Author Topic: Beware the Samsung rootkit  (Read 25765 times)

Vurbal

  • Supporting Member
  • Joined in 2012
  • Posts: 653
  • Mostly harmless
Beware the Samsung rootkit
« on: February 14, 2014, 03:11 PM »
I feel kind of bad for waiting so long to post this but better late than never I guess...

A couple of weeks ago my wife gave me a Samsung Galaxy 3 7" tablet. It didn't come with drivers and it seems Samsung only distributes them as part of their Kies transfer software, so I went ahead and downloaded/installed it, figuring I'd back up the drivers, check out the software, and then most likely uninstall it. Annoying, but not surprisingly so.

A day or two later I happened to be looking at some files in my Windows folder and noticed one called MusicCityDownload.exe, which naturally made me suspicious. A quick look at the PE headers using CFF Explorer made me even more suspicious but did at least provide me with the software vendor's name - MarkAny. A quick web search later and I figured out MarkAny is a Korean company, which pretty well gave away the fact it was installed with Kies. A couple more searches and I ran across this gem on the XDA Developers forum.

To make a long story short, don't install Kies, and if you already have it installed you should make a copy of the driver installer (located in the Kies program folder) and then immediately uninstall. The good news is Samsung's installer seems to be one of those rare ones that actually does the job right and, unlike, say, the infamous Sony rootkit, this one doesn't resist uninstallation. Also, conveniently, you can uninstall everything except the drivers.

If you need the drivers and haven't already installed Kies I'll be happy to send you the installer.

In case you want to be as thorough as possible when uninstalling, here's a list of all the information I collected during my own little investigation. It's a combination of what I found on my own and the Kies install log. I didn't dig through the registry for all the Samsung entries, so there's certainly more I'm missing. However, as I said, the uninstaller seemed to do a thorough job.

Code: Text
    Processes:
        KiesTrayAgent.exe
        DeviceDataService.exe
        ConnectionManager.exe
        DeviceManager.exe
        Kies.exe
        KiesPDLR.exe
        KiesHelper.exe
        KiesAirMessage.exe

    File System:
        C:\Users\[UserName]\AppData\Local\Temp\{A9E68544-3AA6-4AB9-9A4B-2BF631975A17}\
        C:\Users\[username]\AppData\Local\Temp\KiesTemporary\
        C:\Users\[username]\AppData\Local\Temp\MarkAny\
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UpdateClient\
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaAgent.exe
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MAAuthProc.dll
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MACLICX13.dll
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MACLicX15.dll
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MACSMANAGER.dll
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaCSMgr.exe
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaCSProHook.dll
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\mapshapi.dll
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\mapwij10.dll
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaSyncP.dll
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaWAMP.dll
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MAWebControl.exe
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaWMP.dll
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MPXBox.exe
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MtpAccess.dll
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UpdateClient\MAFileUpdate.dll
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UpdateClient\MAUpdate.exe
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UpdateClient\MAUpdateBoot.exe
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UpdateClient\MaUpdateClient.exe
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UserShare.dll
        C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\XSYNCClt.dll
        C:\Users\[username]\AppData\Local\Samsung\
        C:\Users\[username]\AppData\Local\Temp\KiesLiveupdateTemp\
        C:\Users\[username]\AppData\Local\Temp\KiesTemporary\
        C:\Users\[username]\AppData\Local\Temp\MarkAny\
        C:\Users\[username]\AppData\Local\Temp\SAMSUNG\
        C:\[KiesInstallPath]\Kies\External\FirmwareUpdate\AgentVer.txt
        C:\[KiesInstallPath]\Kies\EULAVer.txt
        C:\Users\[UserName]\AppData\Local\Temp\{A9E68544-3AA6-4AB9-9A4B-2BF631975A17}\WriteDescExecuteFileName.exe Software\Samsung\KIESSETUP Samsung Kies Installer 2.0
        C:\[KiesInstallPath]\Kies\External\DeviceModules\ConnectionManager.exe
        C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceManager.exe
        C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceDataService.exe
        C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceServiceModelDB.dll
        C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceServiceCore.dll
        C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceCommunication.dll
        C:\[KiesInstallPath]\Kies\External\DeviceModules\DCADU.dll
        C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAKOREAMITSOBEX.dll
        C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAPARAGONATOBEX.dll
        C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAPARAGONGM.dll
        C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAPARAGONOBEX.dll
        C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAWM.dll
        C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAOBEX.dll
        C:\[KiesInstallPath]\Kies\External\DeviceModules\THNRProghelp.dll
        C:\[KiesInstallPath]\Kies\External\DeviceModules\DevFileService.dll
        C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceSearch.dll
        C:\[KiesInstallPath]\Kies\External\DeviceModules\RASWraper.dll
        C:\[KiesInstallPath]\Kies\External\DeviceModules\BackupRestoreLib.dll
        C:\[KiesInstallPath]\Kies\External\DeviceModules\CDBurnCOM.dll
        C:\[KiesInstallPath]\Kies\External\DeviceModules\StarburnX12.dll
        C:\[KiesInstallPath]\Kies\External\DeviceModules\UPNPDevice_Kies.dll
        C:\[KiesInstallPath]\Kies\External\TransModules\TG_Dump0708.DLL
        C:\[KiesInstallPath]\Kies\External\MediaModules\MP3FileInfoCOM.dll
        C:\[KiesInstallPath]\Kies\External\MediaModules\OGGFileInfoCOM.dll
        C:\[KiesInstallPath]\Kies\External\MediaModules\AStoreMarshal.dll
        C:\[KiesInstallPath]\Kies\External\MediaModules\MACSReaderAVI.ax
        C:\[KiesInstallPath]\Kies\External\MediaModules\NEDFilter4Samsung.ax
        C:\[KiesInstallPath]\Kies\External\SyncModules\secman.dll
        C:\[KiesInstallPath]\Kies\External\SyncModules\metastore2.dll
        C:\[KiesInstallPath]\Kies\External\SyncModules\Synchronization2.dll
        C:\[KiesInstallPath]\Kies\External\SyncModules\nktwab.dll
        C:\Windows\SysWOW64\Redemption.dll
        C:\[KiesInstallPath]\Kies\External\smdecryption.dll
        C:\[KiesInstallPath]\Kies\External\PRPlayerCore.dll
        C:\Windows\MusicCityDownload.exe

    Registry:
        HKEY_CURRENT_USER\Software\AppDataLow\Software\MarkAny
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\090B0474CB502846DABF6D9B6BD86327
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0C0EAADEC0B0BEC47056488271833ED1
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\290A1BAC3852561E434EDCF37ADDC650
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2F51676373E2C8FAFD1C3CB5D0FC6F78
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\32947F291B037BB37F4C94D15C71AFCC
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\364651BA342348B03E7E38A50F61D602
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3749FA404D1387FD0883E182C92F5AB1
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4482C36BEE44B81F7D56DABE40984FCE
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5390087D56653F56BFE40693A70A5A2A
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\61F50ED3728E668469DD5A9B7663EEFF
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F5AD8238986F445D49AC9AE6A9CDD06
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\72798142C6A7CA8AEAFB493E6CA75C3D
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\90F0105370096E802C973171912E5EC9
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\93098AC90CB9B9D9E0B7DAF98117ABD6
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B0BA626160FBB7AF5AF852DC3D4E8C5C
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B245A3B6DB9BDEE94D368EAD00DF75C1
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C0153905C28C684AD92906E7C31D656A
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DAB70100ACFDAE9CF043224B28091403
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E71E9BD78DFE557AE8AD19C38A450BD8
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF765801CEFE877C538A6FB5CFB97515
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB0AD455040F4F919919F27A26A877CA
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FDA9F652221F00D6C071019FF16552A4
        HKEY_USERS\S-1-5-21-1034364882-3164073863-2110962517-1000\Software\AppDataLow\Software\MarkAny
I learned to say the pledge of allegiance
Before they beat me bloody down at the station
They haven't got a word out of me since
I got a billion years probation
- The MC5

Follow the path of the unsafe, independent thinker. Expose your ideas to the danger of controversy. Speak your mind and fear less the label of "crackpot" than the stigma of conformity.
- Thomas J. Watson, Sr

It's not rocket surgery.
- Me


I recommend reading through my Bio before responding to any of my posts. It could save both of us a lot of time and frustration.
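A read-only check for the artifacts listed in the post above, added here as an example (it is not code from the thread, from Samsung or from MarkAny). It assumes Kies was installed under Program Files (x86)\Samsung, which the post leaves as [KiesInstallPath], and it only reports what it finds; it removes nothing.

```powershell
# Added example, not code from the thread: report which of the Kies / MarkAny
# artifacts listed in the post are present on this machine. Read-only.
# Assumption: Kies sits under "$env:ProgramFiles(x86)\Samsung" (the post's [KiesInstallPath]).
param(
    [string]$KiesInstallPath = "${env:ProgramFiles(x86)}\Samsung"
)

# Process names from the post (Get-Process takes the name without ".exe").
$processNames = @(
    'KiesTrayAgent', 'DeviceDataService', 'ConnectionManager', 'DeviceManager',
    'Kies', 'KiesPDLR', 'KiesHelper', 'KiesAirMessage'
)

# A representative subset of the file-system entries from the post, placeholders expanded.
$filePaths = @(
    "$env:LOCALAPPDATA\Temp\MarkAny",
    "$env:LOCALAPPDATA\Temp\MarkAny\ContentSafer\MaAgent.exe",
    "$env:LOCALAPPDATA\Temp\MarkAny\ContentSafer\UpdateClient\MAUpdate.exe",
    "$env:LOCALAPPDATA\Temp\KiesTemporary",
    "$env:LOCALAPPDATA\Samsung",
    "$env:SystemRoot\MusicCityDownload.exe",
    "$env:SystemRoot\SysWOW64\Redemption.dll",
    "$KiesInstallPath\Kies\External\DeviceModules\ConnectionManager.exe"
)

$findings = @()

foreach ($name in $processNames) {
    $procs = @(Get-Process -Name $name -ErrorAction SilentlyContinue)
    if ($procs.Count -gt 0) {
        $findings += [pscustomobject]@{
            Type = 'Process'; Item = "$name.exe"; Detail = 'PID ' + ($procs.Id -join ', ')
        }
    }
}

foreach ($path in $filePaths) {
    if (Test-Path -LiteralPath $path) {
        $findings += [pscustomobject]@{ Type = 'File'; Item = $path; Detail = 'present' }
    }
}

# The MarkAny key for the current user, plus the same key under every loaded
# HKEY_USERS hive (the post lists it under one specific SID; this checks them all).
$markAnyKeys = @('HKCU:\Software\AppDataLow\Software\MarkAny')
foreach ($hive in @(Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue)) {
    $markAnyKeys += "Registry::HKEY_USERS\$($hive.PSChildName)\Software\AppDataLow\Software\MarkAny"
}
foreach ($key in $markAnyKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += [pscustomobject]@{ Type = 'Registry'; Item = $key; Detail = 'present' }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the listed Kies / MarkAny artifacts were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

The per-SID registry keys and the Windows Installer component entries from the post are machine-specific, so they are deliberately not hard-coded here; run the script as an administrator if you want it to see other users' hives.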

jpfx

  • Charter Member
  • Joined in 2005
  • Posts: 155
Re: Beware the Samsung rootkit
« Reply #1 on: February 14, 2014, 05:35 PM »
I have Kies 3 installed but none of the registry entries or files you've listed.
       |\      _,,,---,,_         
ZZZzzz /,`.-'`'    -.  ;-;;, 
      |,4-  ) )-,_. ,\ (  `'-'    
     '---''(_/--'  `-'\_)

Vurbal

  • Supporting Member
  • Joined in 2012
  • Posts: 653
  • Mostly harmless
Re: Beware the Samsung rootkit
« Reply #2 on: February 14, 2014, 07:26 PM »
> I have Kies 3 installed but none of the registry entries or files you've listed.

Sounds like you're safe then. Just make sure to watch out for any future updates in case Samsung tries to sneak it in.

Innuendo

  • Charter Member
  • Joined in 2005
  • Posts: 2,266
Re: Beware the Samsung rootkit
« Reply #3 on: February 15, 2014, 10:46 AM »
I had already decided not to go with Samsung for my next phone. This news just tells me that I was right in my decision.

ewemoa

  • Honorary Member
  • Joined in 2008
  • Posts: 2,922
Re: Beware the Samsung rootkit
« Reply #4 on: February 15, 2014, 06:28 PM »
> A couple more searches and I ran across this gem on the XDA Developers forum.

I noted that this malware was actually monitoring ALL your media files that are in some known formats (MPEG, OGG... and even JPEG images), in order to MODIFY them on the fly, storing a personally identifiable tracking ID in them, within some obscure extension subtags permitted in these formats.

MarkAny describes this process as "watermarking". This behaves like a rootkit because once the malware is running, it then attempts to HIDE this watermark from the normal OS I/O operations, in order for these files to appear as if they were still clean of any alteration.

BUT....

This watermarking process not only has a very intrusive effect (no, this is not a keylogger process, but a process that will report to some internet server in Korea all media files that contain any other watermark inserted by "MarkAny ContentSAFER" from another PC/user). The watermark is personally identifiable because MarkAny ContentSafer is installed SILENTLY as a REQUIRED bundle with other software requiring an online registration (for example when installing Samsung Kies, you need to register an account at Samsung, and this registration includes this personal data, which is sent SILENTLY to MarkAny to associate your generated UUID, which will be stored in YOUR media files, with YOUR identity).

Wow.

Ath

  • Supporting Member
  • Joined in 2006
  • Posts: 3,627
Re: Beware the Samsung rootkit
« Reply #5 on: February 16, 2014, 05:49 AM »
Another approach could be like we do here: despite the fact we have several Samsung phones and tablets, we never installed the Kies software, just let Windows install the USB driver on first connect, required to access the memory, and install updates directly from the phone/tablet. :up:

Vurbal

  • Supporting Member
  • Joined in 2012
  • Posts: 653
  • Mostly harmless
Re: Beware the Samsung rootkit
« Reply #6 on: February 16, 2014, 12:23 PM »
> Another approach could be like we do here: despite the fact we have several Samsung phones and tablets, we never installed the Kies software, just let Windows install the USB driver on first connect, required to access the memory, and install updates directly from the phone/tablet. :up:

That was my initial plan. Unfortunately Windows couldn't find a driver, so I was forced to install Kies if I wanted to connect to the tablet's internal storage directly.
« Last Edit: February 16, 2014, 12:33 PM by Vurbal »

IainB

  • Supporting Member
  • Joined in 2008
  • Posts: 7,543
  • @Slartibartfarst
Re: Beware the Samsung rootkit
« Reply #7 on: February 16, 2014, 05:31 PM »
I could be wrong, of course, but I can't see that this discussion has in fact so far identified any real risk/threat - it seems to be all supposition.
I would recommend great care. The link to the allegations of spyware in the Kies install is to a discussion here that levels alarmist criticism without actually proving/substantiating what is said. Even some of the comments in that thread seem to throw doubt on the validity of the alarmism.

If you wanted to contain/inhibit the "suspect" software or DLLs - just-in-case (nothing wrong with paranoia) - without disrupting anything or disabling the Kies installation, then it might be worth considering trying to do that via Windows Software Restrictions Policies.

By the way, VirusTotal and Malwarebytes do not seem to object to the software involved, but that's my copy of the installed software. Check your own software, as it may be different.

J-Mac

  • Supporting Member
  • Joined in 2007
  • Posts: 2,918
Re: Beware the Samsung rootkit
« Reply #8 on: February 16, 2014, 09:28 PM »
I don’t think the poster at the XDA forum understands exactly what a rootkit is. This program ain't. It's not a nice program IMO, mainly because it does "watermark" your media files, and not just those downloaded from Samsung's service - at least from what I have read. MarkAny touts itself as the No. 1 DRM and watermarking company in the world, so their purpose is very clear. And if they only watermarked files downloaded from the service providing MAAgent.exe then simply don’t use that service.

It's reported that all parts of the program are removed upon normal installation. However if as the poster at XDA claims unrelated media files on your box are left with this "home-calling" watermarking, then it should be considered to be a bad program, and possibly even malware.

Jim

Vurbal

  • Supporting Member
  • Joined in 2012
  • Posts: 653
  • Mostly harmless
Re: Beware the Samsung rootkit
« Reply #9 on: February 17, 2014, 05:05 AM »
> I could be wrong, of course, but I can't see that this discussion has in fact so far identified any real risk/threat - it seems to be all supposition.
> I would recommend great care. The link to the allegations of spyware in the Kies install is to a discussion here that levels alarmist criticism without actually proving/substantiating what is said. Even some of the comments in that thread seem to throw doubt on the validity of the alarmism.

I would recommend you check for yourself before making proclamations like this then.

That was not the sole reference I found to MarkAny's rootkit. Actually, worm might be more accurate, although technically it's not entirely either. At any rate, every source I found which provided any level of detail about what ContentSAFER does indicated it silently adds code to your media files without asking for permission first or notifying you afterwards. IMO that's inherently a threat.

Innuendo

  • Charter Member
  • Joined in 2005
  • Posts: 2,266
Re: Beware the Samsung rootkit
« Reply #10 on: February 17, 2014, 07:24 AM »
> ...silently adds code to your media files without asking for permission first or notifying you afterwards. IMO that's inherently a threat.

That's textbook behavior for a virus. I don't care what the program's called or what it's supposed to do, especially if what it is doing is for the benefit of someone other than the owner of the computer.

jpfx

  • Charter Member
  • Joined in 2005
  • Posts: 155
Re: Beware the Samsung rootkit
« Reply #11 on: February 18, 2014, 09:50 AM »
Found this software on a different PC with Kies installed. So one with and one without.
I have to agree with IainB's post. As far as I can tell this software was used by the Samsung store for DRM and also signed content so it could be played on older Samsung phones/MP3 players.
It uninstalled without issue too.
« Last Edit: February 18, 2014, 09:57 AM by jpfx, Reason: clarify »