Rogue AV, AS, scareware, etc...


59 replies to this topic

#46 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 22 March 2013 - 08:54 AM

FYI...

DHS-themed Ransomware in the wild
- https://www.us-cert....emed-Ransomware
Last revised: March 22, 2013 - "US-CERT has received reports of apparently DHS-themed ransomware occurring in the wild. Users who are being targeted by the ransomware receive an email message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. The ransomware -falsely- claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division. Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware... US-CERT and DHS encourage users and administrators to use caution when encountering these types of email messages..."

Screenshot: http://news.softpedi...nsomware-2.jpg/
March 21, 2013

- http://www.reuters.c...E92K0Z920130321
Mar 21, 2013

:ph34r: <_<

Edited by AplusWebMaster, 22 March 2013 - 09:34 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#47 AplusWebMaster


Posted 03 April 2013 - 08:49 AM

FYI...

Ransomware leverages victims' browser histories for increased credibility
- https://www.computer...sed_credibility
April 1, 2013 - "... A new ransomware variant that employs this trick was spotted over the weekend by an independent malware analyst known online as Kafeine. Dubbed Kovter, this version stands out because it uses information gathered from the victim's browser history in order to make the scam message more credible, Kafeine said Friday in a blog post*. Kovter displays a fake warning allegedly from the U.S. Department of Justice, the U.S. Department of Homeland Security and the FBI, that claims the victim's computer was used to download and distribute illegal content. The message also lists the computer's IP address, its host name and a website from which the illegal material was allegedly downloaded. The malware checks if any of the sites already present in the computer's browser history is present in a remote list of porn sites whose content is not necessarily illegal, and if there's a match, it displays it in the message. By using this technique and naming a site that the victim has actually visited as the source for the alleged illegal content, the ransomware authors attempt to increase the credibility of their message. If no match is found when checking the browser history against the remote list, the malware will just use a random porn site in the message... The authors of police-themed ransomware are constantly trying to improve their success rate and this is just the latest in a long series of tricks they have added. Some variants are actually using the computer's webcam, if one is present, to take a picture of the user and include it in the message in order to give the impression that the authorities are recording the user. Another variant gives victims a deadline of 48 hours to pay the made-up fine before their computer drive is reformatted and their data is destroyed. The average number of daily infection attempts with police-themed ransomware has doubled during the first months of 2013..."
*Screenshot: https://d1piko3ylsjh...e_kovter_01.png

:ph34r: :ph34r: <_<



#48 AplusWebMaster


Posted 18 May 2013 - 06:01 AM

FYI...

Ransomware - Reveton.B...
- https://www.net-secu...ews.php?id=2497
May 17, 2013 - "... Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing rounds. It is being delivered on the victims' computer via the Blackhole exploit kit, and on the surface acts like it always did: locks the computer screen and demands money to unlock it:
> https://www.net-secu...on-17052013.jpg
... in the background, the malware downloads a password-stealer component from its C&C server and runs it. "PWS:Win32/Reveton.B can steal passwords for a comprehensive selection of file downloaders, remote control applications, FTP, poker, chat and e-mail clients, as well as passwords stored by browsers and in protected storage," say* the researchers. "However, as it can load almost any DLL served by the C&C on the fly, this might change." Keeping your OS and software updated should minimize the possibility of being faced with malware, they say, but in case you do get hit by a Reveton infection, it's a good idea to change all your passwords once you remove the malware from the computer."
* http://blogs.technet...ll-pay-off.aspx

:ph34r: :(



#49 AplusWebMaster


Posted 27 June 2013 - 10:17 AM

FYI...

Top 5 Fake Security Rogues of 2013
- http://blog.webroot....rogues-of-2013/
June 27, 2013 - "We see users on the internet getting infected with Rogue Security Malware all the time. In fact, it’s one of the most common and obvious types of infections we see. The Rogues lock down your computer and prevent you from opening any applications so you’re forced to read their scam. Although they use various tactics and convincing GUIs to get onto your computer, they all share a common goal: To get your money.
Here are the top 5 rogues reported this year (Screenshots):
System Care Antivirus: https://webrootblog....virus.jpg?w=750
Internet Security: https://webrootblog....urity.png?w=736
Disk Antivirus Professional: https://webrootblog....virus.png?w=752
System Doctor 2014: https://webrootblog....-2014.jpg?w=801
AVASoft professional antivirus: https://webrootblog....virus.jpg?w=796
... The most common install from fake Adobe update installers and malicious URLs linked from pictures that look like this:
1) https://webrootblog....1...w=296&h=145
2) https://webrootblog....1...w=560&h=145
Once you click on images like this in the wild and receive the payload from the malicious URLs, you’ll have effectively given permission and installed the Rogue onto your computer.
> https://webrootblog....enter.jpg?w=869
Don’t give them your credit card information.
... New variants of these rogues come out constantly so there are millions of unique signatures being dropped on computers every day..."

- https://blogs.techne...Redirected=true
27 Jun 2013

:ph34r: <_< :ph34r:

Edited by AplusWebMaster, 06 July 2013 - 06:00 AM.



#50 AplusWebMaster


Posted 17 July 2013 - 08:21 AM

FYI...

Ransomware targets Apple Mac OS X users
- http://blog.malwareb...mac-os-x-users/
July 15, 2013 - "... Cyber-criminals, well known for not re-inventing the wheel, have ‘ported’ the latest ransomware to OS X, not by using some complicated exploit but rather leveraging the browser and its ‘restore from crash’ feature.
Screenshot: http://cdn.blog.malw...ransomware1.png
The ransomware page is being pushed onto unsuspecting users browsing regular sites but in particular when searching for popular keywords. Warnings appearing to be from the FBI tell the victim: “you have been viewing or distributing prohibited Pornographic content.. To unlock your computer and to avoid other legal consequences, you are obligated to pay a release fee of $300.” A quick look at the address bar shows an interesting URL: fbi.gov.id657546456-3999456674.k8381 . com, the bad guys are clearly trying to fool users. If you choose to ignore the message (which you should), you cannot get rid of the page:
> http://cdn.blog.malw...13/07/lock1.png
If you “force quit” the application, the same ransomware page will come back the next time you restart Safari because of the “restore from crash” feature, which loads back the last URL visited before the browser was quit unexpectedly. Talk about a vicious circle... There -is- a way to get rid of it (without clicking on the prompt 150 times) and more importantly without paying the $300 ransom. Click on the Safari menu and then choose “Reset Safari”:
> http://cdn.blog.malw...13/07/reset.png
Make sure all items are marked and hit the Reset button:
> http://cdn.blog.malw...3/07/reset2.png
You can bet many people are going to fall for this scam and pay the ransom money, filling the bad guys’ pockets. Whenever alarming messages are displayed, it is important to take the time to review them, call a friend or talk to someone about it. The bad guys know how to use social engineering to entice victims as, for example, I was led to this locked page by doing a search for Taylor Swift on Bing images. The victim will feel they may have actually been doing something wrong and got caught and, ashamed, will pay the “fine.” This scam is unfortunately all too efficient and is not going away anytime soon. Watch this tutorial* on how to get rid of the FBI ransomware for OS X..."
*
___

- https://www.ic3.gov/...3/130718-2.aspx
July 18, 2013

:ph34r: :ph34r:

Edited by AplusWebMaster, 19 July 2013 - 06:39 AM.



#51 AplusWebMaster


Posted 30 July 2013 - 12:20 PM

FYI...

DHS-themed ransomware - in the wild...
- https://www.us-cert....nsomware-UPDATE
July 30, 2013 - "US-CERT has received reports of increased activity concerning an apparently DHS-themed ransomware malware infection occurring in the wild. Users who are being targeted by the ransomware receive a message claiming that use of their computer has been suspended and that the user must pay a fine to unblock it. One iteration of this malware also takes a webcam (if available) photo or video of a recipient and posts it in a pop-up to add to the appearance of legitimacy. The ransomware -falsely- claims to be from the U.S. Department of Homeland Security and the National Cyber Security Division. Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware..."

- https://www.ic3.gov/...013/130729.aspx
July 29, 2012

:ph34r: :ph34r:



#52 AplusWebMaster


Posted 22 August 2013 - 11:31 AM

FYI...

Chinese Ransomlock malware changes Windows Login Credentials
- http://www.symantec....gin-credentials
21 Aug 2013 - "... new type of ransomlock malware that not only originates from China but also uses a new ransom technique to force users into paying to have their computers unlocked. This threat is written in Easy Programming Language and is spread mostly through a popular Chinese instant messaging provider. Once a computer is compromised, the threat changes the login credentials of the current user and restarts the system using the newly created credentials. The login password is changed to “tan123456789” (this was hardcoded in the sample we acquired) but the malware author may update the threat and change the password. The account name is changed to “contact [IM ACCOUNT USER ID] if you want to know the password” (English translation) so that once the computer has restarted, and the user is unable to log in, they will see the account name/message and contact the user ID in order to get the new password.
Login screen with changed account name after system restart
> https://www.symantec...igure1_Edit.png
If the victim contacts the provided user ID, who is more than likely the malware author, they will see a statement on the profile page asking for approximately 20 Chinese Yuan (US$3.25). The statement says that the login password will be sent as soon as the money is received and that if the malware author is pestered by the user they will be blocked. Symantec detects this threat as Trojan.Ransomlock.AF. For users already infected with this threat, there are several ways to restore system access:
1. Use password “tan123456789” to log into the system and reset the password (as mentioned before, this might -not- always work as the password may be changed by the malware author)
2. Use another administrator account to log into the system and reset the password
3. If your current account is not a super administrator account, enter safe mode and log in as super administrator and then reset the password
4. Use Windows recovery disk to reset the password."
___

Spear-Phishing E-mail with Missing Children Theme
- https://www.us-cert....-Children-Theme
August 22, 2013 - "The FBI is aware of a spear-phishing e-mail appearing as if it were sent from the National Center for Missing and Exploited Children. The subject of the e-mail is "Search for Missing Children," and a zip file containing 3 malicious files is attached. E-mail recipients should always treat links and attachments in unsolicited or unexpected e-mail with caution."

:ph34r: <_<

Edited by AplusWebMaster, 22 August 2013 - 11:54 AM.



#53 AplusWebMaster


Posted 17 October 2013 - 12:23 PM

FYI...

Cryptolocker ransomware
- http://arstechnica.c...00-in-bitcoins/
Oct 17 2013 - "Malware that takes computers hostage until users pay a ransom is getting meaner, and thanks to the growing prevalence of Bitcoin and other digital payment systems, it's easier than ever for online crooks to capitalize on these "ransomware" schemes. If this wasn't already abundantly clear, consider the experience of Nic, an Ars reader who fixes PCs for a living and recently helped a client repair the damage inflicted by a particularly nasty title known as CryptoLocker. It started when an end user in the client's accounting department received an e-mail purporting to come from Intuit. Yes, the attached archived zip file with an executable inside should have been a dead giveaway that this message was malicious and was in no way affiliated with Intuit. But accounting employees are used to receiving e-mails from financial companies. When the receiver clicked on it, he saw a white box flash briefly on his screen but didn't notice anything else out of the ordinary. He then locked his computer and attended several meetings. Within a few hours, the company's IT department received word of a corrupt file stored on a network drive that was available to multiple employees, including the one who received the malicious e-mail. A quick investigation soon uncovered other corrupted files, most or all of which had been accessed by the accounting employee. By the time CryptoLocker had run its course, hundreds of gigabytes worth of company data was no longer available..."
> http://cdn.arstechni...ot1-640x498.jpg

Cryptolocker Prevention Kit
- http://www.thirdtier...prevention-kit/
Oct 14, 2013 - "The SMBKitchen Crew and Third Tier staff have put together a group of materials that were published as part of our SMBKitchen Project and only available to subscribers. However, because this virus is spreading so rapidly and is so serious, we’ve decided to make these materials available to everyone. The kit includes an article on cleaning up after infection but, more importantly, provides materials and instruction for deploying a preventative block using software restriction policies. The articles provide instruction for installing them via GPO on domain computers and terminal servers, and non-domain joined machines too. We have also provided GPO settings that you can import into your environment. We’ve zipped it up into a single file. Download it now*"
* http://www.thirdtier...eventionKit.zip
___

- http://atlas.arbor.n...ndex#1331587000
High Severity
21 Oct 2013
The CryptoLocker ransomware has been popular lately. Several serious outbreaks have taken place and this threat is harder to recover from unless proactive measures have been taken.
Source: http://nakedsecurity...p-and-recovery/

- http://windowssecret...rnicious-virus/
Oct 23, 2013

- https://isc.sans.edu...l?storyid=16871
Last Updated: 2013-10-22 14:09:38 UTC

CryptoLocker: Its Spam and ZeuS/ZBOT Connection
- http://blog.trendmic...bot-connection/
Oct 21, 2013 - "... the CryptoLocker malware that not only blocks access to the system, but also forces users to buy a $300 decrypting tool by locking or encrypting specific files in the system. Recently, we were alerted to a spam campaign that we determined to be responsible for CryptoLocker infections. The spammed messages contain malicious attachments belonging to TROJ_UPATRE, a malware family characterized by its small file size and a simple downloading function. Using feedback provided by the Trend Micro Smart Protection Network, we searched for information linking CryptoLocker ransomware to this downloader and came across a sample email containing a malicious attachment (detected as TROJ_UPATRE.VNA):
(Screenshot of spam with malicious attachment)
> http://blog.trendmic...ryptolocker.jpg
Once this attached file is executed, it connects to a URL to download another file, which is saved as cjkienn.exe (detected as TSPY_ZBOT.VNA). This malware then downloads the actual CryptoLocker malware (detected as TROJ_CRILOCK.NS).
(CryptoLocker infection chain)
> http://blog.trendmic...lock_edited.jpg
This threat is particularly troublesome for several reasons. First, ZeuS/ZBOT variants are known to steal information related to online banking credentials. The attackers can use the stolen information to start unauthorized banking transactions. Furthermore, because of the CryptoLocker malware, users will be unable to access their personal or important documents... Although the ransom note in CryptoLocker only specifies “RSA-2048” as the encryption used, our analysis shows that the malware uses AES + RSA encryption. RSA is asymmetric key cryptography, which means it uses two keys. One key is used to encrypt the data and another is used to decrypt the data. (One key is made available to any outside party and is called the public key; the other key is kept by the user and is called the private key.) AES uses symmetric keys (i.e., the same key is used to encrypt and decrypt information). The malware uses an AES key to encrypt files. The AES key for decryption is written in the files encrypted by the malware. However, this key is encrypted with an RSA public key embedded in the malware, which means that a private key is needed to decrypt it. Unfortunately, the said private key is not available. For information on which files are encrypted, users can check their system’s autostart registry.
> http://blog.trendmic...ryptolocker.jpg
... It is also important for users to be cautious when opening any attachments from email messages coming from unknown sources. Email reputation service also blocks the spam related to this threat."

CryptoPrevent Tool:
- http://www.bleepingc...n#cryptoprevent
Oct 20, 2013

:ph34r: :ph34r:

Edited by AplusWebMaster, 24 October 2013 - 09:21 AM.



#54 AplusWebMaster


Posted 29 October 2013 - 06:15 AM

FYI...

GWload - Mass Injection making its rounds ...
- http://community.web...its-rounds.aspx
29 Oct 2013 - "... a new mass injection campaign is making its rounds, compromising and injecting content into tens of thousands of legitimate websites... Our telemetry shows that, to date, at least 40,000 compromised pages have occurred on the Web, redirecting and tricking users to install rogue software. We see parallels of the injected websites with websites that were affected by the "cookiebomb" mass injection, which was mostly associated with delivering "ransomware" payloads...
Number of injected web pages spotted in the last 7 days:
> http://community.web...7_5F00_days.jpg
Users who browse to a compromised injected website are immediately redirected 'drive-by' style to a second compromised website that (a) effectively blocks all content of the legitimate website and (b) shows them this notification: "VLC player is required for this website, click DOWNLOAD NOW". VLC media player is a legitimate open source media player (the official page is located here*). However, VLC player is also known to be abused and bundled with some non-legitimate software, and this is the case with -all- the "VLC media player" installations that take part in this mass injection campaign... The lure - how content is 'locked' with conditional access; this is what the user sees when browsing to an injected website:
> http://community.web...plashscreen.jpg
... If a user is convinced that it is necessary to download and run the file to access the website's content, then unexpected, -rogue- installations of software will commence on the user's machine... Looks like "VLC Player" Installation, but the small print allows for some extras:
> http://community.web...splashcreen.jpg
... We noticed that this mass injection uses a social engineering trick that locks legitimate websites' content to lure potential victims to install applications that participate in Cost Per Action (CPA) advertising schemes. This change in tactics that occurred in the past two weeks coincides with the arrest of the Blackhole Exploit Kit author 'Paunch,' which could suggest that actors adapt to change rapidly to keep their attack going. It was also apparent that certain scripts used by actors to serve social engineering-based attack vectors are interchangeable across different attack platforms; we witnessed with 'GWload' that code that mostly was used in social engineering-based attacks on -Facebook- has now migrated and is used with mass injections..."
* http://www.videolan.org/

:ph34r: :ph34r: <_<

Edited by AplusWebMaster, 29 October 2013 - 06:17 AM.



#55 AplusWebMaster


Posted 05 November 2013 - 06:28 AM

FYI...

CryptoLocker - demands $2,000 for overdue ransom
- http://blog.malwareb...overdue-ransom/
Nov 4, 2013 - "The criminals behind the infamous CryptoLocker ransomware that encrypts all your personal files are now offering a late payment option, albeit at a higher cost... news was first reported on the Bleeping Computer forums early last Saturday*... exercise -extreme- caution before opening email attachments (one of the main infection vectors), keep your PC up-to-date, and make sure you have antivirus and anti-malware protection with real-time detection installed. Also, backing up your important data can be a life-saver..."
* http://www.bleepingc...yption-service/

Cryptolocker: Time to Backup
- http://www.threattra...er-time-backup/
Nov 5, 2013 - "... nasty piece of Malware which takes great delight in encrypting files on an infected PC, rendering them all but unreachable unless the victim is willing to pay the Malware authors..."

Also see: http://forums.whatth...e=4#entry834663
 

  :ph34r: :ph34r: <_<




#56 AplusWebMaster


Posted 14 November 2013 - 07:32 AM

FYI...

CryptoLocker Emergence connected to Blackhole Exploit Kit Arrest
- http://blog.trendmic...oit-kit-arrest/
Nov 8, 2013 - "... We’ve found that the Cutwail botnet responsible for the major Blackhole Exploit Kit spam runs started sending out runs carrying UPATRE (which ultimately leads to CryptoLocker) right around October, the same month of Paunch’s arrest. In fact, we have monitored multiple IPs involved in the transition – sending Blackhole Exploit Kit spam shortly before the arrest and sending CryptoLocker spam after the arrest. The Cutwail-UPATRE-ZEUS-CRILOCK infection chain we spotted on October 21 may be the most common infection chain used to spread CryptoLocker. The Cutwail botnet has the capability to send very high numbers of spam messages, which explains the high incidence of this recent spin in ransomware... We reiterate that users should absolutely -not- open attachments that they were not expecting to receive. This will help minimize the exposure of users to this threat."

- http://blog.trendmic...tachment-found/
Nov 13, 2013 - "... we came across rather unusual spam samples...
> http://blog.trendmic...3/11/upatre.png
These particular messages contain both a link to a malicious site, as well as a malicious attachment. Having a spam message that contains both kinds of threats is not common – generally, spam will have one or the other. The URLs linked to by these messages are generally compromised sites, which point to Javascript files in a similar manner to that used by the Blackhole Exploit Kit. We cannot confirm whether these Javascript files resulted in redirects to landing sites that would lead to exploit kits, but the added content to the compromised sites we have seen is almost identical to that used by Blackhole campaigns. The malicious attachment is another UPATRE variant, TROJ_UPATRE.SMB. This downloader installs a ZBOT variant onto the affected system. We had earlier identified that the Cutwail botnet had been sending out spam messages with UPATRE downloaders as attachments, and that is also the case here. Long term, it’s unclear what this indicates. It may mean that attackers are turning to another exploit kit to replace BHEK as a long-term solution, but we cannot say for sure..."
___

- http://www.nationalc...-computer-users
Nov 15, 2013 - "The NCA's National Cyber Crime Unit are aware of a mass email spamming event that is ongoing, where people are receiving emails that appear to be from banks and other financial institutions. The emails may be sent out to tens of millions... appear to be targeting small and medium businesses in particular.... The emails carry an -attachment- that appears to be correspondence linked to the email message (for example, a voicemail, fax, details of a suspicious transaction or invoices for payment). This file is in fact -malware- that can install Cryptolocker – which is a piece of ransomware..."
 

:ph34r:


Edited by AplusWebMaster, 16 November 2013 - 02:05 PM.



#57 AplusWebMaster


Posted 26 December 2013 - 09:01 AM

FYI...

New CryptoLocker -variant- spreads via removable drives
- http://blog.trendmic...movable-drives/
Dec 25, 2013 - "... a CryptoLocker -variant- that had one notable feature — it has propagation routines. Analysis of the malware, detected as WORM_CRILOCK.A, shows that this malware can spread via removable drives. This update is considered significant because this routine was unheard of in other CRILOCK variants. The addition of propagation routines means that the malware can easily spread, unlike other known CRILOCK variants. Aside from its propagation technique, the new malware bears numerous differences from known CryptoLocker variants. Rather than relying on a downloader malware — often UPATRE — to infect systems, this malware pretends to be an activator for various software such as Adobe Photoshop and Microsoft Office in peer-to-peer (P2P) file sharing sites. Uploading the malware in P2P sites allows bad guys to easily infect systems -without- the need to create (and send) spammed messages. Further analysis of WORM_CRILOCK reveals that it has a stark difference compared to previous variants. The malware has foregone domain generation algorithm (DGA). Instead, its command-and-control (C&C) servers are hardcoded into the malware. Hardcoding the URLs makes it easier to detect and block the related malicious URLs. DGA, on the other hand, may allow cybercriminals to evade detection as it uses a large number of potential domains. This could mean that the malware is still in the process of being refined and improved upon. Thus, we can expect later variants to have the DGA capability. The differences between this particular CRILOCK variant and the others have led some researchers to believe that this malware is the product of a copycat. Regardless of its creator, WORM_CRILOCK.A shows that this could become the new favored attack method of cybercriminals. Users should -avoid- using P2P sites to get copies of software. They should always download software from official and/or reputable sites.
Given WORM_CRILOCK’s ability to spread via removable drives, users should also exercise caution when using flash drives and the like. Users should -never- connect their drives into unfamiliar or unknown machines..."

- http://www.welivesec...ion-or-copycat/
19 Dec 2013
___

- http://www.securewor...ker-ransomware/
18 Dec 2013

:ph34r: <_<


Edited by AplusWebMaster, 27 December 2013 - 10:23 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#58 AplusWebMaster (Authentic Member, 10,472 posts)
Posted 30 December 2013 - 11:03 AM

FYI...

Tracking CryptoLocker ...
- http://garwarner.blo...covery-iid.html
Dec 29, 2013 - "... some IP addresses that Malcovery* thinks you should -block- immediately because they are linked to CryptoLocker... 46.149.111.28, 62.76.45.1, 83.69.233.25, 83.69.233.176, 95.59.26.43, 95.172.146.68, 109.234.154.254, 188.65.211.137, 188.120.255.37, 195.2.77.48 ..."
(More detail at the URL above.)
* http://www.malcovery.com/

- https://www.virustot...28/information/

- https://www.virustot....1/information/

- https://www.virustot...25/information/

- https://www.virustot...43/information/

- https://www.virustot...68/information/

- https://www.virustot...54/information/

- https://www.virustot...37/information/

- https://www.virustot...37/information/

- https://www.virustot...48/information/

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 30 December 2013 - 11:47 AM.

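A defender-side check for the blocklist quoted in this post, as an added example that is not part of the post or of Malcovery's own tooling: it parses firewall log lines and flags any internal host that tried to reach one of the ten listed addresses. The log format and the sample lines are constructed for illustration.

```python
"""Flag connection attempts to the CryptoLocker-linked addresses quoted in the
Malcovery post above (added example; log format and lines are constructed)."""
import ipaddress
import re

# The ten addresses quoted in the post; alert on any connection attempt to them.
CRYPTOLOCKER_IPS = frozenset(ipaddress.ip_address(a) for a in (
    "46.149.111.28", "62.76.45.1", "83.69.233.25", "83.69.233.176",
    "95.59.26.43", "95.172.146.68", "109.234.154.254", "188.65.211.137",
    "188.120.255.37", "195.2.77.48",
))

# Constructed log format: "<timestamp> <src_ip> -> <dst_ip>:<port> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<action>\w+)$"
)

def parse_line(line):
    """Return a record for a well-formed line, or None for junk or bad addresses."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:  # malformed address such as "83.69.233.256"
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": dst,
            "port": int(m["port"]), "action": m["action"]}

def find_hits(lines):
    """Return (ts, src, dst) for each attempt to reach a listed address.
    DENY lines count too: a host trying to reach a C&C is the infection signal,
    whatever the firewall decided."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dst"] in CRYPTOLOCKER_IPS:
            hits.append((rec["ts"], rec["src"], str(rec["dst"])))
    return hits

# Constructed sample: one allowed hit, one benign flow (TEST-NET-2 address),
# one hit the firewall already blocked, and one unparseable line.
SAMPLE_LOG = [
    "2013-12-30T11:00:01Z 10.0.0.15 -> 83.69.233.25:443 ALLOW",
    "2013-12-30T11:00:05Z 10.0.0.15 -> 198.51.100.7:80 ALLOW",
    "2013-12-30T11:01:12Z 10.0.0.22 -> 188.120.255.37:8080 DENY",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ts, src, dst in find_hits(SAMPLE_LOG):
        print(f"{ts} host {src} attempted contact with CryptoLocker-linked {dst}")
```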


#59 AplusWebMaster (Authentic Member, 10,472 posts)
Posted 01 February 2014 - 06:03 AM

FYI...

DailyMotion infected - serving Fake AV Malware
- http://threatpost.co...-malware/104003
Jan 31, 2014 - "More than three weeks after notifying video-sharing site DailyMotion that it was compromised, security company Invincea reports the popular website is -still- infected. A spokesperson told Threatpost that Invincea’s original notification was not acknowledged and the company suspects this is a continuation of the same attack and the site was never cleaned up. Invincea said it has again notified DailyMotion, which is the 96th most popular destination on the Internet according to Alexa. The site allows users to upload and share videos. The attack was originally reported Jan. 7* when malicious ads were discovered on the site. Those ads were -redirecting- visitors to a fake AV scam. Invincea said today** that the same threat is happening on the site... a visitor is presented with a dialog box warning the user that “Microsoft Antivirus” found a problem on the victim’s computer and that it needs to be cleaned. A list of potential problems is shown next and the user is enticed to run an executable pretending to be security software... With fake AV scams, victims are tricked into installing what they think is security software but is instead malware. They’re then informed they must purchase a subscription of some kind in order to clean the computer of the infection..."
* http://www.invincea....fake-av-threat/
Jan 7, 2014

** http://www.invincea....-fakeav-threat/
Jan 31, 2014


FakeAV Threat ...
- https://www.youtube....xKmAsSzJv0#t=38
Jan 31, 2014 Video 1:26

93.115.82.246
- https://www.virustot...46/information/

2014-02-04

___

- https://net-security...ews.php?id=2697
Feb 3, 2014 - "... Not only do the victims get saddled with malware, but they are likely to pay for the "full version" of the fake AV (some $100) and have their credit card details stolen in the process... the malware served in this attack is still detected only by a handful of commercial AV solutions, so avoiding DailyMotion's website is a good idea for now."

:ph34r: :ph34r: <_<


Edited by AplusWebMaster, 04 February 2014 - 10:26 AM.



#60 AplusWebMaster (Authentic Member, 10,472 posts)
Posted 31 October 2014 - 08:35 PM

FYI...

Rogue AV still finds a niche...
- http://www.threattra...ll-finds-niche/
Oct 31, 2014 - "... recently observed the Asprox botnet distributing malicious spam – like the image below of a purported WhatsApp voicemail notification – with attachments infected with Kuluoz, a downloader for Asprox, that is used to drop affiliate payloads onto PCs.
WhatsApp spam delivers Kuluoz downloader dropping Rango Rogue AV:
> http://www.threattra...atsApp-Spam.jpg
Kuluoz dropping Rango - rogue AV from the Fakerean family of rogues:
> http://www.threattra...4/10/Rango1.png
Once infected with Rango – which can dynamically change its name depending on the OS environment in which it is installed – it will begin alerting users that their machine is infected with malware and directing them to purchase Rango.
Rango generates dire warnings designed to scare users into purchasing false protection:
> http://www.threattra...4/10/Rango3.png
Victims who make it this far - hand over their credit card information...:
> http://www.threattra...4/10/Rango4.png
Rango even goes as far as to create a fake Windows Action Screen to help persuade users into accepting it as a recognized and trusted antivirus program... Rango also stops users from running applications, falsely claiming they are malicious... users who mistakenly -pay- the ransom for Fakerean rogues typically download an .exe file which removes any fake files and stops blocking access to applications. Subsequent “scans” with the rogue typically will not show any future false detections. A ThreatAnalyzer dynamic malware analysis report of Rango is available here*."
* http://www.threattra...is-fakerean.pdf

:ph34r: :ph34r:  <_<


Edited by AplusWebMaster, 31 October 2014 - 08:48 PM.

