Registry
No access to COM interface...

No gun wound ;)


Offline Zbc

  • Product Translator
  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 744
Yeah, but there is a problem when you try to install CIS on a system already infected by this trojan ;)

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 343
  • I like CIS , Kali Linux and IDA Pro ! ;)
Yeah, but there is a problem when you try to install CIS on a system already infected by this trojan ;)

That's fully right, but I think this scenario could be a problem for all antivirus programs ;)
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4212
  • Lurking
Yeah, but there is a problem when you try to install CIS on a system already infected by this trojan ;)

Many people probably don't agree with me but in my opinion if a system has been infected then it's forever contaminated, you might be able to clean it out but you don't know what damage it has done to the OS or what else it has done. If a system is infected then in my personal opinion there is no need to clean it, start fresh.
I support privacy and freedom online - eff.org

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 343
  • I like CIS , Kali Linux and IDA Pro ! ;)
Many people probably don't agree with me but in my opinion if a system has been infected then it's forever contaminated, you might be able to clean it out but you don't know what damage it has done to the OS or what else it has done. If a system is infected then in my personal opinion there is no need to clean it, start fresh.

I agree with you! For most types of malware, this is the best and safest thing you can do.
« Last Edit: July 09, 2017, 12:33:39 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline panic

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 11610
  • Linux is free only if your time is worthless.;-)
Many people probably don't agree with me but in my opinion if a system has been infected then it's forever contaminated, you might be able to clean it out but you don't know what damage it has done to the OS or what else it has done. If a system is infected then in my personal opinion there is no need to clean it, start fresh.

If only there was a way to go back in time before the infection occurred.

Like a time machine.

A Comodo Time Machine.

Boom goes the hammer Melih. ;-)
As your mums would say, "If you can't play nice with all the other kiddies, go home".
All users are asked to please read and abide by the  Comodo Forum Policy.
If you can't conform, don't use the forum.

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14588
    • Video Blog
Many people probably don't agree with me but in my opinion if a system has been infected then it's forever contaminated, you might be able to clean it out but you don't know what damage it has done to the OS or what else it has done. If a system is infected then in my personal opinion there is no need to clean it, start fresh.

agree 100%!!!

You can keep a computer clean without knowing what the malware does (virtualization).
But you can't clean a computer without knowing what the malware has done.
How will you know what kind of malware you have? You will only know what you know, and what you don't know will still be there unnoticed...

Infected system.....re-image!

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4212
  • Lurking
If only there was a way to go back in time before the infection occurred.

Like a time machine.

A Comodo Time Machine.

Boom goes the hammer Melih. ;-)

Personally I use Macrium Reflect for that.
I support privacy and freedom online - eff.org
