Monday, April 12, 2010

Copyright Violation Alert Themed Ransomware in the Wild


The copyright violation alert themed ransomware campaign (Copyright violation alert ransomware in the wild; ICPP Copyright Foundation is Fake) is not just a novel approach for extortion of the highest amount of money seen in ransomware variants so far, but also, offers interesting clues into the multitasking mentality of the cybercriminals whose campaigns have already been profiled.

The bogus ICPP Foundation (icpp-online.com - 193.33.114.77 - Email: ovenersbox@yahoo.com) describes itself as:

"We are a law firm which specialises in assisting intellectual property rights holders exploit and enforce their rights globally. Illegal file sharing costs the creative industries billions of pounds every year. The impact of this is huge, resulting in job losses, declining profit margins and reduced investment in product development. Action needs to be taken and we believe a coordinated effort is needed now, before irreparable damage is done.


We have developed effective and unique methods for organisations to enforce their intellectual rights. By working effectively with forensic IT experts, law firms and anti-piracy organisations, we seek to eliminate the illegal distribution of copyrighted material through our revolutionary business model. Whilst many companies offer anti-piracy measures, these are often costly and ineffective. Our approach is quite the opposite, it generates revenue for rights holders and effectively decreases copyright infringement in a measurable and sustainable way. We offer high quality advice and excellent client care by delivering a thorough and reliable service. If you are interested in our services, please contact us for a no obligation consultation."


Responding to the same IP (193.33.114.77) are also:
green-stat.com - Email: tahli@yahoo.com
media-magnats.com - Email: tahli@yahoo.com

Where do we know the tahli@yahoo.com email from? From the "The Koobface Gang Wishes the Industry "Happy Holidays" where it was used to register Zeus C&Cs as well as money mule recruitment domains, from the "Money Mule Recruitment Campaign Serving Client-Side Exploits" where it was used to register the client-side exploit serving mule recruitment site, and most recently from "Keeping Money Mule Recruiters on a Short Leash - Part Four" used in another mule recruitment site registration.

What's particularly interesting about the ransomware variant, is the fact that it has been localized to the following languages: Czech, Danish, Dutch, English, French, German, Italian, Portuguese, Slovak and Spanish, as well as the fact that it will attempt to build its torrents list from actual torrent files it is able to locate within the victim's hard drive.

Detection rates, for the ransomware:
- mm.exe - Win32/Adware.Antipiracy - Result: 2/39 (5.13%)
- iqmanager.exe - Rogue:W32/DotTorrent.A - Result: 5/39 (12.83%)
- uninstall.exe - Reser.Reputation.1 - Result: 1/39 (2.57%)

Upon execution, the sample phones back to 91.209.238.2/m5install/774/1 (AS48671, GROZA-AS Cyber Internet Bunker) with the actual affiliate ID "afid=774" found in the settings.ini file. Active on the same IP are also related phone back directories, from different campaigns"
91.209.238.2/r2newinstall/freemen/1
91.209.238.2/r2newinstall/02937/1
91.209.238.2/r2hit/7/0/0


This is perhaps the first recorded case of cybercriminals ignoring the basics of micro-payments, and emphasizing on profit margins by attempting to extort the amount of $400.

Related ransomware posts:
Mac OS X SMS ransomware - hype or real threat?
iHacked: jailbroken iPhones compromised, $5 ransom demanded
New LoroBot ransomware encrypts files, demands $100 for decryption
New ransomware locks PCs, demands premium SMS for removal
Scareware meets ransomware: “Buy our fake product and we’ll decrypt the files”
Who’s behind the GPcode ransomware?
How to recover GPcode encrypted files?

SMS Ransomware Displays Persistent Inline Ads
SMS Ransomware Source Code Now Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
5th SMS Ransomware Variant Offered for Sale
6th SMS Ransomware Variant Offered for Sale

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Copyright Violation Alert Themed Ransomware in the Wild


UPDATED: Wednesday, April 28, 2010: The universal license code required in the "Enter a previously purchased license code" window is RFHM2-TPX47-YD6RT-H4KDM

The copyright violation alert themed ransomware campaign (Copyright violation alert ransomware in the wild; ICPP Copyright Foundation is Fake) is not just a novel approach for extortion of the highest amount of money seen in ransomware variants so far, but also, offers interesting clues into the multitasking mentality of the cybercriminals whose campaigns have already been profiled.

