View Full Version : Rogue AV/AS prolific

2011-07-20, 08:31

Google finds a million scareware infections...
- http://krebsonsecurity.com/2011/07/google-your-computer-appears-to-be-infected/
July 19, 2011 - "Google today began warning more than a million Internet users that their computers are infected with a malicious program that hijacks search results and tries to scare users into purchasing fake antivirus software... the malware apparently arrives on victim desktops as fake antivirus or “scareware” programs that use misleading warnings about security threats to trick people into purchasing worthless security software... The malware intercepts traffic destined for high profile domains like google.com, yahoo.com and bing.com, and routes it through intermediate hosts or “proxies” controlled by the attackers. The proxies are used to modify the search results that a victim sees for any given search term, and to redirect traffic to pay-per-click schemes that pay for traffic to specific Web sites. Fortunately, the traffic generated by the malware has a unique “signature” that Google is able to use to alert victims. Google is placing a prominent notification* at the top of victims’ Google search results; it includes links to resources to help remove the infection... the hard work will be in the cleanup: Search hijackers are notorious for blocking users from visiting antivirus Web sites or other popular sources of malware removal tools."
* http://krebsonsecurity.com/wp-content/uploads/2011/07/googhij.png

- http://googleonlinesecurity.blogspot.com/2011/07/using-data-to-protect-people-from.html
Updated July 20, 2011


2011-07-25, 17:51

Fake video codecs - with scareware
- http://threatpost.com/en_us/blogs/get-your-new-video-codecs-and-scareware-072511
July 25, 2011 - "... Most scareware programs rely on Web-based pop-ups that appear when a victim visits a site that has been compromised. The user sees a dialog box that typically looks a lot like the Windows security center interface informing him that his machine is full of scary sounding malware... The goal, of course, is to get the unwitting victim to click on the dialog box and install whatever rogue AV tool they're pushing and then get him to pony up for the license fee. Now, researchers at GFI Labs* have come across a new breed of rogue AV that takes a less direct route to the victim's wallet. This attack, which is related to the FakeVimes family of scareware that Google recently began warning users about, installs some files on users' machines, but doesn't immediately start demanding payment in return for fictitious security services. Instead, it waits for a victim to try to play a Web video..."
* http://sunbeltblog.blogspot.com/2011/07/fakevimes-infection-offers-up-home.html
"... a sample of some of the files found on the infected machine:
c:\Documents and Settings\All Users\Application Data\7f0924\VD7f0_2326.exe
c:\Documents and Settings\All Users\Application Data\ip\e.exe
c:\Documents and Settings\All Users\Application Data\ip\FRed32.dll
c:\Documents and Settings\All Users\Application Data\ip\instr.ini
c:\Documents and Settings\All Users\Application Data\ip\SmartGeare.exe
c:\Documents and Settings\All Users\Application Data\ip\spoof.avi
c:\WINDOWS\system32\c_726535.nls ..."


2012-01-30, 13:19

Rogue activity spikes ...
- https://blogs.technet.com/b/mmpc/archive/2012/01/29/when-imitation-isn-t-a-form-of-flattery.aspx?Redirected=true
29 Jan 2012 - "... Lately, we have seen a resurgence in rogue activity (one particularly obnoxious threat going by the name Security Defender – aka Win32/Defmid – has been making the rounds of late); rogue security programs attempt to trick users into paying for -fake- antivirus software... Think twice before handing over your credit card details to a third party you cannot verify – like one displaying pop-ups, or on the end of an unsolicited phone call."
(Screenshots available at the URL above.)


2012-03-02, 17:06

Rogue rash ...
- https://blogs.technet.com/b/mmpc/archive/2012/03/01/a-rogue-by-any-other-name.aspx?Redirected=true
1 Mar 2012 - "Rogue:Win32/FakePAV reappeared about two weeks ago after a brief hiatus and since then we’ve been seeing variants with new names for themselves just about every day. The latest versions call themselves names like “Windows Threats Destroyer”, “Windows Firewall Constructor”, "Windows Attacks Preventor" and “Windows Basic Antivirus”... Each sample of FakePAV is distributed as a self-extracting RAR archive, which contains a second self-extracting RAR archive. This second, “inner” archive contains the rogue executable itself, but it is password-protected; simply trying to extract it without knowing the password doesn’t work... In the last few days they’ve started obfuscating these scripts, probably to make it harder for anti-malware scanners to detect them. Because RAR self-extractor scripts are stored as part of the archive comment, essentially anything that the self-extractor doesn’t recognize as an instruction is ignored, meaning pretty much any text can be added without changing the functionality... These kind of tactics are aimed at making it difficult for anti-malware scanners to look inside the malware’s distribution package, and they highlight the need for real-time malware protection. For the malware to work, the malicious executable has to be written to disk at which point real-time protection can not only detect it but stop it from being executed..."
(Screenshots available at the URL above.)

:mad: :fear:

2012-03-05, 18:53

Mass injection wave of WordPress sites - Rogue AV ...
- http://community.websense.com/blogs/securitylabs/archive/2012/03/05/mass-injection-of-wordpress-sites.aspx
5 Mar 2012 - "... Websense... has detected a new wave of mass-injections... The majority of targets are Web sites hosted by the WordPress content management system. At the time of writing, more than 200,000 Web pages have been compromised, amounting to close to 30,000 unique Web sites (hosts). The injection hijacks visitors to the compromised sites and redirects them to rogue AV sites that attempt to trick them into downloading and installing a Trojan onto their computer. The injected code is very short and is placed at the bottom of the page, just before </body> tag... After a three-level -redirection- chain, victims land on a fake AV site. In this example, the first chain is the ".rr.nu", and the landing site is the ".de.lv" top-level domain, but the landing site keeps changing. The rogue AV site appears to perform a scan on the computer and scares the user by displaying fake malware detections of various kinds of Trojans. The page looks like a Windows Explorer window with a "Windows Security Alert" dialogue box in it. The fake scanning process looks like a normal Windows application, however, it is only a pop-up window within the browser. The fake antivirus then prompts visitors to download and run their "antivirus tool" to remove the supposedly found Trojans. The executable is itself the Trojan... more than 85% of the compromised sites are in the United States, while visitors to these web sites are more geographically dispersed*... while the attack is specific to the US, everyone is at risk when visiting these compromised pages..."
* http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/6082.14507_5F00_CUST_5F00_GeoIP.png

> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/8182.FakeAV3.png

- http://community.websense.com/blogs/securitylabs/archive/2012/03/13/i-have-the-latest-wordpress-version-am-i-protected.aspx
13 Mar 2012 - "... We checked several aspects of each of these compromised websites and concluded that most of them are served by Apache webserver and PHP environment*...
* http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/2844.WordPress_5F00_ditribution1s.png
... WordPress still serves the majority of the compromised websites; however, we did see a small amount of other CMS as well. We also noticed that an increasing number of Joomla sites** are also affected, with all other content managers making up a tinier slice...
** http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/3404.WordPress_5F00_ditribution2s.png
... having the latest version of WordPress does not make you immune to this threat...
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/1263.WordPress_5F00_ditribution3s.png
... some of the dominant attack vectors that websites using the latest WordPress version are likely to be exploited through:
• Weak passwords / stolen credentials
• Vulnerable third-party modules used in WordPress
• Security holes in the underlying server infrastructure, such as in the database server or the server side scripting engine (PHP in this case)..."


