Independent Contractor. Bitcoin: 15Zvie1j8CjSR52doVSZSjctCDSx3pDjKZ Email: dancho.danchev@hush.com OMEMO: ddanchev@conversations.im | OTR: danchodanchev@xmpp.jp | TOX ID: 2E6FCA35A18AA76B2CCE33B55404A796F077CADA56F38922A1988AA381AE617A15D3D3E3E6F1
Monday, April 12, 2010
Copyright Violation Alert Themed Ransomware in the Wild
The copyright violation alert themed ransomware campaign (Copyright violation alert ransomware in the wild; ICPP Copyright Foundation is Fake) is not just a novel approach for extortion of the highest amount of money seen in ransomware variants so far, but also, offers interesting clues into the multitasking mentality of the cybercriminals whose campaigns have already been profiled.
The bogus ICPP Foundation (icpp-online.com - 193.33.114.77 - Email: ovenersbox@yahoo.com) describes itself as:
"We are a law firm which specialises in assisting intellectual property rights holders exploit and enforce their rights globally. Illegal file sharing costs the creative industries billions of pounds every year. The impact of this is huge, resulting in job losses, declining profit margins and reduced investment in product development. Action needs to be taken and we believe a coordinated effort is needed now, before irreparable damage is done.
We have developed effective and unique methods for organisations to enforce their intellectual rights. By working effectively with forensic IT experts, law firms and anti-piracy organisations, we seek to eliminate the illegal distribution of copyrighted material through our revolutionary business model. Whilst many companies offer anti-piracy measures, these are often costly and ineffective. Our approach is quite the opposite, it generates revenue for rights holders and effectively decreases copyright infringement in a measurable and sustainable way. We offer high quality advice and excellent client care by delivering a thorough and reliable service. If you are interested in our services, please contact us for a no obligation consultation."
Responding to the same IP (193.33.114.77) are also:
green-stat.com - Email: tahli@yahoo.com
media-magnats.com - Email: tahli@yahoo.com
Where do we know the tahli@yahoo.com email from? From the "The Koobface Gang Wishes the Industry "Happy Holidays" where it was used to register Zeus C&Cs as well as money mule recruitment domains, from the "Money Mule Recruitment Campaign Serving Client-Side Exploits" where it was used to register the client-side exploit serving mule recruitment site, and most recently from "Keeping Money Mule Recruiters on a Short Leash - Part Four" used in another mule recruitment site registration.
What's particularly interesting about the ransomware variant, is the fact that it has been localized to the following languages: Czech, Danish, Dutch, English, French, German, Italian, Portuguese, Slovak and Spanish, as well as the fact that it will attempt to build its torrents list from actual torrent files it is able to locate within the victim's hard drive.
Detection rates, for the ransomware:
- mm.exe - Win32/Adware.Antipiracy - Result: 2/39 (5.13%)
- iqmanager.exe - Rogue:W32/DotTorrent.A - Result: 5/39 (12.83%)
- uninstall.exe - Reser.Reputation.1 - Result: 1/39 (2.57%)
Upon execution, the sample phones back to 91.209.238.2/m5install/774/1 (AS48671, GROZA-AS Cyber Internet Bunker) with the actual affiliate ID "afid=774" found in the settings.ini file. Active on the same IP are also related phone back directories, from different campaigns"
91.209.238.2/r2newinstall/freemen/1
91.209.238.2/r2newinstall/02937/1
91.209.238.2/r2hit/7/0/0
This is perhaps the first recorded case of cybercriminals ignoring the basics of micro-payments, and emphasizing on profit margins by attempting to extort the amount of $400.
Related ransomware posts:
Mac OS X SMS ransomware - hype or real threat?
iHacked: jailbroken iPhones compromised, $5 ransom demanded
New LoroBot ransomware encrypts files, demands $100 for decryption
New ransomware locks PCs, demands premium SMS for removal
Scareware meets ransomware: “Buy our fake product and we’ll decrypt the files”
Who’s behind the GPcode ransomware?
How to recover GPcode encrypted files?
