59 replies to this topic

[AplusWebMaster]

FYI...

Flash-Based Fake AV - drive-by exploits and SPAM
- http://www.symantec....-risk-minimizer
23 Mar 2012 - "... relatively new fake antivirus application called Windows Risk Minimizer. The -fake- antivirus software was promoted through spam sent from a popular webmail service. This is slightly unusual as normally fake antivirus infections arrive through drive-by exploits. Spam messages promoting the fake antivirus software contained links to compromised domains, which then -redirected- users to the fake antivirus site. We witnessed over 300 compromised domains being used in just a few hours. When opening the fake antivirus site, the user is greeted with a JavaScript alert message, whereby the fake antivirus (referred to here as "Windows Secure Kit 2012") claims that your machine is infected... The page uses Flash making it look more convincing with realistic icons, progress bars, and dialog boxes. Unsurprisingly, the fake antivirus detects plenty of viruses. Decompressing the Flash file and analyzing it shows a huge list of files contained within it. The Flash movie then simply picks some of these at random and claims they are infected (with equally random virus names). Once the scan is complete, a Windows Security Alert dialog appears with a summary of the scan. This dialog can be moved around the screen and (for reasons unknown) the different infections can be selected and unselected... To avoid getting infected with fake antivirus software, ensure you keep your operating system, Web browser, and antivirus software up-to-date with all security patches..."
(Screenshots available at the URL above.)

[AplusWebMaster]

FYI...

New Fake AV scareware attempts to extort Torrent users
- http://www.theregist...onware_hyrbrid/
13 April 2012 - "Security researchers have discovered a strain of fake anti-virus software that tries to intimidate supposed file-sharers* into paying for worthless software. SFX Fake AV, first detected by freebie antivirus scanner firm Malwarebytes, blends the features of scareware with those more associated with ransomware Trojans. The malware stops any legitimate anti-virus package from running on compromised PCs, something common to other other scareware packages. But this particular strain of malware goes further than this by stopping Process Explorer (procexp.exe) and preventing browsers from loading – tactics designed to force marks to complete the ‘input credit card details’ screen and hand over money for the scamware... SFX Fake AV, first detected by freebie antivirus scanner firm Malwarebytes, blends the features of scareware with those more associated with ransomware Trojans. The malware stops any legitimate anti-virus package from running on compromised PCs, something common to other other scareware packages... the malware also performs a fake scan that classifies Windows Registry Editor as a porn tool. Bruce Harrison, VP Research at Malwarebytes, said: "SFX Fake AV is morphing at a relatively fast rate, so it is something that signature-based vendors will have to watch out for as there will be an increasing number of variants in the wild. Also, the use of Dropbox as a delivery mechanism is a something that the industry is going to have to take into account and protect against, as it is an emerging trend."
* http://regmedia.co.u...t_scareware.jpg

[AplusWebMaster]

FYI...

Ransomware police trojan - now targets USA and Canada ...
- http://blog.trendmic...usa-and-canada/
May 9, 2012 - "The Police Trojan* has been targeting European users for about a year... the latest incarnations of this obnoxious malware have started targeting the United States and Canada. In the latest batch of C&C servers we have analyzed, not only has the list of countries increased but also their targets are now more specific. For instance, UKash vouchers are not available in the U.S., thus the U.S. fake police notification that -spoofs- the Computer Crime & Intellectual Property Section of the U.S. Department of Justice, only mentions PaySafeCard as the accepted payment method. The criminals also took the time in adding plenty of logos of local supermarkets and chain stores where the cash vouchers are available...
> http://blog.trendmic..._screenshot.jpg
... the same Eastern European criminal gangs who were behind the fake antivirus boom are now turning to the Police Trojan strategy. We believe this is a malware landscape change and not a single gang attacking in a novel way. We also found C&C consoles that suggest a high level of development and possible reselling of the server back-end software used to manage these attacks..."
* http://blog.trendmic...-police-trojan/
"... plagued by so called Police Trojans that lock their computer completely until they pay a fine of 100 euros..."