2012-03-15, 14:02

Rogue AV tweaked every 12 to 24 hours to avoid detection
- http://www.gfi.com/blog/vipre%C2%AE-report-for-february-2012-rogue-av-remains-a-popular-threat-tactic/
Mar 13, 2012 - "... the trend that criminals behind bogus AV software are now distributing via spam that has links to sites where users can be further infected with the Blackhole exploit..."
- http://www.gfi.com/page/117487/gfi-labs-tracks-resurgence-of-fake-antivirus-programs-plaguing-businesses-and-consumers
Mar 09, 2012 - "... Rogue AV programs are continually tweaked in an attempt to avoid detection, with newer variants of these malicious applications propagating every 12 to 24 hours... Trojans once again dominated the list, taking -half- of the top 10 spots..."
Top 10 Threat Detections for February
- http://www.gfi.com/content/cmsimages/top10detections-21084.png


2012-03-24, 22:48

Flash-based Fake AV - drive-by exploits and SPAM
- http://www.symantec.com/connect/blogs/flash-based-fake-antivirus-software-windows-risk-minimizer
23 Mar 2012 - "... relatively new fake antivirus application called Windows Risk Minimizer. The -fake- antivirus software was promoted through spam sent from a popular webmail service. This is slightly unusual as normally fake antivirus infections arrive through drive-by exploits. Spam messages promoting the fake antivirus software contained links to compromised domains, which then -redirected- users to the fake antivirus site. We witnessed over 300 compromised domains being used in just a few hours. When opening the fake antivirus site, the user is greeted with a JavaScript alert message, whereby the fake antivirus (referred to here as "Windows Secure Kit 2012") claims that your machine is infected... The page uses Flash making it look more convincing with realistic icons, progress bars, and dialog boxes. Unsurprisingly, the fake antivirus detects plenty of viruses. Decompressing the Flash file and analyzing it shows a huge list of files contained within it. The Flash movie then simply picks some of these at random and claims they are infected (with equally random virus names). Once the scan is complete, a Windows Security Alert dialog appears with a summary of the scan. This dialog can be moved around the screen and (for reasons unknown) the different infections can be selected and unselected... To avoid getting infected with fake antivirus software, ensure you keep your operating system, Web browser, and antivirus software up-to-date with all security patches..."
(Screenshots available at the URL above.)


2012-04-13, 15:14

New Fake AV scareware attempts to extort Torrent users
- http://www.theregister.co.uk/2012/04/13/scareware_ransonware_hyrbrid/
13 April 2012 - "Security researchers have discovered a strain of fake anti-virus software that tries to intimidate supposed file-sharers* into paying for worthless software. SFX Fake AV, first detected by freebie antivirus scanner firm Malwarebytes, blends the features of scareware with those more associated with ransomware Trojans. The malware stops any legitimate anti-virus package from running on compromised PCs, something common to other other scareware packages. But this particular strain of malware goes further than this by stopping Process Explorer (procexp.exe) and preventing browsers from loading – tactics designed to force marks to complete the ‘input credit card details’ screen and hand over money for the scamware... SFX Fake AV, first detected by freebie antivirus scanner firm Malwarebytes, blends the features of scareware with those more associated with ransomware Trojans. The malware stops any legitimate anti-virus package from running on compromised PCs, something common to other other scareware packages... the malware also performs a fake scan that classifies Windows Registry Editor as a porn tool. Bruce Harrison, VP Research at Malwarebytes, said: "SFX Fake AV is morphing at a relatively fast rate, so it is something that signature-based vendors will have to watch out for as there will be an increasing number of variants in the wild. Also, the use of Dropbox as a delivery mechanism is a something that the industry is going to have to take into account and protect against, as it is an emerging trend."
* http://regmedia.co.uk/2012/04/12/torrent_alert_scareware.jpg


2012-05-09, 19:17

Ransomware police trojan - now targets USA and Canada ...
- http://blog.trendmicro.com/police-trojan-crosses-the-atlantic-now-targets-usa-and-canada/
May 9, 2012 - "The Police Trojan* has been targeting European users for about a year... the latest incarnations of this obnoxious malware have started targeting the United States and Canada. In the latest batch of C&C servers we have analyzed, not only has the list of countries increased but also their targets are now more specific. For instance, UKash vouchers are not available in the U.S., thus the U.S. fake police notification that -spoofs- the Computer Crime & Intellectual Property Section of the U.S. Department of Justice, only mentions PaySafeCard as the accepted payment method. The criminals also took the time in adding plenty of logos of local supermarkets and chain stores where the cash vouchers are available...
> http://blog.trendmicro.com/wp-content/uploads/2012/05/police_trojan_screenshot.jpg
... the same Eastern European criminal gangs who were behind the fake antivirus boom are now turning to the Police Trojan strategy. We believe this is a malware landscape change and not a single gang attacking in a novel way. We also found C&C consoles that suggest a high level of development and possible reselling of the server back-end software used to manage these attacks..."
* http://blog.trendmicro.com/trojan-on-the-loose-an-in-depth-analysis-of-police-trojan/
"... plagued by so called Police Trojans that lock their computer completely until they pay a fine of 100 euros..."

:fear: :mad:

2012-05-31, 13:02

More extortion thru Ransomware
- http://www.ic3.gov/media/2012/120530.aspx
May 30, 2012 - "... new Citadel malware platform used to deliver ransomware, named Reveton*. The ransomware lures the victim to a drive-by download website, at which time the ransomware is installed on the user's computer. Once installed, the computer freezes and a screen is displayed warning the user they have violated United States Federal Law. The message further declares the user's IP address was identified by the Computer Crime & Intellectual Property Section as visiting child pornography and other illegal content. To unlock their computer the user is instructed to pay a $100 fine to the US Department of Justice, using prepaid money card services. The geographic location of the user's IP address determines what payment services are offered. In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud. Below is a screenshot of the warning:
> http://www.ic3.gov/images/120530.png
... This is an attempt to extort money with the additional possibility of the victim’s computer being used to participate in online bank fraud. If you have received this or something similar do -not- follow payment instructions..."

Reveton removal instructions:
* https://www.f-secure.com/v-descs/trojan_w32_reveton.shtml


2012-06-19, 19:53

Fake AV malware campaign - 2012-06-19
- https://isc.sans.edu/diary.html?storyid=13501
Last Updated: 2012-06-19 10:26:16 UTC - "... 'vulnerabilityqueerprocessbrittleness . in' is currently one of 600+ domains that link to a quite prevalent "Fake Anti-virus" malware campaign. Currently, the domains associated to this scam all point to web servers hosted in the 204.152.214.x address range, but of course the threat keeps "moving around" as usual... The current set of threats involves frequently changing malware EXEs (or EXEs inside of ZIPs) with low coverage on virustotal. The download URLs usually follow the pattern of http ://bad-domain. in/16 character random hex string/setup.exe or /setup.zip .
Example: http ://fail-safetytestingcontrol. in/fc1a9d5408b7e17d/setup.exe ..."


2012-09-20, 20:09

Ransomware-as-a-Service spotted in the wild
- http://blog.webroot.com/2012/09/20/managed-ransomware-as-a-service-spotted-in-the-wild/
Sep 20, 2012 - "... recently advertised DIY (do-it-yourself) managed voucher-based Police Ransomware service exclusively targeting European users...
Sample underground forum advertisement of the managed DIY Police Ransomware service:
> https://webrootblog.files.wordpress.com/2012/09/ransomware_as_a_service_managed.png
According to the advertisement, the actual malicious executable is both x32 and x64 compatible, successfully blocking system keys and other attempts to kill the malicious application. The cybercriminals behind the managed service have already managed to localize their templates in the languages of 13 prospective European countries such as Switzerland, Greece, France, Sweden, Netherlands, Italy, Poland, Belgium, Portugal, Finland, Spain, Germany, and Austria...
Sample screenshot of the DIY managed Ransomware-as-a-service command and control interface:
> https://webrootblog.files.wordpress.com/2012/09/ransomware_as_a_service_managed_01.png
... thousands of users are being successfully infected with the ransomware variants, with the command and control service capable of displaying statistics for the affected countries, and the operating system in use by the affected parties.
Second sample screenshot of the DIY managed Ransomware-as-a-service command and control interface:
> https://webrootblog.files.wordpress.com/2012/09/ransomware_as_a_service_managed_02.png
The managed service relies primarily on the Ukash voucher-based payment system*, and the command and control interface conveniently displays the voucher codes and their monetary value, allowing the users of the service an easy way to claim the money from the vouchers..."
* http://en.wikipedia.org/wiki/Ukash

- http://atlas.arbor.net/briefs/index#-685203363
Severity: Elevated Severity
Sep 21, 2012
Ransomware, which can be quite destructive - is being sold as a service in the underground economy.
Analysis: Ransomware can sometimes be cleaned from a system, however if it is done properly by the criminals, victims of the infection will need to rely on backups to recover from having their files encrypted...