SMS Ransomware Displays Persistent Inline Ads
SMS Ransomware Source Code Now Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
5th SMS Ransomware Variant Offered for Sale
6th SMS Ransomware Variant Offered for Sale
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Copyright Violation Alert Themed Ransomware in the Wild
UPDATED: Wednesday, April 28, 2010: The universal license code required in the "Enter a previously purchased license code" window is RFHM2-TPX47-YD6RT-H4KDM
The copyright violation alert themed ransomware campaign (Copyright violation alert ransomware in the wild; ICPP Copyright Foundation is Fake) is not just a novel approach for extortion of the highest amount of money seen in ransomware variants so far, but also, offers interesting clues into the multitasking mentality of the cybercriminals whose campaigns have already been profiled.
The bogus ICPP Foundation (icpp-online.com - 193.33.114.77 - Email: ovenersbox@yahoo.com) describes itself as:
"We are a law firm which specialises in assisting intellectual property rights holders exploit and enforce their rights globally. Illegal file sharing costs the creative industries billions of pounds every year. The impact of this is huge, resulting in job losses, declining profit margins and reduced investment in product development. Action needs to be taken and we believe a coordinated effort is needed now, before irreparable damage is done.
We have developed effective and unique methods for organisations to enforce their intellectual rights. By working effectively with forensic IT experts, law firms and anti-piracy organisations, we seek to eliminate the illegal distribution of copyrighted material through our revolutionary business model. Whilst many companies offer anti-piracy measures, these are often costly and ineffective. Our approach is quite the opposite, it generates revenue for rights holders and effectively decreases copyright infringement in a measurable and sustainable way. We offer high quality advice and excellent client care by delivering a thorough and reliable service. If you are interested in our services, please contact us for a no obligation consultation."
Responding to the same IP (193.33.114.77) are also:
green-stat.com - Email: tahli@yahoo.com
media-magnats.com - Email: tahli@yahoo.com
Where do we know the tahli@yahoo.com email from? From the "The Koobface Gang Wishes the Industry "Happy Holidays" where it was used to register Zeus C&Cs as well as money mule recruitment domains, from the "Money Mule Recruitment Campaign Serving Client-Side Exploits" where it was used to register the client-side exploit serving mule recruitment site, and most recently from "Keeping Money Mule Recruiters on a Short Leash - Part Four" used in another mule recruitment site registration.
What's particularly interesting about the ransomware variant, is the fact that it has been localized to the following languages: Czech, Danish, Dutch, English, French, German, Italian, Portuguese, Slovak and Spanish, as well as the fact that it will attempt to build its torrents list from actual torrent files it is able to locate within the victim's hard drive.
Detection rates, for the ransomware:
- mm.exe - Win32/Adware.Antipiracy - Result: 2/39 (5.13%)
- iqmanager.exe - Rogue:W32/DotTorrent.A - Result: 5/39 (12.83%)
- uninstall.exe - Reser.Reputation.1 - Result: 1/39 (2.57%)
Upon execution, the sample phones back to 91.209.238.2/m5install/774/1 (AS48671, GROZA-AS Cyber Internet Bunker) with the actual affiliate ID "afid=774" found in the settings.ini file. Active on the same IP are also related phone back directories, from different campaigns"
91.209.238.2/r2newinstall/freemen/1
91.209.238.2/r2newinstall/02937/1
91.209.238.2/r2hit/7/0/0
This is perhaps the first recorded case of cybercriminals ignoring the basics of micro-payments, and emphasizing on profit margins by attempting to extort the amount of $400.
Related ransomware posts:
Mac OS X SMS ransomware - hype or real threat?
iHacked: jailbroken iPhones compromised, $5 ransom demanded
New LoroBot ransomware encrypts files, demands $100 for decryption
New ransomware locks PCs, demands premium SMS for removal
Scareware meets ransomware: “Buy our fake product and we’ll decrypt the files”
Who’s behind the GPcode ransomware?
How to recover GPcode encrypted files?
SMS Ransomware Displays Persistent Inline Ads
SMS Ransomware Source Code Now Offered for Sale
3rd SMS Ransomware Variant Offered for Sale
4th SMS Ransomware Variant Offered for Sale
5th SMS Ransomware Variant Offered for Sale
6th SMS Ransomware Variant Offered for Sale
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Dissecting Northwestern Bank's Client-Side Exploits Serving Site Compromise
It's one thing to indirectly target a bank's reputation by brand-jacking it for phishing or malware servince purposes, and entirely another when the front page of the bank (NorthWesternBankOnline.com) itself is embedded with an iFrame leading to client-side exploits, to ultimately serve a copy of Backdoor.DMSpammer.
