Home > News content

Jinshan series do evil again: drive elves to put back door virus to users to manipulate and hijack traffic

via:火绒网络     time:2019/12/6 18:34:51     readed:360

During the double 11, Huorong started to intercept and kill some software of Jinshan series that imitated other security software and promoted advertisements (see link 1 for the report). Subsequently, Huorong received a lot of user feedback, saying that in the case of uninstalling Kingsoft, driving Genie and other software, Huorong still reported the virus. After communicating with users and checking and analyzing remotely, the engineers found that the driver Genie intentionally left a back door program named "kbasesrv" when uninstalling, including the advertisement module that was poisoned by the tinder.


After in-depth analysis, it is found that the driver wizard will put in "kbasesrv" back door program when uninstalling, and execute malicious behaviors such as software promotion, traffic hijacking, cloud control locking browser home page in the user's computer. Not only that, the backdoor program can also cloud control to execute any file, copy or delete files, end the process, modify the registry, send messages to the specified form, etc., which means that the user computer is at risk of being remotely executed any operation at any time.

All of the above behaviors have met the definition of backdoor program by the security manufacturer, so tinder will investigate and kill the program. Users who don't have the tinder installed can also choose the tinder kill tool to completely clear the backdoor program "kbasesrv". (see link 2 for kill address)

In addition to the driver wizard service and the special version of Jinshan software installation package, the most important way to launch the "kbasesrv" backdoor program is when the driver wizard is uninstalled by the user. In addition, some cloud control instructions of the program will actively avoid mainstream security software such as cashmere and some major provincial capitals (Beijing, Shanghai, Shenzhen, Guangzhou). In addition, because the "kbasesrv" backdoor program component overlaps with many Jinshan software components such as Kingsoft poison bully, cheetah browser, cheetah WiFi, etc., if Kingsoft issues cloud control commands to these software, they can also implement the malicious behavior of "kbasesrv" backdoor program execution, so Huorong will intercept and report the virus accordingly. Due to the large number of users of Jinshan system software, the influence of the backdoor program is more extensive.

In fact, several years ago, users exposed the hijacking behavior related to Jinshan software (see link 3). We also reported Jinshan's use of viruses to promote installation, counterfeit other security software to promote advertising (see links 1 and 4 for the report). Tinder is not intended to target a certain manufacturer. It is indeed that this series of program behaviors touch our principles and bottom line. If we do not stop them, the rights and interests of users will be harmed. In Huorong's view, if these software manufacturers continue to do evil and exploit the interests of users, Huorong will continue to intercept and kill such dangerous programs.

After the "hijacking of browser homepage" phenomenon was exposed, recently people's daily once again criticized the "pop-up ads" and other bad behaviors of commercial software damaging user experience, pointing out that relevant platform manufacturers should "optimize the industry ecology and strengthen the industry self-discipline". In this regard, we also call on manufacturers to pursue profits rationally, so that users will no longer be maliciously harassed and enjoy their due rights and interests.

Note: the back door program "kbasesrv" mentioned in this paper used to be called "homepage security protection" and "Jinshan security basic service".

Related links:

1. 11% hooligans promote Carnival and invade tens of millions of computers in a single day


2. Killing address


3. Users exposed Jinshan hijacking



4. There is an underground industry behind Jinshan poison bully's "uninvited".


Attachment: [analysis report]


I. traceability analysis

II. Delivery channels

Drive genie to promote kbasesrv

Launch of kbasesrv in Jinshan system software channel package

III. back door of cloud control

IV. tampering with browser memory data

V. traffic hijacking

Promotion number hijacking

Browser hijacking

Vi. cloud control lock head

Home page lock

Lock new tab

Add external chain

7. Homology analysis

VIII. Appendix

I. traceability analysis

In the recent report "double ten ten ten ten ten ten ten hooligans promote Carnival and invade tens of millions of computers in a single day", Huorong revealed the hooligan advertising promotion behaviors of Jinshan series advertising module, such as camouflage the process name of security software, monitor the user's cutting board, and detect security analysis tools. After we checked and killed the relevant advertising modules of Jinshan system, we received a large number of users' relevant feedback. We are surprised to find that in many computers implanted with rogue promotion modules, users have never actively installed or uninstalled any Jinshan software. Through the analysis, we finally locate that kbasesrv, a backdoor service with Jinshan signature, sends out the rogue promotion module. When the service is installed, there will be no interface prompt, and the program behavior of the service in the user terminal can be controlled through the cloud control server, including but not limited to the execution of advertising, traffic hijacking, software promotion, etc. in the user computer. The service behavior Conform to the definition of back door program of tinder.