:mad: :mad:

2012-10-02, 23:31

"Scareware" Marketer FTC Case Results in $163 Million Judgment ...
- http://www.ftc.gov/opa/2012/10/winfixer.shtm
10/02/2012 - "At the Federal Trade Commission’s request, a federal court imposed a judgment of more than $163 million on the final defendant in the FTC’s case against an operation that used computer “scareware” to trick consumers into thinking their computers were infected with malicious software, and then sold them software to “fix” their non-existent problem. The court order also permanently prohibits the defendant, Kristy Ross, from selling computer security software and any other software that interferes with consumers’ computer use, and from any form of deceptive marketing.
In 2008, as part of the FTC’s efforts to protect consumers from spyware and malware, the FTC charged Ross and six other defendants with conning more than one million consumers into buying software to remove malware supposedly detected by computer scans. The FTC charged that the operation used elaborate and technologically sophisticated Internet advertisements placed with advertising networks and many popular commercial websites. These ads displayed to consumers a “system scan” that invariably detected a host of malicious or otherwise dangerous files and programs on consumers’ computers. The bogus “scans” would then urge consumers to buy the defendants’ software for $40 to $60 to clean off the malware.
The U.S. District Court for the District of Maryland subsequently ordered a halt to the massive scheme, pending litigation. Under a settlement announced in 2011, defendant Marc D’Souza and his father, Maurice D’Souza, were ordered to give up $8.2 million in ill-gotten gains. Two other defendants previously settled the charges against them; the FTC obtained default judgments against three other defendants..."
* http://www.ftc.gov/os/caselist/0723137/121002winfixeropinion.pdf


2012-11-01, 02:32

Rouge AV for Windows 8
- http://blog.trendmicro.com/trendlabs-security-intelligence/theyre-here-threats-leveraging-windows-8/
31 Oct 2012 - "... cybercriminals are grabbing this chance to distribute threats leveraging Windows 8 and raise terror among users – just in time for Halloween. We were alerted to two threats that leverage the release of this new OS. The first one is a typical FAKEAV. Detected as TROJ_FAKEAV.EHM, this malware may be encountered when users visit malicious sites...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/10/FAKEAV_scanningresult.jpg
... the malware displays a fake scanning result to intimidate users to purchase the fake antivirus program – just like your run-of-the-mill FAKEAV variant. What is different with this malware, however, is that it is packaged as a security program made for Windows 8.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/10/FAKEAV_Windows8.jpg
The other threat is a phishing email that entices users to visit a website where they can download Windows 8 for free. Instead of a free OS, they are led to a phishing site that asks for personally identifiable information (PII) like email address, password, name that can be peddled in the underground market or used for other cybercriminal activities.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/10/phishingemail_Windows8.jpg
It is typical for cybercriminals to piggyback on the highly-anticipated release of any latest technology to take their malware, spam, malicious app to new heights... To stay safe, users must keep their cool and think twice before clicking links or visiting webpages, especially those that promise the latest items or programs for free. If it’s too good to be true – it probably is..."


2012-11-18, 21:06

Win 8 not immune to Ransomware
- http://www.symantec.com/connect/blogs/windows-8-not-immune-ransomware
Updated: 13 Nov 2012 - "... Symantec ran several prevalent ransomware samples currently found in the wild in a default Windows 8 environment. While some samples ran poorly on Windows 8, it did not take long to find a ransomware variant (Trojan.Ransomlock.U*) that successfully locked a Windows 8 system, effectively holding it to ransom.
Figure. Ransomware-locked Windows 8 system
> https://www.symantec.com/connect/sites/default/files/images/imageW1-blog.jpg
The Trojan.Ransomlock.U* variant uses the geolocation of the compromised system to serve localized ransomware screens in the appropriate language. While the ransonware running on Windows 8 correctly identified our location, the cybercriminals in this case must not have realized that English is the main language spoken in Ireland (less than 15 percent of the population is actually able to read Irish language). Their ingenuity in this case has lowered the chance of the ransom attempt being successful. As more users adopt Windows 8, Symantec expects to see more malware targeting this new environment...
> http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ransomware-a-growing-menace.pdf
PDF Pg.4 - "... Fake police ransomware can be installed on a computer in a few ways but the most common to date has been through Web exploits and drive-by downloads. Drive-by download is a term used to describe how a piece of malware is installed on a user’s computer without their knowledge when that user browses to a compromised website. The download occurs in the background and is invisible to the user. In a typical drive-by download, the user browses to a website... The attacker has inserted a hidden iFrame — a special redirect — into this website. This redirection causes the user’s browser to actually connect to a second website containing an exploit pack. Exploit packs contain multiple different exploits, which, if the computer is not fully patched, causes the browser to download a file (the malware)..."
* http://www.symantec.com/security_response/writeup.jsp?docid=2012-100315-1353-99


2012-11-23, 05:56

Police Ransomware bears Fake Digital Signature
- http://blog.trendmicro.com/trendlabs-security-intelligence/police-ransomware-bears-fake-digital-signature/
Nov 22, 2012 - "... We encountered two samples bearing the same fake digital signature, which Trend Micro detects as TROJ_RANSOM.DDR... the digital signature’s name and its issuing provider are very suspicious... the fake signature’s sole purpose is likely to elude digisig checks. Users may encounter these files by visiting malicious sites or sites exploiting a Java vulnerability... Once executed, TROJ_RANSOM.DDR holds the system “captive” and prevents users from accessing it. It then displays a warning message to scare its victims into paying a fee. To intimidate users further, this warning message often spoofs law enforcement agencies like the FBI, often claiming that they caught users doing something illegal (or naughty) over the Internet. Based on our analysis, the two samples we found impersonate two different law enforcement agencies. The first sample mimics the FBI...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/11/fake_fbiwarning_ransomware.gif
... while the second one displays a warning message purportedly from the UK’s Police Central e-Crime Unit.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/11/fake_pceuwarning_ransomware.gif
First seen in Russia in 2005, ransomware has since spread to other European countries and eventually, to the United States and Canada. These variants are known to extort money by taking control of systems and taunting users to pay for a fee (or “ransom”) thru selected payment methods. The most recent wave of these variants were found capable of tracking victim’s geographic locations. This tracking enables the attackers to craft variants that impersonate the victim’s local police/law enforcement agencies while holding their entire systems captive. Software vendors include digital signatures as a way for users to verify software/program legitimacy. But cybercriminals may incorporate expired or fake digital sigs or certificates into the malware to hoodwink users into executing it. Just last October, Adobe warned users of malicious utilities carrying Adobe-issued certificates. Certain targeted attacks like the notorious FLAME was also found to use malicious file components bearing certificates issued by Microsoft..."