[AplusWebMaster]

FYI...

More extortion thru Ransomware
- http://www.ic3.gov/m...012/120530.aspx
May 30, 2012 - "... new Citadel malware platform used to deliver ransomware, named Reveton*. The ransomware lures the victim to a drive-by download website, at which time the ransomware is installed on the user's computer. Once installed, the computer freezes and a screen is displayed warning the user they have violated United States Federal Law. The message further declares the user's IP address was identified by the Computer Crime & Intellectual Property Section as visiting child pornography and other illegal content. To unlock their computer the user is instructed to pay a $100 fine to the US Department of Justice, using prepaid money card services. The geographic location of the user's IP address determines what payment services are offered. In addition to the ransomware, the Citadel malware continues to operate on the compromised computer and can be used to commit online banking and credit card fraud. Below is a screenshot of the warning:
> http://www.ic3.gov/images/120530.png
... This is an attempt to extort money with the additional possibility of the victim’s computer being used to participate in online bank fraud. If you have received this or something similar do -not- follow payment instructions..."

Reveton removal instructions:
* https://www.f-secure...2_reveton.shtml

[AplusWebMaster]

FYI...

Fake AV malware campaign - 2012-06-19
- https://isc.sans.edu...l?storyid=13501
Last Updated: 2012-06-19 10:26:16 UTC - "... 'vulnerabilityqueerprocessbrittleness . in' is currently one of 600+ domains that link to a quite prevalent "Fake Anti-virus" malware campaign. Currently, the domains associated to this scam all point to web servers hosted in the 204.152.214.x address range, but of course the threat keeps "moving around" as usual... The current set of threats involves frequently changing malware EXEs (or EXEs inside of ZIPs) with low coverage on virustotal. The download URLs usually follow the pattern of http ://bad-domain. in/16 character random hex string/setup.exe or /setup.zip .
Example: http ://fail-safetytestingcontrol. in/fc1a9d5408b7e17d/setup.exe ..."

[AplusWebMaster]

FYI...

Ransomware-as-a-Service spotted in the wild
- http://blog.webroot....ed-in-the-wild/
Sep 20, 2012 - "... recently advertised DIY (do-it-yourself) managed voucher-based Police Ransomware service exclusively targeting European users...
Sample underground forum advertisement of the managed DIY Police Ransomware service:
> https://webrootblog....ice_managed.png
According to the advertisement, the actual malicious executable is both x32 and x64 compatible, successfully blocking system keys and other attempts to kill the malicious application. The cybercriminals behind the managed service have already managed to localize their templates in the languages of 13 prospective European countries such as Switzerland, Greece, France, Sweden, Netherlands, Italy, Poland, Belgium, Portugal, Finland, Spain, Germany, and Austria...
Sample screenshot of the DIY managed Ransomware-as-a-service command and control interface:
> https://webrootblog...._managed_01.png
... thousands of users are being successfully infected with the ransomware variants, with the command and control service capable of displaying statistics for the affected countries, and the operating system in use by the affected parties.
Second sample screenshot of the DIY managed Ransomware-as-a-service command and control interface:
> https://webrootblog...._managed_02.png
The managed service relies primarily on the Ukash voucher-based payment system*, and the command and control interface conveniently displays the voucher codes and their monetary value, allowing the users of the service an easy way to claim the money from the vouchers..."
* http://en.wikipedia.org/wiki/Ukash
___

- http://atlas.arbor.n...ndex#-685203363
Severity: Elevated Severity
Sep 21, 2012
Ransomware, which can be quite destructive - is being sold as a service in the underground economy.
Analysis: Ransomware can sometimes be cleaned from a system, however if it is done properly by the criminals, victims of the infection will need to rely on backups to recover from having their files encrypted...

Edited by AplusWebMaster, 22 September 2012 - 07:11 PM.

[AplusWebMaster]

FYI...

