Protecting over 200 million PCs, Macs, & Mobiles – more than any other antivirus


August 19th, 2014

Reveton ransomware has dangerously evolved

The old ransomware business model is no longer enough for malware authors. New additions have made Reveton into something even more powerful.

Reveton

The latest generation of Reveton, the infamous “police” lock screen/ransomware, targets new black market business. The authors upped the ante of the despised malware from a LockScreen-only version to a dangerously powerful password and credentials stealer by adding the last version of Pony Stealer.  This addition affects more than 110 applications and turns your computer to a botnet client.

Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. In all cases, Reveton contains a link to download an additional password stealer. The most common infection is via the well-known exploit kits, FiestaEK, NuclearEK, SweetOrangeEK, etc.

Pony stealer module

Reveton use one of the best password/credentials stealer on the malware scene today. Pony authors conduct deep reverse engineering work which results in almost every password decrypted to plain text form. The malware can crack or decrypt quite complex passwords stored in various forms.

The stealer includes 17 main modules like OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc and over 140 submodules.
Reveton modules

OS functions:

Deep System Info, ScreenSaver password, LSA local, Windows passwords and certificates, RAS, ASP/.NET credentials, Groups passwords, Proxy, WinSocks, WinInet pipe etc.

FTP Clients:

32bit, BulletProofFTP, BitKinex, ClassicFTP, CoffeeCup, CoreFTP, CuteFTP, DOpus, ExpanDrive, FAR, FFFTP, FTPCommander, FTPControl, FTPExplorer, FTPRush, FTPUploader, FileZilla, FlashFXP, Fling, FreeFTP, Frigate3, LeapFTP, NetDrive, SecureFX, SmartFTP, SoftX, TurboFTP, UltraFXP, WS_FTP, WebDrive, WebSitePublisher, WinSCP, Windows/Total Commander

RDP/VPN Clients:

CiscoVPN, FreeCall, PC Remote Control, Remote Desktop Connection, WinVNC

Instant Messaging Clients:

AIM, AIMPRO, Astra, CamFrog, Digsby, Excite, Faim, GTalk, Gaim, Gizmo, ICQ2003, ICQ99b, IM2, JAJC, LiveMessenger, MSN, Miranda, MySpace, Odigo, PSI, PalTalk, Pandion, Pidgin, QIP, QIPOnline, R&Q, SIM4, Trillian, VypressAuvis, Yahoo

Dialers/RAS:

DialerQueen, EDialer, FDialer, MDialer, VDialer

Download tools:

Download Master, FlashGet, GetRight, Internet Download Accelerator

Online Poker Clients:

888Poker, AbsoluteCommon, AbsolutePoker, CakePoker, FullTiltPoker, PartyPoker, PokerStars, TitanPoker, UltimateBetPoker

Browser clients:

Chrome, Firefox, Flock, IE, Opera, Safari, SeaMonkey, Thunderbird, + Browser_History, Browser_Socks, System_Socks

Email Clients / Accounts:

Becky, Eudora, ForteAgent, Gmail, GroupMailFree, IncrediMail, MailCommander, Outlook, POPPeeper, PocoMail, Scribe, TheBat, Windows Mail, mail.ru

 

Crypto currency module

The crypto currency module steals passwords of the most widely used wallets. The malware can close QT wallets and imitate the login screen after the next execute.

Fake QT wallet screen

List of wallets and crypto currencies:

*-QT wallets, Armory wallet, Electrum wallet, Multibit wallet, Multidodge wallet, Offspring wallet, BitCoin, BlackCoin, DarkCoin, DodgeCoin, LiteCoin, VertCoin

 

Banker module

The list of banks is based on geolocation. Our version includes 17 German banks. This module searches browser history and cookie files.

Banker module

List of banks:

bank1saar.de, berliner-bank.de, comdirect.de, commerzbanking.de, cortalconsors.de, deutsche-bank.de, dkb.de, bawagpsk.com, fiducia.de, flessabank.de, gecapital.de, haspa.de, hypovereinsbank.de, norisbank.de, psd-bank.de, postbank.de, sparda.de

 

Lockscreen module

This part of Reveton malware has been upgraded, too. The authors divided the program into multiple threads, changed the encryption, saved the payload to registry, and recreated communication with C&C servers.

Payload stored in registry

Reveton has also prepared another password stealer downloaded from the Papras family. This malware is not as effective as the Pony but contains a powerful AV kill/disable function.

AV list from Papras malware

Mysterious hashes

We found 2 md5 hashes hardcoded deep inside the Reveton payload. The first is used to verify the generated user ID. If it matches, the system does not send information about the infected computer. This probably protects the author while testing or developing malware. Unfortunately, the UserID calculation algo is too complex for hash cracking.
UsedID is MD5 hash of ({ComputerName}+{EnumDisplayDevices}+{HDD SerialNumber}) XOR 029Ah

UserID calculation

The second hash is used for verification of the inserted unlock key (ukash/paysafe code). Reveton can be terminated if the MD5 hash of the inserted key is identical to the hardcoded one. We call it “Hash of master unlock key.”

Try to break the hash, and help save infected computers.

Master unlock key hash

Disinfection:

  1. Boot to another OS from USB flash disk or DVD.
  2. Find suspicious .lnk file in Startup menu (explorer.lnk, system.lnk etc.)
  3. Find path to malware binary at lnk file properities. (probably .cpp file)
  4. Delete lnk file and malware binary from link path
  5. Boot to your system and check which service reports an error
  6. Remove that service from the system
  7. Find “ACID” string in the registry and delete keys around (hex=78,01,…)
  8. Reboot
  9. Change passwords for all accounts and online services!!!

* You can try to find RUNDLL32.EXE-*-F.txt file where all stolen passwords are stored.

Analyzed Samples:

209B606203E60B9C3ABDBB27D7F93A2D8A60A87C4AB2E7749A9522C17F4511F2
4998A47D1ECB8C80E3AC5BAF743E87CC3546322335EDF89CE4A9AB1EF5420F69

Protect yourself with regular backups

The best protection against LockScreen or CryptLocker malware is frequent backups of all your important files, documents, and photos. The most secure way is to backup to online storage or the cloud because some malware encrypts data on all connected devices, local network drives, and NAS servers. You can use our avast! BackUp solution for example.

Conclusion

As we have shown, the high profits from the former Reveton model, unlocking the infected computer after the user pays a ransom, is not enough. Malware authors have decided to enter into a new black business area. Passwords to various systems and crypto currency wallets are a very lucrative commodity today. Some passwords (FTP, emails, IM…) are perfectly suited for spreading their malware and build stronger botnets.

The avast! Malware Analyst Workforce is preparing a white paper with a lot of deep technical and reversing details. Stay tuned!

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on FacebookTwitter and Google+. Business owners – check out our business products.