
8/26/2018 CertLock Trojan Blocks Security Programs by Disallowing Their Certificates


CertLock Trojan Blocks Security Programs by Disallowing Their Certificates

By Lawrence Abrams June 8, 2017 12:00 PM 0

A new trend among adware and unwanted program purveyors is to
install protection software that makes it more difficult
for Windows users to run their security programs and clean
infections. This was seen with the SmartService rootkit that
blocked AV software from running, and now with a protection
program being called CertLock.

Since the end of May, security forum helpers have noticed
reports that people are not able to install and run security
programs on their infected computers. When they try to run
the programs, they are greeted with an alert that states that the
publisher has been blocked from running on the computer.

It turns out that this is being caused by CertLock disallowing a
security vendor's certificate on the affected computer so that
Windows does not allow the program to run.

CertLock disallows security vendor certificates
https://www.bleepingcomputer.com/news/security/certlock-trojan-blocks-security-programs-by-disallowing-their-certificates/ 1/25

Commonly detected as Ceram or Wdfload by anti-virus
vendors, CertLock is distributed in unwanted program
bundles, such as miners. Once installed, CertLock blocks a
security vendor's certificate by adding it to a special
Windows registry key. This causes Windows to refuse to execute any
program that is signed with that certificate.

CertLock blocks a certificate by creating, under the following key,
a subkey whose name is the thumbprint of the certificate it wants
to block:

HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\

As an example, one of ESET's certificates has a thumbprint
of F83099622B4A9F72CB5081F742164AD1B8D048C9. To
block this certificate, CertLock will create a Registry key
called:

HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F83099622B4A9F72CB5081F742164AD1B8D048C9

Under this key will be a single BLOB value that contains the
certificate information. You can see an example of the registry
key used to block the ESET certificate below.
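The following PowerShell is an added example for this article, not code from the article, from CertLock or from AVCertClean. It walks the Disallowed\Certificates key named above and decodes each entry's BLOB value so an analyst can see which publisher a given thumbprint blocks. The BLOB layout it relies on is the CryptoAPI serialized property store (records of property id, reserved DWORD, length and data, with property 32 carrying the DER certificate); the function and variable names are the example's own.

```powershell
# Added example, not code from the article, CertLock or AVCertClean.
# Enumerates the Disallowed certificate store through the registry key the article
# names and decodes each entry's "Blob" value to show which publisher it blocks.
# Windows only; reading HKLM needs no elevation.

$DisallowedPath = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates'

function ConvertFrom-CertBlob {
    # The Blob value is a CryptoAPI serialized property store: a sequence of records
    #   [DWORD PropId][DWORD Reserved (1)][DWORD Length][Length bytes of data]
    # Property 32 (CERT_CERT_PROP_ID) holds the DER-encoded certificate itself.
    param([byte[]]$Blob)

    $offset = 0
    while ($offset + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToUInt32($Blob, $offset)
        $length = [int][BitConverter]::ToUInt32($Blob, $offset + 8)
        $offset += 12
        if ($offset + $length -gt $Blob.Length) { break }    # truncated record: stop parsing
        if ($propId -eq 32) {
            $der = New-Object byte[] $length
            [Array]::Copy($Blob, $offset, $der, 0, $length)
            try {
                return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
            } catch {
                return $null                                 # property 32 present but not a parseable certificate
            }
        }
        $offset += $length
    }
    return $null
}

function Get-DisallowedPublisher {
    param([string]$Path = $DisallowedPath)

    if (-not (Test-Path -Path $Path)) { return }
    foreach ($key in Get-ChildItem -Path $Path) {
        $thumbprint = $key.PSChildName.ToUpperInvariant()
        $blob = $key.GetValue('Blob')
        $cert = if ($blob) { ConvertFrom-CertBlob -Blob $blob } else { $null }
        [pscustomobject]@{
            Thumbprint     = $thumbprint
            Subject        = if ($cert) { $cert.Subject } else { '<no certificate in Blob>' }
            NotAfter       = if ($cert) { $cert.NotAfter } else { $null }
            # A well-formed entry is keyed by the SHA-1 thumbprint of the embedded certificate
            KeyMatchesCert = if ($cert) { $cert.Thumbprint -eq $thumbprint } else { $false }
        }
    }
}

Get-DisallowedPublisher | Sort-Object Subject | Format-Table -AutoSize
```

The Subject column is what makes triage possible: this store is also where Windows and administrators keep legitimate distrust entries, so a populated key is not by itself evidence of CertLock, but a run of code-signing certificates issued to anti-virus vendors is. An entry whose key name does not match the embedded certificate's thumbprint is malformed and worth a closer look regardless.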

If a certificate is added to the Disallowed list, when a user tries
to run a program that is signed by this certificate they will be
greeted with an error that states "The publisher has been
blocked from running software on your machine". You can see
an example of the ESET installer being blocked using this
method below.

Blocked ESET Installer

While blocking a certificate prevents signed installers from
running, it also prevents already installed programs that use
the blocked cert from executing. For example, when
Malwarebytes' code-signing certificates are blocked, users are
greeted with errors when they try to run the program. These
errors state:

Unable to start
Unable to connect the Service.

or

Error

Runtime Error (at 49:120):

Could not call proc.

You can see examples of these errors below:

Unable to connect the Service Error


Malwarebytes 49:120 Error

This trojan really does not like Avast

While CertLock already disallows the use of the AVAST
certificate, it goes a step further to make sure Avast is
unable to run. It does this by pointing many Avast.com
hostnames to 127.0.0.1 in the Windows HOSTS file so that
the computer cannot connect to them.

CertLock generates the list of Avast hosts to block by
downloading the files.avast.com/iavs9x/servers.def file. This
file contains a list of hostnames associated with Avast security
programs. CertLock parses this file and adds the hostnames to the Windows
HOSTS file as shown below.

Modified HOSTS File


By adding the hostnames to the HOSTS file and pointing them
to 127.0.0.1, it effectively blocks the computer from reaching
these servers.
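As an added example (not part of the article and not CertLock's or Avast's code), the PowerShell below audits a HOSTS file for the redirection just described: any watched security-vendor hostname that resolves to a loopback or null address. The list of watched domains, the sinkhole addresses and the sample HOSTS content are assumptions constructed for the example; only avast.com comes from the article.

```powershell
# Added example, not from the article or CertLock. Audits a HOSTS file for entries
# that send security-vendor hostnames to a loopback or null address, the redirection
# the article describes for Avast. Watched domains beyond avast.com and the sample
# file below are assumptions made for this example.

$HostsPath         = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$WatchedDomains    = @('avast.com', 'avg.com', 'malwarebytes.com', 'eset.com')
$SinkholeAddresses = @('127.0.0.1', '0.0.0.0', '::1')

function Get-HostsSinkhole {
    param(
        [string[]]$Lines,
        [string[]]$Domains   = $WatchedDomains,
        [string[]]$Sinkholes = $SinkholeAddresses
    )
    $lineNo = 0
    foreach ($raw in $Lines) {
        $lineNo++
        $line = ($raw -split '#', 2)[0].Trim()           # drop comments and padding
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }             # address with no hostname
        $address = $fields[0]
        if ($Sinkholes -notcontains $address) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $hostname = $name.ToLowerInvariant()
            foreach ($domain in $Domains) {
                if ($hostname -eq $domain -or $hostname.EndsWith(".$domain")) {
                    [pscustomobject]@{ Line = $lineNo; Address = $address; Hostname = $hostname; Domain = $domain }
                }
            }
        }
    }
}

# Constructed sample shaped like a HOSTS file after the tampering the article describes
# (hostnames other than files.avast.com are made up for the example)
$SampleHosts = @'
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 files.avast.com
127.0.0.1 www.avast.com update.avast.com   # two names on one line
0.0.0.0 downloads.malwarebytes.com
93.184.216.34 example.com
'@ -split "`r?`n"

Get-HostsSinkhole -Lines $SampleHosts | Format-Table -AutoSize     # four hits: three avast.com, one malwarebytes.com

# The live file, read-only; an empty result means no watched domain is sinkholed
Get-HostsSinkhole -Lines (Get-Content -Path $HostsPath) | Format-Table -AutoSize
```

The two localhost lines are deliberately present in the sample: they point at sinkhole addresses but match no watched domain, so a correct audit must ignore them rather than flag every loopback entry.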

How to remove Certificates Disallowed by CertLock

ToolsLib.com co-administrator and Malwarebytes AdwCleaner
developer Jérôme.B has created a tool called AVCertClean that
will scan the Disallowed registry key for legitimate blocked
keys and remove them. To use the tool, simply download and
execute it. The program will then automatically remove the
blocked certificates.

AVCertClean

When the program has finished, it will display a log that lists
the certificates that were cleaned by AVCertClean.


AVCertClean Log

Now that the certificates are no longer being blocked, users can
install and run their security programs in order to clean their
computer. In some situations, users may need to restart the
application to get it to run.

For example, for Malwarebytes to run after cleaning the certs,
users should go into the Windows Service Manager
(services.msc) and restart the Malwarebytes Service.
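The cleanup AVCertClean performs can also be scripted. The PowerShell below is an added example, not AVCertClean's code or anything from the article: it removes Disallowed entries whose key name is one of the security-vendor thumbprints in the article's IOC table and then restarts the Malwarebytes service as described above. The embedded thumbprint map is a subset of that table; the function name and the service lookup by display name are the example's own assumptions.

```powershell
# Added example, not AVCertClean's code or anything from the article. Removes Disallowed
# entries whose key name is a known security-vendor code-signing thumbprint, the cleanup
# the article attributes to AVCertClean. Run from an elevated PowerShell; supports -WhatIf.

$DisallowedPath = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates'

# A subset of the article's IOC table (thumbprint -> vendor). Extend it from that table
# or pass your own map through -KnownVendorThumbprint.
$KnownVendorThumbprints = @{
    'F83099622B4A9F72CB5081F742164AD1B8D048C9' = 'ESET'
    'A59CC32724DD07A6FC33F7806945481A2D13CA2F' = 'ESET'
    '249BDA38A611CD746A132FA2AF995A2D3C941264' = 'Malwarebytes'
    'B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84' = 'Malwarebytes'
    'AD4C5429E10F4FF6C01840C20ABA344D7401209F' = 'AVAST'
    'DB77E5CFEC34459146748B667C97B185619251BA' = 'AVAST'
}

function Remove-DisallowedVendorCert {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [hashtable]$KnownVendorThumbprint = $KnownVendorThumbprints,
        [string]$Path = $DisallowedPath
    )
    if (-not (Test-Path -Path $Path)) { return }

    foreach ($key in Get-ChildItem -Path $Path) {
        $thumb = $key.PSChildName.ToUpperInvariant()
        # Only touch entries on the vendor list; this store also holds legitimate
        # distrust entries placed there by Windows or an administrator, and those stay.
        if (-not $KnownVendorThumbprint.ContainsKey($thumb)) { continue }
        $vendor = $KnownVendorThumbprint[$thumb]
        if ($PSCmdlet.ShouldProcess("$vendor certificate $thumb", 'Remove from Disallowed store')) {
            Remove-Item -Path $key.PSPath -Recurse -Force
            [pscustomobject]@{ Thumbprint = $thumb; Vendor = $vendor }
        }
    }
}

# Preview first, then remove, then restart the Malwarebytes service as the article advises
Remove-DisallowedVendorCert -WhatIf
$cleaned = @(Remove-DisallowedVendorCert)
$cleaned | Format-Table -AutoSize
if ($cleaned.Vendor -contains 'Malwarebytes') {
    Get-Service | Where-Object { $_.DisplayName -like 'Malwarebytes*' } | Restart-Service -Force
}
```

Matching on an explicit thumbprint list is the conservative choice: it cannot remove a distrust entry that Windows itself relies on, at the cost of missing a vendor certificate the list does not yet know about. Decoding the BLOB of any unmatched entry to read its Subject is the way to decide whether the list needs extending.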


IOCs

Hashes:
b1cbe0ee129bc96cc3e3d2aa4bc2ce3f6b7403045bd0ffc8956b7b7af4d070f5 - Installer (Password Protected)
b529ca4dd148fdfcee0c1f267bc6821cc5168c121363fa690536a72e0f447c19 - CertLock (Thx Aura)

Registry Entries Associated with CertLock:


HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\03D22C9C66915D58C88912B64C1F984B8344EF09
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\0F684EC1163281085C6AF20528878103ACEFCAAB
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\1667908C9E22EFBD0590E088715CC74BE4C60884
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\18DEA4EFA93B06AE997D234411F3FD72A677EECE
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\249BDA38A611CD746A132FA2AF995A2D3C941264
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\31AC96A6C17C425222C46D55C3CCA6BA12E54DAF
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\331E2046A1CCA7BFEF766724394BE6112B4CA3F7
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3353EA609334A9F23A701B9159E30CB6C22D4C59
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\373C33726722D3A5D1EDD1F1585D5D25B39BEA1A
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\3D496FA682E65FC122351EC29B55AB94F3BB03FC
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4420C99742DF11DD0795BC15B7B0ABF090DC84DF
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5240AB5B05D11B37900AC7712A3C6AE42F377C8C
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\5DD3D41810F28B2A13E9A004E6412061E28FA48D
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\7457A3793086DBB58B3858D6476889E3311E550E
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\76A9295EF4343E12DFC5FE05DC57227C1AB00D29
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\775B373B33B9D15B58BC02B184704332B97C3CAF
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\872CD334B7E7B3C3D1C6114CD6B221026D505EAB
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\88AD5DFE24126872B33175D1778687B642323ACF
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9132E8B079D080E01D52631690BE18EBC2347C1E
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\982D98951CF3C0CA2A02814D474A976CBFF6BDB1
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9C43F665E690AB4D486D4717B456C5554D4BCEB5
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\9E3F95577B37C74CA2F70C1E1859E798B7FC6B13
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A5341949ABE1407DD7BF7DFE75460D9608FBC309
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\A59CC32724DD07A6FC33F7806945481A2D13CA2F
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AD4C5429E10F4FF6C01840C20ABA344D7401209F
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\AD96BB64BA36379D2E354660780C2067B81DA2E0
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\CDC37C22FE9272D8F2610206AD397A45040326B8
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\DB303C9B61282DE525DC754A535CA2D6A9BD3D87
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\DB77E5CFEC34459146748B667C97B185619251BA
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\E22240E837B52E691C71DF248F12D27F96441C00
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\ED841A61C0F76025598421BC1B00E24189E68D54
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\F83099622B4A9F72CB5081F742164AD1B8D048C9
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FBB42F089AF2D570F2BF6F493D107A3255A9BB1A
HKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates\FFFA650F2CB2ABC0D80527B524DD3F9FC172C138
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\[computer_name] %temp%\[temp_name].tmp.exe

Files Associated with CertLock:

%temp%\[temp_name].tmp.exe

Disallowed Certificates (Thumbprints):

Security Vendor        Thumbprint
AVAST                  AD4C5429E10F4FF6C01840C20ABA344D7401209F
AVAST                  DB77E5CFEC34459146748B667C97B185619251BA
AVG                    3D496FA682E65FC122351EC29B55AB94F3BB03FC
AVG                    AB7E760DA2485EA9EF5A6EEE7647748D4BA6B947
AVG Technologies       E513EAB8610CFFD7C87E00BCA15C23AAB407FCEF
Adaware                9132E8B079D080E01D52631690BE18EBC2347C1E
Avira                  A1F8DCB086E461E2ABB4B46ADCFA0B48C58B6E99
BitDefender            18DEA4EFA93B06AE997D234411F3FD72A677EECE
BitDefender            ED841A61C0F76025598421BC1B00E24189E68D54
BullGuard              A5341949ABE1407DD7BF7DFE75460D9608FBC309
Bullguard              76A9295EF4343E12DFC5FE05DC57227C1AB00D29
Checkpoint Software    5240AB5B05D11B37900AC7712A3C6AE42F377C8C
Comodo                 03D22C9C66915D58C88912B64C1F984B8344EF09
Comodo                 872CD334B7E7B3C3D1C6114CD6B221026D505EAB
CurioLab               9E3F95577B37C74CA2F70C1E1859E798B7FC6B13
Doctor Web             4420C99742DF11DD0795BC15B7B0ABF090DC84DF
Doctor Web             FFFA650F2CB2ABC0D80527B524DD3F9FC172C138
ESET                   A59CC32724DD07A6FC33F7806945481A2D13CA2F
ESET                   F83099622B4A9F72CB5081F742164AD1B8D048C9
Emsisoft               4C0AF5719009B7C9D85C5EAEDFA3B7F090FE5FFF
Emsisoft               5DD3D41810F28B2A13E9A004E6412061E28FA48D
F-Secure               0F684EC1163281085C6AF20528878103ACEFCAAB
FRISK                  1667908C9E22EFBD0590E088715CC74BE4C60884
GData                  2026D13756EB0DB753DF26CB3B7EEBE3E70BB2CF
K7 Computing           42727E052C0C2E1B35AB53E1005FD9EDC9DE8F01
K7 Computing           7457A3793086DBB58B3858D6476889E3311E550E
Kaspersky              3850EDD77CC74EC9F4829AE406BBF9C21E0DA87F
Kaspersky              D3F78D747E7C5D6D3AE8ABFDDA7522BFB4CBD598
Malwarebytes           249BDA38A611CD746A132FA2AF995A2D3C941264
Malwarebytes           B8EBF0E696AF77F51C96DB4D044586E2F4F8FD84
McAfee                 775B373B33B9D15B58BC02B184704332B97C3CAF
McAfee                 88AD5DFE24126872B33175D1778687B642323ACF
PC Tools               4243A03DB4C3C15149CEA8B38EEA1DA4F26BD159
Panda                  FBB42F089AF2D570F2BF6F493D107A3255A9BB1A
SUPERAntiSpyware       373C33726722D3A5D1EDD1F1585D5D25B39BEA1A
Safer Networking       982D98951CF3C0CA2A02814D474A976CBFF6BDB1
Symantec               31AC96A6C17C425222C46D55C3CCA6BA12E54DAF
Symantec               AD96BB64BA36379D2E354660780C2067B81DA2E0
ThreatTrack Security   9C43F665E690AB4D486D4717B456C5554D4BCEB5
ThreatTrack Security   DB303C9B61282DE525DC754A535CA2D6A9BD3D87
Total Defense          E22240E837B52E691C71DF248F12D27F96441C00
Trend Micro            331E2046A1CCA7BFEF766724394BE6112B4CA3F7
Trend Micro            CDC37C22FE9272D8F2610206AD397A45040326B8
Webroot                3353EA609334A9F23A701B9159E30CB6C22D4C59
Webroot                9A08641F7C5F2CCA0888388BE3E5DBDDAAA3B361


LAWRENCE ABRAMS  
Lawrence Abrams is the creator and owner of
BleepingComputer.com. Lawrence's area of expertise includes
malware removal and computer forensics. Lawrence Abrams is a co-
author of the Winternals Defragmentation, Recovery, and
Administration Field Guide and the technical editor for Rootkits for
Dummies.


Copyright @ 2003 - 2018 Bleeping Computer® LLC - All Rights Reserved
