Beware the Samsung rootkit

[Vurbal]

I feel kind of bad for waiting so long to post this but better late than never I guess...

A couple weeks ago my wife gave me a Samsung Galaxy 3 7" tablet. It didn't come with drivers and it seems Samsung only distributes them as part of their Kies transfer software so I went ahead and downloaded/installed it figuring I'd backup the drivers, check out the software, and then most likely uninstall it. Annoying but not surprisingly so.

A day or 2 later I happened to be looking at some files in my Windows folder and noticed one called MusicCityDownload.exe which naturally made me suspicious. A quick look at the PE headers using CFF Explorer made me even more suspicious but did at least provide me with the software vendor's name - MarkAny. A quick web search later and I figured out MarkAny is a Korean company which pretty well gave away the fact it was installed with Kies. A couple more searches and I ran across this gem on the XDA Developers forum.

To make a long story short, don't install Kies and if you already have it installed you should make a copy of the driver installer (located in the Kies program folder) and then immediately uninstall. The good news is Samsung's installer seems to be one of those rare ones that actually does the job right and unlike say the infamous Sony rootkit this one doesn't resist uninstallation. Also, conveniently, you can uninstall everything except the drivers.

If you need the drivers and haven't already installed Kies I'll be happy to send you the installer.

In case you want to be as thorough as possible when uninstalling here's a list of all the information I collected during my own little investigation. It's a combination of what I found on my own and the Kies install log. I didn't dig through the registry for all the Samsung entries so there's certainly more I'm missing. However, as I said, the uninstaller seemed to do a thorough job.

Code: Text [Select]

