Bestehen Bedenken im Hinblick auf VPN-Sicherheitslücken? Erfahren Sie, wie Sie von unserem VPN-Migrationsangebot inklusive 60 Tagen kostenlosem Service profitieren können.

Zscaler Blog

Erhalten Sie die neuesten Zscaler Blog-Updates in Ihrem Posteingang

Abonnieren
Security Research

Ransomware Posing As FBI

image
CHRIS MANNON
September 13, 2013 - 2 Lesezeit: Min
Update:  The Talent over at MalwareDon'tNeedCoffee has a very thorough analysis of this malware.

Scammers and Spammers are always looking to cash in on recent news whether it be twerking or a royal baby.  I know it may seem like we are inundating you with ransomware threats this week.  The international climate has shifted towards privacy concerns due to PRISM leaks and malware writers have taken note.  This week we discussed how Fake NSA alerts tried to shake down users for a $300 to avoid prosecution.  This week a fake FBI posting purports to be after pornographic material that is displayed within the popup message (blacked out).
 
Image
Don't Panic.
This isn't the only intimidation tactic employed by the Trojan.  It also disables access to Task Manager and other Windows tools to limit the user's ability to close the disturbing page which is actually hosted on the victim's PC found at the following location:

   C:\Documents and Settings\user\Local Settings\Application Data\(8 Character string)\index.html

It disables the user's ability escape the message by hooking the process to Winlogon via the userint.exe process and creating an Autostarter value.
Image
Userinit.exe Augmented
 
Image
Autostarter Value Set

The final aspect of this threat is that it is constantly posting content from the victim's PC to contribute to a botnet.
 
Image
This POST is seen every 5 seconds.
I suspect that this trend of giving fake Government alerts to propagate malicious content is only going to trend upwards.  Some download locations for this threat can be seen here:
  • hxxp://www.techmediastream.com/misc/adobe_flash.exe
  • hxxp://originalfutures.com/images/fest/adobe_flash.exe
  • hxxp://somebizarre.com/img/33/adobe_flash.exe
The phone home activity for this threat is based Germany, not the US.
  • 91.109.21.7:1087-1096
form submtited
Danke fürs Lesen

War dieser Beitrag nützlich?

dots pattern

Erhalten Sie die neuesten Zscaler Blog-Updates in Ihrem Posteingang

Mit dem Absenden des Formulars stimmen Sie unserer Datenschutzrichtlinie zu.