Monthly Archive for May, 2012

Ransomware Gets Professional, Targeting Switzerland, Germany And Austria

In March I blogged about a ransomware which has been targeting various countries, locking down the victims computer due to “Child Porn and Terrorism”.

This week I spotted another ransomware campaign that is targeting Swiss, German, and Austrian internet users. This time the criminals seems to use a different schema to lock down the victims computer: violation of local copyright law.

*** Infection vector ****
The infection vector is a well known drive-by exploit kit called “Blackhole”. It is sold in underground forum and used by various criminal groups to infected computers “on the fly” by (ab)using one or more security vulnerabilities in the victims web browser (or a third party plug-in like Adobe Flash Player, Adobe Reader or Java). In this case a Blackhole exploit kit located at was involved to spread the ransomware:

hXXp:// [landing page]
-> hXXp:// [JavaScript loading exploits]
–> hXXp:// [Java exploit]
—> hXXp:// [Payload]

If the installed Java version on the victims computer is not up to date (unpatched), the downloaded jar file (Edu.jar) will exploit a well known vulnerability in Java which will trigger the download of the payload (Trojan) and finally execute it to infect the computer. The payload had a detection rate of 4/42 on Virustotal:

Filename: info.exe
MD5: 56f4d5837af32b12069576fae8c2b3c5
File size: 312.5 KB
AV-detection rate: 4/42

*** Analysis of the payload (Ransomware) ***
If the exploitation of the victims computer is successful, the Ransomware will install itself into the Application Data directory of the current user:

C:\Documents and Settings\Christoph\Application Data\itunes_service01.exe

Once the computer has been infected, the Ransomware will try to contact its Command&Control server (C&C) located at using HTTP GET:


The landing URL redirector.php will determine the location of the infected computer by using GeoIP and will redirect the request to the matching site by using HTTP 302 Found, for example:


While investigating this C&C I’ve found several other URLs which shows that this Ransomware is targeting not only Switzerland but also several other countries:

hXXp:// (Switzerland)
hXXp:// (Germany)
hXXp:// (Austria)
hXXp:// (England)
hXXp:// (France)
hXXp:// (Netherlands)
Country: Swiztzerland (SUISA)
Country: Germany (GVU)
Country: Austria (AKM)
Country: United Kingdom (PRS)
Country: France (SACEM)
Country: Netherlands (BUMA-STEMRA)

What lights up quickly when taking a look at these URLs is the fact that they are all written in German. So it looks like the cybercriminal behind this ransomware campaign is a German speaking person. While analysing all these different URLs I noticed that the cybercriminal has spent quite some time to prepare them. The language seems to be well written (I couldn’t find as many write errors as I would have expected). In addition it appears that the cybercriminal tried to get intel about where the victim can buy paysafecard (for the record: the victim has to pay a country specific amount of money to the cybercriminal using paysafecard to get his computer unlocked) and which association is tracking copyright infringement in the specific country. For example, he tells Swiss victims that they can obtain paysafecard on the federal railway station (SBB) and the MediaMark (a German based electronic discounter).

Another interesting finding is the fact that the Ransomware comes with an additional Trojan called Aldi Bot. Aldi Bot steals banking information (similar to ZeuS and SpyEye) and has some additional DDoS functionality.

Fortunately, Aldi Bot C&C traffic is very easy to identify due to the fact that this Trojan uses a specific User-Agent called “Aldi Bot FTW! :D”. In this case the Aldi Bot C&C is located at the same server/domain as the Ransomware itself but on a different URI:

GET /unser1/universalpanel/gate.php?hwid=XXX&pc=XXX&localip=XXX&winver=XXX HTTP/1.1
User-Agent: Aldi Bot FTW! 😀

*** Command&Control Infrastructure ***

The domain name used by this Ransomware and Aldi Bot is pointing to a Russian web hosting provider called “Amtel Svyaz”:

$ dig +short

$ whois
inetnum: –
netname: AMTEL-SVYAZ
descr: “Amtel Svyaz” ZAO
country: RU
admin-c: AG12682-RIPE
tech-c: AG12682-RIPE
tech-c: AG8732-RIPE
mnt-domains: AMTELSV-MNT
mnt-routes: ROSNIIROS-MNT
source: RIPE # Filtered

The domain name is registered through a Russian based domain registrar called Regtime Ltd (also known as

Domain name:

Name servers:

Registrar: Regtime Ltd.
Creation date: 2012-04-29
Expiration date: 2013-04-29

Huth Matthias
Organization: Huth Matthias
Address: Bremenstrasse 12
City: Gladbeck
State: NRW
ZIP: 45964
Country: DE
Phone: +49.3051236167
Fax: +49.3051236169

According to whois the holder of this domain is “Huth Matthias” which has registered various other domain names this year:

All these domain names can be considered as malicious and should be blocked on your network edge.
To prevent this kind of infections you should ensure that your operating system as well as all installed applications (especially browser plug-ins) are up to date.

*** Further reading ***