Kbasesrv backdoor file signature information

By tracing the source, we position that there are many channels to promote kbasesrv backdoor program, such as: Driver Wizard service item, driver wizard uninstaller, Jinshan software special version channel package, etc. After our confirmation, users in the above promotion channels can't prevent kbasesrv service from being installed through manual settings, that is, it will be controlled by the backdoor program without users' knowledge. When the backdoor installation package is launched, it will actively avoid the mainstream security software (tinder, 360). For the time being, the backdoor program mainly performs software promotion, traffic hijacking (including hijacking promotion billing number, hijacking browser, etc.), cloud control locking browser home page.

In addition, we found that the backdoor program also has the functions of executing any executable file, command line, releasing promotion shortcut, ending process, sending message to the specified form, copying files, modifying and deleting registry. When the back door cloud control configuration is distributed, it will actively avoid major provincial capitals (Beijing, Shanghai, Shenzhen, Guangzhou) and mainstream security software. The above malicious behavior fully conforms to our definition of backdoor program, which directly affects the normal use of personal computer by users. The execution process of the back door program is shown in the following figure:


Backdoor program execution flow chart

II. Delivery channels

Drive genie to promote kbasesrv

When the driver wizard uninstaller releases kbasesrv, in order to avoid repeated installation, it will detect whether kbasesrv or Jinshan poison bully has been installed (Jinshan poison bully contains relevant components of kbasesrv, and the specific homology analysis will have relevant instructions later), and at the same time, it will avoid the security software (tinder, 360 security guard) and prevent its malicious release behavior from being captured by the security software. Relevant codes are shown in the following figure:


Putting kbasesrv logic into driver wizard uninstaller

Avoid code related to cashmere, as shown in the following figure:


Avoid code related to cashmere

Kbasesrv service delivery logic exists in driver wizard service and uninstaller. The relevant code logic is shown in the following figure:


Driving sprite service to launch kbasesrv related code logic

Launch of kbasesrv in Jinshan system software channel package

Through our traceability analysis, we also found a special version of cheetah browser installation package. The kbasesrv installation package and Cheetah browser installation package are stored in the installation package resources in the form of binary data. After the installation package runs, the cheetah browser installation interface will pop up, but the installation of cheetah browser and kbasesrv backdoor program will not affect each other, even if the user does not install cheetah browser, it will not affect the installation of kbasesrv backdoor program. Screenshot of relevant actions, as shown in the following figure:


Screenshot of kbasesrv operation

The digital signature information of the installation file of this special version of cheetah browser is shown in the following figure:


Special version of cheetah browser installation file digital signature information

III. back door of cloud control

The kbasesrv backdoor program will call the specified backdoor module (infocenter.exe, phoenix.exe, kwhcommonpop. Exe) to execute the backdoor instructions according to the cloud control configuration. Among them, kwhcommonpop.exe is called by kcmppinvoker.dll, and the current cloud control configuration is mainly used for software promotion; kpolicy.dll can call infocenter.exe and phoenix.exe to execute the back door command according to the cloud control configuration loaded by kpctrl.dll. Take phoenix.exe as an example, some of the main back door instructions that the back door module can execute are as follows:


Back door instructions that phoenix.exe can execute

Kpctrl.dll will first parse the policy data related to the implementation of the back door module from the fnsign.dat (the file is encrypted, the file synchronization address is: hxxp://pc001.update.lbmini.cmcm.com/cmcm/kprotect/bin/2001/kprotect/data/d8d04a3927358e312562fe1f1641b0, and the last part is the file content hash value) configuration synchronized locally. The decrypted configuration data is shown in the following figure:


