
[SOLVED] Alert with obfuscated Claud.sim module


oreonutz

Recommended Posts

Hello Everyone! I am new to these forums, and don't typically post to forums, so I apologize if I don't know all the rules. I am usually extremely good at searching for solutions on my own, but in this case it seems limited information is available. 

 

I run Windows 7 64-bit on an AMD octo-core processor running at 3.5 GHz with 24 GB RAM, and am running the OS on a 256 GB Samsung 850 Pro. I read that you might want that info, so hopefully that about covers it. 

 

About 2 months ago I started recording my TV shows with Windows Media Center with an HD HomeRun Pro network TV tuner. For the first month I had no problems. Now, about 2 weeks ago, even though the recordings are recording fine, I keep getting an MBAE pop-up message saying that Anti-Exploit has blocked a Heap Memory Exploit from WMPlayer.exe. I realize that WMPlayer isn't Windows Media Center, but because I don't use WMPlayer AT ALL, I figured it must be related. I get this pop-up now more than 15 times daily.

 

Now, all of a sudden, out of nowhere, I started getting a new pop-up saying that "The File Claud.Sim has been blocked", and that's located in the 'C:\Program Files (x86)\Windows Media Player\' folder! 

 

Before this new alert happened, I assumed that this might have been a false positive, and I updated my Premium Anti-Exploit to the newest version a few days ago. I thought that solved the problem at first, but then it continued the day after I updated, and has only gotten worse since. I am glad it is blocking the attempt, but I would like to know how to stop the attack completely. I attached my logs, thank you in advance for any help you can provide.

 

Matt

Malwarebytes Anti-Exploit.zip


Hmm, the info you gave along with the included zip should aid someone more qualified to help you. In the meantime, do you by chance have any CyberLink programs on your system (they are popular with OEMs)?

 

Funny thing is I am an independently contracted IT administrator for local companies out here in Vegas. I am constantly asking clients if they are using all of the CyberLink bloatware that comes with their OEM builds. I'd say more than 90 percent of the time they are not, so I usually stop the processes from starting with Windows, or I uninstall it altogether depending on the client. In my case I have a self-built system with a retail version of Windows 7 Ultimate 64-bit (I don't know why I said Pro earlier, I think I am just so used to saying it), but anyway, I like it because it comes with minimal bloatware, including NO CyberLink junk.

 

The funny thing about that is that I recently, maybe 3 to 4 months ago, purchased a Blu-ray burner that came with CyberLink software, which I discovered I needed to play freaking Blu-rays. I didn't realize that VLC wasn't capable of playing Blu-rays. So now, yes, I do have a paid version of CyberLink's PowerDVD 10, lol. But I start the processes manually myself when I need them, which is not very often, and I just verified that they are not running now.

 

But you have me curious. Do CyberLink processes and services have a habit of triggering false positives with MBAE?


So upon more digging, I found why you asked me if I have CyberLink software. There is apparently a legitimate file named "CLAud.sim", which is used for audio decoding in CyberLink's PowerDVD. I do have that file on my computer, and it is located within the program files of PowerDVD. But the file that is being reported by MBAE isn't reported with the CLA capitalized; instead the .SIM is capitalized, and it reports it as being in "C:\Program Files (x86)\Windows Media Player". I have checked immediately each time it was reported, and that file does not exist, even with hidden files and system files showing.

 

I have even booted a Linux boot disc and checked that folder, and searched the contents of the entire drive, and I cannot locate that file anywhere else, except in the CyberLink program files directory. I also noticed that the Claud.sim alerts ONLY happen when my computer has been inactive for more than 10 minutes. Whenever I move the mouse and wake the screen up, depending on how long it's been, I'll have a few alerts waiting for me.

 

The most recent program I have installed is Remote Potato; the alerts started maybe a week after installing that program, but it wasn't right away. I have a feeling it is tied to Windows Media Center, but I don't know what exactly is the cause and would love to find out. Whatever it is, whether it's a legitimate attack or just a recurring false positive, it is persistent and annoying. Thank you in advance for any help you can provide me. I will be happy to provide any other files you think necessary.

 

Thank You!

 

Matt


  • Staff

Hi Matt, welcome to the forum and thanks for posting.

 

The detection you are seeing is probably due to some overzealous media player plugin that uses some form of obfuscation and runtime packing.

 

As a workaround please do the following:

 

Open the MBAE UI -> Settings -> Advanced settings -> Advanced Memory Protection -> Uncheck Return Address detection for Media Players -> Apply

 

Restart your media players (or even better, your computer) and you should be good to go.



Thank you pbust, I appreciate your help and have done what you asked. And I hate to be a pain in your side, but I just want to make sure that I shouldn't be worried about this supposed creation of Claud.SIM in my Windows Media Player program files that it is supposedly stopping; the file is never there when I check, and it only happens when my computer is inactive. I guess I just want to make sure I uncheck this and then all hell breaks loose, LOL!

 

I unchecked it and restarted anyway, and you are probably right, I just want to make sure I shouldn't be worried about this creation of Claud.Sim. Again, thanks for your help!

 

Matt


  • Staff

No pain at all. No worries, I am sure. We have been seeing these Claud.sim and Claud.ax components for quite some time now. We've analyzed them in the past and found them to use obfuscation techniques which trigger MBAE's proactive techniques. But these Claud.* files are not malicious in nature.


I wasn't familiar with the .sim files and my Google searches had only turned up CyberLink and trojans, so I wanted to see if you were using one of their programs. I had also created a VM to try and re-create the issue, which involved installing a few, but I wasn't able to see the alert on my end. Other plugins being the answer and a quick tweak provided by an expert puts an end to that endeavour. Glad to see it's sorted!


FYI, I found the culprit: Haali Media Splitter. After I turned off the detection method, I noticed it creating the files in Windows Media Player's program files folder whenever I started to watch a show. I installed it shortly after I started using WMC, along with some codecs, so I could watch MKV files in WMC if I wanted. And after further study, it appears that it does use obfuscation techniques when paired with WMC, which uses WMPlayer to play files. So definitely no harm; I am just hoping that turning off that detection method doesn't open me up to an attack somewhere down the line. But I suppose I don't really need to watch MKV files in WMC, as I prefer VLC, so I may just uninstall Haali Media Splitter and turn the detection method back on. Either way, I thank you pbust for helping me solve the mystery of the CLAUD.SIM!

 

Thank You!
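The two loose ends in this thread, why the file is "never there" when Matt checks the folder by hand and whether whatever is being written under Windows Media Player is the same component PowerDVD ships, are the kind of thing a short triage script settles. The PowerShell below is an added example, not code from the thread, from Malwarebytes or from any of the vendors named: it inventories every claud.sim / claud.ax on the system with its SHA256 and Authenticode status, then registers a FileSystemWatcher on the Windows Media Player folder so a file that is created and deleted while the machine is idle is still recorded with its hash. The search roots, the log file location and the requirement for Windows PowerShell 4 or later (for Get-FileHash) are assumptions.

```powershell
# Added triage example for a transient-file alert like the Claud.SIM one in this
# thread. Not from the thread or from Malwarebytes. Assumes Windows PowerShell 4
# or later (Get-FileHash) and a default 64-bit Windows 7 layout.

$WmpFolder   = 'C:\Program Files (x86)\Windows Media Player'   # folder named in the alert
$SearchRoots = @('C:\Program Files', 'C:\Program Files (x86)')  # assumed install roots
$Names       = @('claud.sim', 'claud.ax')                        # component names from the thread
$LogFile     = Join-Path $env:USERPROFILE 'claud-triage.log'      # assumed log location

function Get-FileFacts {
    param([Parameter(Mandatory)][string]$Path)
    # One record per file: size, timestamp, SHA256 and Authenticode status, so the
    # copy under PowerDVD can be compared with anything that shows up elsewhere.
    $item = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
    [pscustomobject]@{
        Path      = $item.FullName
        Bytes     = $item.Length
        Modified  = $item.LastWriteTime
        SHA256    = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    }
}

function Find-ClaudFiles {
    # Inventory pass. -Include matches case-insensitively, as NTFS does, so the
    # CLAud.sim / Claud.SIM spelling difference in the alert is not a distinguishing
    # feature on its own; location, hash and signer are.
    Get-ChildItem -Path $SearchRoots -Recurse -File -Include $Names -ErrorAction SilentlyContinue |
        ForEach-Object { Get-FileFacts -Path $_.FullName }
}

function Start-ClaudWatch {
    # Monitoring pass. Hashing happens inside the event handler because the file
    # may already be gone by the time anyone looks at the folder by hand.
    $watcher = New-Object System.IO.FileSystemWatcher
    $watcher.Path                  = $WmpFolder
    $watcher.Filter                = '*.*'
    $watcher.IncludeSubdirectories = $false
    $watcher.EnableRaisingEvents   = $true

    $onEvent = {
        $e    = $Event.SourceEventArgs
        $line = '{0:u} {1,-7} {2}' -f (Get-Date), $e.ChangeType, $e.FullPath
        if ($e.ChangeType -eq 'Created' -and (Test-Path -LiteralPath $e.FullPath)) {
            try {
                $hash = (Get-FileHash -LiteralPath $e.FullPath -Algorithm SHA256).Hash
                $sig  = Get-AuthenticodeSignature -FilePath $e.FullPath
                $line += " sha256=$hash sig=$($sig.Status)"
            } catch {
                $line += ' (file vanished before it could be hashed)'
            }
        }
        # Log path arrives via -MessageData; the handler runs outside this function's scope.
        Add-Content -LiteralPath $Event.MessageData -Value $line
    }
    Register-ObjectEvent -InputObject $watcher -EventName Created -SourceIdentifier ClaudCreated -MessageData $LogFile -Action $onEvent | Out-Null
    Register-ObjectEvent -InputObject $watcher -EventName Deleted -SourceIdentifier ClaudDeleted -MessageData $LogFile -Action $onEvent | Out-Null
    $watcher
}

function Stop-ClaudWatch {
    param([System.IO.FileSystemWatcher]$Watcher)
    'ClaudCreated', 'ClaudDeleted' | ForEach-Object { Unregister-Event -SourceIdentifier $_ -ErrorAction SilentlyContinue }
    $Watcher.EnableRaisingEvents = $false
    $Watcher.Dispose()
}

# Usage, from a PowerShell prompt after dot-sourcing this file:
#   Find-ClaudFiles | Format-Table Path, Bytes, SigStatus, Signer -AutoSize
#   $w = Start-ClaudWatch      # then play a show in WMC, or leave the machine idle
#   Get-Content $LogFile       # every Created/Deleted event with hash and signer status
#   Stop-ClaudWatch $w
```

If the hash logged for a file created under the Windows Media Player folder matches the copy found under PowerDVD, the alert concerns the same known component; a different hash or a NotSigned / HashMismatch status on a file that then disappears is what would justify keeping the detection enabled and sending the sample to the vendor.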


This topic is now closed to further replies.