Archive for category Malware

Should I tell someone about eCrime ??? YES !!!!

I know that I am in Australia and my experience might not reflect other countries, but I say yes. If you have had an eCrime committed against you (not your general virus or malware) then REPORT IT!!!

The more you report, the more the problem is taken notice of, the more investigation happens.

My post today to Facebook

A win for the good guys.

We had a business client scammed out of a large amount of money through an email.
We pursued it. We recommended and assisted in filling in the eCrime report.
We pushed it along. The police told the client, nothing will come of this. The client also felt that they were banging their head against a wall.
Well, today they receive notification that the money is about to be transferred back.
We helped chase the criminal through the Czech republic and into Spain.
Now, the person is cornered and my client has been offered a chance to be there in court and be a part of the process.

Reporting eCrime is the smart choice ! Things can happen !!!

Tags: ,

New Encryption Virus: Ransomware : CryptoWall v 4.0

WARNING: New very dangerous virus that can cripple your business
 Summary of things to do:

 

  • Don’t open attachments in emails you are not expecting (at work and home)
  • Pass this warning on to others, teach them the same practices you follow.
  • Do not visit websites you do not know or trust
  • Do not trust Word (Doc), Adobe (PDF) and other email attachment files
  • Do not forward unusual emails onto other staff members
  • Do not ignore weird popups or things that are running slow or behaving a little “strange”
  • If you start finding files on your system come up as “Corrupt” call your IT!
  • If you start seeing files on your own machine, that are having their names changed or can no longer be opened, unplug your machine from the network immediately and call your IT
  • Make sure you have a backup that is removed from your network daily. It must be powered down and not plugged in. (Dropbox, SkyDrive and the like do not count)
  • Ask your IT to block .JS, .CHM, .EXE and other known attack files from coming in via email (if you have this feature available).

 

A new Ransomware dubbed “CryptoWall 4.0” has been found.
This new virus circumnavigates current antivirus and has new Features such as Encrypted File Names.
CryptoWall continues to use the same e-mail and website distribution methods as previous version.  The samples we analysed were pretending to be a resume inside a zipped e-mail attachments.
These resumes, though, were actually JavaScript (.JS)  files that when executed would download an executable, save it to a temporary folder, and the execute it.

CryptoWall 4.0 continues to utilize the same Decrypt Service site as previous versions.  From this site a victim can make payments, find out the status of a payment, get one free decryption, and create support requests.

We have passed along a sample of this virus to Antivirus companies and they are working towards a solution.

This virus first reported on the Bleeping computer forums
For those that want more technical detail:
When installed CryptoWall 4.0 will inject itself into Explorer.exe and disable System Restore, delete all Shadow Volume Copies, and use bcdedit to turn off Windows Startup Repair.
It will then inject itself into svchost.exe and encrypt the data on all local drives, removable drives, and mapped network drives.
Once it has completed encrypting your files it will launch the ransom notes that explain what happened and how to purchase the decrypter.

 The more people you pass this blog to, the more you can help stamp out these types of threats. Reducing the likelihood of this virus being triggered, reduces the virus writers payday.

 SAVE THE DAY, REDUCE THEIR PAY DAY!

Cryptowall 3.0

I have had a brush with Cryptowall 3.0.

Imagine this, visiting a website in your latest favourite browser (Any browser, Google Chrome, IE, Firefox, anyone of them) with a PC which has the latest version of everything (Adobe Flash, Java etc.) and up to date current antivirus, but you get hacked within 5 seconds.

No popups, no request to “allow this to download”, “allow this to run”. It just downloads and runs. You don’t feel it. The machine runs normal. (Even bypassed Microsoft UAC)

Then …  28 PC’s on your network, your Dropbox, your server, your NAS backup drives, your interstate user that is using VPN from a university interstate … are all encrypted and held for ransom.

The website you visited was a trusted website you trust implicitly and you buy goods from it. You had no reason to doubt the website. Nothing pops up strange …. until the damage is done.

You call the Company whom the website belongs to, they know nothing about it and pass you to their web developers. The web developers know nothing of this issue. They look further. All of their clients websites on their servers have been hacked. They take the servers offline.

Potentially thousands of people from around where you live use this service, surfing local websites for local businesses all now being held to ransom.

It could happen to anyone. It could happen to you or me.

It sounds like the work of fiction. Maybe an episode of CSI or NCIS ? Nope. That is what happened.

So how did this website attack this person?

We found a back door in the WordPress code that ran the webskite, over the internet to Russia. This back door was used to gain access to the website and then the code was modified to plant the malware onto visiting remote machines.

When figuring out how the website initially got hacked, I learnt that there are specific strings you can type into Google search.

This key search word shows you a list of every website where a certain file is accessible. The file likely used to allow this hack.

A hacker can click on this file and download it to their end. They open the file in something like notepad …. There is the username and password to the website in a “Hash”. They crack the “Hash” and log into the website, edit the code to include the nasty back door to Russia.

So, using Google … and notepad … and a website for the back door to point to, you can hack a large number of websites, inject this code, then let people browse the website and get infected without any indication on how they got infected.

The file size of the website changes very little and you can reset the file date back to an older date. The webmaster does not know they are infecting people and it goes on for several days. All their backups are now full of the malware.

Then the hacker sits back and earns millions of dollars a day in ransom money.

It scares me that malicious code can be put on your PC and run, and you have no idea. It scares me that you can perform the original hack of the website using Google.

So, trying the Google trick myself, I found the passwords to a hospital website and their member logon database.

Very scary. (I will let the hospital know).

We found the original malicious code and set it up on our Malware testing machine.

