Monday, April 12, 2010

Copyright Violation Alert Themed Ransomware in the Wild


UPDATED: Wednesday, April 28, 2010: The universal license code required in the "Enter a previously purchased license code" window is RFHM2-TPX47-YD6RT-H4KDM

The copyright violation alert themed ransomware campaign (Copyright violation alert ransomware in the wild; ICPP Copyright Foundation is Fake) is not just a novel approach for extortion of the highest amount of money seen in ransomware variants so far, but also, offers interesting clues into the multitasking mentality of the cybercriminals whose campaigns have already been profiled.

The bogus ICPP Foundation (icpp-online.com - 193.33.114.77 - Email: ovenersbox@yahoo.com) describes itself as:

"We are a law firm which specialises in assisting intellectual property rights holders exploit and enforce their rights globally. Illegal file sharing costs the creative industries billions of pounds every year. The impact of this is huge, resulting in job losses, declining profit margins and reduced investment in product development. Action needs to be taken and we believe a coordinated effort is needed now, before irreparable damage is done.


We have developed effective and unique methods for organisations to enforce their intellectual rights. By working effectively with forensic IT experts, law firms and anti-piracy organisations, we seek to eliminate the illegal distribution of copyrighted material through our revolutionary business model. Whilst many companies offer anti-piracy measures, these are often costly and ineffective. Our approach is quite the opposite, it generates revenue for rights holders and effectively decreases copyright infringement in a measurable and sustainable way. We offer high quality advice and excellent client care by delivering a thorough and reliable service. If you are interested in our services, please contact us for a no obligation consultation."


Responding to the same IP (193.33.114.77) are also:
green-stat.com - Email: tahli@yahoo.com
media-magnats.com - Email: tahli@yahoo.com

Where do we know the tahli@yahoo.com email from? From the "The Koobface Gang Wishes the Industry "Happy Holidays" where it was used to register Zeus C&Cs as well as money mule recruitment domains, from the "Money Mule Recruitment Campaign Serving Client-Side Exploits" where it was used to register the client-side exploit serving mule recruitment site, and most recently from "Keeping Money Mule Recruiters on a Short Leash - Part Four" used in another mule recruitment site registration.

What's particularly interesting about the ransomware variant, is the fact that it has been localized to the following languages: Czech, Danish, Dutch, English, French, German, Italian, Portuguese, Slovak and Spanish, as well as the fact that it will attempt to build its torrents list from actual torrent files it is able to locate within the victim's hard drive.

Detection rates, for the ransomware:
- mm.exe - Win32/Adware.Antipiracy - Result: 2/39 (5.13%)
- iqmanager.exe - Rogue:W32/DotTorrent.A - Result: 5/39 (12.83%)
- uninstall.exe - Reser.Reputation.1 - Result: 1/39 (2.57%)

Upon execution, the sample phones back to 91.209.238.2/m5install/774/1 (AS48671, GROZA-AS Cyber Internet Bunker) with the actual affiliate ID "afid=774" found in the settings.ini file. Active on the same IP are also related phone back directories, from different campaigns"
91.209.238.2/r2newinstall/freemen/1
91.209.238.2/r2newinstall/02937/1
91.209.238.2/r2hit/7/0/0


This is perhaps the first recorded case of cybercriminals ignoring the basics of micro-payments, and emphasizing on profit margins by attempting to extort the amount of $400.

Related ransomware posts:
Mac OS X SMS ransomware - hype or real threat?
iHacked: jailbroken iPhones compromised, $5 ransom demanded
New LoroBot ransomware encrypts files, demands $100 for decryption
New ransomware locks PCs, demands premium SMS for removal
Scareware meets ransomware: “Buy our fake product and we’ll decrypt the files”
Who’s behind the GPcode ransomware?
How to recover GPcode encrypted files?

SMS Ransomware Displays Persistent Inline Ads
SMS Ransomware Source Code Now Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
5th SMS Ransomware Variant Offered for Sale
6th SMS Ransomware Variant Offered for Sale

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.