- https://www.net-security.org/malware_news.php?id=2331


2012-12-06, 13:43

Finnish website attack via Rogue Ad
- http://www.f-secure.com/weblog/archives/00002468.html
Dec 5, 2012 - "... every so often, something "big" will occur in such a way that Finland becomes a kind of statistical laboratory... An advertising network used by one of Finland's most popular websites, suomi24.fi, was compromised during the December time period... all of that malware traffic was pushed by a -single- ad from a third-party advertiser's network. Just one ad... What was blocked? — Rogue Antivirus. As in fake security software...
> http://www.f-secure.com/weblog/archives/Dec1_Rogue_Scan.png
These rogue programs aren't actually scanning your computer for threats, but still, they're more than happy to charge for their services. Rogues don't offer any free trials, they want payment up front... That's generally a good sign there's something amiss."

Rogue Yahoo! Messenger ...
- http://blog.trendmicro.com/trendlabs-security-intelligence/rogue-yahoo-messenger-cashes-in-on-latest-ym-update/
Dec 5, 2012 - "On the heels of Yahoo!’s recent announcement of upcoming updates for the Messenger platform*, certain bad guys are already taking this chance to release their own, malicious versions of Yahoo! Messenger... I encountered this particular file (detected by Trend Micro as TROJ_ADCLICK.TNH), which looks like a legitimate Yahoo! Messenger executable.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/12/yahoo_messenger_fake.gif
However, when I checked its file properties, I found that it is actually an AutoIt compiled file.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/12/fake_YM_property.gif
Once users download and execute this file, which is saved as C:\Program Files\Yahoo Messenger.exe, the malware checks if an Internet connection is available by pinging Google. If it returns any value not equal to 0, it proceeds to checking the user’s existing Internet browser(s). Once a browser is found, it connects to the websites http://{BLOCKED}y/2JiIW and http://http://31c3f4bd.{BLOCKED}cks.com, as seen below:
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/12/payper_click_sites_fakeym.gif
... this threat doesn’t stop there... these sites further redirect users to other webpages. Some of these pages even result to several, almost endless redirections. From the looks of it, this scheme looks like a classic click fraud. By connecting to these sites, which are pay-per-click sites, the malware generates a “visit” that translates into profit for the site owners and/or the malware author... the people behind this threat is attempting to piggyback on Yahoo!’s recent announcement to reach out to as many users are possible. Unfortunately, this social engineering tactic has been proven effective, such as in the case of fake keygen applications for Windows 8 and malicious versions of Bad Piggies. To stay safe from these threats, users must be cautious when visiting sites or downloading files from the Internet. For better protection, users should bookmark trusted sites and refrain from visiting unknown pages. Cybercriminals and other bad guys on the Internet are good at crafting their schemes to make them more appealing to ordinary users... it pays to know more about social engineering tactics and what makes them work..."
* http://www.ymessengerblog.com/blog/2012/11/30/updates-to-yahoo-messenger-features


2012-12-10, 14:11

Ransomware speaks...
- http://blog.trendmicro.com/trendlabs-security-intelligence/latest-on-police-ransomware-it-speaks/
Dec 10, 2012 - "... we received a report that a new police Trojan variant even has a “voice”. Detected as TROJ_REVETON.HM*, it locks the infected system but instead of just showing a message, it now urges users to pay verbally. The user won’t need a translator to understand what the malware is saying – it speaks the language of the country where the victim is located...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2012/12/LockNew.jpg
... ransomware has now leaped to other European countries, the United States and Canada. Because of the payment method ransomware employs, specifically electronic cash like Ukash, PaySafeCard and MoneyPak, the people behind this threat generate profit from it but with the benefit of having a faint money trail. Because of this, the gangs profiting from this malware can hide their tracks easily..."
* http://about-threats.trendmicro.com/us/malware/TROJ_REVETON.HM


2013-01-11, 14:53

Rogue v ransomware - Fear and deception
- https://blogs.technet.com/b/mmpc/archive/2013/01/09/making-the-most-of-fear-and-deception-rogue-v-ransomware.aspx?Redirected=true
9 Jan 2013 - "... Rogues are a prime example of malware that uses fear appeals to force your hand. A common scenario you might face when encountering a rogue on your computer follows:
• You see a scanning interface on your screen, pretending to scan the file system (the scanning interface may appear while browsing the Internet or could be inadvertently downloaded).
• Upon completion of the scan, a large number of infections are reportedly found on your computer.
> https://www.microsoft.com/security/portal/blog-images/roguevran/1.jpg
• A barrage of warnings related to these supposed infections are intermittently displayed to you in the form of dialog boxes and alerts popping up on your desktop or coming from your taskbar.
• Attempts to launch applications are thwarted by the rogue which blocks the applications from being launched and displays an alert, warning that the application is also infected.
• System security and firewall applications are usually targeted by the rogue as it attempts to terminate their processes, services and/or modify their registry entries, making it extremely difficult to remove the rogue from the computer.
... there is a point to all of these invasive and fear mongering tactics deployed by rogues, which is ultimately to force you to pay a fee using your credit card in order to "activate" the supposed security scanner and remove the reported infections. Rogue:Win32/Winwebsec, a rogue still in circulation and being actively updated by its creators, is an example of a rogue that contains all of these functionalities. Win32/Winwebsec, along with Win32/FakeRean, are two rogues that are still actively out in the wild, but on the whole, we have seen a steady decrease in the number of rogues in circulation in 2012.
> https://www.microsoft.com/security/portal/blog-images/roguevran/2.jpg
... numbers broken down by family for most of 2012:
> https://www.microsoft.com/security/portal/blog-images/roguevran/3.jpg
... rogues aren’t the only badware in town using fear appeals. In the last year, we’ve seen the rise of a new threat whose success also relies on persuading affected users to act on the receipt of a deceptive message in order to avoid an unpleasant consequence. This new(ish) badware goes by the unfortunate name of ransomware... You can find detailed information on ransomware here*..."
* http://www.microsoft.com/security/portal/shared/ransomware.aspx


2013-01-16, 19:30

Ransomware - fear and deception (part 2)
- https://blogs.technet.com/b/mmpc/archive/2013/01/15/making-the-most-of-fear-and-deception-rogue-v-ransomware-part-2.aspx?Redirected=true
15 Jan 2013 - "Ransomware’s approach is aggressive. It uses fear to motivate an affected user to pay a fee (usually not with a credit card but using another payment system – Green Dot Moneypak, Ukash, and others). It generally uses only one deceptive message and is quite specific: you receive a message, supposedly from the police or some other law-enforcement agency accusing you of committing some form of crime. Commonly, these messages accuse the receiver of crimes associated with copyright violations (for example, downloading pirated software or other digital intellectual property) and/or the possession of illicit pornographic material. And if this threat isn’t enough, it backs the message up by rendering the system unusable, presumably until the fine is paid...
> https://www.microsoft.com/security/portal/blog-images/roguevran/4.jpg
... they are on the increase.
> https://www.microsoft.com/security/portal/blog-images/roguevran/5.jpg
We’ve also seen an increasing number of different types of malware that use this tactic. What started as a fairly small number of families has blossomed during 2012 into an increasingly diverse group (although I will mention that this data has been affected by our increasing focus on this type of malware and our ability to identify them correctly). Reveton and Weelsof, for example, are families that have caused considerable pain to the user.
> https://www.microsoft.com/security/portal/blog-images/roguevran/6.jpg
... while rogues still account for a lion’s share of total malware in comparison to ransomware, rogues are trending down while ransomware is on the up:
> https://www.microsoft.com/security/portal/blog-images/roguevran/7.jpg
... some more recent rogues have started using similar tactics to ransomware. One FakeRean variant that calls itself Privacy Protection displays fake scan results that imply child pornography has been found on the affected computer.
> https://www.microsoft.com/security/portal/blog-images/roguevran/8.jpg
... Legitimate security companies won’t try to scare you into using their scanners and law enforcement agencies aren’t going to pop up a message and scare you into paying a fine. If a message tries to frighten you, think very carefully about what it’s asking you to do, and more importantly, if it’s an unreasonable request (such as sending money), don’t do it."