The bogus ICPP Foundation (icpp-online.com - 193.33.114.77 - Email: ovenersbox@yahoo.com) describes itself as:

"We are a law firm which specialises in assisting intellectual property rights holders exploit and enforce their rights globally. Illegal file sharing costs the creative industries billions of pounds every year. The impact of this is huge, resulting in job losses, declining profit margins and reduced investment in product development. Action needs to be taken and we believe a coordinated effort is needed now, before irreparable damage is done.


We have developed effective and unique methods for organisations to enforce their intellectual rights. By working effectively with forensic IT experts, law firms and anti-piracy organisations, we seek to eliminate the illegal distribution of copyrighted material through our revolutionary business model. Whilst many companies offer anti-piracy measures, these are often costly and ineffective. Our approach is quite the opposite, it generates revenue for rights holders and effectively decreases copyright infringement in a measurable and sustainable way. We offer high quality advice and excellent client care by delivering a thorough and reliable service. If you are interested in our services, please contact us for a no obligation consultation."


Responding to the same IP (193.33.114.77) are also:
green-stat.com - Email: tahli@yahoo.com
media-magnats.com - Email: tahli@yahoo.com

Where do we know the tahli@yahoo.com email from? From the "The Koobface Gang Wishes the Industry "Happy Holidays" where it was used to register Zeus C&Cs as well as money mule recruitment domains, from the "Money Mule Recruitment Campaign Serving Client-Side Exploits" where it was used to register the client-side exploit serving mule recruitment site, and most recently from "Keeping Money Mule Recruiters on a Short Leash - Part Four" used in another mule recruitment site registration.

What's particularly interesting about the ransomware variant, is the fact that it has been localized to the following languages: Czech, Danish, Dutch, English, French, German, Italian, Portuguese, Slovak and Spanish, as well as the fact that it will attempt to build its torrents list from actual torrent files it is able to locate within the victim's hard drive.

Detection rates, for the ransomware:
- mm.exe - Win32/Adware.Antipiracy - Result: 2/39 (5.13%)
- iqmanager.exe - Rogue:W32/DotTorrent.A - Result: 5/39 (12.83%)
- uninstall.exe - Reser.Reputation.1 - Result: 1/39 (2.57%)

Upon execution, the sample phones back to 91.209.238.2/m5install/774/1 (AS48671, GROZA-AS Cyber Internet Bunker) with the actual affiliate ID "afid=774" found in the settings.ini file. Active on the same IP are also related phone back directories, from different campaigns"
91.209.238.2/r2newinstall/freemen/1
91.209.238.2/r2newinstall/02937/1
91.209.238.2/r2hit/7/0/0


This is perhaps the first recorded case of cybercriminals ignoring the basics of micro-payments, and emphasizing on profit margins by attempting to extort the amount of $400.

Related ransomware posts:
Mac OS X SMS ransomware - hype or real threat?
iHacked: jailbroken iPhones compromised, $5 ransom demanded
New LoroBot ransomware encrypts files, demands $100 for decryption
New ransomware locks PCs, demands premium SMS for removal
Scareware meets ransomware: “Buy our fake product and we’ll decrypt the files”
Who’s behind the GPcode ransomware?
How to recover GPcode encrypted files?

