Be Careful of Updates! [Important Information]



08-15-2011, 07:31 AM #1
AceInfinity
Developer
Administrators
Posts: 9,733 Threads:1,026 Joined: Jun 2011 Reputation: 76

Be Careful of Updates! [Important Information]
Even though files are presented as updates, you should always check them for validity before installing them, or install at your own risk.

Recently there was an update for Firefox from a fake Firefox site:

Code:
http:// firefox.perl .sh

File Info:
MD5: 9a6f87b4be79d0090944c198a68012b6

Originally, there were only 3 detections for it:
https://www.virustotal.com/file-scan/rep...1299783978
(Almost all of the major AVs were unaware of this file's malicious activity, it looks like.)

But after a while it became more widely known to AVs, and its detection rate rose to 40/42 of the online built-in scanners:
https://www.virustotal.com/file-scan/rep...1302561162

A friend of mine had this on his computer:


A result of downloading this file.

The file appears to lock all application executions, as well as your entire Operating System from being used, and it prompts you with this message instead.

I took the file off his computer and did some testing with it on my own, unaware that this ransomware would "release" itself after a while, since there was an area for a key activation to allow you to access your operating system again.



Here would be your next screen. However, all of those given numbers are invalid.

Testing this with a few debugging tools on my own machine gave me a key: 1351236, which apparently is the real key to get back into your system. Each digit has to be entered into the textboxes.

However, this would be a pretty dangerous file. The ransomware actually gives you a valid key after quite a few tries, I believe, when testing those numbers given, of course, which was the only catch. It worked for some people but didn't for me.

I was actually pretty intrigued at how the newer generation of trojans has become so diverse in human-engineered malware. Also, how people came up with the idea to create a system locker like this is pretty frightening.

This exact file was also released as an Adobe Flash update executable from what I've read. All sites hosting this ransomware have been removed by the bigger parties, though, I believe.
This post was last modified: 08-15-2011, 07:34 AM by AceInfinity.


Microsoft MVP .NET Programming - (2012 - Present)
®Crestron DMC-T Certified Automation Programmer

Development Site: aceinfinity.net

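An added example, not part of the post, of the check the opening advice asks for: hash the downloaded file, compare it against a vendor-published SHA-256 and the known-bad MD5 quoted above, and flag a plain-http or off-vendor download URL like the one in the post. The trusted-host list, the file path and the sample bytes are assumptions made for the example.

```python
import hashlib
from typing import Optional
from urllib.parse import urlparse

# MD5 quoted in the post for the fake "Firefox update" sample.
KNOWN_BAD_MD5 = {"9a6f87b4be79d0090944c198a68012b6"}

# Hosts a genuine Firefox download is expected to come from (assumption for this example).
TRUSTED_HOSTS = {"www.mozilla.org", "download.mozilla.org"}


def file_hashes(data: bytes) -> dict:
    """Return MD5 (to match the thread's IoC) and SHA-256 (for vendor comparison)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def check_download_url(url: str) -> list:
    """Flag the two things the post's URL gets wrong: no TLS and an off-vendor host."""
    findings = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append("download not served over https")
    if parsed.hostname not in TRUSTED_HOSTS:
        findings.append(f"untrusted host: {parsed.hostname}")
    return findings


def assess_update(url: str, data: bytes, expected_sha256: Optional[str] = None) -> dict:
    """Combine URL checks with hash checks; 'ok' is True only when nothing was flagged."""
    findings = check_download_url(url)
    hashes = file_hashes(data)
    if hashes["md5"] in KNOWN_BAD_MD5:
        findings.append("MD5 matches a known malicious sample")
    if expected_sha256 is None:
        findings.append("no vendor-published SHA-256 to compare against")
    elif hashes["sha256"] != expected_sha256.lower():
        findings.append("SHA-256 does not match the vendor-published value")
    return {"hashes": hashes, "findings": findings, "ok": not findings}


if __name__ == "__main__":
    # Constructed sample bytes standing in for a downloaded installer;
    # the URL is the post's defanged address re-joined, with a constructed path.
    sample = b"constructed installer bytes"
    print(assess_update("http://firefox.perl.sh/firefox-update.exe", sample))
```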

08-15-2011, 08:34 AM #2
KoBE
¯\_(ツ)_/¯
Global Moderators
Posts: 4,862 Threads:494 Joined: Jun 2011 Reputation: 67

RE: Be Careful of Updates! [Important Information]
I can see how this could trick the average bear computer user into running. Thanks for the info.

08-15-2011, 09:54 AM #3
AceInfinity
Developer
Administrators
Posts: 9,733 Threads:1,026 Joined: Jun 2011 Reputation: 76

RE: Be Careful of Updates! [Important Information]
The reason for those numbers given is that the trojan author will earn money from every call to those numbers (short stopping). Genius human engineering at its finest...

The way this trojan actually works is that it encrypts all the files on your computer and doesn't give them back until you enter their registration key. It doesn't just block you out of your system; it basically holds your files in a virtual "safe" and holds them "ransom".
This post was last modified: 08-15-2011, 09:58 AM by AceInfinity.



08-15-2011, 10:05 AM #4
AceInfinity
Developer
Administrators
Posts: 9,733 Threads:1,026 Joined: Jun 2011 Reputation: 76

RE: Be Careful of Updates! [Important Information]
You need to watch THIS video to see how incredibly Genius this trojan really is... It's unbelievable how much they've engineered this:





08-15-2011, 11:12 AM #6
KoBE
¯\_(ツ)_/¯
Global Moderators
Posts: 4,862 Threads:494 Joined: Jun 2011 Reputation: 67

RE: Be Careful of Updates! [Important Information]
I just watched the vid.. that's wild. Not a bad setup they have going there.

08-15-2011, 11:14 AM #7
AceInfinity
Developer
Administrators
Posts: 9,733 Threads:1,026 Joined: Jun 2011 Reputation: 76

RE: Be Careful of Updates! [Important Information]
It is pretty well engineered, isn't it?



08-15-2011, 11:24 AM #8
KoBE
¯\_(ツ)_/¯
Global Moderators
Posts: 4,862 Threads:494 Joined: Jun 2011 Reputation: 67

RE: Be Careful of Updates! [Important Information]
It appears to be... you'd think they would have a unique key per machine, though.

08-15-2011, 11:28 AM #9
AceInfinity
Developer
Administrators
Posts: 9,733 Threads:1,026 Joined: Jun 2011 Reputation: 76

RE: Be Careful of Updates! [Important Information]
(08-15-2011, 11:24 AM)KoBE Wrote:  It appears to be.. you'd think they would have a unique key per machine though.

I think the main reason they didn't do that is because the activation on the phone couldn't be changed to be recognized per machine ID; there's no way of generating a specific unique key on the phone for every machine that's infected, I don't think. The only connection to the phone system from their trojan is the person; other than that, there's no way for the phone bot to connect to the user's computer and find out what that unique key ID is so that the bot can speak it out.

I'm sure they got lots of income in the short timeframe when it was first released, though, and people were unaware of what it really was.
This post was last modified: 08-15-2011, 11:29 AM by AceInfinity.



08-15-2011, 11:33 AM #10
KoBE
¯\_(ツ)_/¯
Global Moderators
Posts: 4,862 Threads:494 Joined: Jun 2011 Reputation: 67

RE: Be Careful of Updates! [Important Information]
They wouldn't need to generate it on the phone; the trojan could generate a unique code to have them input over the phone, then have a computer decrypt it and give them the correct code back. But I agree: as much money as this probably brought in at the beginning, I'm sure it wouldn't yield them much more.
