BProtector for Windows: A Case of Digitally Signed Malware
Recently, I was fixing an infected computer and discovered a very intrusive browser hijacker that tried to mimic a legitimate program on many levels. The program is called "Bprotector for Windows", short for "Browser Protector for Windows", and as is often the case with rogue programs, it did just the opposite of what its name implies. And yet, so complete is this ruse that none of the security programs I tested recognized the program's EXE or accompanying DLL file as malware. In fact, the detection rate at VirusTotal was a disappointing 0/42 for both of the infection's primary executable files, bProtect.exe and protector.DLL:
VirusTotal scan result for bProtect.EXE = 0/42
VirusTotal scan result for protector.DLL = 0/42
This was the case despite the fact that this malware completely took over Firefox and Internet Explorer and left Google Chrome completely non-operational. It partially accomplished all of the above by installing a "Babylon Plug-in for IE" and a Firefox Babylon Search add-on, which left both browsers beset with pop-ups and incapable of conducting any normal searches.
Hence, I was forced to use a clean computer to download analysis and removal tools (Process Explorer and Autoruns) to a USB flash drive to combat this infection. And since its detection rate was negligible, I knew I could not rely on any conventional scanners to rid the PC of this beast. No, it would be manual removal all the way, based on the nearly fail-safe premise that most manual and automatic methods follow:
Locate & disable the infected startups (executable load points) and then remove the executable files they reference.
Relevant File System Changes
C:\ProgramData\bProtectorForWindows\2.2.453.59\bProtect.exe 1,677,856 bytes
C:\ProgramData\bProtectorForWindows\2.2.453.59\protector.dll 2,008,096 bytes
The most visible signs of this infection, from an analysis perspective, are the process bprotect.exe, which is visible in Task Manager, and the library file protector.dll, which is loaded through the AppInit_DLLs registry value located under the following registry key:
The location of the BProtector Program folder was a dead giveaway that something was amiss, because no legitimate programs install themselves into a nested location within the ProgramData folder. This is simply a hideaway location, selected to avoid detection.
Bprotect.exe loads as a Windows service with a display name of bProtector and a description of "Your browser protector service". The service is set to start automatically at system startup.
This is an export of the bprotector service registry key:
Windows Registry Editor Version 5.00
"Description"="Your browser protector service"
The infection inserts a scheduled task called 'BProtector' into the Windows Task Scheduler to ensure that the bProtector service runs continuously and restarts if it is stopped. This BProtector task triggers the Service Control Manager (sc.exe) to start the BProtector service, running it once every minute, indefinitely. This task must be deleted using Task Scheduler's 'Action' menu as part of the infection clean-up:
If you try to terminate the process bprotect.exe, it will immediately respawn, using a child process to accomplish this (I witnessed this happening by viewing bProtect.exe's child process in Process Explorer's Process Tree). Upon viewing this perpetual respawning, I immediately decided the best course of action was to set the bProtector service Startup Type to "Disabled" by setting its Start value to 4. This prevents the service from starting again after a system reboot.
This can also be accomplished by directly editing this bProtector Service key in the Registry (refer to the export of this key above):
Just change the Start value from "Start"=dword:00000002 to "Start"=dword:00000004. It can also be done by issuing the appropriate "SC" command from the command prompt (elevated in Windows Vista, 7 and 8) as follows:
sc config bProtector start= disabled
As mentioned above, in all versions of Windows released after XP, which incorporate UAC (User Account Control), the command prompt must be "Run as Administrator" by selecting that option from the context menu of cmd.exe.
Service Console showing disabled bProtector Service:
Before rebooting, it was also necessary to disable the Protector.dll startup loaded through AppInit_DLLs. I did this by removing Protector.dll from the value data of the Windows key:
There can be legitimate DLLs loaded under AppInit_DLLs, separated by commas or spaces, so it is necessary to leave intact those determined to originate from legitimate programs, by doing a little investigative research beforehand.
Moral of the story: do NOT just delete the entire AppInit_DLLs data value if more than one DLL is listed there. Target only the illegitimate DLLs for removal and leave the rest. Above all, do NOT delete the entire "Windows" registry key, and back up your registry before attempting any edits!
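As an added example (not part of the original post), the following PowerShell performs the selective edit described above: it drops only the named DLL from an AppInit_DLLs value, whichever separator is used, and previews the change with -WhatIf before writing anything. The registry path is the well-known AppInit_DLLs location; the sample value and the name 'example_legit.dll' are constructed for illustration.

```powershell
# Added example, not from the original post: remove one DLL from an AppInit_DLLs
# value while keeping every other entry, the edge case the post warns about.
function Remove-AppInitDllEntry {
    param(
        [AllowEmptyString()][string]$Value,           # raw AppInit_DLLs data
        [Parameter(Mandatory=$true)][string]$DllName  # file name to drop, e.g. 'protector.dll'
    )
    # Entries may be separated by commas, spaces, or both; split on any run of either.
    $entries = @($Value -split '[,\s]+' | Where-Object { $_ -ne '' })
    # Compare on the file name only, so a full path and a bare name are treated alike;
    # PowerShell's -ne on strings is case-insensitive by default.
    $kept = @($entries | Where-Object { [System.IO.Path]::GetFileName($_) -ne $DllName })
    return ($kept -join ',')
}

function Clear-AppInitDllEntry {
    # Applies the edit to the live value; -WhatIf shows the change without writing it.
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$DllName)
    # Well-known AppInit_DLLs key (64-bit Windows keeps a second copy under Wow6432Node).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $current = (Get-ItemProperty -Path $key -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if (-not $current) { Write-Output 'AppInit_DLLs is empty; nothing to do.'; return }
    $cleaned = Remove-AppInitDllEntry -Value $current -DllName $DllName
    if ($cleaned -eq $current) { Write-Output "AppInit_DLLs does not list $DllName."; return }
    if ($PSCmdlet.ShouldProcess($key, "AppInit_DLLs: '$current' -> '$cleaned'")) {
        # Back up the key before writing, as the post advises (needs an elevated prompt).
        reg export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' "$env:TEMP\AppInit_backup.reg" /y | Out-Null
        Set-ItemProperty -Path $key -Name AppInit_DLLs -Value $cleaned
    }
}

# Constructed sample: a placeholder legitimate DLL listed beside the malicious one.
$sample = 'C:\Windows\System32\example_legit.dll, C:\ProgramData\bProtectorForWindows\2.2.453.59\protector.dll'
Remove-AppInitDllEntry -Value $sample -DllName 'protector.dll'   # keeps only example_legit.dll
# Dry run against the real value; drop -WhatIf from an elevated prompt to apply it.
Clear-AppInitDllEntry -DllName 'protector.dll' -WhatIf
```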
With the infected start-ups set to disabled, it was time to restart the computer so the infection would no longer be running. After rebooting the computer, the infection was effectively rendered inactive, and what remained was cleaning up the fallout. The fallout consisted of restoring all browsers to their pre-infection state by removing the Babylon Toolbar for IE and the Babylon Firefox search add-on. I also had to uninstall and reinstall the Google Chrome browser, as it had become nonfunctional.
Before I deleted the bProtector folder, I did some research into the origin of this hijacker.
The following is an image of the Properties of bprotect.exe. Observe the entry under the "Language" field: "Ukrainian". If you know anything about cybercrime and its sources (Ukraine is the epicenter of the Zeus botnet), well, enough said!
I also used Microsoft's digital signature verification program, "Sigcheck", to determine whether the infected executable files were signed. I had a hunch that this might be the reason why bProtect.exe and Protector.dll were not targeted by any anti-malware programs, resulting in a completely clean VirusTotal scan result.
The following is the Sigcheck output for bProtect.exe (protector.dll has a similar result):
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
Sigcheck v1.71 - File version and signature viewer
Copyright (C) 2004-2010 Mark Russinovich
Sysinternals - www.sysinternals.com
Signing date: 9:48 AM 6/10/2012
Description: bProtector Engine
Product: bProtector Engine
File version: 2,2,453,59
Sure enough, this was a case of "digitally signed" malware (Protector.dll was also digitally signed), which is highly unusual, as only a very small proportion of malware files are digitally signed. However, a rise in the use of malware incorporating stolen and rogue (counterfeit) digital certificates has caused this number to rise recently. The reasoning behind this strategy is twofold: it enables malware to bypass 64-bit Windows driver signing requirements, allowing it to gain entry onto a system, and it also prevents it from being flagged as malware by most anti-malware programs, since the assumption may be that a digitally signed file must be legitimate.
The bProtect.exe Digital Signature Details dialog revealed an expired certificate that lists 'Go Daddy Secure Certification Authority' as the issuer of the code-signing certificate and PerformerSoft LLC as its subject.
An inspection of the software sold on the PerformerSoft website gives no indication that they create or distribute anything called "BProtector for Windows", and their "Contact us" page shows an Oregon (not Ukrainian) address... so, not surprisingly, something is very fishy here.
All of the findings irrefutably point to this BProtector imposter being a case of digitally signed malware! It is true that there are a multitude of rogue security programs that masquerade as something beneficial to your computer. However, it is quite rare, though not impossible, to find a digitally signed rogue program (the fake System Restore program being the only one I know of), and that is what makes BProtector for Windows so unique.
BProtector Removal Instructions
Since my explanation of how to remove BProtector was interwoven with a description of its "modus operandi", I will now briefly summarize the BProtector removal instructions.
Note: Please remember to back up your registry before attempting any registry edits. A good program to use is ERUNT. You can download it and read usage directions in this ERUNT Tutorial at Geekstogo.com.
1. Set the bProtector service to disabled using Regedit, or invoke the relevant sc command from an elevated command prompt (click Start, type cmd into the Search box, right-click cmd.exe and select 'Run as Administrator'); then type or copy/paste the following command into the command prompt window and hit Enter:
sc config bProtector start= disabled
2. Remove Protector.dll from the data of the AppInit_DLLs registry value while preserving any legitimate DLLs.
Open the Windows Registry Editor, Regedit.exe, by clicking Start, typing regedit into the search box, and clicking regedit.exe in the search results. Then navigate to the following registry key by clicking the + or > symbol next to each registry key to expand it:
Double-click the AppInit_DLLs value in the right pane, delete Protector.dll from the Value data field, click OK, and then close Regedit.
3. Reboot the computer to disable the infected startups.
4. Open Task Manager (Ctrl+Shift+Esc), select the 'Processes' tab, and confirm that bprotect.exe is no longer in Task Manager's list of active processes.
5. Open Task Scheduler (Start -> Administrative Tools -> Task Scheduler).
On the menu, click 'View' -> 'Show Hidden Tasks' and ensure that it is checked.
In the Task Status window, use the pull-down menu to set the task time period to 30 days. The lower pane will refresh to show all active tasks run during the last 30 days.
In the Active Tasks window, double-click the bProtector task and select 'Delete' from the Action menu.
6. Delete the following bProtector folder and all subfolders within it:
Run this command from an elevated command prompt ('Run as Administrator') to do that:
rmdir /s C:\ProgramData\bProtectorForWindows\
7. Open Control Panel -> 'Programs and Features' and uninstall "Babylon Plug-in for IE".
8. If you use the Firefox browser, you will need to remove the Firefox Babylon Search add-on from the list of Firefox add-ons.
9. If you use the Google Chrome browser, you will probably need to uninstall and reinstall it.
10. Delete the bProtector service by launching an elevated command prompt (type cmd into the Start Search box, right-click cmd.exe and select 'Run as Administrator'). Then type the following sc command:
sc delete bprotector
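To see every persistence point at once before cleanup, and to confirm after the reboot that nothing came back, here is an added PowerShell check that is not part of the original post. It reads the service, process, scheduled task, AppInit_DLLs value, folder and Authenticode signature that the post describes, changes nothing, and assumes the names and paths quoted above plus the well-known AppInit_DLLs key.

```powershell
# Added example, not from the original post: read-only status check of every persistence
# point the post describes. Run it before cleanup and again after the reboot.
function Get-BProtectorStatus {
    $svcName  = 'bProtector'
    $taskName = 'BProtector'
    $rootDir  = 'C:\ProgramData\bProtectorForWindows'
    $exePath  = Join-Path $rootDir '2.2.453.59\bProtect.exe'
    $appInit  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'  # well-known AppInit_DLLs key
    $lines = @()

    # Service: Start=2 means automatic (as installed), Start=4 means disabled (the post's fix).
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
    if (Test-Path $svcKey) {
        $lines += 'service   : present, Start=' + (Get-ItemProperty -Path $svcKey).Start
    } else { $lines += 'service   : absent' }

    # Process: should be gone once the service is disabled and the machine rebooted.
    if (Get-Process -Name bProtect -ErrorAction SilentlyContinue) {
        $lines += 'process   : bProtect.exe running'
    } else { $lines += 'process   : not running' }

    # Scheduled task that restarts the service every minute (schtasks also exists on Windows 7).
    $null = cmd /c "schtasks /Query /TN $taskName >nul 2>&1"
    if ($LASTEXITCODE -eq 0) { $lines += 'task      : present' } else { $lines += 'task      : absent' }

    # AppInit_DLLs: any remaining reference means protector.dll still loads into new processes.
    $dlls = (Get-ItemProperty -Path $appInit -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($dlls -match 'protector\.dll') { $lines += "appinit   : still lists protector.dll ($dlls)" }
    else { $lines += 'appinit   : clean' }

    # Files on disk, plus the detail Sigcheck showed: a signature is not a clean bill of
    # health, so record the signer and expiry rather than just the status word.
    if (Test-Path $rootDir) { $lines += 'folder    : present' } else { $lines += 'folder    : absent' }
    if (Test-Path $exePath) {
        $sig = Get-AuthenticodeSignature -FilePath $exePath
        $lines += 'signature : {0}; signer={1}; expires={2}' -f $sig.Status, $sig.SignerCertificate.Subject, $sig.SignerCertificate.NotAfter
    }
    return $lines
}

Get-BProtectorStatus
```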