:mad: :fear:

2013-02-13, 22:56

Police arrest Ransomware cybercriminals
- http://blog.trendmicro.com/trendlabs-security-intelligence/key-figure-in-police-ransomware-activity-nabbed-2/
Feb 13, 2013 - "... Trend Micro threat researchers have been studying this scam throughout 2012 and have collaborated very closely with law enforcement authorities in several European countries, especially in Spain. Today, we are very happy to report that the Spanish Police has put the information to good use, and they have just announced in a press conference the arrest of one of the head members of the cybercriminal gang that produces the Ransomware strain known as REVETON. The apparent arrest of this cybercriminal of Russian origin occured in Dubai, United Arab Emirates. The law enforcement authorities are working to extradite him to Spain for prosecution. Along with his arrest, the operation included the arrests of 10 other individuals tied to the money laundering component of the gang’s operations, which managed the monetization of the PaySafeCard/UKash vouchers received as payment in the scam. The gang apparently had a branch in Spain that exchanged these vouchers and converted them into actual money, which would then be transferred to the leaders of the gang in Russia..."

- http://news.yahoo.com/spain-busts-ransomware-cybercrime-gang-201859529.html
Feb 13, 2013 - "... The gang, operating from the Mediterranean resort cities of Benalmadena and Torremolinos, made at least €1 million ($1.35 million) annually... The 27-year-old Russian alleged to be the gang's founder and virus developer was detained in the United Arab Emirates at the request of Spanish police while on vacation and an extradition petition is pending, Martinez said. Six more Russians, two Ukrainians and two Georgians were arrested in Spain last week... Money was also stolen from the victims' accounts via ATMs in Spain, and the gang made daily international money transfers through currency exchanges and call centers to send the funds stolen to Russia. Spanish authorities identified more than 1,200 victims but said the actual number could be much higher. The government's Office of Internet Security received 784,000 visits for advice on how to get rid of the virus. Those arrested face charges of money laundering, participation in a criminal operation and fraud."

- http://h-online.com/-1803788
14 Feb 2013

:fear: ;)

2013-03-22, 15:58

DHS-themed Ransomware in the wild
- https://www.us-cert.gov/ncas/current-activity/2013/03/21/Recent-Reports-DHS-themed-Ransomware
Last revised: March 22, 2013 - "US-CERT has received reports of apparently DHS-themed ransomware occurring in the wild. Users who are being targeted by the ransomware receive an email message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. The ransomware -falsely- claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division. Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware... US-CERT and DHS encourage users and administrators to use caution when encountering these types of email messages..."

Screenshot: http://news.softpedia.com/newsImage/US-CERT-Warns-About-DHS-Themed-Ransomware-2.jpg/
March 21, 2013

- http://www.reuters.com/article/2013/03/21/net-us-cybersecurity-usa-dhs-idUSBRE92K0Z920130321
Mar 21, 2013


2013-04-03, 16:50

Ransomware leverages victims' browser histories for increased credibility
- https://www.computerworld.com/s/article/9238040/Ransomware_leverages_victims_39_browser_histories_for_increased_credibility
April 1, 2013 - "... A new ransomware variant that employs this trick was spotted over the weekend by an independent malware analyst known online as Kafeine. Dubbed Kovter, this version stands out because it uses information gathered from the victim's browser history in order to make the scam message more credible, Kafeine said Friday in a blog post*. Kovter displays a fake warning allegedly from the U.S. Department of Justice, the U.S. Department of Homeland Security and the FBI, that claims the victim's computer was used to download and distribute illegal content. The message also lists the computer's IP address, its host name and a website from which the illegal material was allegedly downloaded. The malware checks if any of the sites already present in the computer's browser history is present in a remote list of porn sites whose content is not necessarily illegal, and if there's a match, it displays it in the message. By using this technique and naming a site that the victim has actually visited as the source for the alleged illegal content, the ransomware authors attempt to increase the credibility of their message. If no match is found when checking the browser history against the remote list, the malware will just use a random porn site in the message... The authors of police-themed ransomware are constantly trying to improve their success rate and this is just the latest in a long series of tricks they have added. Some variants are actually using the computer's webcam, if one is present, to take a picture of the user and include it in the message in order to give the impression that the authorities are recording the user. Another variant gives victims a deadline of 48 hours to pay the made-up fine before their computer drive is reformatted and their data is destroyed. The average number of daily infection attempts with police-themed ransomware has doubled during the first months of 2013..."
*Screenshot: https://d1piko3ylsjhpd.cloudfront.net/uploads/roboto/image/shared_content_image/1163/large_ransomware_kovter_01.png


2013-05-18, 14:07

Ransomware - Reveton.B...
- https://www.net-security.org/malware_news.php?id=2497
May 17, 2013 - "... Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing rounds. It is being delivered on the victims' computer via the Blackhole exploit kit, and on the surface acts like it always did: locks the computer screen and demands money to unlock it:
> https://www.net-security.org/images/articles/reveton-17052013.jpg
... in the background, the malware downloads a password-stealer component from its C&C server and runs it. "PWS:Win32/Reveton.B can steal passwords for a comprehensive selection of file downloaders, remote control applications, FTP, poker, chat and e-mail clients, as well as passwords stored by browsers and in protected storage," say* the researchers. "However, as it can load almost any DLL served by the C&C on the fly, this might change." Keeping your OS and software updates should minimize the possibility of being faced with malware, they say, but in case you do get hit by a Reveton infection, it's a good idea to change all your passwords once you remove the malware from the computer."
* http://blogs.technet.com/b/mmpc/archive/2013/05/16/no-paysafecard-needed-your-passwords-will-pay-off.aspx

:sad: :fear:

2013-06-27, 18:14

Top 5 Fake Security Rogues of 2013
- http://blog.webroot.com/2013/06/27/top-5-fake-security-rogues-of-2013/
June 27, 2013 - "We see users on the internet getting infected with Rogue Security Malware all the time. In fact, it’s one of the most common and obvious type of infections we see. The Rogues lock-down your computer and prevent you from opening any applications so you’re forced to read their scam. Although they use various tactics and convincing GUIs to get onto your computer, they all share a common goal: To get your money.
Here are the top 5 rogues reported this year (Screenshots):
System Care Antivirus: https://webrootblog.files.wordpress.com/2013/06/system-care-antivirus.jpg?w=750
Internet Security: https://webrootblog.files.wordpress.com/2013/06/internet-security.png?w=736
Disk Antivirus Professional: https://webrootblog.files.wordpress.com/2013/06/diskantivirus.png?w=752
System Doctor 2014: https://webrootblog.files.wordpress.com/2013/06/system-doctor-2014.jpg?w=801
AVASoft professional antivirus: https://webrootblog.files.wordpress.com/2013/06/avasoft-professional-antivirus.jpg?w=796
... The most common install from fake Adobe update installers and malicious URLs linked from pictures that look like this:
1) https://webrootblog.files.wordpress.com/2013/06/rogue-alert-2.jpg?w=296&h=145
2) https://webrootblog.files.wordpress.com/2013/06/rogue-alert-1.jpg?w=560&h=145
Once you click on images like this in the wild and receive the payload from the malicious URLs, you’ll have effectively given permission and installed the Rogue onto your computer.
> https://webrootblog.files.wordpress.com/2013/06/rogue-pay-center.jpg?w=869
Don’t give them your credit card information.
... New variants of these rogues come out constantly so there are millions of unique signatures being dropped on computers everyday..."