1. Processes:
2.     KiesTrayAgent.exe
3.     DeviceDataService.exe
4.     ConnectionManager.exe
5.     DeviceManager.exe
6.     Kies.exe
7.     KiesPDLR.exe
8.     KiesHelper.exe
9.     KiesAirMessage.exe
10.  
11. File System:
12.     C:\Users\[UserName]\AppData\Local\Temp\{A9E68544-3AA6-4AB9-9A4B-2BF631975A17}\
13.     C:\Users\[username]\AppData\Local\Temp\KiesTemporary\
14.     C:\Users\[username]\AppData\Local\Temp\MarkAny\
15.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\
16.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UpdateClient\
17.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaAgent.exe
18.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MAAuthProc.dll
19.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MACLICX13.dll
20.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MACLicX15.dll
21.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MACSMANAGER.dll
22.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaCSMgr.exe
23.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaCSProHook.dll
24.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\mapshapi.dll
25.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\mapwij10.dll
26.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaSyncP.dll
27.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaWAMP.dll
28.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MAWebControl.exe
29.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaWMP.dll
30.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MPXBox.exe
31.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MtpAccess.dll
32.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UpdateClient\MAFileUpdate.dll
33.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UpdateClient\MAUpdate.exe
34.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UpdateClient\MAUpdateBoot.exe
35.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UpdateClient\MaUpdateClient.exe
36.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UserShare.dll
37.     C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\XSYNCClt.dll
38.     C:\Users\[username]\AppData\Local\Samsung\
39.     C:\Users\[username]\AppData\Local\Temp\KiesLiveupdateTemp\
40.     C:\Users\[username]\AppData\Local\Temp\KiesTemporary\
41.     C:\Users\[username]\AppData\Local\Temp\MarkAny\
42.     C:\Users\[username]\AppData\Local\Temp\SAMSUNG\
43.     C:\[KiesInstallPath]\Kies\External\FirmwareUpdate\AgentVer.txt
44.     C:\[KiesInstallPath]\Kies\EULAVer.txt
45.     C:\Users\[UserName]\AppData\Local\Temp\{A9E68544-3AA6-4AB9-9A4B-2BF631975A17}\WriteDescExecuteFileName.exe Software\Samsung\KIESSETUP Samsung Kies Installer 2.0
46.     C:\[KiesInstallPath]\Kies\External\DeviceModules\ConnectionManager.exe
47.     C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceManager.exe
48.     C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceDataService.exe
49.     C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceServiceModelDB.dll
50.     C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceServiceCore.dll
51.     C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceCommunication.dll
52.     C:\[KiesInstallPath]\Kies\External\DeviceModules\DCADU.dll
53.     C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAKOREAMITSOBEX.dll
54.     C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAPARAGONATOBEX.dll
55.     C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAPARAGONGM.dll
56.     C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAPARAGONOBEX.dll
57.     C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAWM.dll
58.     C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAOBEX.dll
59.     C:\[KiesInstallPath]\Kies\External\DeviceModules\THNRProghelp.dll
60.     C:\[KiesInstallPath]\Kies\External\DeviceModules\DevFileService.dll
61.     C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceSearch.dll
62.     C:\[KiesInstallPath]\Kies\External\DeviceModules\RASWraper.dll
63.     C:\[KiesInstallPath]\Kies\External\DeviceModules\BackupRestoreLib.dll
64.     C:\[KiesInstallPath]\Kies\External\DeviceModules\CDBurnCOM.dll
65.     C:\[KiesInstallPath]\Kies\External\DeviceModules\StarburnX12.dll
66.     C:\[KiesInstallPath]\Kies\External\DeviceModules\UPNPDevice_Kies.dll
67.     C:\[KiesInstallPath]\Kies\External\TransModules\TG_Dump0708.DLL
68.     C:\[KiesInstallPath]\Kies\External\MediaModules\MP3FileInfoCOM.dll
69.     C:\[KiesInstallPath]\Kies\External\MediaModules\OGGFileInfoCOM.dll
70.     C:\[KiesInstallPath]\Kies\External\MediaModules\AStoreMarshal.dll
71.     C:\[KiesInstallPath]\Kies\External\MediaModules\MACSReaderAVI.ax
72.     C:\[KiesInstallPath]\Kies\External\MediaModules\NEDFilter4Samsung.ax
73.     C:\[KiesInstallPath]\Kies\External\SyncModules\secman.dll
74.     C:\[KiesInstallPath]\Kies\External\SyncModules\metastore2.dll
75.     C:\[KiesInstallPath]\Kies\External\SyncModules\Synchronization2.dll
76.     C:\[KiesInstallPath]\Kies\External\SyncModules\nktwab.dll
77.     C:\Windows\SysWOW64\Redemption.dll
78.     C:\[KiesInstallPath]\Kies\External\smdecryption.dll
79.     C:\[KiesInstallPath]\Kies\External\PRPlayerCore.dll
80.     C:\Windows\MusicCityDownload.exe
81.  
82. Registry:
83.     HKEY_CURRENT_USER\Software\AppDataLow\Software\MarkAny
84.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\090B0474CB502846DABF6D9B6BD86327
85.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0C0EAADEC0B0BEC47056488271833ED1
86.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\290A1BAC3852561E434EDCF37ADDC650
87.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2F51676373E2C8FAFD1C3CB5D0FC6F78
88.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\32947F291B037BB37F4C94D15C71AFCC
89.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\364651BA342348B03E7E38A50F61D602
90.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3749FA404D1387FD0883E182C92F5AB1
91.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4482C36BEE44B81F7D56DABE40984FCE
92.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5390087D56653F56BFE40693A70A5A2A
93.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\61F50ED3728E668469DD5A9B7663EEFF
94.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F5AD8238986F445D49AC9AE6A9CDD06
95.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\72798142C6A7CA8AEAFB493E6CA75C3D
96.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\90F0105370096E802C973171912E5EC9
97.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\93098AC90CB9B9D9E0B7DAF98117ABD6
98.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B0BA626160FBB7AF5AF852DC3D4E8C5C
99.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B245A3B6DB9BDEE94D368EAD00DF75C1
100.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C0153905C28C684AD92906E7C31D656A
101.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DAB70100ACFDAE9CF043224B28091403
102.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E71E9BD78DFE557AE8AD19C38A450BD8
103.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF765801CEFE877C538A6FB5CFB97515
104.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB0AD455040F4F919919F27A26A877CA
105.     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FDA9F652221F00D6C071019FF16552A4
106.     HKEY_USERS\S-1-5-21-1034364882-3164073863-2110962517-1000\Software\AppDataLow\Software\MarkAny

[jpfx]

I have kies 3 installed but none of the registry entries or files you've listed.

[Vurbal]

I have kies 3 installed but none of the registry entries or files you've listed.

-jpfx (February 14, 2014, 05:35 PM)

Sounds like you're safe then. Just make sure to watch out for any future updates in case Samsung tries to sneak it in.

[Innuendo]

I had already decided not to go with Samsung for my next phone. This news just tells me that I was right in my decision.

[ewemoa]

A couple more searches and I ran across this gem on the XDA Developers forum.

