Jaromír Hořejší

Jaromír Hořejší

17 February 2014

Fake Korean bank applications for Android - PT 1

About a year ago, we published this analysis about a pharming attack against Korean bank customers. The banks targeted by cybercriminals included NH Bank, Kookmin Bank, Hana Bank, ShinHan Bank, and Woori Bank. With the rise of Android-powered devices, these attacks now occur not only on the Windows platform, but also on the Android platform. In this blogpost we will look at a fake bank application and analyze several malware families which supposedly utilize them.

Original bank application

We will show just one bank application for brevity. For other banks the scenario is similar. The real Hana Bank application can be downloaded from Google Play. It has the following layout and background.

Mobile Security, Threat Research, Security News

Jaromír Hořejší

22 January 2014

Win32/64:Blackbeard & Pigeon: Stealthiness techniques in 64-bit Windows, Part 2

Last week we promised to explain in detail how the "Blackbeard" Trojan infiltrates and hides itself in a victim's system, especially in its 64-bit variant. Everything described in this blogpost happens just before Pigeon (the clickbot payload) gets downloaded and executed. The most interesting aspects are the way it bypasses the Windows User Access Control (UAC) security feature and switches from running the 32-bit code of the Downloader to the 64-bit code of the Payload. And finally, how persistence is achieved.

From 32-bit Loader to 64-bit Payload

Like almost all other malware, this downloader is wrapped in a cryptor. After removing the first cryptor layer, we can see that the downloader is written in a robust way. The same code can run in either a 32-bit or a 64-bit environment; the code itself decides on the fly based on the entry point of the unpacked layer. The authors can therefore wrap their downloader in either a 32-bit or a 64-bit cryptor and it will execute correctly in both environments.


Threat Research, Security News

Jaromír Hořejší

21 November 2013

Ransomware shocks its victims by displaying child pornography pictures

In our blog, we wrote several times about various types of Ransomware, most recently about CryptoLocker. In most cases, ransomware has pretended to be a program installed into a victim's computer by the police. Because of some alleged suspicious activities found on the user's computer, ransomware blocks the user from using the computer and demands a ransom to unlock the machine or files.

Different ransomware families have different graphics and skins, usually showing intimidating images of handcuffs, logos of various government and law enforcement organizations, policemen performing inspections, government officials, etc. You can read some of our previous analyses on our blog; Reveton, Lyposit and Urausy are the most prolific examples of such ransomware.

In this blog post, we will look at the functionality of the same type of ransomware, but one which displays more annoying and disturbing photos. After showing the message saying, "Your computer has been suspended on the grounds of viewing illegal content," accompanied by the current IP address, the name of the internet service provider (ISP) and the geographical location, it displays several pictures of child pornography!

Threat Research, Security News

Jaromír Hořejší

4 November 2013

A report from RSA Conference Europe 2013

In today's world, where malware evolves and develops rapidly, sharing security information is the key element for success. Companies which ignore this fact sooner or later suffer the consequences of their bad decision. Malware researchers from all over the world regularly meet at various IT security conferences, where they learn from each other how to fight malware and how to make the IT world a safer place.


Threat Research, Security News

Jaromír Hořejší

22 October 2013

Win32:Reveton-XY [Trj] saves hundreds of computers worldwide and cybercriminals know it!!!

It has been more than a year since we last reported on the Reveton lock screen family. The group behind this ransomware is still very active and supplies new versions of their ransomware regularly.


Threat Research, Security News

Jaromír Hořejší

20 August 2013

No problem bro - ransom decryption service

If thieves gain control of sensitive personally identifiable information (PII) on your computer, your identity can be stolen. Information such as your social security number, driver's license number, date of birth, or full name are examples of files that should be encrypted. Confidential business data like individual customer information or intellectual property should also be encrypted for your safety.

In this blog post we will look at a service offering file decryption. This service helps you to decrypt files which were previously encrypted. But this is no helpful 'Tips and Tricks' blog for people who forgot the password to their documents and ask for help recovering it. Although breaking weak passwords is quite possible, noproblembro.com specializes in a different type of service.


Threat Research, Security News

Jaromír Hořejší

12 August 2013

Your documents are corrupted: From image to an information stealing trojan

InfoStealer is a Trojan that collects sensitive information about the user from an affected computer system and forwards it to a predetermined location. This information, whether it be financial information, login credentials, passwords, or a combination of all of them, can then be sold on the black market. AVAST detects this infostealer as MSIL:Agent-AKP.

In this blogpost, we will look at a malicious .NET file served to a victim's computer via an exploit kit. After opening the file in a decompiler, we noticed resources containing only noisy images similar to the figure below.


Threat Research

Jaromír Hořejší

24 July 2013

Urausy Lockscreen: Your computer will remain locked for 3 days, 11 hours and 20 minutes!

Yes, if your computer gets infected by Urausy Lockscreen, it will get locked. Luckily, not forever! Avast protects you against it. In this blogpost we will introduce an infamous lockscreen called Urausy. We will look at its special anti-debugging and anti-reverse engineering tricks, at its communication protocol, and determine what the conditions (if any) are for self-deleting from the compromised system.


Jaromír Hořejší

3 July 2013

Fake Flash Player installer spreads via Twitter and Facebook

Recently we identified a threat which uses Twitter and Facebook to spread. The origin of the infection begins by clicking malicious tweets or Facebook posts.


Tips, Threat Research, Security News

Jaromír Hořejší

19 June 2013

Your Facebook connection is now secured! Thank you for your support!

The title of this blog post may make you think that we will discuss the security of your Facebook account. Not this time. However, I will analyze an attack which starts with a suspicious email sent to the victim's email account.

The incoming email has the following subject, 'Hey <name> your Facebook account has been closed!' or 'Hi <name> your Facebook account is blocked!'. The email has a ZIP file attachment named <name>.zip, which contains a downloader file named <name>.exe. <name> stands for a random user name. After a user downloads and executes the executable file, he is presented with the message saying that "Your Facebook connection is now secured! Thank you for your support!" It tries to convince you that there was a problem with your Facebook account, which was later successfully solved by executing the application from the email attachment.

Let's look inside the executable file!


Tips, Threat Research, Security News