Promotion and allocation

Kbasesrv will call kpolicy.dll according to the configuration data loaded in kpctrl, create the promotion software control thread, and detect the cloud control data list every 5 seconds. If the list is not empty, it will call the specified backdoor module to execute the backdoor logic according to the synchronization to the local cloud control configuration. Relevant codes are shown in the following figure:


Code related to software promotion

If the copy path is set in the cloud control data, the backdoor module will be copied to the specified directory for execution. Relevant codes are shown in the following figure:


Call relevant codes of rear door module

Because the key codes of infocenter.exe, phoenix.exe and kwhcommonpop.exe are basically the same, only phoenix.exe is used for analysis and description in the report. After phoenix.exe is executed, it will parse and synchronize to the local cloud control configuration (the cloud control distribution address: hxxp://config.i.duba.net/rcmdsoft/6/7/generizecfg.dat) file generizecfg.dat (the file is in the Phoenix / 6 / 7 directory in the software directory, where 6 represents the current software name, such as kbasesrv, Kingsoft, driver wizard, etc.; 7 is the given value in the module). After the cloud control configuration file is decrypted, as shown in the following figure:


Generizecfg.dat configuration content

The relevant cloud control configuration we requested is mainly used for software promotion. According to the existing configuration of the back door module, we will implement the induced software promotion. The URL field under the resinfo tab in the configuration above is used to splice the download address of the resource file (for example, hxxp://config.i.duba.net/rcmdsoft/6/7/db/kp_music_push_db. Zip). The resource file is the resource of the induced pop-up page. After the user clicks "one button cleaning", it will promote the installation of Kingsoft. Pop up interface, as shown in the following figure:


Guided promotion pop up interface

In another generizecfg.dat configuration, we found a lot of policies for rule based security software. According to the notes, we speculated that this configuration was the promotion behavior performed by Kingsoft when it was uninstalled. Related configurations are shown in the following figure:


Generizecfg.dat configuration content

In addition, we also found other back door instruction functions (execute arbitrary executable program, command line, copy file, modify registry, etc.) in phoenix.exe back door module. We also found the related configuration files using backdoor instructions through the screening of the history files of Jinshan system software. From the configuration content, we find that some software functions and backdoor functions exist in the same configuration file, namely. The content of the configuration file is shown in the following figure:


Rear door command configuration

Analyze and execute the relevant code of cloud control command, as shown in the following figure:


Analyze and execute cloud control command related codes

The rear door command function is only used for individual functions. Relevant codes are shown in the following figure:


Execute the specified command line


End specified process


Call kingst.dll dynamic library to promote the installation software

Kingst.dll is a general software promotion module of Jinshan system, which can promote and install the specified software according to the cloud promotion configuration. In the promotion configuration we downloaded, the promotion strategy can quietly promote Kingsoft. This software installation program is a special dynamic library. After running the installex export function, you can install the Kingsoft Viper silently. Related configuration files are shown in the following figure:


Promote software related cloud configuration

Download and parse the relevant code of cloud promotion configuration (server address: http://config.i.duba.net/lminstall3/ [config'u number]. JSON? Time = [time'tickecount]), as shown in the following figure:


Download and analyze cloud promotion configuration code

Execute relevant code of software promotion, as shown in the figure below:


Execute software promotion related codes

IV. tampering with browser memory data

The knb3rdhmpg.dll module injected into the browser will tamper with the browser memory data and destroy the tamper proof function of the browser home page. The affected browsers are shown in the following figure:


Affected browsers

Take 360 safe browser as an example. In the sesafe.dll module, the startup parameters of 360 safe browser will be detected. If the "Dubai" string is found in the startup parameters of the homepage, the homepage repair function module will be opened. Relevant codes are shown in the following figure:


Hijacking protection of the homepage of sesafe.dll

When 360 security browser detects that the home page is hijacked by a drug bully, it will repair the home page. Relevant phenomena are shown in the figure below:


