Scareware Locks Down Computer Due To Child Porn and Terrorism

Recently, my sandbox came across a scareware sample that locks down the victim’s computer because of alleged “terrorism and child pornography”. Some AV vendors detect the malware as “Win32/LockScreen”.

The scheme is pretty simple: the criminals infect computers with the scareware (e.g. through drive-by exploits). As soon as a computer is infected, the malware locks down the machine so that the user can no longer log in. It then displays a message claiming that law enforcement agency XY found child pornography on the victim’s computer and that the computer was used to send out “spam mails with terrorist motives”:

Attention!!!

This operating system is locked due to the violation of the laws of the United Kingdom! Following violations were detected:
Your IP address was used to visit websites containing pornography, child pornography, zoopillia and child abuse. Your computer also contains video files with Pornographic content, elements of violence and child pornograhpy! Spam-messages with terrorist motives were also sent from your computer

This computer lock is aimed to stop your illegal activity.

The message displayed to the victim looks like this:

What is interesting about this scareware is that its behaviour depends on the geolocation of the victim’s computer. Before displaying the message shown above, it contacts a central botnet command and control server (C&C) located in Ukraine (188.190.99.174 – AS197145 Infium LTD) over HTTP:

X-188.190.099.174.00080: GET /loc/gate.php?getpic=getpic HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: 188.190.99.174
Connection: Keep-Alive

188.190.099.174.00080-X: HTTP/1.1 200 OK
Date: Wed, XX Feb 2012 XX:XX:XX
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 32
Connection: close
Content-Type: text/html; charset=UTF-8

http://188.190.99.174/pic/DE.bmp

In the first request the malware contacts the C&C with a parameter called “getpic”. The C&C responds with a URL pointing to the image the malware should display to the victim. The malware then follows that URL and downloads the BMP file:

GET /pic/DE.bmp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: 188.190.99.174
Cache-Control: no-cache

Then the malware determines the IP address of the victim’s computer by calling the C&C with the parameter “getip”:

X-188.190.099.174.00080: GET /loc/gate.php?getip=getip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: 188.190.99.174
Connection: Keep-Alive

Afterwards the malware displays the “lock screen” to the user, built from the C&C’s response (the IP address) and the image file downloaded before.
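The three-step beaconing sequence above (getpic, BMP download, getip) is easy to spot in web proxy logs. The following detector is an added example written for this post, not part of the original analysis; it runs over a constructed, tab-separated sample log (client, host, path, user-agent) and flags clients that contacted the C&C, reconstructs the order of the requests, extracts the country code from the BMP name, and notes whether the User-Agent matches the one captured above (note the lowercase “l” in “MSlE”, which differs from a genuine “MSIE” string).

```python
import re
from collections import defaultdict

# Indicators taken from the traffic captured in the post
CC_HOST = "188.190.99.174"
GATE_RE = re.compile(r"^/loc/gate\.php\?(getpic|getip)=\1$")
PIC_RE = re.compile(r"^/pic/([A-Z]{2})\.bmp$")
# User-Agent exactly as captured above ("MSlE" with a lowercase L, not "MSIE")
BAD_UA = "Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"

# Constructed sample proxy log (not real traffic): client \t host \t path \t user-agent
SAMPLE_LOG = """\
10.0.0.5\t188.190.99.174\t/loc/gate.php?getpic=getpic\tMozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
10.0.0.5\t188.190.99.174\t/pic/DE.bmp\tMozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
10.0.0.5\t188.190.99.174\t/loc/gate.php?getip=getip\tMozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
10.0.0.7\twww.example.com\t/index.html\tMozilla/5.0 (Windows NT 6.1)
10.0.0.9\t188.190.99.174\t/pic/GB.bmp\tMozilla/5.0 (Windows NT 6.1)
"""

def parse_line(line):
    client, host, path, ua = line.rstrip("\n").split("\t", 3)
    return client, host, path, ua

def analyse(log_text):
    """Return {client: {"steps": [...], "country": code or None, "ua_match": bool}}
    for every client that talked to the C&C host."""
    hits = defaultdict(lambda: {"steps": [], "country": None, "ua_match": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, host, path, ua = parse_line(line)
        if host != CC_HOST:
            continue                      # only C&C traffic is of interest here
        rec = hits[client]
        m = GATE_RE.match(path)
        if m:
            rec["steps"].append(m.group(1))   # "getpic" or "getip"
        else:
            m = PIC_RE.match(path)
            if m:
                rec["steps"].append("bmp")
                rec["country"] = m.group(1)   # country code from the BMP name
        if ua == BAD_UA:
            rec["ua_match"] = True
    return dict(hits)

def verdict(rec):
    # Full getpic -> BMP -> getip sequence means the lock screen was most likely shown
    if rec["steps"] == ["getpic", "bmp", "getip"]:
        return "locked"
    return "contacted"   # partial contact with the C&C; still worth triage
```

Blocking the C&C address at the proxy, as suggested later in the post, stops the BMP download and leaves exactly the partial “contacted” pattern that this script surfaces.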

The interesting part is that, because the image files on the botnet controller are named after country codes, you can identify the countries being hit by this attack by guessing the file names. So far, I’ve identified the following countries/URLs:

Location: http://188.190.99.174/pic/AT.bmp
Country: Austria (AT)
Agency: BUNDESPOLIZEI
Domain name: landes-kriminalt.net

Location: http://188.190.99.174/pic/DE.bmp
Country: Germany (DE)
Agency: BUNDESPOLIZEI
Domain name: landes-kriminalt.net

Location: http://188.190.99.174/pic/GB.bmp
Country: United Kingdom (GB)
Agency: METRPOPOLITIAN POLICE
Domain name: policemetropolitan.org

Location: http://188.190.99.174/pic/FR.bmp
Country: France (FR)
Agency: Gendarmerie nationale
Domain name: n-p-f.org

Location: http://188.190.99.174/pic/IT.bmp
Country: Italy (IT)
Agency: Guardia di Finanza
Domain name: it-polizia.org

Location: http://188.190.99.174/pic/ES.bmp
Country: Spain (ES)
Agency: La policia ESPANOLA
Domain name: lapoliciaespanola.org

Most of the domain names mentioned above are misspelled; for example, landes-kriminalt.net is a misspelling of “Kriminalamt”, which is equivalent to the Federal Police. All mentioned domain names are registered through the registrar BIZCN (a registrar located in China):

Domain Name: LANDES-KRIMINALT.NET
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS3.CNMSN.COM
Name Server: NS4.CNMSN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 02-may-2011
Creation Date: 02-may-2011
Expiration Date: 02-may-2012

Last update of whois database: Thu, 01 Mar 2012 10:26:21 UTC
[...]

Domain name: landes-kriminalt.net

Registrant Contact:
Lilo
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945
cn

Administrative Contact:
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945
cn

Technical Contact:
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945
cn

Billing Contact:
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945
cn

DNS:
ns3.cnmsn.com
ns4.cnmsn.com

Created: 2011-05-02
Expires: 2012-05-02

What nearly all of these domain names have in common is that they have already been registered for more than 8 months (Created: 2011-05-02). The same registrant has also registered a number of other domain names.


I’m asking myself how the criminals have managed to keep these domain names from being suspended for such a long time. Please note that these domain names should be considered malicious and therefore blocked at your network’s edge (web gateway / proxy / DNS), along with the botnet controller (188.190.99.174).

The described scareware scheme isn’t really new: Switzerland, along with several other European countries, was hit by a similar attack back in 2011.

3 Responses to “Scareware Locks Down Computer Due To Child Porn and Terrorism”

  • Just been hit by this one. You can quickly close down the process if you have 3rd party process kill software (i.e. Process Explorer – procexp), but you gotta do it quick before it kicks in. On occasion I was able to keep the Start > Run > [Browse] window over the top of the infected desktop. I could then right click and run/open anything from here, but I had to keep this [Browse] window open in order to maintain my windows on top.

    Also to note, my HTTP settings are a bit fked. Certain websites, including common and somewhat uncommon anti-spyware sites, have been blocked, namely ComboFix and Microsoft. Having run ComboFix first, it didn’t clean it; I then had to rename the Malwarebytes exe to something other than mbam.exe in order to get it to run. This cleared the problem, so far at least. I’m still picking up traces on my 2nd full scan.

    Just a word of warning for anyone reading this: get yourself a copy of “Process Explorer” and stick it in your root dir. It can save your ass in situations like this when you only have a few seconds to kill the process.

    PS. Sorry, I can’t remember the exact process name and I don’t know if it varies at all, but it began with a “w”, something like “wyu…….”. Just kill anything which looks uncommon.

  • BTW, FYI, it corrupts Safe Mode, so no Safe Mode boot. I always have System Restore disabled to save resources.

  • I’m in Portugal and also had this problem.
    The way I got round the virus was to force the Start button several times until it is possible to click the off button,
    forcing it to shut down.
    When I started up I had access to the computer,
    then began to run programs to cancel the shutdown.
    This way I had access to the computer to search for the virus.
    I just need to get it removed.
    That’s the image of the block:
    http://www.freeimagehosting.net/5q4nl