- Go through an assessment of a similar incident from 2007 - Bank of India Serving Malware
- Go through assessments of their previous campaigns: Scareware, Sinowal, Client-Side Exploits Serving Spam Campaign in the Wild; AS50215 Troyak-as Taken Offline, Zeus C&Cs Drop from 249 to 181; Outlook Web Access Themed Spam Campaign Serves Zeus Crimeware; Pushdo Serving Crimeware, Client-Side Exploits and Russian Bride Scams; PhotoArchive Crimeware/Client-Side Exploits Serving Campaign in the Wild; Tax Report Themed Zeus/Client-Side Exploits Serving Campaign in the Wild; IRS/PhotoArchive Themed Zeus/Client-Side Exploits Serving Campaign in the Wild)
The iFrame embedded on the front page of Northwestern Bank's web site, mumukafes.net /trf/index.php - 59.53.91.192 - Email: mated@freemailbox.ru, redirects through the following directories, to ultimately attempt to serve client-side exploits through the copycat Phoenix Exploit Kit web malware exploitation kit:
- mumukafes.net /trf/index.php - 59.53.91.192 - Email: mated@freemailbox.ru
- sobakozgav.net /index.php - 59.53.91.192
- sobakozgav.net /tmp/newplayer.pdf - CVE-2009-4324
- sobakozgav.net /l.php?i=16
- sobakozgav.net /statistics.php
Parked on the same IP (59.53.91.192) are also the following domains, all of which have been seen serving client-side exploits in previous campaigns:
aaa.fozdegen.com - Email: mated@freemailbox.ru
bbb.fozdegen.com - Email: mated@freemailbox.ru
cogs.trfafsegh.com - Email: maple@qx8.ru
countrtds.ru - Email: thru@freenetbox.ru
dogfoog.net - Email: drier@qx8.ru
eee.fozdegen.com - Email: mated@freemailbox.ru
fff.sobakozgav.net - Email: mated@freemailbox.ru
fozdegen.com - Email: mated@freemailbox.ru
lll.sobakozgav.net - Email: mated@freemailbox.ru
mumukafes.net - Email: mated@freemailbox.ru
sobakozgav.net - Email: mated@freemailbox.ru
trfafsegh.com - Email: maple@qx8.ru
Moreover, there are also active ZeuS C&Cs on the same IP - 59.53.91.192, with the following detection rates for the currently active binaries:
- exe1.exe - Trojan/Win32.Zbot.gen; Trojan-Spy.Win32.Zbot - Result: 32/38 (84.22%)
- exe.exe - Backdoor.DMSpammer - Result: 23/39 (58.97%)
- svhost.exe - Trojan.Win32.Swisyn; Trojan.Win32.Swisyn.acfo - Result: 33/38 (86.85%)
- vot.exe - Trojan.Spy.ZBot.EOR; TSPY_ZBOT.SMG - Result: 15/38 (39.48%)
Detection rates for the campaign files obtained through Northwestern Bank's client-side exploit serving campaign:
- js.js - Mal/ObfJS-CT; JS/Crypted.CV.gen - Result: 3/39 (7.7%)
- newplayer.pdf - Exploit.PDF-JS.Gen; Exploit:Win32/Pdfjsc.EP - Result: 22/39 (56.42%)
- update.exe - Backdoor.DMSpammer - Result: 24/39 (61.54%)
The sampled update.exe phones back to the following locations:
usrdomainn.net /n2/checkupdate.txt - 122.70.149.12, AS38356, TimeNet - Email: paulapruyne13@gmail.com
usrdomainn.net /n2/tuktuk.php
usrdomainn.net /n2/getemails.php
usrdomainnertwesar.net /n2/getemails.php
usrdomainnertwesar.net /n2/checkupdate.txt
usrdomainnertwesar.net /n2/tuktuk.php
AS38356, TimeNet is most recently seen in the migration of the money mule recruiters "Keeping Money Mule Recruiters on a Short Leash - Part Four", with tuktuk.php literally translated as herehere.php.
The site is now clean, however, the iFrame domains and ZeuS C&Cs remain active.
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Subscribe to:
Posts (Atom)