- https://blogs.technet.com/b/mmpc/archive/2013/06/27/another-year-another-rogue-not-what-the-doctor-ordered.aspx?Redirected=true
27 Jun 2013

:mad: :mad:

2013-07-17, 16:25

Ransomware targets Apple Mac OS X users
- http://blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/
July 15, 2013 - "... Cyber-criminals, well known for not re-inventing the wheel, have ‘ported’ the latest ransomware to OS X, not by using some complicated exploit but rather leveraging the browser and its ‘restore from crash’ feature.
Screenshot: http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/07/ransomware1.png
The ransomware page is being pushed onto unsuspecting users browsing regular sites but in particular when searching for popular keywords. Warnings appearing to be from the FBI tell the victim: “you have been viewing or distributing prohibited Pornographic content.. To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $300.” A quick look at the address bar shows an interesting URL: fbi.gov.id657546456-3999456674.k8381 . com, the bad guys are clearly trying to fool users. If you choose to ignore the message (which you should), you cannot get rid of the page:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/07/lock1.png
If you “force quit” the application, the same ransomware page will come back the next time to restart Safari because of the “restore from crash” feature which loads backs the last URL visited before the browser was quit unexpectedly. Talk about a vicious circle... There -is- a way to get rid of it (without clicking on the prompt 150 times) and more importantly without paying the $300 ransom. Click on the Safari menu and then choose “Reset Safari”:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/07/reset.png
Make sure all items are marked and hit the Reset button:
> http://cdn.blog.malwarebytes.org/wp-content/uploads/2013/07/reset2.png
You can bet many people are going to fall for this scam and pay the ransom money, filling the bad guys’ pockets. Whenever alarming messages are displayed, it is important to take the time to review them, call a friend or talk to someone about it. The bad guys know how to use social engineering to entice victims as, for example, I was lead to this locked page by doing a search for Taylor Swift on Bing images. The victim will feel they may have actually being doing something wrong and got caught and ashamed, will pay the “fine.” This scam is unfortunately all too efficient and is not going away anytime soon. Watch this tutorial* on how to get rid of the FBI ransomware for OS X..."
* http://www.youtube.com/watch?v=Ip6tvti4UjU

- https://www.ic3.gov/media/2013/130718-2.aspx
July 18, 2013


2013-07-30, 20:15

DHS-themed ransomware - in the wild...
- https://www.us-cert.gov/ncas/current-activity/2013/07/30/Recent-Reports-DHS-Themed-Ransomware-UPDATE
July 30, 2013 - "US-CERT has received reports of increased activity concerning an apparently DHS-themed ransomware malware infection occurring in the wild. Users who are being targeted by the ransomware receive a message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. One iteration of this malware also takes a webcam (if available) photo or video of a recipient and posts it in a pop-up to add to the appearance of legitimacy. The ransomware -falsely- claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division. Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware..."


2013-08-22, 19:36

Chinese Ransomlock malware changes Windows Login Credentials
- http://www.symantec.com/connect/blogs/chinese-ransomlock-malware-changes-windows-login-credentials
21 Aug 2013 - "... new type of ransomlock malware that not only originates from China but also uses a new ransom technique to force users into paying to have their computers unlocked. This threat is written in Easy Programming Language and is spread mostly through a popular Chinese instant messaging provider. Once a computer is compromised, the threat changes the login credentials of the current user and restarts the system using the newly created credentials. The login password is changed to “tan123456789” (this was hardcoded in the sample we acquired) but the malware author may update the threat and change the password. The account name is changed to “contact if you want to know the password” (English translation) so that once the computer has restarted, and the user is unable to log in, they will see the account name/message and contact the user ID in order to get the new password.
[i]Login screen with changed account name after system restart
> https://www.symantec.com/connect/sites/default/files/users/user-2598031/Figure1_Edit.png
If the victim contacts the provided user ID, who is more than likely the malware author, they will see a statement on the profile page asking for approximately 20 Chinese Yuan (US$3.25). The statement says that the login password will be sent as soon as the money is received and that if the malware author is pestered by the user they will be blocked. Symantec detects this threat as Trojan.Ransomlock.AF. For users already infected with this threat, there are several ways to restore system access:
1. Use password “tan123456789” to log into the system and reset the password (as mentioned before, this might -not- always work as the password may be changed by the malware author)
2. Use another administrator account to log into the system and reset the password
3. If your current account is not a super administrator account, enter safe mode and log in as super administrator and then reset the password
4. Use Windows recovery disk to reset the password."

Spear-Phishing E-mail with Missing Children Theme
- https://www.us-cert.gov/ncas/current-activity/2013/08/22/Spear-Phishing-E-mail-Missing-Children-Theme
August 22, 2013 - "The FBI is aware of a spear-phishing e-mail appearing as if it were sent from the National Center for Missing and Exploited Children. The subject of the e-mail is "Search for Missing Children," and a zip file containing 3 malicious files is attached. E-mail recipients should always treat links and attachments in unsolicited or unexpected e-mail with caution."


2013-10-17, 20:31

Cryptolocker ransomware
- http://arstechnica.com/security/2013/10/youre-infected-if-you-want-to-see-your-data-again-pay-us-300-in-bitcoins/
Oct 17 2013 - "Malware that takes computers hostage until users pay a ransom is getting meaner, and thanks to the growing prevalence of Bitcoin and other digital payment systems, it's easier than ever for online crooks to capitalize on these "ransomware" schemes. If this wasn't already abundantly clear, consider the experience of Nic, an Ars reader who fixes PCs for a living and recently helped a client repair the damage inflicted by a particularly nasty title known as CryptoLocker. It started when an end user in the client's accounting department received an e-mail purporting to come from Intuit. Yes, the attached archived zip file with an executable inside should have been a dead giveaway that this message was malicious and was in no way affiliated with Intuit. But accounting employees are used to receiving e-mails from financial companies. When the receiver clicked on it, he saw a white box flash briefly on his screen but didn't notice anything else out of the ordinary. He then locked his computer and attended several meetings. Within a few hours, the company's IT department received word of a corrupt file stored on a network drive that was available to multiple employees, including the one who received the malicious e-mail. A quick investigation soon uncovered other corrupted files, most or all of which had been accessed by the accounting employee. By the time CryptoLocker had run its course, hundreds of gigabytes worth of company data was no longer available..."
> http://cdn.arstechnica.net/wp-content/uploads/2013/10/ScreenShot1-640x498.jpg

Cryptolocker Prevention Kit
- http://www.thirdtier.net/2013/10/cryptolocker-prevention-kit/
Oct 14, 2013 - "The SMBKitchen Crew and Third Tier staff have put together a group materials that were published as part of our SMBKitchen Project and only available to subscribers. However because this virus is spreading so rapidly and is so serious we’ve decided to make these materials available to everyone. The kit includes an article on cleaning up after infection but more importantly provides materials and instruction for deploying preventative block using software restriction policies. The articles provide instruction for installing them via GPO on domain computers and terminal servers, and non-domain joined machines too. We have also provide GPO settings that you can important into your environment. We’ve zipped it up into a single file. Download it now*"
* http://www.thirdtier.net/downloads/CryptolockerPreventionKit.zip

- http://atlas.arbor.net/briefs/index#1331587000
High Severity
21 Oct 2013
The CryptoLocker ransomware has been popular lately. Several serious outbreaks have taken place and this threat is harder to recover from unless proactive measures have been taken.
Source: http://nakedsecurity.sophos.com/2013/10/18/cryptolocker-ransomware-see-how-it-works-learn-about-prevention-cleanup-and-recovery/

- http://windowssecrets.com/top-story/cryptolocker-a-particularly-pernicious-virus/
Oct 23, 2013

- https://isc.sans.edu/diary.html?storyid=16871
Last Updated: 2013-10-22 14:09:38 UTC

