In our blog, we wrote several times about various types of Ransomware, most recently about CryptoLocker. In most cases, ransomware has pretended to be a program installed into a victim’s computer by the police. Because of some alleged suspicious activities found on the user’s computer, ransomware blocks the user from using the computer and demands a ransom to unlock the machine or files.
Different ransomware families have different graphics and skins, usually showing intimidating images of handcuffs, logos of various government and law enforcement organizations, policemen performing inspections, government officials, etc… You can read some of our previous analyses on our blog – Reveton, Lyposit, Urausy – are the most prolific examples of such ransomware.
In this blog post, we will look at the functionally of the same type of ransomware, but one which displays more annoying and disturbing photos. After showing the message saying, “Your computer has been suspended on the grounds of viewing illegal content,” accompanied with the current IP address, name of internet service provider (ISP) and the geographical location, it displays several pictures of child pornography!
Today we are going to talk to those of you who use Bitcoin digital currency to pay for a variety of goods and services – along with a warning about yet another source of Bitcoin miners – the sharing services. You may think that if you avoid cracks and keygens while browsing the web you will be safe. Well, we would recommend that you reconsider that position. Recently we found that on the uloz.to file sharing service someone uploaded a lot of fake files containing Bitcoin miners!
Bitcoin Mining service
First a little background for the uninitiated: Bitcoins can be obtained by trading real currency, goods, or services with people who have them or alternatively, through mining. The mining process involves running software that performs complex math problems for which you’re rewarded a share of the income. There are a finite amount of Bitcoins to be had, and mining for them can be compared to extracting gold or diamonds from the earth. The more you get, the fewer there are to be had, so it becomes increasingly harder and more expensive. Here’s a descriptive article about mining.
Bitcoin mining services such as bitminter.com use shared computer resources of their users to mine new Bitcoins. In order to participate, the mining users have to create an account and then register their computers (workers) with the service. Then they simply run the Bitcoin miner program provided with their credentials on as many computers as they have. In the end, if they had enough computation power and time they might end up with a few Bitcoins.
It can be expected that some people will not be satisfied just using their own machines so they will try to use the computing power of unsuspecting victims. And that’s exactly what the authors of this malware are doing: They use hardware that does not belong them to generate more money.
It’s not a Bitcoin problem; it’s a people problem
We must stress that there’s nothing wrong with Bitcoin or its mining services. The problem is that some greedy people are misusing them.
Some of them can be seen on the following image. The word “cestina” means that the file should contain Czech localization of the referenced program. All of them contain a hidden feature, and sometimes the name is a complete fabrication. For example, The-Night-of-the-Rabbit-cestina.exe contains a crack for Call of Duty 4. Notice too, that all these files have an elevated popularity; no doubt a result of tampering. Some downloaders already suspect something fishy about these files.
Grum, one of the largest spamming botnets, suspected to be responsible for over 17% of worldwide spam (as described here), which was “killed” in July 2012, still lives. We have been tracking its activity since January 2013. We can confirm spiderlab’s doubts about the grum killing published in March 2013. The following article provides some details about registered grum activity.
We have seen grum activity on following sites:
Every bot client generates its own identification number (ID) on its first run. The length of the ID is 32 characters. The first three correspond with a bot version and the other 29 characters are randomly generated. It is also set to the HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\BITS\ID registry key, which is queried on every run.
After the bot sets its ID, it tries to connect to a C&C server.
1) The bot contacts C&C server with a HTTP GET request to get the FQDN of the client’s computer
2) The information is used to contact one of the SMTP servers obtained from DNS MX records from following domains which are used for sending spam:
3) Then the C&C server is contacted by the following request
The smtp variable is set to ‘ok’ when the bot successfully contacts one of the SMTP servers and set to ‘bad’ if it does not.
4) The C&C server answers with a message which looks like a typical BASE64 encoding
Actually the message is encrypted by RC4 algorithm with key equals to the bot’s ID and then it is encoded by BASE64.
The whole decryption algorithm written in C# could look like this:
The bot id is 72176717204370682282907051332175 for the mentioned message.
After decryption process we can see the message:
5) The bot remembers the ot variable and sends the HTTP task request without the ot variable.
6) The C&C answers with spamming instructions including spam mail template which is also encrypted by the schema mentioned above.
The interesting thing is that sent spam is similiar to scam described on our blog in the past.
Finally, we provide a screenshot of encrypted instructions, a spam email and an example of decrypted instructions .
Received: by work.ozucfx.net (Postfix, from userid %W_RND_INT)
id E%W_RND_INTCE%W_RND_INTE; %DATE
From: Work at Home <%FROM_EMAIL>
Subject: Your second chance in life just arrived
Content-Type: text/html; charset=us-ascii
Let us present the long-term analysis of malware which was designed to steal credentials from more than 25 largest banking and payment systems in Brazil. The unique features of this banking malware include the usage of valid digital certificates, 3 years of evolution and stealing credentials from e-commerce admin pages. This feature opens doors for attackers, who can then log in to e-commerce systems and steal information about customers and their payments.
This malware family combines all of these powerful functionalities and serves as a comprehensive tool for stealing money and sensitive personal data with dangerous efficiency.
The Android:FakeInst family of malware seems to be never ending story. Its creators have been trying to trick users into sending premium rate SMS messages for several months now. Just a few days ago, we discovered 25 more apps placed on alternative markets that are all based on very similar concepts as was the one in the story we wrote about before Christmas.
This time malicious Android applications are hosted on several domains:
All these sites were registered a week ago so it looks like they were supposed to serve as a malware hosting for the bad guys from the very beginning. Also if someone tries to access these sites from the browser, the visitor only receives a 404 error message which does not look like a legitimate site. Analyzing the trail the malware creators left for us, we’ve discovered a few sites they have used in order to attract users and all of them target Russian speaking people and look like an alternative markets. In reality, these sites exist for a short period of time and offers only fake downloaders. Read more…
The Duqu malware has raised the specter of Stuxnet II, with some in the security community claiming that this new Trojan is a reverse-engineered copy of Stuxnet – the infamous malware that may have sold more newspapers than it damaged nuclear centrifuges. Unlike Stuxnet, Duqu is designed to steal data from the targeted organization, not just destroy equipment. First noticed this summer, Duqu self-destructed after 30 days, than vanished again into cyberspace.
When analyzing flash malware, you can be sure that sooner or later a sample shows up that tries very hard to hide its purpose from anyone who wants to look under the hood. This is one of the things that make them suspicious and interesting to analyze. Today, I will show you a sample which is like an onion – every time you get rid of one layer of protection, you will find another one.
When analysing malware you are most likely to encounter samples which use all kinds of obfuscation in order to hide from antivirus software that protects your computer. This is also true for malware written in flash (more specifically, ActionScript). Flash is very popular among malware writers these days because many people use it on daily basis. Sometimes, they don’t even know it’s flash that runs all the fancy stuff which takes place on their screen! Recently I came across a sample that uses a very nice trick to hide its purpose from everyone who tries to look under its hood. What is more interesting, this sample is actually smaller than 140 bytes, which means it could fit in a Twitter message! That is rather unusual for flash files, which tend to be considerably larger. But don’t worry, this is not a case of malware spreading through Twitter in its binary form. Maybe via malicious links, but that is another story.