SMS Ransomware Displays Persistent Inline Ads
SMS Ransomware Source Code Now Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
5th SMS Ransomware Variant Offered for Sale
6th SMS Ransomware Variant Offered for Sale

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dissecting Northwestern Bank's Client-Side Exploits Serving Site Compromise


It's one thing to indirectly target a bank's reputation by brand-jacking it for phishing or malware servince purposes, and entirely another when the front page of the bank (NorthWesternBankOnline.com) itself is embedded with an iFrame leading to client-side exploits, to ultimately serve a copy of Backdoor.DMSpammer.
This is exactly what happened on Friday, with the front page of the Northwestern Bank of Orange City and Sheldon, Iowa acting as an infection vector. And although the site is now clean, the compromise offers some interesting insights into the multitasking on behalf of some of the most prolific malware spreaders for Q1, 2010.
How come? The iFrame domain used in the Northwestern Bank's campaign, is parked on the very same IP (59.53.91.192 - AS4134, CHINA-TELECOM China Telecom) that is still active, and was profiled in last month's spamvertised "Zeus Crimeware/Client-Side Exploits Serving Campaign in the Wild" campaign.


The iFrame embedded on the front page of Northwestern Bank's web site, mumukafes.net /trf/index.php - 59.53.91.192 - Email: mated@freemailbox.ru, redirects through the following directories, to ultimately attempt to serve client-side exploits through the copycat Phoenix Exploit Kit web malware exploitation kit:

- mumukafes.net /trf/index.php - 59.53.91.192 - Email: mated@freemailbox.ru
    - sobakozgav.net /index.php - 59.53.91.192
        - sobakozgav.net /tmp/newplayer.pdf - CVE-2009-4324
            - sobakozgav.net /l.php?i=16
                - sobakozgav.net /statistics.php

Parked on the same IP (59.53.91.192) are also the following domains, all of which have been seen serving client-side exploits in previous campaigns:
aaa.fozdegen.com - Email: mated@freemailbox.ru
bbb.fozdegen.com - Email: mated@freemailbox.ru
cogs.trfafsegh.com - Email: maple@qx8.ru
countrtds.ru - Email: thru@freenetbox.ru
dogfoog.net - Email: drier@qx8.ru
eee.fozdegen.com - Email: mated@freemailbox.ru
fff.sobakozgav.net - Email: mated@freemailbox.ru
fozdegen.com - Email: mated@freemailbox.ru
lll.sobakozgav.net - Email: mated@freemailbox.ru
mumukafes.net - Email: mated@freemailbox.ru
sobakozgav.net - Email: mated@freemailbox.ru
trfafsegh.com - Email: maple@qx8.ru


Moreover, there are also active ZeuS C&Cs on the same IP - 59.53.91.192, with the following detection rates for the currently active binaries:
- exe1.exe - Trojan/Win32.Zbot.gen; Trojan-Spy.Win32.Zbot - Result: 32/38 (84.22%)
- exe.exe - Backdoor.DMSpammer - Result: 23/39 (58.97%)
- svhost.exe - Trojan.Win32.Swisyn; Trojan.Win32.Swisyn.acfo - Result: 33/38 (86.85%)
- vot.exe - Trojan.Spy.ZBot.EOR; TSPY_ZBOT.SMG - Result: 15/38 (39.48%)

Detection rates for the campaign files obtained through Northwestern Bank's client-side exploit serving campaign:
- js.js - Mal/ObfJS-CT; JS/Crypted.CV.gen - Result: 3/39 (7.7%)
- newplayer.pdf - Exploit.PDF-JS.Gen; Exploit:Win32/Pdfjsc.EP - Result: 22/39 (56.42%)
- update.exe - Backdoor.DMSpammer - Result: 24/39 (61.54%)

The sampled update.exe phones back to the following locations: 
usrdomainn.net /n2/checkupdate.txt - 122.70.149.12, AS38356, TimeNet - Email: paulapruyne13@gmail.com
usrdomainn.net /n2/tuktuk.php
usrdomainn.net /n2/getemails.php
usrdomainnertwesar.net /n2/getemails.php
usrdomainnertwesar.net /n2/checkupdate.txt
usrdomainnertwesar.net /n2/tuktuk.php
 

AS38356, TimeNet is most recently seen in the migration of the money mule recruiters "Keeping Money Mule Recruiters on a Short Leash - Part Four", with tuktuk.php literally translated as herehere.php.

The site is now clean, however, the iFrame domains and ZeuS C&Cs remain active.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.