CryptoLocker: Its Spam and ZeuS/ZBOT Connection
- http://blog.trendmicro.com/trendlabs-security-intelligence/cryptolocker-its-spam-and-zeuszbot-connection/
Oct 21, 2013 - "... the CryptoLocker malware that not only blocks accessing to the system, but also forces users to buy a $300 decrypting tool by locking or encrypting specific files in the system. Recently, we were alerted to a spam campaign that we determined to be responsible for CryptoLocker infections. The spammed messages contain malicious attachments belonging to TROJ_UPATRE, a malware family characterized by its having small file size and a simple downloading function. Using feedback provided by the Trend Micro Smart Protection Network, we searched for information linking CryptoLocker ransomware to this downloader and came across with a sample email containing a malicious attachment (detected as TROJ_UPATRE.VNA):
(Screenshot of spam with malicious attachment)
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/spam-sample-cryptolocker.jpg
Once this attached file is executed, it connects to a URL to download another file, which is saved as cjkienn.exe (detected as TSPY_ZBOT.VNA). This malware then downloads the actual CryptoLocker malware (detected as TROJ_CRILOCK.NS).
(CryptoLocker infection chain)
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/blog_cryptlock_edited.jpg
This threat is particularly troublesome for several reasons. First, ZeuS/ZBOT variants are known to steal information related to online banking credentials. The attackers can use the stolen information to start unauthorized banking transactions. Furthermore, because of the CryptoLocker malware, users will be unable to access their personal or important documents... Although the ransom note only in CryptoLocker specifies “RSA-2048” as the encryption used, our analysis shows that the malware uses AES + RSA encryption. RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt the data. (One key is made available to any outside party and is called the public key; the other key is kept by the user and is called the private key.) AES uses symmetric keys (i.e., the same key is used to encrypt and decrypt information). The malware uses an AES key to encrypt files. The AES key for decryption is written in the files encrypted by the malware. However, this key is encrypted with an RSA public key embedded in the malware, which means that a private key is needed to decrypt it. Unfortunately, the said private key is not available. For information on which files are encrypted, users can check their system’s autostart registry.
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/10/registry-editor-cryptolocker.jpg
... It is also important for users to be cautious when opening any attachments from email messages coming from unknown sources. Email reputation service also blocks the spam related to this threat."

CryptoPrevent Tool:
- http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information#cryptoprevent
Oct 20, 2013


2013-10-29, 13:25

GWload - Mass Injection making its rounds ...
- http://community.websense.com/blogs/securitylabs/archive/2013/10/29/gwload-new-mass-injection-making-its-rounds.aspx
29 Oct 2013 - "... a new mass injection campaign is making its rounds, compromising and injecting content into tens of thousands of legitimate websites... Our telemetry shows that, to date, at least 40,000 compromised pages have occurred on the Web, redirecting and tricking users to install rogue software. We see parallels of the injected websites with websites that were affected by the "cookiebomb" mass injection, which was mostly associated with delivering "ransomware" payloads...
Number of injected web pages spotted in the last 7 days:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/7343.I_0C20_njected_5F00_Webpages_5F00_Last_5F00_7_5F00_days.jpg
Users who browse to a compromised injected website are immediately redirected 'drive-by' style to a second compromised website that (a) effectively blocks all content of the legitimate website and (b ) shows them this notification: "VLC player is required for this website, click DOWNLOAD NOW". VLC media player is a legitimate open source media player (the official page is located here*). However, VLC player is also known to be abused and bundled with some non-legitimate software, and this is the case with -all- the "VLC media player" installations that take part in this mass injection campaign... The lure - how content is 'locked' with conditional access; this is what the user sees when browsing to an injected website:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/6175.Splashscreen.jpg
... If a user is convinced that it is necessary to download and run the file to access the website's content, then unexpected, -rogue- installations of software will commence on the user's machine... Looks like "VLC Player" Installation, but the small print allows for some extras:
> http://community.websense.com/cfs-filesystemfile.ashx/__key/CommunityServer.Blogs.Components.WeblogFiles/securitylabs/0121.vlc_5F00_splashcreen.jpg
... We noticed that this mass injection uses a social engineering trick that locks legitimate websites' content to lure potential victims to install applications that participate in Cost Per Action (CPA) advertising schemes. This change in tactics that occurred in the past two weeks coincides with the arrest of the Blackhole Exploit Kit author 'Paunch,' which could suggest that actors adapt to change rapidly to keep their attack going. It was also apparent that certain scripts used by actors to serve social engineering-based attack vectors are interchangeable across different attack platforms; we witnessed with 'GWload' that code that mostly was used in social engineering-based attacks on -Facebook- has now migrated and is used with mass injections..."
* http://www.videolan.org/

:mad: :fear::fear:

2013-11-05, 13:37

CryptoLocker - demands $2,000 for overdue ransom
- http://blog.malwarebytes.org/cyber-crime/2013/11/cryptolocker-ups-the-ante-demands-2000-for-overdue-ransom/
Nov 4, 2013 - "The criminals behind the infamous CryptoLocker ransomware that encrypts all your personal files are now offering a late payment option, albeit at a higher cost... news was first reported on the Bleeping Computer forums early last Saturday*... exercise -extreme- caution before opening email attachments (one of the main infection vectors), keep your PC up-to-date, and make sure you have antivirus and anti-malware protection with real-time detection installed. Also, backing up your important data can be a life-saver..."
* http://www.bleepingcomputer.com/forums/t/512668/cryptolocker-developers-charge-10-bitcoins-to-use-new-decryption-service/

Cryptolocker: Time to Backup
- http://www.threattracksecurity.com/it-blog/cryptolocker-time-backup/
Nov 5, 2013 - "... nasty piece of Malware which takes great delight in encrypting files on an infected PC, rendering them all but unreachable unless the victim is willing to pay the Malware authors..."

Also see: http://forums.spybot.info/showthread.php?24525-Rogue-AV-AS-prolific&p=446009&viewfull=1#post446009

:mad::mad: :fear:

2013-11-14, 14:36

CryptoLocker Emergence connected to Blackhole Exploit Kit Arrest
- http://blog.trendmicro.com/trendlabs-security-intelligence/cryptolocker-emergence-connected-to-blackhole-exploit-kit-arrest/
Nov 8, 2013 - "... We’ve found that the Cutwail botnet responsible for the major Blackhole Exploit Kit spam runs started sending out runs carrying UPATRE (which ultimately leads to CryptoLocker) right around October, the same month of Paunch’s arrest. In fact, we have monitored multiple IPs involved in the transition – sending Blackhole Exploit Kit spam shortly before the arrest and sending CryptoLocker spam after the arrest. The Cutwail-UPATRE-ZEUS-CRILOCK infection chain we spotted on October 21 may be the most common infection chain used to spread CryptoLocker. The Cutwail botnet has the capability to send very high numbers of spam messages, which explains the high incidence of this recent spin in ransomware... We reiterate that users should absolutely -not- open attachments that they were not expecting to receive. This will help minimize the exposure of users to this threat."

- http://blog.trendmicro.com/trendlabs-security-intelligence/unusual-bhek-like-spam-with-attachment-found/
Nov 13. 2013 - "... we came across rather unusual spam samples...
> http://blog.trendmicro.com/trendlabs-security-intelligence/files/2013/11/upatre.png
These particular messages contain both a link to a malicious site, as well as a malicious attachment. Having a spam message that contains both kinds of threats is not common – generally, spam will have one or the other. The URLs linked to by these messages are generally compromised sites, which point to Javascript files in a similar manner to that used by the Blackhole Exploit Kit. We cannot confirm whether these Javascript files resulted in redirects to landing sites that would lead to exploit kits, but the added content to the compromised sites we have seen is almost identical to that used by Blackhole campaigns. The malicious attachment is another UPATRE variant, TROJ_UPATRE.SMB. This downloader installs a ZBOT variant onto the affected system. We had earlier identified that the Cutwail botnet had been sending out spam messages with UPATRE downloaders as attachments, and that is also the case here. Long term, it’s unclear what this indicates. It may mean that attackers are turning to another exploit kit to replace BHEK as a long-term solution, but we cannot say for sure..."

