By now most users will already be familiar with ransomware, either because they have been affected by it themselves at some point or because they have seen it on a friend’s PC. Ransomware usually refers to a special category of malware that essentially tries to hold a user’s computer and files hostage and demands payment of a ransom in exchange for returning control of the computer back to the user. The general method of operation so far has been to simply confront the user with fictitious legal accusations. However there is a slight chance that in the not so distant future these accusations may no longer be fabricated.
Just a few days ago the “Commission on the Theft of American Intellectual Property” released their 84-page report. Amidst a large number of rather naive ideas there is one that strikes us as particularly insane: the report proposes the use of malware to determine whether or not you are pirating intellectual property and, if you are, to lock your computer and hold all your files hostage until you call the police and confess to your crime:
Additionally, software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user’s computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account. Such measures do not violate existing laws on the use of the Internet, yet they serve to blunt attacks and stabilize a cyber incident to provide both time and evidence for law enforcement to become involved.
It gets even better:
While not currently permitted under U.S. law, there are increasing calls for creating a more permissive environment for active network defense that allows companies not only to stabilize a situation but to take further steps, including actively retrieving stolen information, altering it within the intruder’s networks, or even destroying the information within an unauthorized network. Additional measures go further, including photographing the hacker using his own system’s camera, implanting malware in the hacker’s network, or even physically disabling or destroying the hacker’s own computer or network.
Use of malware to stop piracy isn’t a new idea
Admittedly, this idea, as insane as it may sound, isn’t new at all. In fact, the very first PC virus, Brain, was created for exactly that purpose. Brain’s author, Amjad Farooq Alvi, used it in January 1986 to prevent his medical software from being copied illegally. According to him, the virus was supposed to target copyright infringers only and asked infected users to contact his software development firm to purchase a cure. Now almost 30 years later we know that his initial idea didn’t turn out that well and Brain went on to infect a lot of innocent users’ computers as well.
But we don’t even have to go back that far. Sony thought it would be a wise idea to use rootkits to protect their DVDs and CDs from being ripped just 8 years ago. The public outcry in late 2005 when Sony’s actions came to users’ attention was tremendous, and rightfully so. This was not only because the Sony rootkit didn’t pose any serious obstacle for any of the actual pirates out there, who weren’t affected by it at all, but because the rootkit posed a significant security and stability risk for everyone who purchased Sony’s content legally.
This was mainly due to various bugs within the rootkit itself. The rootkit lacked any kind of verification of which programs were actually allowed to take advantage of it and which weren’t. In fact the rootkit simply hid all files whose names contained a simple string of text. It didn’t take long for actual malware to appear that included this particular marker in its file name, essentially using the Sony rootkit for its own malicious purposes. The rootkit itself contained several bugs that could trigger a blue screen during certain operations or could be used by a normal user to obtain administrative rights on the system. Similar issues were found in the dedicated removal tool that Sony offered on their website: it could be used by hackers to run arbitrary code on a user’s system simply by having them visit a website, and it could leave users without access to their CD and DVD drives after they removed the rootkit.
There is no “good malware”
The fallacy in all of this is that the commission clearly believes that something like “good malware” can exist. The reality is, there is no such thing. The number of different computer configurations out there alone is simply too large to guarantee that a particular program (or malware) will never cause unwanted bugs or side effects. A false positive in such a system would be disastrous. Given the nature of ransomware and rootkits in general, they often have to rely on undocumented Windows system internals, which almost guarantees that security vulnerabilities will arise. These vulnerabilities would then be used by software with actual malicious intent to infect the computers of innocent users, leaving the actual pirates unharmed, since they would surely be using rips and copies that have the malware-like DRM removed.
So where does this leave you as an Emsisoft user, if Congress decides to ignore all the outcry this report will surely cause and pass the requested legislation anyway? The answer is rather simple: We as a company don’t believe in “legal malware”. It doesn’t matter whether a country, Hollywood, or a Russian backyard crimeware gang created it. Malware will always be malicious, no matter the intentions. We have therefore never adhered to requests by law enforcement agencies to whitelist their malware in the past and we don’t plan to do so in the future. This is especially true for our behavior blocking technology, which is technically incapable of reliably determining the origin of a malware file, making it impossible for us to whitelist certain malware based on its origin even if we wanted to or were legally forced to do so.
We received so many spam emails about the BBB (Better Business Bureau) and the IRS (Internal Revenue Service) that we had a closer look at them.
The emails come from spoofed addresses, such as alert[at]irs.com, subscriptions[at]irs.com, accounts[at]irs.com, etc.
Dear Accountant Officer,
Hereby you are notified that your Tax Return Appeal id#[NUMBER] has been REJECTED. If you consider that the IRS did not properly examine you case due to a misinterpretation of the facts, be prepared to clarify and support your position. You can access the rejection report and re-submit your appeal by using the following link Online Tax Appeal.
When clicking on the link provided in the email, the user will not be taken to the official BBB or IRS site, but will instead land on a compromised page which contains the BlackHole exploit kit. The following are some of the malicious URLs found in the email:
The victim will see this screen in his default browser:
Please wait, till tax confirmation is ready.
It will take few minutes.
In the background, the page tries to exploit some known vulnerabilities and then contacts the server to download a malicious file called “wpbt0.dll”, which it saves to the temp folder.
Based on whois information, the domain was just created a few days ago and is hosted in the US (IP 22.214.171.124).
Domain Name: 110hobart.com
Created on..............: 2012-02-16
Expires on..............: 2013-02-16
801 Bridlepath Ln
CHARLOTTE, NC 28211
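A defender-side check for this lure, added here as an example that is neither part of the original post nor Emsisoft’s own tooling: the script parses a constructed copy of the email, confirms that the sender domain is not the impersonated organisation’s real domain, and flags anchor text that hides a link to a non-official host. The allowlist of official domains, the helper names and every header value are assumptions; 110hobart.com is the hosting domain named in the analysis above.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the lure impersonates, mapped to the domains those organisations really use.
# Assumption: this allowlist is the example's own; the post only names the spoofed
# alert@irs.com / subscriptions@irs.com / accounts@irs.com senders.
OFFICIAL = {
    "irs": {"irs.gov"},
    "bbb": {"bbb.org"},
}

# Constructed sample modelled on the lure quoted in the post. 110hobart.com is the
# exploit-hosting domain named in the post; every other header value is made up.
SAMPLE_LURE = """\
From: IRS Appeals <alert@irs.com>
To: accountant@example.invalid
Subject: Your Tax Return Appeal id#8841 has been REJECTED
Content-Type: text/html

<p>Dear Accountant Officer,</p>
<p>Hereby you are notified that your Tax Return Appeal id#8841 has been REJECTED.
You can access the rejection report and re-submit your appeal by using the
following link <a href="http://110hobart.com/tax/index.php">Online Tax Appeal</a>.</p>
"""

# Constructed benign counterpart: same theme, but sender and link are genuine.
SAMPLE_BENIGN = """\
From: IRS <noreply@irs.gov>
To: accountant@example.invalid
Subject: Your appeal status
Content-Type: text/html

<p>Your appeal status is available at
<a href="https://www.irs.gov/appeals">IRS Appeals</a>.</p>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _in_domain(host, domains):
    """True if host is one of the given domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def sender_domain(raw):
    """Lower-cased domain part of the From: address ('' if absent)."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def claimed_brands(raw):
    """Brands the message claims to come from, judged by display name, sender address and subject."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    haystack = " ".join([name, re.sub(r"[.@]", " ", addr), msg.get("Subject", "")])
    return [b for b in OFFICIAL if re.search(rf"\b{b}\b", haystack, re.I)]


def extract_links(raw):
    """(href, anchor text) pairs from a single-part HTML body."""
    body = message_from_string(raw).get_payload()
    return [(href, " ".join(text.split())) for href, text in LINK_RE.findall(body)]


def triage(raw):
    """Reasons the message looks like the spoofed IRS/BBB lure (empty list if clean)."""
    findings = []
    dom = sender_domain(raw)
    # A message that invokes a brand must come from that brand's real domain.
    for brand in claimed_brands(raw):
        if not _in_domain(dom, OFFICIAL[brand]):
            findings.append(f"sender domain {dom} is not an official {brand.upper()} domain")
    # Every link in such a message must also land on an official host.
    all_official = set().union(*OFFICIAL.values())
    for href, text in extract_links(raw):
        host = (urlparse(href).hostname or "").lower()
        if not _in_domain(host, all_official):
            findings.append(f"link '{text}' leads to non-official host {host}")
    return findings


if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, triage(sample) or "no findings")
```

The two checks are deliberately independent: the sender check catches look-alike domains such as irs.com regardless of body content, and the link check catches a genuine-looking sender whose body still points at the exploit page, which matters once the spoofed From: is replaced by a compromised legitimate account.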
The downloaded file is detected as Trojan-Downloader.Win32.Spy or Worm.Win32.Cridex by Emsisoft Anti-Malware, and it is packed with UPX and a custom packer. After unpacking, some parts are still encrypted and the unpacked image has no import address table (IAT) yet.
The malware then decrypts some data from its body using “OwRzkxlBNrxDp2jKZPN” as the key and rebuilds the IAT on the fly.
After running, the malware performs several actions including copying the malware file to the Application Data directory and deleting the original file, creating an autorun key in the Registry, attempting to infect removable drives, and injecting itself into explorer.exe.
Once injected, explorer.exe will send a query to another server, transmitting information such as the computer name. To determine which server it will contact, the malware generates the domain name based on a calculation. If the target URL is not responding, the malware will generate a new one.
The URL format and some of the produced domain names are as follows:
Generate domain name procedure:
After that the server sends the following data:
As illustrated in the picture above, there are hundreds of URLs related to these online banking sites. No doubt, they want to steal your money.
News about the death of Steve Jobs has been exploited by cyber-criminals by sending spam emails associated with this incident. The spam email has a subject like “Steve Jobs: Not Dead Yet!“, “Is Steve Jobs Really Dead?“, “Steve Jobs Alive!“, or “Steve Jobs Not Dead!“.
Clicking on the link provided will take the user to a site hosting the BlackHole exploit kit, which will download and execute malware.
When executed, the malware downloads other files and within a minute turns the victim’s machine into a spam bot:
Some malicious links provided in the email:
Currently the detection rate is very low: only 3 of 43 antivirus engines detect this malware. Emsisoft Anti-Malware detects it as Trojan.Win32.Spambot.
The Internet has come of age, and with it malicious software and the infections it causes. Viruses, Trojans, adware and pop-ups have been around for a long time, and their numbers have grown over time. With the new century, and especially in the last 5 years, newer types of malicious software have appeared, namely spyware and rogue security software. The evolution of rogue security software is no less interesting than human evolution: from a simple Windows-installer-based malware to recent web exploits and even fake warnings and blue screens, the path is incredible. Today it is a billion-dollar industry, with one or more new variants or rogues every day, and the main strategy is social engineering: scaring users into buying fake products for a false sense of security. Let’s go a little deeper. The rogue security industry consists either of big fish that have been around for some time and spoon out new variants every now and then, or of one-time malware that appears, spreads like an epidemic and then suddenly vanishes. There is a strong “maybe” that most of them are interconnected somewhere, but that’s another story. Two notable big fish are WinFixer and XPAntivirus, with SpySheriff being one of the early troublemakers.
The initial ways of infection were nothing that stood out.
Just like any normal setup installer, the user would install it manually, and the malware was then on the machine, uninstaller and all. Let’s see how this evolved with time.
The whole industry completely overhauled itself, and the change is scary. Much of it has been targeted at Microsoft’s own security initiatives, namely the Security Center (explained below), Windows Defender, MSRT, and even Windows Vista (or OEM product) sales and DVD package imposters.
Let’s look at how rogue software started exploiting the “Security Center” of Microsoft Windows.
The image looks very similar to the real thing, and anyone using Windows has come across the real one at some point while configuring their Firewall or Automatic Updates options. If we look a little closer, we can see how fake the products are and how they try to fool a normal user in a make-believe attempt. One very common, though surprising, characteristic is the errors in the language itself.
“Windows Security center reports that XP Deluxe Protector is inable.” There is also the lure to get the user to “purchase” the fake product, as we can see in the fake Security Centers.
The funny thing is, the craziness of duplication did not end there. Let us look at another instance.
And if the user clicks it, they will again be redirected to either the product download or registration page, which again has been crafted to fool the user.
It is amazing how easily we as end users get manipulated by an industry that is completely based on tricking users into buying a “fake” security product so that they can feel protected from warnings such as the ones below!
In the images above, two look similar but carry different product names, which suggests shared code or UI design, and the other follows a similar strategy with a different UI. It is very easy for an end user who uses the computer only for email, online shopping or browsing to be tricked by these flashy, in-your-face prompts, and that’s where awareness should come into play. The creators of these fake products keep coming up with new attempts to trick users in every possible way, and I have tried to show a few of them.
The infection process has also evolved over time. The earlier infections came either through a harmless-looking user install or through third-party bundleware. The earlier versions of XPAntivirus or even SpySheriff had product-related websites, which the user would stumble upon or be redirected to, and installation happened either with the user’s consent or as part of a bundle. This changed dramatically but steadily. The malware industry is well integrated, and quite a few different malware types, like spambots, Trojan downloaders and rogue software, together form a complete infection chain. Within the last year there were instances like the CNN- or MSNBC-related infections, malware like cbeplay, and Trojan downloaders fetching rogue software at the end of the infection chain. The infection starts with vectors like exploited or hacked websites carrying infected code, where the user mistakenly clicks on links or prompts that stare them in the face. The other prevalent way is spam mail: once the user clicks, they are infected with a Trojan downloader, which in turn shows balloon-like warnings disguised as Windows taskbar prompts or even browser prompts, in either case tricking the user into going ahead and downloading the fake security product.
As I mentioned at the start of the blog, earlier there were no such lures or tricks, but as the industry grew and understood the huge prospects in the security field, it is now working to make full use of them. Trust is a huge factor nowadays, and very few sites on the web have a user’s trust. Let’s take another example.
This was back in 2006
And these are recent images
Source – http://img.bleepingcomputer.com/swr-guides/a/antivirus-2009/fake-google-warning.jpg and http://www.precisesecurity.com/blogs/wp-content/uploads/2009/04/google-has-detected-page.gif
The tricks kept evolving with the passage of time, ever changing and hard for an end user to keep up with. Let’s look at the attempts below.
The Blue Screen of Death (the infamous BSOD) has always put Microsoft Windows users in a “what the heck happened” situation, and the malware creators did not leave that area alone either. A sudden restart, where even the restart screen has been turned into another fake advertisement, or a sudden blue screen with error messages in characteristically wrong English, is supposed to confuse the end user enough to fall prey to these tactics. That’s where we at Emsisoft are trying to make you, the end user, aware of every tactic these malware creators use, and we will not stop. Do keep your antivirus and operating system updated, click only on what you are sure about, and as always you can submit any suspicious file to us. Visit http://www.emsisoft.com/en/support/malware/ for information about the different malware we target.
At Emsisoft, we are continuously updating our signatures and our analysts are always on the lookout for undetected samples. Also, our behavior-based “Behavior Blocker” alerts you to a huge range of malicious activities so that you are always aware of what is happening on your system. We make sure our customers have peace of mind; security should come naturally. It is not going to get any easier, and the industry will only get trickier, but we here at Emsisoft are always a step ahead. We have the best protection and higher detection than other security software, and we protect you from getting infected and eradicate such threats. Especially with the release of Version 5, we have overhauled our product in a lot of ways, and we make sure our users remain protected from these threats today and tomorrow.