BitGuard

From aldeid

Description

What is BitGuard?

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

File information

BitGuard.exe
  SHA256: 9d5fb2bac4bd9c579c5be6ef12ee916b2f029d49ab42a312a0007ee636d414bd
  SHA1: a565b44a687c8e7050692c9249d56eb7711945b4
  MD5: 7f8becfb26f2655e281406c6c341f416
  File size: 2.9 MB (3029472 bytes)
  File type: Win32 EXE

BitGuard.dll
  SHA256: b3b132f86ebfe6976a483917caa93d467255418142f9b545e40149a1422eec00
  SHA1: ba760a4e1e5afcd66160648e99fc57ec3c01443a
  MD5: 4708cbd3a820f48fa5e390c9211971b5
  File size: 2.6 MB (2700768 bytes)
  File type: Win32 DLL

An archive containing these two files can be downloaded here (password: infected).

Detection

Antivirus detection

BitGuard.exe
Virustotal: https://www.virustotal.com/en/file/9d5fb2bac4bd9c579c5be6ef12ee916b2f029d49ab42a312a0007ee636d414bd/analysis/1380002372/
Detection ratio: 15 / 48 (2013-09-24)
Antivirus              Result                                     Update
AntiVir                APPL/BProtector.Gen                        20130923
Avast                  Win32:BProtect-A [PUP]                     20130923
AVG                    Bprotect.C                                 20130922
Comodo                 Application.Win32.Agent.~N                 20130923
ESET-NOD32             a variant of Win32/bProtector.A            20130924
GData                  Win32.Application.BHO.A                    20130923
K7AntiVirus            Unwanted-Program                           20130920
K7GW                   Unwanted-Program                           20130920
Kaspersky              HEUR:Trojan.Win32.Generic                  20130923
Malwarebytes           PUP.Optional.PerformerSoft.A               20130923
McAfee                 Artemis!7F8BECFB26F2                       20130924
McAfee-GW-Edition      Artemis!7F8BECFB26F2                       20130924
Sophos                 BProtector                                 20130924
TrendMicro-HouseCall   TROJ_GEN.F47V0913                          20130923
VIPRE                  InstallBrain (fs)                          20130923

BitGuard.dll
Virustotal: https://www.virustotal.com/en/file/b3b132f86ebfe6976a483917caa93d467255418142f9b545e40149a1422eec00/analysis/1380002373/
Detection ratio: 18 / 48 (2013-09-24)
Antivirus              Result                                     Update
AntiVir                APPL/BProtector.Gen                        20130923
Avast                  Win32:BProtect-A [PUP]                     20130923
AVG                    Bprotect.C                                 20130922
BitDefender            Gen:Variant.Adware.BHO.Bprotector.1        20130923
DrWeb                  Adware.BGuard.28                           20130923
Emsisoft               Gen:Variant.Adware.BHO.Bprotector.1 (B)    20130923
ESET-NOD32             a variant of Win32/bProtector.A            20130924
F-Secure               Gen:Variant.Adware.BHO.Bprotector.1        20130923
Fortinet               Adware/Fam.NB                              20130923
GData                  Gen:Variant.Adware.BHO.Bprotector.1        20130923
Kaspersky              HEUR:Trojan.Win32.Generic                  20130923
Malwarebytes           PUP.Optional.PerformerSoft.A               20130923
McAfee                 Artemis!4708CBD3A820                       20130924
McAfee-GW-Edition      Artemis!4708CBD3A820                       20130924
MicroWorld-eScan       Gen:Variant.Adware.BHO.Bprotector.1        20130924
Sophos                 BProtector                                 20130924
TrendMicro-HouseCall   TROJ_GEN.F47V0913                          20130923
VIPRE                  InstallBrain (fs)                          20130923

Network indicators

None

Host based indicators

Services

The Volatility svcscan plugin confirms that a BitGuard service is installed and running on the infected machine:

$ python vol.py -f /data/tmp/img.mdd svcscan
Volatile Systems Volatility Framework 2.3_beta
[SNIP]
Offset: 0x913130
Order: 34
Process ID: 1596
Service Name: BitGuard
Display Name: BitGuard
Service Type: SERVICE_WIN32_SHARE_PROCESS
Service State: SERVICE_RUNNING
Binary Path: D:\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\BitGuard.exe

The pstree plugin also confirms that the service process is running:

$ python vol.py -f /data/tmp/img.mdd pstree
Volatile Systems Volatility Framework 2.3_beta
Name                               Pid   PPid   Thds   Hnds Time
-------------------------------- ------ ------ ------ ------ ----
[SNIP]
 0x8a5d4830:System                   4      0    116   1635 1970-01-01 00:00:00 UTC+0000
. 0x886de020:smss.exe             1524      4      3     19 2013-09-23 07:13:23 UTC+0000
.. 0x891bd670:winlogon.exe        1672   1524     24    651 2013-09-23 07:13:28 UTC+0000
... 0x88892498:services.exe       1716   1672     16    521 2013-09-23 07:13:29 UTC+0000
.... 0x8916dda0:BitGuard.exe      1596   1716      3     71 2013-09-23 07:13:57 UTC+0000
..... 0x88e757a8:BitGuard.exe     4676   1596     18    341 2013-09-23 07:15:14 UTC+
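As an added example (this is my code, not part of the aldeid page), the following Python correlates the two plugin outputs above: it parses svcscan records and pstree lines, ties the BitGuard service to its process, parent and child processes, and flags a service binary that lives under All Users\Application Data. The sample input is constructed from the Volatility output shown above, and the function names are my own.

```python
import re

# Constructed sample input: the Volatility 2.3 svcscan and pstree records from this page, trimmed to the BitGuard-related lines.
SVCSCAN = """\
Process ID: 1596
Service Name: BitGuard
Service State: SERVICE_RUNNING
Binary Path: D:\\documents and Settings\\All Users\\Application Data\\BitGuard\\2.6.1673.238\\{16cdff19-861d-48e3-a751-d99a27784753}\\BitGuard.exe
"""
PSTREE = """\
... 0x88892498:services.exe       1716   1672     16    521 2013-09-23 07:13:29 UTC+0000
.... 0x8916dda0:BitGuard.exe      1596   1716      3     71 2013-09-23 07:13:57 UTC+0000
..... 0x88e757a8:BitGuard.exe     4676   1596     18    341 2013-09-23 07:15:14 UTC+0000
"""
# pstree columns we need: depth dots, offset:name, pid, ppid (threads, handles and time are ignored).
PSTREE_LINE = re.compile(r"^\.*\s*0x[0-9a-fA-F]+:(\S+)\s+(\d+)\s+(\d+)")

def parse_svcscan(text):
    """One dict per service record; svcscan separates records with blank lines."""
    services = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(ln.split(": ", 1) for ln in block.splitlines() if ": " in ln)
        if "Service Name" in rec:
            services.append(rec)
    return services

def parse_pstree(text):
    """Map pid -> {name, ppid} from pstree output."""
    procs = {}
    for m in filter(None, map(PSTREE_LINE.match, text.splitlines())):
        procs[int(m.group(2))] = {"name": m.group(1), "ppid": int(m.group(3))}
    return procs

def correlate_service(services, procs, service_name):
    """Tie a service to its process, parent and children as pstree sees them."""
    svc = next((s for s in services if s["Service Name"] == service_name), None)
    if svc is None:
        return None
    pid = int(svc["Process ID"])
    proc = procs.get(pid)
    parent = procs.get(proc["ppid"]) if proc else None
    return {
        "pid": pid,
        "state": svc["Service State"],
        "process": proc["name"] if proc else None,
        "parent": parent["name"] if parent else None,
        "children": sorted(p for p, v in procs.items() if v["ppid"] == pid),
        # A service binary under All Users\Application Data rather than Program Files
        # or System32 is the kind of location a triage script should flag for review.
        "odd_location": "application data" in svc["Binary Path"].lower(),
    }
```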

Files

BitGuard installs in the following location:

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.

Analysis

In our analysis, PID 2428 corresponds to Tor. That process holds handles to BitGuard's files and named objects:

$ python vol.py -f /data/tmp/img.mdd handles -p 2428 -s
Volatile Systems Volatility Framework 2.3_beta
Offset(V)     Pid     Handle     Access Type             Details
---------- ------ ---------- ---------- ---------------- -------

[SNIP]

0x88597f50   2428       0x44   0x12019f File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\BitGuard.settings
0x8854c9d8   2428       0x48   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\BitGuard.dll
0x8851e298   2428       0x4c   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\BitGuard.exe
0x8852ee50   2428       0x50   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\BitGuard.settings
0x8853b950   2428       0x54   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\bl
0x885c5770   2428       0x58   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\dm
0x885252c0   2428       0x5c   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\uninstall.exe
0x88532ee8   2428       0x60   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\00
0x891fd9d0   2428       0x64   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\01
0x88536e50   2428       0x68   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\02
0x88519e50   2428       0x6c   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\03
0x885349b8   2428       0x70   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\10
0x88531e50   2428       0x74   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\11
0x88522368   2428       0x78   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\12
0x885222d0   2428       0x7c   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\13
0x8852de50   2428       0x80   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\20
0x8853c8f0   2428       0x84   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\21
0x88532778   2428       0x88   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\22
0x8853cb40   2428       0x8c   0x120089 File             \Device\HarddiskVolume3\documents and Settings\All Users\Application Data\BitGuard\2.6.1673.238\{16cdff19-861d-48e3-a751-d99a27784753}\traking_settings\23
0x8882dda0   2428       0x94   0x100000 Event            HSW/gELKeEp50PAH7Y1bgDCCy8b2IG0tS2iy+tO+pSBGZI=_2.6.1673.238

[SNIP]

0x892bb948   2428      0x110   0x1f0001 Mutant           {16cdff19-861d-48e3-a751-d99a27784753}SettingsSyncjDPsEMmo2+kotJeaDBT2alSlJMopUkgnPuCCSUu0Wg8=_2.6.1673.238
0xe2ce4ca8   2428      0x114    0xf001f Section          {16cdff19-861d-48e3-a751-d99a27784753}SettingsjDPsEMmo2+kotJeaDBT2alSlJMopUkgnPuCCSUu0Wg8=_2.6.1673.238
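As an added example (my code, not part of the aldeid page), the following Python reduces a handle listing like the one above to reusable host-based indicators: the BitGuard version and install GUID taken from the file paths, the files under the install directory, and the named Event/Mutant/Section objects, which are tagged with the version even though the rest of the name is an opaque blob. The sample input is five of the lines shown above, constructed inline; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: five of the "handles -p 2428 -s" lines shown on this page
# (the Tor process), covering each handle type of interest.
HANDLES = """\
0x8854c9d8   2428       0x48   0x120089 File             \\Device\\HarddiskVolume3\\documents and Settings\\All Users\\Application Data\\BitGuard\\2.6.1673.238\\{16cdff19-861d-48e3-a751-d99a27784753}\\BitGuard.dll
0x88532ee8   2428       0x60   0x120089 File             \\Device\\HarddiskVolume3\\documents and Settings\\All Users\\Application Data\\BitGuard\\2.6.1673.238\\{16cdff19-861d-48e3-a751-d99a27784753}\\traking_settings\\00
0x8882dda0   2428       0x94   0x100000 Event            HSW/gELKeEp50PAH7Y1bgDCCy8b2IG0tS2iy+tO+pSBGZI=_2.6.1673.238
0x892bb948   2428      0x110   0x1f0001 Mutant           {16cdff19-861d-48e3-a751-d99a27784753}SettingsSyncjDPsEMmo2+kotJeaDBT2alSlJMopUkgnPuCCSUu0Wg8=_2.6.1673.238
0xe2ce4ca8   2428      0x114    0xf001f Section          {16cdff19-861d-48e3-a751-d99a27784753}SettingsjDPsEMmo2+kotJeaDBT2alSlJMopUkgnPuCCSUu0Wg8=_2.6.1673.238
"""
# Columns: offset, pid, handle, access, type, details (details may contain spaces).
HANDLE_LINE = re.compile(r"^0x[0-9a-f]+\s+(\d+)\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+(\w+)\s+(.+?)\s*$")
# BitGuard's install layout as seen above: ...\BitGuard\<version>\{<guid>}\<relative file>
INSTALL = re.compile(r"\\BitGuard\\([\d.]+)\\(\{[0-9a-f-]{36}\})\\(.+)$", re.I)
VERSION_SUFFIX = re.compile(r"_(\d+(?:\.\d+){3})$")


def parse_handles(text):
    """Yield (pid, handle type, details) for each handle line of Volatility's output."""
    for line in text.splitlines():
        m = HANDLE_LINE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def bitguard_indicators(text):
    """Reduce a handle listing to host indicators: version, install GUID,
    files under the install directory and the named kernel objects."""
    ind = {"versions": set(), "guids": set(), "files": set(), "objects": defaultdict(set)}
    for _pid, htype, details in parse_handles(text):
        if htype == "File":
            m = INSTALL.search(details)
            if m:
                ind["versions"].add(m.group(1))
                ind["guids"].add(m.group(2).lower())
                ind["files"].add(m.group(3))
        elif htype in ("Event", "Mutant", "Section"):
            # Named objects carry the version as a suffix, so they can be matched
            # even though the body of the name is an opaque base64-looking blob.
            if VERSION_SUFFIX.search(details):
                ind["objects"][htype].add(details)
    ind["objects"] = dict(ind["objects"])
    return ind
```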