"Scareware" Marketer FTC Case Results in $163 Million Judgment ...
- http://www.ftc.gov/o...0/winfixer.shtm
10/02/2012 - "At the Federal Trade Commission’s request, a federal court imposed a judgment of more than $163 million on the final defendant in the FTC’s case against an operation that used computer “scareware” to trick consumers into thinking their computers were infected with malicious software, and then sold them software to “fix” their non-existent problem. The court order also permanently prohibits the defendant, Kristy Ross, from selling computer security software and any other software that interferes with consumers’ computer use, and from any form of deceptive marketing.
In 2008, as part of the FTC’s efforts to protect consumers from spyware and malware, the FTC charged Ross and six other defendants with conning more than one million consumers into buying software to remove malware supposedly detected by computer scans. The FTC charged that the operation used elaborate and technologically sophisticated Internet advertisements placed with advertising networks and many popular commercial websites. These ads displayed to consumers a “system scan” that invariably detected a host of malicious or otherwise dangerous files and programs on consumers’ computers. The bogus “scans” would then urge consumers to buy the defendants’ software for $40 to $60 to clean off the malware.
The U.S. District Court for the District of Maryland subsequently ordered a halt to the massive scheme, pending litigation. Under a settlement announced in 2011, defendant Marc D’Souza and his father, Maurice D’Souza, were ordered to give up $8.2 million in ill-gotten gains. Two other defendants previously settled the charges against them; the FTC obtained default judgments against three other defendants..."
* http://www.ftc.gov/o...ixeropinion.pdf

[AplusWebMaster]

FYI...

Rouge AV for Windows 8
- http://blog.trendmic...ging-windows-8/
31 Oct 2012 - "... cybercriminals are grabbing this chance to distribute threats leveraging Windows 8 and raise terror among users – just in time for Halloween. We were alerted to two threats that leverage the release of this new OS. The first one is a typical FAKEAV. Detected as TROJ_FAKEAV.EHM, this malware may be encountered when users visit malicious sites...
> http://blog.trendmic...nningresult.jpg
... the malware displays a fake scanning result to intimidate users to purchase the fake antivirus program – just like your run-of-the-mill FAKEAV variant. What is different with this malware, however, is that it is packaged as a security program made for Windows 8.
> http://blog.trendmic...AV_Windows8.jpg
The other threat is a phishing email that entices users to visit a website where they can download Windows 8 for free. Instead of a free OS, they are led to a phishing site that asks for personally identifiable information (PII) like email address, password, name that can be peddled in the underground market or used for other cybercriminal activities.
> http://blog.trendmic...il_Windows8.jpg
It is typical for cybercriminals to piggyback on the highly-anticipated release of any latest technology to take their malware, spam, malicious app to new heights... To stay safe, users must keep their cool and think twice before clicking links or visiting webpages, especially those that promise the latest items or programs for free. If it’s too good to be true – it probably is..."

Edited by AplusWebMaster, 01 November 2012 - 03:46 AM.

[AplusWebMaster]

FYI...

Win 8 not immune to Ransomware
- http://www.symantec....mune-ransomware
Updated: 13 Nov 2012 - "... Symantec ran several prevalent ransomware samples currently found in the wild in a default Windows 8 environment. While some samples ran poorly on Windows 8, it did not take long to find a ransomware variant (Trojan.Ransomlock.U*) that successfully locked a Windows 8 system, effectively holding it to ransom.
Figure. Ransomware-locked Windows 8 system
> https://www.symantec...mageW1-blog.jpg
The Trojan.Ransomlock.U* variant uses the geolocation of the compromised system to serve localized ransomware screens in the appropriate language. While the ransonware running on Windows 8 correctly identified our location, the cybercriminals in this case must not have realized that English is the main language spoken in Ireland (less than 15 percent of the population is actually able to read Irish language). Their ingenuity in this case has lowered the chance of the ransom attempt being successful. As more users adopt Windows 8, Symantec expects to see more malware targeting this new environment...
> http://www.symantec....wing-menace.pdf
PDF Pg.4 - "... Fake police ransomware can be installed on a computer in a few ways but the most common to date has been through Web exploits and drive-by downloads. Drive-by download is a term used to describe how a piece of malware is installed on a user’s computer without their knowledge when that user browses to a compromised website. The download occurs in the background and is invisible to the user. In a typical drive-by download, the user browses to a website... The attacker has inserted a hidden iFrame — a special redirect — into this website. This redirection causes the user’s browser to actually connect to a second website containing an exploit pack. Exploit packs contain multiple different exploits, which, if the computer is not fully patched, causes the browser to download a file (the malware)..."
* http://www.symantec....-100315-1353-99