-Vurbal (February 14, 2014, 03:11 PM)

I noted that this malware was actually monitoring ALL your media files that are in some known formats (MPEG, OGG... and even JPEG images), in order to MODIFY them on the fly, storing a personnally identifiable tracking ID in them, within some obscure extension subtags permitted in these formats.

MarkAny describes this process as "watermarking". This behaves like a rootkit because once the malware is running, it then attempts to HIDE this watermark to the normal OS I/O operations, in order for these files to appears as if they were still clean of any alternation.

BUT....

This watermarking process not only has a very intrusive effect (no this is not a keylogger process, but a process that will report to some internet server in Korea all media files that contain any other watermark inserted by "MarkAny ContentSAFER" from another PC/user. The watermark is personnally identifiable because MarkAny ContentSafer is installed SILENTLY as a REQUIRED bundle with other softwares requiring an online registration (for example when installing Samsung Kies, you need to register an account at Samsung, and this registration includes this personal data which is sent SILENTLY to MarkAny to associate your generated UUID which will be stored in YOUR media files, with YOUR identity).

Wow.

[Ath]

Another approach could be like we do here: Despite the fact we have several Samsung phones and tablets, we never installed the Kies software, just let Windows install the usb-driver on first connect, required to access the memory, and install updates directly from the phone/tablet.

[Vurbal]

Another approach could be like we do here: Despite the fact we have several Samsung phones and tablets, we never installed the Kies software, just let Windows install the usb-driver on first connect, required to access the memory, and install updates directly from the phone/tablet.

-Ath (February 16, 2014, 05:49 AM)

That was my initial plan. Unfortunately Windows couldn't find a driver so I was forced to install kies if I wanted to connect to the tablet's internal storage directly.

[IainB]

I could be wrong, of course, but I can't see that this discussion has in fact so far identified any real risk/threat - it seems to be all supposition.
I would recommend great care. The link to the allegations of spyware in the Kies install is to a discussion here that levels alarmist criticism without actually proving/substantiating what is said. Even some of the comments in that thread seem to throw doubt on the validity of the alarmism.

If you wanted to contain/inhibit the "suspect" software or DLLs - just-in-case (nothing wrong with paranoia) - without disrupting anything or disabling the Kies installation, then it might be worth considering trying to do that via Windows Software Restrictions Policies.

By the way, TotalVirus and Malwarebytes do not seem to object to the software involved, but that's my copy of the installed software. Check your own software as it may be different.

[J-Mac]

I don’t think the poster at the XDA forum understands exactly what a rootkit is. This program ain't. It's not a nice program IMO, mainly because it does "watermark" your media files, and not just those downloaded from Samsung's service - at least from what I have read. MarkAny touts itself as the No. 1 DRM and watermarking company in the world, so their purpose is very clear. And if they only watermarked files downloaded from the service providing MAAgent.exe then simply don’t use that service.

It's reported that all parts of the program are removed upon normal installation. However if as the poster at XDA claims unrelated media files on your box are left with this "home-calling" watermarking, then it should be considered to be a bad program, and possibly even malware.

Jim

[Vurbal]

I could be wrong, of course, but I can't see that this discussion has in fact so far identified any real risk/threat - it seems to be all supposition.
I would recommend great care. The link to the allegations of spyware in the Kies install is to a discussion here that levels alarmist criticism without actually proving/substantiating what is said. Even some of the comments in that thread seem to throw doubt on the validity of the alarmism.

-IainB (February 16, 2014, 05:31 PM)

I would recommend you check for yourself before making proclamations like this then.

That was not the sole reference I found to MarkAny's rootkit. Actually worm might be more accurate although technically it's not entirely either. At any rate every source I found which provided any level of detail about what ContentSAFER does all indicated it silently adds code to your media files without asking for permission first or notifying you afterwards. IMO that's inherently a threat.

[Innuendo]

....silently adds code to your media files without asking for permission first or notifying you afterwards. IMO that's inherently a threat.

-Vurbal (February 17, 2014, 05:05 AM)

That's text book behavior for a virus. I don't care what the program's called or what it's supposed to do, especially if what it is doing is for the benefit of someone other than the owner of the computer.

[jpfx]

found this software on a different pc with kies installed. so one with and one without.
I have to agree with IainB post. as far as I can tell this software was used by the samsung store for DRM and also signed content so it could be played on older samsung phones/mp3 players.
it uninstalled without issue too.