We setup wireshark to monitor what it does and Sysinternals Process Monitor. We disconnected the internet and ran the virus. Nothing happened. Double clicking made the mouse change cursor but then nothing.

After watching for a while, We connected the internet. Now the virus wakes up. It needed the internet to activate.

We double click the file and it deletes itself. It appears in C:\XXXXX where xxxxxx is the random name of the EXE file. Then it copies itself into the users startup section of their profile start menu. It then looks out over the internet at numerous internet domains, hands over a Cypher (Encryption key) and starts encrypting files.

I had placed some bait in a folder called C:\$fodder. (Some Microsoft Word and Excel files). This virus went alphabetically though my drive letters and folders and encryopted all my useful files leaving behind help_decrypt.html and help_decrypt.txt files in every folder, on the desktop, in my profile startup start menu folder and the deleted the virus executable when done.

I am encrypted and held for ransom 🙂

Technical details are at http://torblogjp5rjeyhx.onion/mickyj/cryptowall-3-0/

(Yes, it is on Tor. Only advanced computer users will know what to do to get to Tor and on the Tor network, I can post more details).

Tags: ,

There is a new virus and I found it ….. TROJ_CRYPWALL.XXRS

I am as proud as can be. I found an unknown virus and my company was instrumental in it being included in new detection routines as of 23rd June 2015. I am proud to be helping keep the IT world safe, a world I work in everyday and have helped create.

The virus is not named after me but it is my claim to 5 seconds of fame. Now …. to put it into extinction. It has to go. It is a Crypto and dangerous.

I saw several of these viruses arrive in my inbox, with different subjects and senders names. The one common thread was a malformed attachment. Example name “check[1].zip size=16877”

(Contains 6d5770fd.exe(221184 bytes))

If you rename the attachment to a zip file, you can see the exe payload.

An example email:

From: bmack
Sent: Wednesday, 23 June 2015 12:28 AM
To: Michael
Subject: Hope this e-mail finds You well.

Good day!
Hope this e-mail finds You well.

Please be informed that we received the documents regarding the agreement No. 6489-245 dated from 3rd day of June.
However there are some forms missing.
We made the list of missing documents for Your ease (the list is attached below).
Please kindly check whether these forms are kept in your records.
In case you have any questions here are our contact details: 495-70-75. Feel free to give a call at any time.

Stacey Grimly,
Project Manager

If you see one of these, update your Antivirus. Delete the email. Don’t play with it.

Now, if you find something odd and your antivirus does not detect it, feel welcome to contact me. I will get it to Trend Micro whom will pull it apart. Once they have worked out how to detect and remove it, they share their info with other Antivirus companies. In the end of the day, everyone of these we knock out, get’s us one step closer to holding back the tide of these things.

Tags: , , ,

New Virus in the wild ? (5 Sept 2014)

Whilst using Facebook, followed a link to an external Top 10 “type” photo page and up came a message full screen.

This was a solid white screen to all extremities of the screen. No task bar was showing. Task manager would not work. It was modal.

There was a single line of words in the middle of the screen:

“Windows Locked! Pay WMZ”.

or

“Windows locked! Your ID is 0xe1c88c76. Send 250 WMZ to ZXXXXXXXXXX and follow instructions.”

windows locked

No amount of Googling this has turned anything up.

Fearing the worst, I had the machines removed from the network immediately.

This has symptoms of a Cryptolocker or Cryptowall type malware but may actually be broken or not fully activated. I have had people look over their files on the network shares and nothing yet appears to be damaged, altered or encrypted.

Looking in the eventlog of the machine and working backwards from when the power was removed I have located a scheduled task that has been injected into the system.

The path to the executable currently contains nothing. The Trend Micro and other security tools have not yet found anything.

I logged all files on the machine that were changed at about the infection time (including prefetch files) and reviewed the internet history and registry entries.

(I note that this file at the same time, looks suspicious \Windows\Installer\{E8863755-AD45-4ABE-87DF-3C4AD785A364}\msiexec.exe)

I have been able to work out that the file came down via Java.

This is a copy of the task that was created :

<?xml version=”1.0″ encoding=”UTF-16″?>
<Task version=”1.2″ xmlns=”http://schemas.microsoft.com/windows/2004/02/mit/task”>
<RegistrationInfo />
<Triggers>
<LogonTrigger id=”Trigger1″>
<Enabled>true</Enabled>
<UserId>User</UserId>
</LogonTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>true</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context=”Author”>
<Exec>
<Command>C:\Users\User\AppData\Roaming\bOMPZQrb\tONjafFL\qnuFfTtR\rdNgawxcA.exe</Command>
</Exec>
</Actions>
<Principals>
<Principal id=”Author”>
<UserId>User</UserId>
<LogonType>InteractiveToken</LogonType>
<RunLevel>LeastPrivilege</RunLevel>
</Principal>
</Principals>
</Task>

I have uploaded the .tmp files from he users Temporary folders into VirusTotal and nothing yet found.

I am also running an undelete tool over   C:\Users\User\AppData\Roaming\bOMPZQrb\tONjafFL\qnuFfTtR\

 

I will keep digging and report back. This does seem to be something new.

Tags: , ,

Has Cryptolocker Crypted it’s last lock ?

The news is that some smart people have managed to obtain a copy of the database that contains all the Victim’s details. Now, instead of paying for decryption, you can get the decryption for free, self service.

Head on over to this article to read more: http://www.crn.com.au/News/390855,can-this-exploit-beat-cryptolocker.aspx

I don’t think we have seen the end of these types of Malware but at least this proves that the Malware writers are not invincible.

Tags: