BotnetWeb - Part 2

The security industry is waiting eagerly for Finjan to release more technical details about their recent discovery of a multi-million-sized botnet. I got a chance to speak with Finjan's representatives at RSA on April 23rd. I asked them about this new un-named / un-identified botnet. Unluckily for me, Finjan couldn't give any more information, saying that they are currently working with law enforcement agencies and so are not in a position to say more on this right now.

This did not stop me from carrying my investigation further. I need to assess the severity of this threat myself and have to make sure that our customers are protected against this particular threat. As far as I'm concerned, it's not cops or other law enforcement agencies that will protect those poor 1.9 million victims; it's the job of the security industry. The challenge in front of me was that Finjan did not disclose any clear information which could lead other security researchers to the true identity of this un-named botnet.

There were a few hints in the Finjan report which could be used to explore some hidden aspects of this botnet. The first hint was that this botnet had been seen downloading Hexzone around March 29. I have covered Hexzone in detail in a previous article. ESET has also come up with a very good write-up about Hexzone here. The second hint was the Joebox analysis report. This report showed a list of additional malware components downloaded by the un-named botnet.

Hexzone, Ransomware, and Finjan

At RSA 2009 today, Finjan announced that their research team has discovered a new botnet which they believe has already infiltrated about 1.9 million computers across the globe.  Although Finjan did not mention the name of the botnet in their blog post, VirusTotal scan results (for one of the secondary downloads) shown in their article identified it as the dropper for a known Trojan called Hexzone.

Hexzone coincidentally caught my attention while I was gathering material for my recent article about some emerging ransomware. Hexzone has recently been seen downloading Trojan.Ransomlock, which blocks the user's access to all Windows resources and asks the victim for money (ransom) in return for unlocking their system. For details please refer to Ransomware on the loose…

Ransomware on the loose…

Update: A little more investigation revealed to me how this SMS-based ransom works. These SMS codes use paid "rooms". These "rooms" work like 1900 numbers, where it costs money to phone in. Every time someone sends an SMS to one of these rooms, a fixed amount of money is deducted from the sender's balance and transferred to the owner of the room.

There has been a disturbing uptick in "ransomware" over the past couple of weeks. Most modern malware tries its hardest to keep the user from noticing its presence on the system, but because of what rogue AVs and ransomware are, they are as in-your-face as they can be. Recently I got a chance to analyze a couple of these pieces of malware. One of the samples I looked at was 6211D3AF9D2EE3DCD44C948A4ECF6633. Upon execution, this malware blocks the user's access to all Windows resources and asks the victim for money (ransom) in return for unlocking their system.

BotnetWeb: A Collection of Heterogeneous Botnets…

BotnetWeb: Readers may not be familiar with this term, as I coined it recently. I define it as follows:

“A collection of heterogeneous Botnets being operated in conjunction with each other controlled by one or more closely linked cyber criminal group(s)”

This type of relationship among different malware families is not something new. We have already seen similar relationships among the top spam botnets such as Pushdo, Srizbi, Cutwail, Mega-D/Ozdok, and Rustock.

For a quick recap, readers may refer to these articles:

https://www.fireeyesolution.com/research/2008/08/srizbi-and-rust.html
https://www.fireeyesolution.com/research/2008/08/srizbi-and-ru-1.html
https://www.fireeyesolution.com/research/2008/09/new-axis-of-evi.html