October 22nd, 2013

Win32:Reveton-XY [Trj] saves hundreds of computers worldwide and cybercriminals know it!!!

It has been more than a year since we last reported on the Reveton lock screen family. The group behind this ransomware is still very active and releases new versions of it regularly.

August 20th, 2013

No problem bro – ransom decryption service

If thieves gain control of sensitive personally identifiable information (PII) on your computer, your identity can be stolen. Information such as your social security number, driver’s license number, date of birth, or full name is an example of data that should be encrypted. Confidential business data like individual customer information or intellectual property should also be encrypted for your safety.

In this blog post we will look at a service offering file decryption. This service helps you decrypt files which were previously encrypted. But this is no helpful ‘Tips and Tricks’ blog for people who forgot the password to their documents and ask for help recovering it. Although breaking weak passwords is quite possible, noproblembro.com specializes in a different type of service.

August 12th, 2013

Your documents are corrupted: From image to an information stealing trojan

InfoStealer is a Trojan that collects sensitive information about the user from an affected computer system and forwards it to a predetermined location. This information, whether it be financial information, login credentials, passwords, or a combination of all of them, can then be sold on the black market. AVAST detects this infostealer as MSIL:Agent-AKP.

In this blog post, we will look at a malicious .NET file served to a victim’s computer via an exploit kit. After opening the file in a decompiler, we noticed resources containing only noisy images similar to the figure below.

[Figure: one of the noisy image resources found in the .NET file]

July 24th, 2013

Urausy Lockscreen: Your computer will remain locked for 3 days, 11 hours and 20 minutes!

Yes, if your computer gets infected by Urausy Lockscreen, it will get locked. Luckily, not forever! Avast protects you against it. In this blog post we will introduce an infamous lockscreen called Urausy. We will look at its special anti-debugging and anti-reverse engineering tricks and at its communication protocol, and determine what the conditions (if any) are for it to delete itself from the compromised system.

July 3rd, 2013

Fake Flash Player installer spreads via Twitter and Facebook

Recently we identified a threat which uses Twitter and Facebook to spread. The infection begins when the victim clicks a malicious tweet or Facebook post.


June 18th, 2013

Your Facebook connection is now secured! Thank you for your support!

The title of this blog post may make you think that we will discuss the security of your Facebook account. Not this time. However, I will analyze an attack which starts with a suspicious email sent to the victim’s email account.

The incoming email has one of the following subjects: ‘Hey <name> your Facebook account has been closed!‘ or ‘Hi <name> your Facebook account is blocked!‘. The email has a ZIP file attachment named <name>.zip, which contains a downloader file named <name>.exe, where <name> stands for a random user name. After the user downloads and executes the executable file, they are presented with a message saying “Your Facebook connection is now secured! Thank you for your support!” It tries to convince you that there was a problem with your Facebook account, which was then successfully solved by executing the application from the email attachment.

Let’s look inside the executable file!

May 29th, 2013

Analysis of a self-debugging Sirefef cryptor

Recently I wrote a blog post about a legitimate website spreading Sirefef malware. Then I continued with a deeper analysis and noticed that it uses an interesting cryptor.

Malware authors spread many new variants of malware every day. These variants often look completely different at first glance. That’s why regular updates of your antivirus are important. However, when we look deeper into most malware spreading these days, we see that the core functions do not change very often. Most of the variability of today’s malware comes from wrapping it in so-called “cryptors.”

In most cases, these cryptors are pretty boring pieces of software. They usually take seemingly random data from the malicious file, reshuffle it in the correct way so that the bytes become executable code, and then execute that code. However, the authors of Sirefef malware often come up with more interesting methods of loading their programs, and we will look at their method in this blog post.

Now, let’s get to Sirefef. Soon after it is executed, we can see the following scheme.

May 3rd, 2013

Regents of Louisiana spreading Sirefef malware

I was given a suspicious link pointing to the website belonging to the Board of Regents of the State of Louisiana. The link points to the main website hxxp://regents.la.gov/, followed by /wp-content/upgrade/<numbers>.exe, where <numbers>.exe represents several random digits followed by the EXE extension.

April 17th, 2013

Make money fast via torrents

Several months ago I wrote a blog post about an adware downloader which, after execution, downloaded a few adware programs and installed them on the computer, giving the user no chance to skip or bypass their installation. This time, we will analyze an application which installs similar types of adware programs on user computers.

We received a file which appeared to be a crack of Pinnacle Studio HD Ultimate. After displaying the initial splash screen, it offers to install Pinnacle Pixie Activation 500. After confirmation, the crack is installed, but in addition to the crack, other programs and toolbars unexpectedly appear on the compromised computer. Pinnacle was not the only target of this kind of attack. Cracks for programs like Sims, Nero, Rosetta Stone, and Pro Evolution Soccer 2013 were also used in distribution.

March 19th, 2013

Analysis of Chinese attack against Korean banks

In this blog post, we will look at the attack originating from hxxp://www.spc.or.kr/ and targeting several major Korean banks.

The site, spc.or.kr, is a legitimate Korean website which belongs to the Korea Software Property Right Council (SPC). After opening the site and viewing its source code, we looked into the included script /js/common1.js. This script includes two more JavaScript files (a third one is commented out). When we opened both of these scripts, we noticed a suspicious iframe tag at the end of /js/screen1.js. This iframe tag led us to rootadmina2012.com, which is the main attack site.