[AplusWebMaster]

FYI...

Police Ransomware bears Fake Digital Signature
- http://blog.trendmic...ital-signature/
Nov 22, 2012 - "... We encountered two samples bearing the same fake digital signature, which Trend Micro detects as TROJ_RANSOM.DDR... the digital signature’s name and its issuing provider are very suspicious... the fake signature’s sole purpose is likely to elude digisig checks. Users may encounter these files by visiting malicious sites or sites exploiting a Java vulnerability... Once executed, TROJ_RANSOM.DDR holds the system “captive” and prevents users from accessing it. It then displays a warning message to scare its victims into paying a fee. To intimidate users further, this warning message often spoofs law enforcement agencies like the FBI, often claiming that they caught users doing something illegal (or naughty) over the Internet. Based on our analysis, the two samples we found impersonate two different law enforcement agencies. The first sample mimics the FBI...
> http://blog.trendmic..._ransomware.gif
... while the second one displays a warning message purportedly from the UK’s Police Central e-Crime Unit.
> http://blog.trendmic..._ransomware.gif
First seen in Russia in 2005, ransomware has since spread to other European countries and eventually, to the United States and Canada. These variants are known to extort money by taking control of systems and taunting users to pay for a fee (or “ransom”) thru selected payment methods. The most recent wave of these variants were found capable of tracking victim’s geographic locations. This tracking enables the attackers to craft variants that impersonate the victim’s local police/law enforcement agencies while holding their entire systems captive. Software vendors include digital signatures as a way for users to verify software/program legitimacy. But cybercriminals may incorporate expired or fake digital sigs or certificates into the malware to hoodwink users into executing it. Just last October, Adobe warned users of malicious utilities carrying Adobe-issued certificates. Certain targeted attacks like the notorious FLAME was also found to use malicious file components bearing certificates issued by Microsoft..."
___

- https://www.net-secu...ews.php?id=2331
23.11.2012

Edited by AplusWebMaster, 24 November 2012 - 07:26 AM.

[AplusWebMaster]

FYI...

Finnish website attack via Rogue Ad
- http://www.f-secure....s/00002468.html
Dec 5, 2012 - "... every so often, something "big" will occur in such a way that Finland becomes a kind of statistical laboratory... An advertising network used by one of Finland's most popular websites, suomi24.fi, was compromised during the December time period... all of that malware traffic was pushed by a -single- ad from a third-party advertiser's network. Just one ad... What was blocked? — Rogue Antivirus. As in fake security software...
> http://www.f-secure...._Rogue_Scan.png
These rogue programs aren't actually scanning your computer for threats, but still, they're more than happy to charge for their services. Rogues don't offer any free trials, they want payment up front... That's generally a good sign there's something amiss."