360 safe browser home page repair

In order to hijack the browser homepage successfully, the knb3rdhmpg.dll module injected into the browser will tamper with the corresponding module data and destroy the original malicious tampering homepage interception function through hook ldrloaddll function when the browser DLL module is loaded. This module will not only tamper part of the content, but also tamper according to the configuration file. The related configuration file is safepatch.dat, which can be distributed through cloud control, including the browser module and content to be tampered with. Relevant codes are shown in the following figure:


Hook LdrLoadDll


Tampering with memory data of sesafe.dll


Safepatch.dat file

V. traffic hijacking

Promotion number hijacking

The knb3rdhmpg.dll module injected into the browser will hijack the promotion numbers of Baidu search, Sogou search and the navigation pages of hao123. When users access these sites with a browser, the module hijacks the promotion numbers of these links. There are two configuration files for hijacking promotion number. Use se ﹣ redirect ﹣ ex2.dat and uredirect.dat files of simple XOR in kbasesrv directory. Configuration files can be updated through cloud control, including hijacked URL prefix, hijacked white list, hijacked promotion number, hijacked probability and other information. The se ﹣ redirect ﹣ ex2.dat file is now distributed for active update. The uredirect.dat file will not be updated at present, but the file with the same name can be found in the directory of Kingsoft poison bully, and the field information in the file is consistent with the program logic. Hijack the configuration file, as shown in the following figure:


Se ﹣ redirect ﹣ ex2.dat file


Uredirect.dat file

For different browsers, there are three ways to realize the hijacking of extension number.

1) call setwineventhook to filter the event menu object menu namechange event and hijack the browser tab form. When the window title of the tab changes, the callback function of the event hook will be triggered to enter the hijacking process. The knb3rdhmpg.dll module will query the hijacking link according to the window title of the tab and save it to the pasteboard. Then paste the hijacked link into the address bar and access it in the way of analog keyboard input to complete hijacking. Relevant codes are shown in the following figure:


Call setwineventhook to filter event? Object? Namechange events


Analog keyboard input for promotion number hijacking

2) the hook ntdeviceiocontrollfile analyzes the traffic transmitted by the browser, resolves the domain name and the requested URL, matches the corresponding hijacking link, and replaces the returned data with 302 redirected return data, jumping to the hijacked link. Relevant codes are shown in the following figure:


Use 302 redirect to hijack promotion number

3) use hook setwindowtextw to filter the calls to set the content of the browser title bar. When the browser will visit the search tool link (Baidu, Sogou, hao123), the title bar is set to search tool name, which will trigger the hijacking process. The knb3rdhmpg.dll module gets the hijacking link according to the original link, and calls setwindowtextw to set the address bar link, and finally simulates the keyboard input to access.


Hook SetWindowText hijack promotion number

Browser hijacking

The browsers affected by hijacking include 2345 browser, Sogou browser and QQ browser

Kbasesrv.exe will inject "knbhmpg.dll" and "knb3rdhmpg. DLL" or "knbhmpg64.dll" and "knb3rdhmpg64. DLL" under kbasesrv module into the system process explorer.exe according to the current system version. The process of explorer.exe after injection is as follows:


List of explorer.exe process modules after injection

After the successful injection into explorer.exe, knbhmpg.dll will hook the invokecommand method under the icontextmenu interface. The invokecommand method is primarily used to execute commands associated with shortcut menu items. That is to say, when we double-click the shortcut and other operations, the hook function will be triggered. The hook invokecommand method code is shown in the following figure:


Hook invokecommand method

When the hook code is triggered successfully, the program will load knb3rdhmpg.dll to obtain the address of its export function "F1". The relevant code is shown in the following figure:


Get the address of export function F1 in knb3rdhmpg.dll

After obtaining the address of the exported function F1 in knb3rdhmpg.dll, the program will run in the code logic of F1. First, the executable path it points to will be obtained according to the shortcut path obtained. The relevant code is shown in the following figure:


Get the file path the shortcut points to

Then decrypt the safeurl.dat configuration file under its own path, and get the required configuration content. Decrypt safeurl.dat, and the relevant code is as follows:


Decrypt safeurl.dat

The corresponding configuration and field explanation in the decrypted safeurl.dat file are as follows:


Content and field explanation of decrypted safeurl.dat

Then check whether the times field representing the trigger times is greater than 0. If it is greater than 0, the function will continue to run normally. Otherwise, the function fails. The relevant code is as follows:


Detect times field value

When the trigger times meet the conditions, a random number divided by 100 will be obtained, and the remainder will be compared with the value in the configuration file, so as to control the probability of triggering. The relevant code is shown in the following figure:


detection probability

After the probability is successfully triggered, the module will obtain its own path according to the registry key value and splice the startup parameter "C: \ \ program files \ \ kbasesrv \ \ knbhm.exe - URL sogouexplorer.exe https://www.duba.com/? F = lnkjks" to create a new process. The relevant codes are as follows:


Splice start parameters and create process

Knbhm.exe is actually a starter. It processes different logic according to different parameters of other modules. The parameters that knbhm.exe can receive are as follows:


Knbhm.exe receive parameters

When knbhm.exe is started with the "- URL" parameter, a new process will be created according to the safeurl.dat configuration to hijack the browser clicked by the user. If there is a cheetah browser on the user's computer, the cheetah browser will be used to start the browser clicked by the user. Take Sogou high-speed browser as an example, the phenomenon of being hijacked by the cheetah browser after double clicking is shown in the following figure:


Hijack user browser

Vi. cloud control lock head

The knb3rdhmpg.dll module injected into the browser will obtain the configuration content of the lock head through inter process communication, and the lock head function can be controlled through the configuration file. This configuration file can be updated through cloud control, which includes the lock strategy of different promotion channels. Most of the lock-in strategies are to avoid Beijing, Shanghai, Shenzhen and Guangzhou metropolitan areas. The affected browsers and promotion strategies are shown in the following figure:


Affected browsers


Home page locking strategy

Home page lock

After the hook invokecommand method, if the above conditions of browser hijacking are not triggered, the module will obtain the built-in field name according to the browser name. Take Sogou high-speed browser as an example, obtain the built-in field "browser" Sogou ", and send it to" kbasesrv. Exe "through interprocess communication to get the lock URL. After that, new startup parameters will be spliced. The hash field is followed by the browser path and the hash value of startup parameters. The code for creating knbhm.exe process is shown in the following figure:


Splice startup parameters and create knbhm.exe process

Take Sogou high-speed browser as an example. After double clicking, the homepage is locked by poison bully navigation, as shown in the following figure:


Poison bully locks Sogou navigation page

Lock new tab

Knb3rdhmpg.dll injected into the browser filters the call to set the content of the browser title bar through hook setwindowtextw. When a user opens a new tab for a specific browser, the lock process is entered. Through interprocess communication, the module gets the mark and lock link of the new tab locking function and then calls the knbhm module to start the browser to open the lock link to generate a new locked tab. The relevant codes are as follows:


Hook setwindowtextw function


Lock new tab

Add external chain

The knb3rdhmpg.dll module injected into the browser adds an outer chain to the command line. The knb3rdhmpg.dll module processes the command line parameters of some browser hook getcommandlinew functions, and adds additional links based on the original links. When the user browser starts with the URL parameter, the module will add additional links later. While opening the original page, open an additional link page. Relevant codes are shown in the following figure:


Hook GetCommandLineW


Add the outer chain after the original command line parameter

7. Homology analysis

In addition to the above malicious modules found in the kbasesrv directory launched by the driving genie, we also found similar malicious modules in other software of Jinshan (for example: Kingsoft poison bully, driving genie, cheetah browser, cheetah WiFi). Taking the file kwhcommonpop.exe with the same name as an example, the similar code for parsing and executing back door instructions is shown in the following figure:


Homologous code analysis

VIII. Appendix

Sample hash


translate engine:

China IT News APP

Download China IT News APP

Please rate this news

The average score will be displayed after you score.

Post comment

Do not see clearly? Click for a new code.

User comments