I was given a suspicious website link pointing to the website belonging to the Board of Regents of the State of Louisiana. This link points to the main website hxxp://regents.la.gov/, followed by /wp-content/upgrade/<numbers>.exe, where <numbers> stands for several random digits, followed by the .exe extension.
Several months ago I wrote a blog post about an adware downloader which, after execution, downloaded a few adware programs and installed them on the computer, giving the user no chance to skip or bypass their installation. This time, we will analyze an application which installs similar types of adware programs on user computers.
We received a file which appeared to be a crack for Pinnacle Studio HD Ultimate. After displaying the initial splash screen, it offers to install Pinnacle Pixie Activation 500. After confirmation, the crack is installed, but in addition to the crack, other programs and toolbars unexpectedly appeared on the compromised computer. Pinnacle was not the only target of this kind of attack. Cracks for programs like Sims, Nero, Rosetta Stone, and Pro Evolution Soccer 2013 were also used in distribution.
In this blog post, we will look at the attack originating from hxxp://www.spc.or.kr/ and targeting several major Korean banks.
As a malware analyst, I sometimes have to deal with files that cannot be classified as a computer virus or malware, but whose behavior when executed by the user is still considered unwanted or suspicious. In this blog post, we will look at an adware downloader. It comes in two different versions: one tiny, only about 17KB and written in .NET, and the other bigger, built with the getrighttogo downloader builder. On the user’s computer, the downloader was found in the following location.
C:\Documents and Settings\Administrador\Meus documentos\Downloads\filme(1).exe
The user’s computer got infected via one of many sites similar to the following ones, websites offering movie downloads. After clicking on the download links, .exe files were offered for download.
Figure 1 – Example of a site the downloader was originally downloaded from
In this blog post, I would like to introduce one variant of the widely spread malware family often detected by avast! as “Reveton.” Reveton is classified as ransomware: a program which locks your computer and expects an action, usually the payment of money. Unless the desired amount of money is paid or the malicious application is removed, you cannot do anything with your computer.
In the screenshot below (figure 1), you can see an example of the fake United States Cyber Security notice. Cybercrooks cleverly try to convince the user that activities which violate the law have been detected on his computer. In the sample we analyzed, the user is being accused of illegally downloading and distributing copyrighted content.
To mimic a realistic look, the United States Cyber Authority logo as well as basic information about the user’s location (IP, Location, IPS) are shown in the upper left corner. A black and white image resembling a web camera is shown in the upper right corner. This creates the feeling that the user is being watched by the authorities right now via an integrated web camera. Most computers nowadays have integrated web cameras; however, the computer on which our analysis was performed had no web camera, yet the video recording image was still shown.
Imagine a program that scans your computer, detects some errors, and offers to fix them. There are many legitimate programs that do this (for example, antivirus programs), but there are also many fake programs which do nothing beneficial: they just pretend to scan your computer and pretend to fix some errors, but in reality there are no errors and nothing is being fixed. You didn’t install such a program; you don’t even know how it got installed on your computer. It’s just there, wanting to trick you into buying a license.
Have you ever wondered what happens when you “buy” the activation key? Will the program really do something for you, will it just disappear… or, maybe, it will keep annoying you. Let’s look at a program called “S.M.A.R.T. Repair”.