Rogue Yahoo! Messenger ...
- http://blog.trendmic...test-ym-update/
Dec 5, 2012 - "On the heels of Yahoo!’s recent announcement of upcoming updates for the Messenger platform*, certain bad guys are already taking this chance to release their own, malicious versions of Yahoo! Messenger... I encountered this particular file (detected by Trend Micro as TROJ_ADCLICK.TNH), which looks like a legitimate Yahoo! Messenger executable.
> http://blog.trendmic...senger_fake.gif
However, when I checked its file properties, I found that it is actually an AutoIt compiled file.
> http://blog.trendmic...YM_property.gif
Once users download and execute this file, which is saved as C:\Program Files\Yahoo Messenger.exe, the malware checks if an Internet connection is available by pinging Google. If it returns any value not equal to 0, it proceeds to checking the user’s existing Internet browser(s). Once a browser is found, it connects to the websites http ://{BLOCKED}y/2JiIW and http ://http://31c3f4bd.{BLOCKED}cks .com, as seen below:
> http://blog.trendmic...ites_fakeym.gif
... this threat doesn’t stop there... these sites further redirect users to other webpages. Some of these pages even result to several, almost endless redirections. From the looks of it, this scheme looks like a classic click fraud. By connecting to these sites, which are pay-per-click sites, the malware generates a “visit” that translates into profit for the site owners and/or the malware author... the people behind this threat is attempting to piggyback on Yahoo!’s recent announcement to reach out to as many users are possible. Unfortunately, this social engineering tactic has been proven effective, such as in the case of fake keygen applications for Windows 8 and malicious versions of Bad Piggies. To stay safe from these threats, users must be cautious when visiting sites or downloading files from the Internet. For better protection, users should bookmark trusted sites and refrain from visiting unknown pages. Cybercriminals and other bad guys on the Internet are good at crafting their schemes to make them more appealing to ordinary users... it pays to know more about social engineering tactics and what makes them work..."
* http://www.ymessenge...senger-features

[AplusWebMaster]

FYI...

Ransomware speaks...
- http://blog.trendmic...ware-it-speaks/
Dec 10, 2012 - "... we received a report that a new police Trojan variant even has a “voice”. Detected as TROJ_REVETON.HM*, it locks the infected system but instead of just showing a message, it now urges users to pay verbally. The user won’t need a translator to understand what the malware is saying – it speaks the language of the country where the victim is located...
> http://blog.trendmic.../12/LockNew.jpg
... ransomware has now leaped to other European countries, the United States and Canada. Because of the payment method ransomware employs, specifically electronic cash like Ukash, PaySafeCard and MoneyPak, the people behind this threat generate profit from it but with the benefit of having a faint money trail. Because of this, the gangs profiting from this malware can hide their tracks easily..."
* http://about-threats...TROJ_REVETON.HM

[AplusWebMaster]

FYI...

Rogue v ransomware - Fear and deception
- https://blogs.techne...Redirected=true
9 Jan 2013 - "... Rogues are a prime example of malware that uses fear appeals to force your hand. A common scenario you might face when encountering a rogue on your computer follows:
• You see a scanning interface on your screen, pretending to scan the file system (the scanning interface may appear while browsing the Internet or could be inadvertently downloaded).
• Upon completion of the scan, a large number of infections are reportedly found on your computer.
> https://www.microsof...roguevran/1.jpg
• A barrage of warnings related to these supposed infections are intermittently displayed to you in the form of dialog boxes and alerts popping up on your desktop or coming from your taskbar.
• Attempts to launch applications are thwarted by the rogue which blocks the applications from being launched and displays an alert, warning that the application is also infected.
• System security and firewall applications are usually targeted by the rogue as it attempts to terminate their processes, services and/or modify their registry entries, making it extremely difficult to remove the rogue from the computer.
... there is a point to all of these invasive and fear mongering tactics deployed by rogues, which is ultimately to force you to pay a fee using your credit card in order to "activate" the supposed security scanner and remove the reported infections. Rogue:Win32/Winwebsec, a rogue still in circulation and being actively updated by its creators, is an example of a rogue that contains all of these functionalities. Win32/Winwebsec, along with Win32/FakeRean, are two rogues that are still actively out in the wild, but on the whole, we have seen a steady decrease in the number of rogues in circulation in 2012.
> https://www.microsof...roguevran/2.jpg
... numbers broken down by family for most of 2012:
> https://www.microsof...roguevran/3.jpg
... rogues aren’t the only badware in town using fear appeals. In the last year, we’ve seen the rise of a new threat whose success also relies on persuading affected users to act on the receipt of a deceptive message in order to avoid an unpleasant consequence. This new(ish) badware goes by the unfortunate name of ransomware... You can find detailed information on ransomware here*..."
* http://www.microsoft...ransomware.aspx

[AplusWebMaster]

FYI...

