
Thread: Rogue AV/AS prolific

  1. #31 AplusWebMaster (Adviser Team; joined Oct 2005; USA; 6,881 posts)

    CryptoLocker - demands $2,000 for overdue ransom

    FYI...

    CryptoLocker - demands $2,000 for overdue ransom
    - http://blog.malwarebytes.org/cyber-c...verdue-ransom/
    Nov 4, 2013 - "The criminals behind the infamous CryptoLocker ransomware that encrypts all your personal files are now offering a late payment option, albeit at a higher cost... news was first reported on the Bleeping Computer forums early last Saturday*... exercise -extreme- caution before opening email attachments (one of the main infection vectors), keep your PC up-to-date, and make sure you have antivirus and anti-malware protection with real-time detection installed. Also, backing up your important data can be a life-saver..."
    * http://www.bleepingcomputer.com/foru...ption-service/

    Cryptolocker: Time to Backup
    - http://www.threattracksecurity.com/i...r-time-backup/
    Nov 5, 2013 - "... nasty piece of Malware which takes great delight in encrypting files on an infected PC, rendering them all but unreachable unless the victim is willing to pay the Malware authors..."

    Also see: http://forums.spybot.info/showthread...l=1#post446009

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #32 AplusWebMaster

    CryptoLocker Emergence connected to Blackhole Exploit Kit Arrest

    FYI...

    CryptoLocker Emergence connected to Blackhole Exploit Kit Arrest
    - http://blog.trendmicro.com/trendlabs...it-kit-arrest/
    Nov 8, 2013 - "... We’ve found that the Cutwail botnet responsible for the major Blackhole Exploit Kit spam runs started sending out runs carrying UPATRE (which ultimately leads to CryptoLocker) right around October, the same month of Paunch’s arrest. In fact, we have monitored multiple IPs involved in the transition – sending Blackhole Exploit Kit spam shortly before the arrest and sending CryptoLocker spam after the arrest. The Cutwail-UPATRE-ZEUS-CRILOCK infection chain we spotted on October 21 may be the most common infection chain used to spread CryptoLocker. The Cutwail botnet has the capability to send very high numbers of spam messages, which explains the high incidence of this recent spin in ransomware... We reiterate that users should absolutely -not- open attachments that they were not expecting to receive. This will help minimize the exposure of users to this threat."

    - http://blog.trendmicro.com/trendlabs...achment-found/
    Nov 13, 2013 - "... we came across rather unusual spam samples...
    > http://blog.trendmicro.com/trendlabs.../11/upatre.png
    These particular messages contain both a link to a malicious site, as well as a malicious attachment. Having a spam message that contains both kinds of threats is not common – generally, spam will have one or the other. The URLs linked to by these messages are generally compromised sites, which point to Javascript files in a similar manner to that used by the Blackhole Exploit Kit. We cannot confirm whether these Javascript files resulted in redirects to landing sites that would lead to exploit kits, but the added content to the compromised sites we have seen is almost identical to that used by Blackhole campaigns. The malicious attachment is another UPATRE variant, TROJ_UPATRE.SMB. This downloader installs a ZBOT variant onto the affected system. We had earlier identified that the Cutwail botnet had been sending out spam messages with UPATRE downloaders as attachments, and that is also the case here. Long term, it’s unclear what this indicates. It may mean that attackers are turning to another exploit kit to replace BHEK as a long-term solution, but we cannot say for sure..."
    ___

    - http://www.nationalcrimeagency.gov.u...computer-users
    Nov 15, 2013 - "The NCA's National Cyber Crime Unit are aware of a mass email spamming event that is ongoing, where people are receiving emails that appear to be from banks and other financial institutions. The emails may be sent out to tens of millions... appear to be targeting small and medium businesses in particular.... The emails carry an -attachment- that appears to be correspondence linked to the email message (for example, a voicemail, fax, details of a suspicious transaction or invoices for payment). This file is in fact a -malware- that can install Cryptolocker – which is a piece of ransomware..."

    Last edited by AplusWebMaster; 2013-11-16 at 22:07.

  3. #33 AplusWebMaster

    CryptoLocker -variant- spreads via removable drives

    FYI...

    New CryptoLocker -variant- spreads via removable drives
    - http://blog.trendmicro.com/trendlabs...ovable-drives/
    Dec 25, 2013 - "... a CryptoLocker -variant- that had one notable feature — it has propagation routines. Analysis of the malware, detected as WORM_CRILOCK.A, shows that this malware can spread via removable drives. This update is considered significant because this routine was unheard of in other CRILOCK variants. The addition of propagation routines means that the malware can easily spread, unlike other known CRILOCK variants. Aside from its propagation technique, the new malware bears numerous differences from known CryptoLocker variants. Rather than relying on a downloader malware — often UPATRE — to infect systems, this malware pretends to be an activator for various software such as Adobe Photoshop and Microsoft Office in peer-to-peer (P2P) file sharing sites. Uploading the malware in P2P sites allows bad guys to easily infect systems -without- the need to create (and send) spammed messages. Further analysis of WORM_CRILOCK reveals that it has a stark difference compared to previous variants. The malware has foregone domain generation algorithm (DGA). Instead, its command-and-control (C&C) servers are hardcoded into the malware. Hardcoding the URLs makes it easier to detect and block the related malicious URLs. DGA, on the other hand, may allow cybercriminals to evade detection as it uses a large number of potential domains. This could mean that the malware is still in the process of being refined and improved upon. Thus, we can expect latter variants to have the DGA capability. The differences between this particular CRILOCK variant and the others have led some researchers to believe that this malware is the product of a copycat. Regardless of its creator, WORM_CRILOCK.A shows that this could become the new favored attack method of cybercriminals. Users should -avoid- using P2P sites to get copies of software. They should always download software from official and/or reputable sites. Given WORM_CRILOCK’s ability to spread via removable drives, users should also exercise caution when using flash drives and the like. Users should -never- connect their drives into unfamiliar or unknown machines..."

    - http://www.welivesecurity.com/2013/1...on-or-copycat/
    19 Dec 2013
    ___

    - http://www.secureworks.com/cyber-thr...er-ransomware/
    18 Dec 2013

    Last edited by AplusWebMaster; 2013-12-27 at 18:21.

  4. #34 AplusWebMaster

    Tracking CryptoLocker ...

    FYI...

    Tracking CryptoLocker ...
    - http://garwarner.blogspot.com/2013/1...overy-iid.html
    Dec 29, 2013 - "... some IP addresses that Malcovery* thinks you should -block- immediately because they are linked to CryptoLocker... 46.149.111.28, 62.76.45.1, 83.69.233.25, 83.69.233.176, 95.59.26.43, 95.172.146.68, 109.234.154.254, 188.65.211.137, 188.120.255.37, 195.2.77.48 ..."
    (More detail at the URL above.)
    * http://www.malcovery.com/

    - https://www.virustotal.com/en/ip-add...8/information/

    - https://www.virustotal.com/en/ip-add...1/information/

    - https://www.virustotal.com/en/ip-add...5/information/

    - https://www.virustotal.com/en/ip-add...3/information/

    - https://www.virustotal.com/en/ip-add...8/information/

    - https://www.virustotal.com/en/ip-add...4/information/

    - https://www.virustotal.com/en/ip-add...7/information/

    - https://www.virustotal.com/en/ip-add...7/information/

    - https://www.virustotal.com/en/ip-add...8/information/

    Last edited by AplusWebMaster; 2013-12-30 at 19:47.
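A defender-side check built on the Malcovery blocklist quoted in the post above, added here as an example and not part of the original post or of Malcovery's tooling: it scans firewall log lines for connections to those ten addresses and reports which internal hosts reached them (ALLOW) and where the block already held (DENY). The log layout, the 10.0.0.0/8 internal range and the sample lines are assumptions constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# The ten addresses Malcovery recommended blocking, quoted in the post above.
CRYPTOLOCKER_BLOCKLIST = {ipaddress.ip_address(a) for a in (
    "46.149.111.28", "62.76.45.1", "83.69.233.25", "83.69.233.176",
    "95.59.26.43", "95.172.146.68", "109.234.154.254", "188.65.211.137",
    "188.120.255.37", "195.2.77.48",
)}

# Assumed firewall log layout (not from the post): <ts> <ALLOW|DENY> src=<ip>:<port> dst=<ip>:<port> proto=<p>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>[\d.]+):\d+\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)"
)

def parse_line(line):
    """Return a dict for a well-formed line, or None for noise or malformed IPs."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"], rec["dst"] = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    return rec

def find_c2_contacts(lines):
    """Return (contacted, blocked): internal host -> sorted blocklisted IPs; ALLOW lines are the actionable ones."""
    contacted, blocked = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in CRYPTOLOCKER_BLOCKLIST:
            continue
        bucket = contacted if rec["action"] == "ALLOW" else blocked
        bucket[str(rec["src"])].add(str(rec["dst"]))
    return ({h: sorted(v) for h, v in contacted.items()},
            {h: sorted(v) for h, v in blocked.items()})

# Constructed sample lines, not real traffic; 10.0.0.0/8 is assumed to be the internal range.
SAMPLE_LOG = """\
2013-12-30T09:01:02Z ALLOW src=10.1.2.3:49152 dst=46.149.111.28:80 proto=TCP
2013-12-30T09:01:05Z ALLOW src=10.1.2.3:49153 dst=198.51.100.20:443 proto=TCP
2013-12-30T09:02:10Z DENY  src=10.1.2.9:49200 dst=195.2.77.48:80 proto=TCP
2013-12-30T09:03:44Z ALLOW src=10.1.2.3:49160 dst=188.120.255.37:80 proto=TCP
not a log line at all
""".splitlines()
```

Hosts in the first dictionary made a completed connection to a listed address and should be isolated and checked for CryptoLocker; the second dictionary only confirms the firewall rule is working.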

  5. #35 AplusWebMaster

    DailyMotion infected - serving Fake AV Malware

    FYI...

    DailyMotion infected - serving Fake AV Malware
    - http://threatpost.com/dailymotion-st...malware/104003
    Jan 31, 2014 - "More than three weeks after notifying video-sharing site DailyMotion that it was compromised, security company Invincea reports the popular website is -still- infected. A spokesperson told Threatpost that Invincea’s original notification was not acknowledged and the company suspects this is a continuation of the same attack and the site was never cleaned up. Invincea said it has again notified DailyMotion, which is the 96th most popular destination on the Internet according to Alexa. The site allows users to upload and share videos. The attack was originally reported Jan. 7* when malicious ads were discovered on the site. Those ads were -redirecting- visitors to a fake AV scam. Invincea said today** that the same threat is happening on the site... a visitor is presented with a dialog box warning the user that “Microsoft Antivirus” found a problem on the victim’s computer and that it needs to be cleaned. A list of potential problems is shown next and the user is enticed to run an executable pretending to be security software... With fake AV scams, victims are tricked into installing what they think is security software but is instead malware. They’re then informed they must purchase a subscription of some kind in order to clean the computer of the infection..."
    * http://www.invincea.com/2014/01/dail...ake-av-threat/
    Jan 7, 2014

    ** http://www.invincea.com/2014/01/k-i-...fakeav-threat/
    Jan 31, 2014

    FakeAV Threat ...
    - https://www.youtube.com/watch?v=7xKmAsSzJv0#t=38
    Jan 31, 2014 Video 1:26

    93.115.82.246
    - https://www.virustotal.com/en/ip-add...6/information/
    2014-02-04
    ___

    - https://net-security.org/malware_news.php?id=2697
    Feb 3, 2014 - "... Not only do the victims get saddled with malware, but they are likely to pay for the "full version" of the fake AV (some $100) and have their credit card details stolen in the process... the malware served in this attack is still detected only by a handful of commercial AV solutions, so avoiding DailyMotion's website is a good idea for now."

    Last edited by AplusWebMaster; 2014-02-04 at 18:27.

  6. #36 AplusWebMaster

    Rogue AV still finds a niche ...

    FYI...

    Rogue AV still finds a niche...
    - http://www.threattracksecurity.com/i...l-finds-niche/
    Oct 31, 2014 - "... recently observed the Asprox botnet distributing malicious spam – like the image below of a purported WhatsApp voicemail notification – with attachments infected with Kuluoz, a downloader for Asprox, that is used to drop affiliate payloads onto PCs.
    WhatsApp spam delivers Kuluoz downloader dropping Rango Rogue AV:
    > http://www.threattracksecurity.com/i...tsApp-Spam.jpg
    Kuluoz dropping Rango - rogue AV from the Fakerean family of rogues:
    > http://www.threattracksecurity.com/i.../10/Rango1.png
    Once infected with Rango – which can dynamically change its name depending on the OS environment in which it is installed – it will begin alerting users that their machine is infected with malware and directing them to purchase Rango.
    Rango generates dire warnings designed to scare users into purchasing false protection:
    > http://www.threattracksecurity.com/i.../10/Rango3.png
    Victims who make it this far - hand over their credit card information...:
    > http://www.threattracksecurity.com/i.../10/Rango4.png
    Rango even goes as far as to create a fake Windows Action Screen to help persuade users into accepting it as a recognized and trusted antivirus program... Rango also stops users from running applications, falsely claiming they are malicious... users who mistakenly -pay- the ransom for Fakerean rogues typically download an .exe file which removes any fake files and stops blocking access to applications. Subsequent “scans” with the rogue typically will not show any future false detections. A ThreatAnalyzer dynamic malware analysis report of Rango is available here*."
    * http://www.threattracksecurity.com/i...s-fakerean.pdf

    Last edited by AplusWebMaster; 2014-11-01 at 04:47.
