Ransom - Pay me more - Part 2

I recently got an important clue about how the ransom exchange takes place between a victim and the cyber criminals. One of my readers, who became a victim of this ransomware, dropped an email to the author at otrazhenie_zla@mail.ru asking for his files to be recovered. This was the response from the author:

"Transfer into account pay pal 50 dollars here email pay pal otrazhenie_zla@mail.ru"

Interestingly, instead of asking for the standard $10 ransom (as mentioned in his earlier message) he asked for $50 - typical criminal mentality, isn't it? Unfortunately his greed doesn't end here. This malware instance came bundled in a fake 'SWF video codec' file. Upon execution, this setup file installs three different pieces of malware on the victim's machine, including this ransomware.


Ransom - Pay me more!

Continuing the legacy of GPcode and FileFixer, a new file encoder trojan (5f9927ee59b4881a2ce8634332f63fa8) is on the loose. Upon execution, this malware looks for the user's data files (ending with .jpg, .zip, .doc, .text, etc.) on the system drives and encrypts them.

For example, a user's file named 'mic.jpg' will be replaced by 'mic.jpg.vscrypt'. After it has finished encrypting the user's data files, this malware replaces the desktop image with its own version, restarts the user's machine and simply quits. It doesn't attempt to install itself on the user's system permanently.

Here is a sample encrypted file (Download Sunset.jpg). The message left behind for the victim on the desktop looks like this:

Shantazh


BotnetWeb - Part 2

The security industry is waiting eagerly for Finjan to release more technical details about their recent discovery of a multi-million sized botnet. I got a chance to speak with Finjan's representatives at RSA on April 23rd and asked them about this new un-named / un-identified botnet. Unlucky me: Finjan couldn't give any more information, saying that they are currently working with law enforcement agencies and so are not in a position to say more right now.

This did not stop me from carrying my investigation further. I needed to assess the severity of this threat myself and make sure that our customers are protected against it. As far as I'm concerned, it's not the cops or other law enforcement agencies that will protect those poor 1.9 million victims; that's the job of the security industry. The challenge in front of me was that Finjan did not disclose any clear information which could lead other security researchers to the true identity of this un-named botnet.

There were a few hints in the Finjan report which could be used to explore some hidden aspects of this botnet. The first hint was that this botnet had been seen downloading Hexzone around March 29. I have covered Hexzone in detail in a previous article, and ESET has also come up with a very good write-up about Hexzone here. The second hint was the Joebox analysis report, which showed a list of additional malware components downloaded by the un-named botnet.


Hexzone, RansomWare, and Finjan

At RSA 2009 today, Finjan announced that their research team has discovered a new botnet which they believe has already infiltrated about 1.9 million computers across the globe. Although Finjan did not mention the name of the botnet in their blog post, the VirusTotal scan results (for one of the secondary downloads) shown in their article identify it as the dropper for a known Trojan called Hexzone.

Hexzone coincidentally caught my attention while I was gathering material for my recent article about some emerging ransomware. Hexzone has recently been seen downloading Trojan.Ransomlock, which blocks the user's access to all Windows resources and asks the victim for money (ransom) in return for unlocking their system. For details please refer to RansomWare on the loose…



RansomWare on the loose…

Update: A little more investigation revealed to me how this SMS-based ransom works. These SMS codes use paid "rooms". These "rooms" work like 1900 numbers, where it costs money to phone in. Every time someone sends an SMS to one of these rooms, a fixed amount of money is deducted from the sender's balance and transferred to the owner of the room.

There has been a disturbing uptick in "Ransomware" over the past couple of weeks. Most modern malware tries its hardest to keep the user from noticing its presence on the system, but Rogue AVs and Ransomware are, by their very nature, as in-your-face as they can be. Recently I got a chance to analyze a couple of these pieces of malware. One of the samples I looked at was 6211D3AF9D2EE3DCD44C948A4ECF6633. Upon execution, this malware blocks the user's access to all Windows resources and asks the victim for money (ransom) in return for unlocking their system.


BotnetWeb: A Collection of Heterogeneous Botnets…

BotnetWeb: Readers may not be familiar with this term, as I coined it recently. I define it as the following:

“A collection of heterogeneous Botnets being operated in conjunction with each other controlled by one or more closely linked cyber criminal group(s)”

This type of relationship among different malware families is nothing new. We have already seen similar relationships among the top spam Botnets like Pushdo, Srizbi, Cutwail, Mega-D/Ozdok, and Rustock.

For a quick recap readers may reference these articles:

https://www.fireeyesolution.com/research/2008/08/srizbi-and-rust.html
https://www.fireeyesolution.com/research/2008/08/srizbi-and-ru-1.html
https://www.fireeyesolution.com/research/2008/09/new-axis-of-evi.html



Conficker: Catch Me If You Can…

Unlike the previous Conficker variants, which generated 250 random domains per day, the new Conficker.C variant can generate up to 50,000 domains in a day. This was in direct response to the actions the security community took to pre-register the domains, much like FireEye did with Srizbi just a few months ago. One can sense a 'catch me if you can' kind of attitude in this recent move. Since its appearance in November of last year, Conficker's author(s?) have been introducing different tricks to make the hijacking of Conficker very difficult.

I find it very unlikely that the Conficker worm will be used as an active botnet in the near future. There are lots of differences between the way normal botnets are run and the way Conficker is being maintained by its authors. Below I'll highlight a few of those differences.


E-Bandits - Part 1

This post is the first in a new series of articles about E-Bandits. In these articles I will talk about some of the low-profile malware currently involved in various data-stealing and phishing scams. Data stealing is not just about stealing credit card information or login credentials. Some of this malware is capable of taking pictures and/or capturing video from your webcam and uploading them to remote servers. The worst types of privacy breaches include taking screenshots of your desktop, monitoring your chat sessions, and grabbing pictures from your 'My Pictures' folder.


Cimbot - A Technical Analysis

Personal Exposition

I was recently sent a .pcap file of a bot’s C&C communications. Every 182 seconds, the bot would download a GIF file from vazasaki-ji.info (91.211.65.180 as of Mar 11, 2009). These GIF files, however, are not well-formed: each is a GIF89a header followed by a lot of random gibberish.
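The "GIF89a header followed by gibberish" observation can be turned into a check that a defender runs over files carved from a capture. The following is an added example written for this page, not code from the original post or from the Cimbot analysis. It assumes only the standard GIF block layout (header, logical screen descriptor, optional global colour table, extension and image blocks, 0x3B trailer); the two sample inputs, a hand-built 1x1 GIF and a genuine header followed by deterministic junk bytes, are constructed here and are not the files from the pcap.

```python
import struct


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Skip a chain of length-prefixed data sub-blocks terminated by a 0x00 byte.
    Returns the offset just after the terminator, or -1 if the data runs out."""
    while pos < len(data):
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size
    return -1


def gif_is_well_formed(data: bytes) -> bool:
    """Walk the GIF block structure from header to trailer.
    True only if every block parses and a 0x3B trailer follows at least one image."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    # Logical screen descriptor: width, height, packed flags, bg index, aspect ratio
    _w, _h, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
    pos = 13
    if packed & 0x80:                       # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    saw_image = False
    while 0 <= pos < len(data):
        tag = data[pos]
        pos += 1
        if tag == 0x3B:                     # trailer
            return saw_image
        if tag == 0x21:                     # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif tag == 0x2C:                   # image descriptor
            if pos + 9 > len(data):
                return False
            *_, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if ipacked & 0x80:              # local colour table present
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips the LZW minimum code size
            saw_image = True
        else:
            return False                    # unknown block tag: not a GIF block stream
    return False                            # ran out of data before the trailer


# Constructed sample: a valid 1x1 GIF89a (header, screen descriptor, 2-colour
# global table, graphic control extension, image descriptor, LZW data, trailer).
MINIMAL_GIF = (
    b"GIF89a"
    + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    + b"\x00\x00\x00\xff\xff\xff"
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    + b"\x02" + b"\x02\x44\x01\x00"
    + b"\x3b"
)

# Constructed sample: a genuine header followed by 300 bytes of deterministic junk,
# standing in for the bot's "GIF89a plus gibberish" downloads described above.
HEADER_PLUS_JUNK = b"GIF89a" + bytes((i * 73 + 41) % 256 for i in range(300))


def classify(files: dict) -> dict:
    """Return {name: verdict} for name -> bytes, flagging GIF-labelled blobs
    whose block structure does not parse."""
    return {name: ("ok" if gif_is_well_formed(blob) else "suspicious")
            for name, blob in files.items()}


if __name__ == "__main__":
    print(classify({"real.gif": MINIMAL_GIF, "bot.gif": HEADER_PLUS_JUNK}))
```

This is a cheap structural test, so it separates the "header plus random bytes" case cleanly but says nothing about payloads hidden inside syntactically valid sub-blocks; in practice you would pair it with the beacon interval (every 182 seconds) and the destination host as further indicators.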


The Business Of Mr. Alexander S Kopylov

On the FireEye blog we have talked a lot about Botnets, their CnC coordinates, bad ISPs, etc. You may be curious to know who actually runs these Botnets. Who are these puppet masters, and what is their business model? How do they work, and who are their customers?

There are many questions but the answers are scarce. In this post I will try to answer some of those that often pop up in my mind as well.

It’s no secret that most SPAM Botnets are invented in Russia and controlled by Russian cyber-criminals. Why should I believe this to be the case? Srizbi’s recent comeback gave me some valuable hints that confirm the industry suspicion. Here is one email sent by Srizbi that day:

From: "herbie eliot" <dabliktom@centrum.cz>
To: <info@****lends.com>
Subject: =?koi8-r?B?88HNwdEg3MbGxcvUydfOwdEg0sXLzMHNwQ==?=
Date: Thu, 12 Feb 2009 04:28:14 +0000
MIME-Version: 1.0
Content-Type: text/plain;
 charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

.. ….. ….. ……….. ….. ………. ….. ……. - http://advert1.ru
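The Subject line above is an RFC 2047 encoded-word, so what the recipient actually saw is not visible in the raw header. The following is an added example for this page (not code from the original post) that decodes it with nothing but the Python standard library and pulls out the fields an analyst would log from such a sample. The sample message is the header block quoted above re-typed; because the page renders the original body only as rows of dots and the URL, the body here is a constructed placeholder containing just that URL.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Constructed sample: the quoted Srizbi headers, with a placeholder body that
# keeps only the URL visible on the page.
SRIZBI_SAMPLE = """\
From: "herbie eliot" <dabliktom@centrum.cz>
To: <info@****lends.com>
Subject: =?koi8-r?B?88HNwdEg3MbGxcvUydfOwdEg0sXLzMHNwQ==?=
Date: Thu, 12 Feb 2009 04:28:14 +0000
MIME-Version: 1.0
Content-Type: text/plain;
 charset="koi8-r"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2720.3000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2727.1300

(body placeholder) - http://advert1.ru
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def decode_subject(raw: str) -> str:
    """Decode RFC 2047 encoded-words (here base64 over KOI8-R) into readable text."""
    msg = message_from_string(raw)
    return str(make_header(decode_header(msg.get("Subject", ""))))


def summarize(raw: str) -> dict:
    """Pull out the fields an analyst would record for a spam-run sample:
    envelope sender, decoded subject, declared charset, claimed mailer, body URLs."""
    msg = message_from_string(raw)
    _display, sender = parseaddr(msg.get("From", ""))
    body = msg.get_payload()        # single-part 8bit text, returned as str
    return {
        "sender": sender,
        "subject": decode_subject(raw),
        "charset": msg.get_content_charset(),
        "mailer": msg.get("X-Mailer"),
        "urls": URL_RE.findall(body),
    }


if __name__ == "__main__":
    for key, value in summarize(SRIZBI_SAMPLE).items():
        print(f"{key:8}: {value}")
```

The decoded subject is Russian-language advertising copy, which is the point the post makes from this message. Note that the declared charset and the X-Mailer string are attacker-controlled and trivially forged, so they serve as clustering features for a spam run rather than as proof of origin.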