Ransomware - fear and deception (part 2)
- https://blogs.techne...Redirected=true
15 Jan 2013 - "Ransomware’s approach is aggressive. It uses fear to motivate an affected user to pay a fee (usually not with a credit card but using another payment system – Green Dot Moneypak, Ukash, and others). It generally uses only one deceptive message and is quite specific: you receive a message, supposedly from the police or some other law-enforcement agency accusing you of committing some form of crime. Commonly, these messages accuse the receiver of crimes associated with copyright violations (for example, downloading pirated software or other digital intellectual property) and/or the possession of illicit pornographic material. And if this threat isn’t enough, it backs the message up by rendering the system unusable, presumably until the fine is paid...
> https://www.microsof...roguevran/4.jpg
... they are on the increase.
> https://www.microsof...roguevran/5.jpg
We’ve also seen an increasing number of different types of malware that use this tactic. What started as a fairly small number of families has blossomed during 2012 into an increasingly diverse group (although I will mention that this data has been affected by our increasing focus on this type of malware and our ability to identify them correctly). Reveton and Weelsof, for example, are families that have caused considerable pain to the user.
> https://www.microsof...roguevran/6.jpg
... while rogues still account for a lion’s share of total malware in comparison to ransomware, rogues are trending down while ransomware is on the up:
> https://www.microsof...roguevran/7.jpg
... some more recent rogues have started using similar tactics to ransomware. One FakeRean variant that calls itself Privacy Protection displays fake scan results that imply child pornography has been found on the affected computer.
> https://www.microsof...roguevran/8.jpg
... Legitimate security companies won’t try to scare you into using their scanners and law enforcement agencies aren’t going to pop up a message and scare you into paying a fine. If a message tries to frighten you, think very carefully about what it’s asking you to do, and more importantly, if it’s an unreasonable request (such as sending money), don’t do it."

[AplusWebMaster]

FYI...

Police arrest Ransomware cybercriminals
- http://blog.trendmic...ivity-nabbed-2/
Feb 13, 2013 - "... Trend Micro threat researchers have been studying this scam throughout 2012 and have collaborated very closely with law enforcement authorities in several European countries, especially in Spain. Today, we are very happy to report that the Spanish Police has put the information to good use, and they have just announced in a press conference the arrest of one of the head members of the cybercriminal gang that produces the Ransomware strain known as REVETON. The apparent arrest of this cybercriminal of Russian origin occured in Dubai, United Arab Emirates. The law enforcement authorities are working to extradite him to Spain for prosecution. Along with his arrest, the operation included the arrests of 10 other individuals tied to the money laundering component of the gang’s operations, which managed the monetization of the PaySafeCard/UKash vouchers received as payment in the scam. The gang apparently had a branch in Spain that exchanged these vouchers and converted them into actual money, which would then be transferred to the leaders of the gang in Russia..."

- http://news.yahoo.co...-201859529.html
Feb 13, 2013 - "... The gang, operating from the Mediterranean resort cities of Benalmadena and Torremolinos, made at least €1 million ($1.35 million) annually... The 27-year-old Russian alleged to be the gang's founder and virus developer was detained in the United Arab Emirates at the request of Spanish police while on vacation and an extradition petition is pending, Martinez said. Six more Russians, two Ukrainians and two Georgians were arrested in Spain last week... Money was also stolen from the victims' accounts via ATMs in Spain, and the gang made daily international money transfers through currency exchanges and call centers to send the funds stolen to Russia. Spanish authorities identified more than 1,200 victims but said the actual number could be much higher. The government's Office of Internet Security received 784,000 visits for advice on how to get rid of the virus. Those arrested face charges of money laundering, participation in a criminal operation and fraud."

- http://h-online.com/-1803788
14 Feb 2013

Edited by AplusWebMaster, 14 February 2013 - 12:04 PM.