

Beware the Samsung rootkit


Vurbal:
I feel kind of bad for waiting so long to post this but better late than never I guess...

A couple weeks ago my wife gave me a Samsung Galaxy 3 7" tablet. It didn't come with drivers and it seems Samsung only distributes them as part of their Kies transfer software, so I went ahead and downloaded/installed it figuring I'd back up the drivers, check out the software, and then most likely uninstall it. Annoying, but not surprisingly so.

A day or 2 later I happened to be looking at some files in my Windows folder and noticed one called MusicCityDownload.exe, which naturally made me suspicious. A quick look at the PE headers using CFF Explorer made me even more suspicious but did at least provide me with the software vendor's name - MarkAny. A quick web search later and I figured out MarkAny is a Korean company, which pretty well gave away the fact it was installed with Kies. A couple more searches and I ran across this gem on the XDA Developers forum.

To make a long story short, don't install Kies, and if you already have it installed you should make a copy of the driver installer (located in the Kies program folder) and then immediately uninstall. The good news is Samsung's installer seems to be one of those rare ones that actually does the job right and, unlike, say, the infamous Sony rootkit, this one doesn't resist uninstallation. Also, conveniently, you can uninstall everything except the drivers.

If you need the drivers and haven't already installed Kies I'll be happy to send you the installer.

In case you want to be as thorough as possible when uninstalling here's a list of all the information I collected during my own little investigation. It's a combination of what I found on my own and the Kies install log. I didn't dig through the registry for all the Samsung entries so there's certainly more I'm missing. However, as I said, the uninstaller seemed to do a thorough job.


--- Code: Text ---
Processes:
    KiesTrayAgent.exe
    DeviceDataService.exe
    ConnectionManager.exe
    DeviceManager.exe
    Kies.exe
    KiesPDLR.exe
    KiesHelper.exe
    KiesAirMessage.exe

File System:
    C:\Users\[UserName]\AppData\Local\Temp\{A9E68544-3AA6-4AB9-9A4B-2BF631975A17}\
    C:\Users\[username]\AppData\Local\Temp\KiesTemporary\
    C:\Users\[username]\AppData\Local\Temp\MarkAny\
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UpdateClient\
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaAgent.exe
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MAAuthProc.dll
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MACLICX13.dll
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MACLicX15.dll
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MACSMANAGER.dll
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaCSMgr.exe
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaCSProHook.dll
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\mapshapi.dll
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\mapwij10.dll
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaSyncP.dll
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaWAMP.dll
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MAWebControl.exe
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaWMP.dll
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MPXBox.exe
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MtpAccess.dll
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UpdateClient\MAFileUpdate.dll
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UpdateClient\MAUpdate.exe
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UpdateClient\MAUpdateBoot.exe
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UpdateClient\MaUpdateClient.exe
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\UserShare.dll
    C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\XSYNCClt.dll
    C:\Users\[username]\AppData\Local\Samsung\
    C:\Users\[username]\AppData\Local\Temp\KiesLiveupdateTemp\
    C:\Users\[username]\AppData\Local\Temp\KiesTemporary\
    C:\Users\[username]\AppData\Local\Temp\MarkAny\
    C:\Users\[username]\AppData\Local\Temp\SAMSUNG\
    C:\[KiesInstallPath]\Kies\External\FirmwareUpdate\AgentVer.txt
    C:\[KiesInstallPath]\Kies\EULAVer.txt
    C:\Users\[UserName]\AppData\Local\Temp\{A9E68544-3AA6-4AB9-9A4B-2BF631975A17}\WriteDescExecuteFileName.exe Software\Samsung\KIESSETUP Samsung Kies Installer 2.0
    C:\[KiesInstallPath]\Kies\External\DeviceModules\ConnectionManager.exe
    C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceManager.exe
    C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceDataService.exe
    C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceServiceModelDB.dll
    C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceServiceCore.dll
    C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceCommunication.dll
    C:\[KiesInstallPath]\Kies\External\DeviceModules\DCADU.dll
    C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAKOREAMITSOBEX.dll
    C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAPARAGONATOBEX.dll
    C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAPARAGONGM.dll
    C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAPARAGONOBEX.dll
    C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAWM.dll
    C:\[KiesInstallPath]\Kies\External\DeviceModules\DCAOBEX.dll
    C:\[KiesInstallPath]\Kies\External\DeviceModules\THNRProghelp.dll
    C:\[KiesInstallPath]\Kies\External\DeviceModules\DevFileService.dll
    C:\[KiesInstallPath]\Kies\External\DeviceModules\DeviceSearch.dll
    C:\[KiesInstallPath]\Kies\External\DeviceModules\RASWraper.dll
    C:\[KiesInstallPath]\Kies\External\DeviceModules\BackupRestoreLib.dll
    C:\[KiesInstallPath]\Kies\External\DeviceModules\CDBurnCOM.dll
    C:\[KiesInstallPath]\Kies\External\DeviceModules\StarburnX12.dll
    C:\[KiesInstallPath]\Kies\External\DeviceModules\UPNPDevice_Kies.dll
    C:\[KiesInstallPath]\Kies\External\TransModules\TG_Dump0708.DLL
    C:\[KiesInstallPath]\Kies\External\MediaModules\MP3FileInfoCOM.dll
    C:\[KiesInstallPath]\Kies\External\MediaModules\OGGFileInfoCOM.dll
    C:\[KiesInstallPath]\Kies\External\MediaModules\AStoreMarshal.dll
    C:\[KiesInstallPath]\Kies\External\MediaModules\MACSReaderAVI.ax
    C:\[KiesInstallPath]\Kies\External\MediaModules\NEDFilter4Samsung.ax
    C:\[KiesInstallPath]\Kies\External\SyncModules\secman.dll
    C:\[KiesInstallPath]\Kies\External\SyncModules\metastore2.dll
    C:\[KiesInstallPath]\Kies\External\SyncModules\Synchronization2.dll
    C:\[KiesInstallPath]\Kies\External\SyncModules\nktwab.dll
    C:\Windows\SysWOW64\Redemption.dll
    C:\[KiesInstallPath]\Kies\External\smdecryption.dll
    C:\[KiesInstallPath]\Kies\External\PRPlayerCore.dll
    C:\Windows\MusicCityDownload.exe

Registry:
    HKEY_CURRENT_USER\Software\AppDataLow\Software\MarkAny
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\090B0474CB502846DABF6D9B6BD86327
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0C0EAADEC0B0BEC47056488271833ED1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\290A1BAC3852561E434EDCF37ADDC650
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2F51676373E2C8FAFD1C3CB5D0FC6F78
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\32947F291B037BB37F4C94D15C71AFCC
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\364651BA342348B03E7E38A50F61D602
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3749FA404D1387FD0883E182C92F5AB1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\4482C36BEE44B81F7D56DABE40984FCE
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\5390087D56653F56BFE40693A70A5A2A
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\61F50ED3728E668469DD5A9B7663EEFF
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F5AD8238986F445D49AC9AE6A9CDD06
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\72798142C6A7CA8AEAFB493E6CA75C3D
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\90F0105370096E802C973171912E5EC9
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\93098AC90CB9B9D9E0B7DAF98117ABD6
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B0BA626160FBB7AF5AF852DC3D4E8C5C
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B245A3B6DB9BDEE94D368EAD00DF75C1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C0153905C28C684AD92906E7C31D656A
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DAB70100ACFDAE9CF043224B28091403
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E71E9BD78DFE557AE8AD19C38A450BD8
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\EF765801CEFE877C538A6FB5CFB97515
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FB0AD455040F4F919919F27A26A877CA
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\FDA9F652221F00D6C071019FF16552A4
    HKEY_USERS\S-1-5-21-1034364882-3164073863-2110962517-1000\Software\AppDataLow\Software\MarkAny
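Added example (not code from the thread, from Samsung or from MarkAny): a small Python audit script that takes an excerpt of the inventory above, expands the `[username]` and `[KiesInstallPath]` placeholders, and reports which artifacts are still present after an uninstall. The default install directory `Program Files (x86)\Samsung` and the Windows-only probes (winreg, tasklist) are assumptions; the audit itself takes the probes as arguments, so it can be exercised on any platform with constructed inputs.

```python
import os
import re
import subprocess
from typing import Callable, Dict, List

# Constructed excerpt of the inventory posted above; placeholders kept exactly as posted.
INVENTORY: Dict[str, List[str]] = {
    "Processes": ["KiesTrayAgent.exe", "KiesHelper.exe"],
    "File System": [
        r"C:\Windows\MusicCityDownload.exe",
        r"C:\Users\[username]\AppData\Local\Temp\MarkAny\ContentSafer\MaCSProHook.dll",
        r"C:\[KiesInstallPath]\Kies\External\smdecryption.dll",
    ],
    "Registry": [r"HKEY_CURRENT_USER\Software\AppDataLow\Software\MarkAny"],
}
KIES_DIR = r"Program Files (x86)\Samsung"   # assumed default; adjust if Kies went elsewhere

def expand(path: str, username: str, kies_dir: str = KIES_DIR) -> str:
    """Resolve the [username]/[UserName] (case-insensitive) and [KiesInstallPath] placeholders."""
    path = re.sub(r"\[username\]", username, path, flags=re.IGNORECASE)
    return path.replace("[KiesInstallPath]", kies_dir)

def audit(inventory: Dict[str, List[str]], username: str,
          checks: Dict[str, Callable[[str], bool]]) -> Dict[str, List[str]]:
    """Return {section: [artifact, ...]} for every artifact its section's probe reports present."""
    found: Dict[str, List[str]] = {}
    for section, items in inventory.items():
        check = checks.get(section, lambda _: False)   # sections without a probe never match
        hits = [a for a in (expand(i, username) for i in items) if check(a)]
        if hits:
            found[section] = hits
    return found

def regkey_exists(key: str) -> bool:     # Windows only: open the key read-only via winreg
    import winreg
    root, _, sub = key.partition("\\")
    try:
        winreg.CloseKey(winreg.OpenKey(getattr(winreg, root), sub))
        return True
    except OSError:
        return False

def process_running(name: str) -> bool:  # Windows only: filter tasklist by image name
    out = subprocess.run(["tasklist", "/FI", f"IMAGENAME eq {name}"], capture_output=True, text=True)
    return name.lower() in out.stdout.lower()

if __name__ == "__main__":
    checks = {"Processes": process_running, "File System": os.path.exists, "Registry": regkey_exists}
    for section, hits in audit(INVENTORY, os.getlogin(), checks).items():
        print(section + ":", *hits, sep="\n  ")
```

Run it as the user who installed Kies, since the `[username]` and HKEY_CURRENT_USER entries are per-profile; an empty report means none of the excerpted artifacts survived.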

jpfx:
I have kies 3 installed but none of the registry entries or files you've listed.

Vurbal:
I have kies 3 installed but none of the registry entries or files you've listed.
-jpfx (February 14, 2014, 05:35 PM)
--- End quote ---

Sounds like you're safe then. Just make sure to watch out for any future updates in case Samsung tries to sneak it in.

Innuendo:
I had already decided not to go with Samsung for my next phone. This news just tells me that I was right in my decision.

ewemoa:
A couple more searches and I ran across this gem on the XDA Developers forum.
-Vurbal (February 14, 2014, 03:11 PM)
--- End quote ---

I noted that this malware was actually monitoring ALL your media files that are in some known formats (MPEG, OGG... and even JPEG images), in order to MODIFY them on the fly, storing a personally identifiable tracking ID in them, within some obscure extension subtags permitted in these formats.

MarkAny describes this process as "watermarking". This behaves like a rootkit because once the malware is running, it then attempts to HIDE this watermark from the normal OS I/O operations, in order for these files to appear as if they were still clean of any alteration.

BUT....

This watermarking process not only has a very intrusive effect (no, this is not a keylogger process, but a process that will report to some internet server in Korea all media files that contain any other watermark inserted by "MarkAny ContentSAFER" from another PC/user). The watermark is personally identifiable because MarkAny ContentSafer is installed SILENTLY as a REQUIRED bundle with other software requiring an online registration (for example, when installing Samsung Kies, you need to register an account at Samsung, and this registration includes this personal data which is sent SILENTLY to MarkAny to associate your generated UUID, which will be stored in YOUR media files, with YOUR identity).

--- End quote ---

Wow.
