CrunchyViewer.exe #489

Closed
erengy opened this Issue Nov 4, 2017 · 20 comments

erengy (Owner) commented Nov 4, 2017

What happened?

Crunchyroll's website was hijacked, displaying a page with the following fake announcement:

A New Beginning, A New Media Player…
Crunchyroll Viewer
Stream your favorites animes in full 4k HD from anywhere! Support lasts crunchyroll features, inbuilt microtransactions management. Get your FREE trial now !

Unsuspecting users downloaded and executed a file named CrunchyViewer.exe, which was a malicious program.

Crunchyroll restored their website to normal, and published a blog post regarding the details of the attack.

What is the connection with Taiga?

Simply put, CrunchyViewer.exe is a modified version of Taiga, bundled with a virus. The people behind this incident took the source code of Taiga and renamed some instances of "Taiga" to "Crunchyroll" or "crunchyroll viewers". They didn't bother with changing them all, or distributing the application along with its data files. I imagine that they wanted to make it look like a legitimate application, with minimal effort.

Am I infected?

If you downloaded CrunchyViewer.exe and ran it on your Windows machine, then your system is likely infected. Otherwise, you should be safe.

How can I clean my system?

  1. Run regedit, go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete the registry value named Java.
  2. Open %AppData% directory (e.g. C:\Users\YOUR_USERNAME\AppData\Roaming\) and delete the file named svchost.exe.

If you don't know how, Bleeping Computer has a guide with pictures, describing these steps.

You may also want to block 145.239.41.131:6969.

Note that following these instructions may not suffice, so you should take other precautions such as scanning your computer with Malwarebytes.

See Hybrid Analysis and Blaze's Security Blog for technical details.
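A PowerShell version of the two cleanup steps above, extended with the process termination and the 145.239.41.131:6969 connection check that come up later in this thread. This is an added example, not code from this issue or from Taiga's crunchyfix branch; it assumes the indicators exactly as given here and that it runs in the affected user's own session, where no elevation is needed because the Run key lives under HKCU.

```powershell
# Added example, not code from this issue or from Taiga's crunchyfix branch.
# Indicator values are taken verbatim from the issue text above. Everything
# it touches is user-owned (HKCU Run value, %AppData% file, user-mode
# process), so run it as the affected user; no elevation is required.
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'Java'
$dropped   = Join-Path $env:APPDATA 'svchost.exe'
$c2Address = '145.239.41.131'   # the address/port pair the issue says to block
$c2Port    = 6969
$found     = @()

# 1. Persistence: the Run value named "Java". Its data is recorded before
#    removal so the report shows what the entry actually launched.
$run = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($run) {
    $found += "Run value '$valueName' = $($run.$valueName)"
    Remove-ItemProperty -Path $runKey -Name $valueName -ErrorAction Stop
}

# 2. Running copy. The dropped file borrows the name of the real
#    System32\svchost.exe, so match on the full %AppData% path, never on
#    the process name alone. ExecutablePath is $null for processes this
#    user cannot inspect, which are exactly the system instances to skip.
$running = Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" |
    Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -ieq $dropped) }
foreach ($p in $running) {
    $found += "Process PID $($p.ProcessId) running from $dropped"
    Stop-Process -Id $p.ProcessId -Force
}

# 3. The dropped binary itself (after the process is gone, so the delete
#    is not blocked by an open image handle).
if (Test-Path -LiteralPath $dropped) {
    $found += "File $dropped"
    Remove-Item -LiteralPath $dropped -Force
}

# 4. Any live TCP session to the address the issue recommends blocking.
#    This is reported only; blocking belongs in the firewall, not here.
$sessions = Get-NetTCPConnection -RemoteAddress $c2Address -RemotePort $c2Port -ErrorAction SilentlyContinue
foreach ($s in $sessions) {
    $found += "TCP session to ${c2Address}:$c2Port from PID $($s.OwningProcess)"
}

if ($found.Count -eq 0) { 'No CrunchyViewer indicators found for this user.' }
else { $found | ForEach-Object { "Indicator handled: $_" } }
```

As bartblaze notes further down, this covers the persistence and the binary but not any second-stage payload that might have been fetched separately, so a full scan afterwards is still advisable.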

bela333 commented Nov 4, 2017

Is it possible to set up some sort of tracking, so we know how "popular" the malicious version of this software is?
It seems like it GETs "taiga.moe/update/update_beta.xml" with the User Agent "Crunchyroll/1.3" whenever it starts up.

erengy (Owner) commented Nov 4, 2017

My server logs indicate that there are currently 3000+ IP addresses using Crunchyroll/1.3 as their user-agent string.

Azraelle commented Nov 4, 2017

So I tried that new fork. It works pretty nice, snatches stuff directly from cr based on my mal preferences. And it even mines bitcoins for me! Really nice piece of software. Switching now.

Sunconure11 commented Nov 4, 2017

These are the IPs and ports associated with it:

145.239.41.131:6969

104.131.84.31:80

151.101.0.133:443


erengy (Owner) commented Nov 4, 2017

I'm thinking if it'd be possible for me to release a targeted update to all infected machines, using Taiga's auto-update mechanism.

Is there anyone who can give me clear instructions on how to completely get rid of the malware? I'm not sure if simply deleting a registry key and an executable file suffices, and I don't have a testing environment at the moment.

At the very least, I might be able to release a pseudo-update to infected machines to inform the users about the incident and direct them to some useful web page.


agrecascino commented Nov 4, 2017

https://github.com/agrecascino/CRCleaner
Deploy this maybe?

erengy added a commit that referenced this issue Nov 4, 2017

Add fix for CrunchyViewer
See #489 for more information.
erengy (Owner) commented Nov 4, 2017

@bartblaze has informed me that deleting the registry value and the executable file is indeed sufficient. I've gone ahead and created a new branch called crunchyfix. If anyone would like to test it, you may download it from here.

@agrecascino It seems that our code is quite similar. Is it necessary for the application to be run as administrator?

agrecascino commented Nov 4, 2017

You could remove the check and test.
I'm not sure how Windows registry operations work.

agrecascino commented Nov 4, 2017

It also kills the process if it's still running, and I'm not sure if that works without admin.

bartblaze commented Nov 4, 2017

Since the registry key is in HKCU, administrator permission is not needed. Same goes for the process, as it runs in user-mode.

And, while indeed removing the registry key and the binary is sufficient, I can't speak for any second-stage payload that may have been downloaded in the early stage of the attack; however, when I investigated shortly after, I didn't observe any secondary malware.

Hope this helps, and thanks to @erengy for including a fix!

erengy (Owner) commented Nov 4, 2017

@agrecascino I did test on two separate machines. The application was able to delete the registry value, terminate the process, and delete the executable file, all without being elevated. I was just wondering if it might behave differently on different systems, as I'm not that familiar with how permissions work.

agrecascino commented Nov 4, 2017

@erengy awesome, this can be automagically deployed?

erengy (Owner) commented Nov 4, 2017

I've now deployed an update that specifically targets infected machines. It displays this message to the user (let me know if you think that the wording can be improved):

IMPORTANT NOTICE: Crunchyroll's website was hacked. Unfortunately, you downloaded a file named "CrunchyViewer.exe" from there, which is in fact a virus.

If you press the Download button, this application will download an update that will try to clean your system automatically.

Otherwise, you may try to do it manually by following the instructions at this page: (link)

It should work, but I'd really appreciate it if someone with an infected VM could confirm.

agrecascino commented Nov 5, 2017

@erengy Can confirm it works.

Atario commented Nov 5, 2017

@erengy, you are awesome.

sachaw commented Nov 5, 2017

Way to save Crunchyroll's ass for them @erengy
Would be interesting to dig through all forks and work out who the culprit is (only if they did fork it).

wopian (Contributor) commented Nov 5, 2017

Why would they have forked it? Easier to just clone it and make changes locally, leaving no traces (or even an account) behind.

sachaw commented Nov 6, 2017

Look at things like this in the past; it's surprising how stupid people are.

erengy (Owner) commented Dec 24, 2017

It's been over a month since the incident, so I think we can consider this issue closed. For those who'd like to learn more, I've written a detailed blog post to share the events from my point of view.

@erengy erengy closed this Dec 24, 2017