- http://www.nationalcrimeagency.gov.uk/news/256-alert-mass-spamming-event-targeting-uk-computer-users
Nov 15, 203 - "The NCA's National Cyber Crime Unit are aware of a mass email spamming event that is ongoing, where people are receiving emails that appear to be from banks and other financial institutions. The emails may be sent out to tens of millions... appear to be targeting small and medium businesses in particular.... The emails carry an -attachment- that appears to be correspondence linked to the email message (for example, a voicemail, fax, details of a suspicious transaction or invoices for payment). This file is in fact a -malware- that can install Cryptolocker – which is a piece of ransomware..."


2013-12-26, 16:06

New CryptoLocker -variant- spreads via removable drives
- http://blog.trendmicro.com/trendlabs-security-intelligence/new-cryptolocker-spreads-via-removable-drives/
Dec 25, 2013 - "... a CryptoLocker -variant- that had one notable feature — it has propagation routines. Analysis of the malware, detected as WORM_CRILOCK.A, shows that this malware can spread via removable drives. This update is considered significant because this routine was unheard of in other CRILOCK variants. The addition of propagation routines means that the malware can easily spread, unlike other known CRILOCK variants. Aside from its propagation technique, the new malware bears numerous differences from known CryptoLocker variants. Rather than relying on a downloader malware — often UPATRE — to infect systems, this malware pretends to be an activator for various software such as Adobe Photoshop and Microsoft Office in peer-to-peer (P2P) file sharing sites. Uploading the malware in P2P sites allows bad guys to easily infect systems -without- the need to create (and send) spammed messages. Further analysis of WORM_CRILOCK reveals that it has a stark difference compared to previous variants. The malware has foregone domain generation algorithm (DGA). Instead, its command-and-control (C&C) servers are hardcoded into the malware. Hardcoding the URLs makes it easier to detect and block the related malicious URLs. DGA, on the other hand, may allow cybercriminals to evade detection as it uses a large number of potential domains. This could mean that the malware is still in the process of being refined and improved upon. Thus, we can expect latter variants to have the DGA capability. The differences between this particular CRILOCK variant and the others have led some researchers to believe that this malware is the product of a copycat. Regardless of its creator, WORM_CRILOCK.A shows that this could become the new favored attack method of cybercriminals. Users should -avoid- using P2P sites to get copies of software. They should always download software from official and/or reputable sites. Given WORM_CRILOCK’s ability to spread via removable drives, users should also exercise caution when using flash drives and the like. Users should -never- connect their drives into unfamiliar or unknown machines..."

- http://www.welivesecurity.com/2013/12/19/cryptolocker-2-0-new-version-or-copycat/
19 Dec 2013

- http://www.secureworks.com/cyber-threat-intelligence/threats/cryptolocker-ransomware/
18 Dec 2013

:mad: :mad:

2013-12-30, 18:01

Tracking CryptoLocker ...
- http://garwarner.blogspot.com/2013/12/tracking-cryptolocker-with-malcovery-iid.html
Dec 29, 2013 - "... some IP addresses that Malcovery* thinks you should -block- immediately because they are linked to CryptoLocker...,,,,,,,,, ..."
(More detail at the URL above.)
* http://www.malcovery.com/

- https://www.virustotal.com/en/ip-address/

- https://www.virustotal.com/en/ip-address/

- https://www.virustotal.com/en/ip-address/

- https://www.virustotal.com/en/ip-address/

- https://www.virustotal.com/en/ip-address/

- https://www.virustotal.com/en/ip-address/

- https://www.virustotal.com/en/ip-address/

- https://www.virustotal.com/en/ip-address/

- https://www.virustotal.com/en/ip-address/

:fear: :mad:

2014-02-01, 13:08

DailyMotion infected - serving Fake AV Malware
- http://threatpost.com/dailymotion-still-infected-serving-fake-av-malware/104003
Jan 31, 2014 - "More than three weeks after notifying video-sharing site DailyMotion that it was compromised, security company Invincea reports the popular website is -still- infected. A spokesperson told Threatpost that Invincea’s original notification was not acknowledged and the company suspects this is a continuation of the same attack and the site was never cleaned up. Invincea said it has again notified DailyMotion, which is the 96th most popular destination on the Internet according to Alexa. The site allows users to upload and share videos. The attack was originally reported Jan. 7* when malicious ads were discovered on the site. Those ads were -redirecting- visitors to a fake AV scam. Invincea said today** that the same threat is happening on the site... a visitor is presented with a dialog box warning the user that “Microsoft Antivirus” found a problem on the victim’s computer and that it needs to be cleaned. A list of potential problems is shown next and the user is enticed to run an executable pretending to be security software... With fake AV scams, victims are tricked into installing what they think is security software but is instead malware. They’re then informed they must purchase a subscription of some kind in order to clean the computer of the infection..."
* http://www.invincea.com/2014/01/dailymotion-com-redirects-to-fake-av-threat/
Jan 7, 2014

** http://www.invincea.com/2014/01/k-i-a-dailymotion-part-2-fakeav-threat/
Jan 31, 2014

FakeAV Threat ...
- https://www.youtube.com/watch?v=7xKmAsSzJv0#t=38
Jan 31, 2014 Video 1:26
- https://www.virustotal.com/en/ip-address/

- https://net-security.org/malware_news.php?id=2697
Feb 3, 2014 - "... Not only do the victims get saddled with malware, but they are likely to pay for the "full version" of the fake AV (some $100) and have their credit card details stolen in the process... the malware served in this attack is still detected only by a handful of commercial AV solutions, so avoiding DailyMotion's website is a good idea for now."

:fear::fear: :mad:

2014-11-01, 03:38

Rogue AV still finds a niche...
- http://www.threattracksecurity.com/it-blog/crypto-world-rogue-av-still-finds-niche/
Oct 31, 2014 - "... recently observed the Asprox botnet distributing malicious spam – like the image below of a purported WhatsApp voicemail notification – with attachments infected with Kuluoz, a downloader for Asprox, that is used to drop affiliate payloads onto PCs.
WhatsApp spam delivers Kuluoz downloader dropping Rango Rogue AV:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2014/10/WhatsApp-Spam.jpg
Kuluoz dropping Rango - rogue AV from the Fakerean family of rogues:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2014/10/Rango1.png
Once infected with Rango – which can dynamically change its name depending on the OS environment in which it is installed – it will begin alerting users that their machine is infected with malware and directing them to purchase Rango.
Rango generates dire warnings designed to scare users into purchasing false protection:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2014/10/Rango3.png
Victims who make it this far - hand over their credit card information...:
> http://www.threattracksecurity.com/it-blog/wp-content/uploads/2014/10/Rango4.png
Rango even goes as far as to create a fake Windows Action Screen to help persuade users into accepting it as a recognized and trusted antivirus program... Rango also stops users from running applications, falsely claiming they are malicious... users who mistakenly -pay- the ransom for Fakerean rogues typically download an .exe file which removes any fake files and stops blocking access to applications. Subsequent “scans” with the rogue typically will not show any future false detections. A ThreatAnalyzer dynamic malware analysis report of Rango is available here*."
* http://www.threattracksecurity.com/it-blog/wp-content/uploads/2014/10/analysis-fakerean.pdf

:fear::fear: :mad: