The Analyst's Diary is a weblog maintained by virus analysts from Kaspersky Lab headed by Eugene Kaspersky. Find out more about the authors of this weblog.

Analyst's Diary

Gpcode - here we go again


VitalyK, August 11, 2008 | 20:25 GMT

Today we heard a disturbing rumor about a new version of Gpcode. We immediately began talking to victims and trawling the Internet for samples.

After some digging, we found a sample that answers the descriptions victims have given us. The program's currently being spread via a botnet (name withheld for security purposes).

Gpcode leaves a text file named crypted.txt which includes a ransom demand of $10. The file also contains the author's contact details: an email address, an ICQ number and a URL. The web page contains the following text in Russian:


Добрый день.

Для вас 3 новости, не очень хорошая и две очень хороших и Начнем мы с неочень хорошей.

Неочень хорошая новость заключается в том, что все ваши файлы зашифрованы современным алгоритмом AES-256.
В программе использован метод Открытых-закрытых ключей.
Используется 99999 клюей для шифрования, на каждой зараженной машине используется один ключ, повторов нет.

Перебор ключей к алгоритму AES-256 невозможен в ближайщие 1000 лет.

Надежды на Антивирусные компании - Нет.

Алгоритм AES-256 используют американские спец службы для шифрования своих документов.

И вот первая Хорошая новость:
Файлы можно дешифровать.

Вторая очень хорошая новость:
Для дешифрации необходимо заплатить всего-то - 10 долларов.


Translation (more or less word for word; it preserves the errors in the Russian text):

Good day

3 news items for you, 1 not very good and 2 very good and [we] Will begin with the notvery good.

The notvery good news is that all of your files are encrypted using the modern algorithm AES-256.
The program uses the method of Public and private keys.
There are 99999 keys used for encryption, and a unique key is used on each infected machine. There are no duplicates.

Brute-forcing the keys for the AES-256 is impossible within the next 1000 years.
Relying on the Antivirus companies – No.

The AES-256 algorithm is used by American special services for encrypting their documents.

And the first Good news: Files can be decrypted.
Second very good news: To decrypt your files it is necessary to pay only $10.


In addition to encrypting files and leaving the message shown above, Gpcode also changes the desktop wallpaper:

As we've said repeatedly in other posts – don't pay the ransom. It'll only encourage the author to continue producing new variants.

We'd also like to stress that the information in the message shown above about the encryption algorithm, the number of unique keys and the length of the key is unconfirmed at the time of writing.

We're analyzing the encryption algorithm in search of ways to crack the encryption and restore files. In the meantime, if you've been attacked by this latest Gpcode variant, we suggest that you attempt to restore your files using the method described here. We already have confirmed reports that this method does partially restore encrypted files.

If you're a victim, contact us on stopgpcode at kaspersky dot com. And of course, watch this space for updates.

Antivirus Fraudware Goes Mobile?


VitalyK, August 08, 2008 | 13:32 GMT

We came across some interesting mobile phone software yesterday. It's designed for the J2ME platform for mobiles and it's a midlet with a Kaspersky Anti-Virus icon. The application mimics the behavior of our antivirus software; it deliberately simulates the detection of a virus and then shows an error message.

At first, we thought it was a new fraudware program designed to steal money from mobile users' accounts, but after checking its behavior, we came to the conclusion that it's just a demonstration – looks like somebody was having a bit of fun. The program doesn't modify the system or try to steal any money.

Although the program isn't malicious in itself, we detect it as FraudTool – even though the program's safe to run, we think that users should be notified about it. Because it's not malicious, we've added the prefix not-a-virus. If we see another modification of this application which attempts to trick the user in some way and steal money from his/her account, we'll remove the prefix and the program will be detected as true malware.

Here's a video clip showing how the program works (in Russian only – but even if you don't speak Russian, you might still find it interesting!):

Detection for this program was added on 7 August. We named it not-a-virus:FraudTool.J2ME.KaspAV.a because it mimics the behavior of our antivirus product for mobiles.


Taking down botnets


Roel, August 06, 2008 | 19:57 GMT

Let’s start with a few facts. Last week the Dutch police arrested a 19-year-old Dutch man for selling a botnet to a Brazilian, who was also arrested. The ‘Shadow’ botnet is made up of around 100 000 infected machines.

However, the arrest isn’t the end of the story. The Dutch police are working to help the victims. One of the steps they’re taking is informing users that Kaspersky Lab websites include removal instructions (created at the request of the Dutch High Tech Crime Team) on how to get rid of the malware which transformed machines into bots.

The case raises a number of security questions which need to be discussed once the botnet has been dismantled. But in the meantime, if you think your computer might be part of the Shadow botnet, check it with an online scanner such as Kaspersky Online Scanner, and read the removal instructions we’ve posted here. The botnet does include machines from around the world, so you’re not automatically safe just because you don’t live in the Netherlands.

Do remember that the removal instructions only apply to the malware which has been used to create the botnet. These programs may have downloaded additional malware to your machine, so make sure you also scan your computer with an up-to-date antivirus solution.

Social engineering on Twitter


Dmitry, August 04, 2008 | 14:44 GMT

This week it’s Twitter’s turn to host an attack, one that targets both Twitter users and the Internet community at large. In this case it's a malicious Twitter profile, twitter.com/[skip]/, with a name that is Portuguese for ‘pretty rabbit’, on which a photo advertising a video of girls has been posted.

This profile has obviously been created specifically for infecting users: there is no data other than the photo, which contains the link to the video.

If you click on the link, you get a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. You end up with a file labeled Adobe Flash (it’s a fake) on your machine, a technique that is currently very popular.

In reality, this is a Trojan downloader that proceeds to download 10 banker Trojans onto the infected machine, all of which are disguised as MP3 files. We first detected the downloader proactively as Heur.Downloader and then added a signature to detect it also as Trojan-Downloader.Win32.Banload.sco. Only one person is currently following this profile.

We assume this is one of the authors. The account following the malicious profile does only one thing as well: it follows a third profile.

The footprints of this particular crime are pure Brazilian – ranging from the Portuguese, to the web servers hosting the banking malware to the email embedded in the malware which is used for receiving data from infected machines.

This technique does not require any serious programming skills – buy some Trojans, upload them onto a web server and create a chain of Twitter profiles following each other.

Then you only need to post the link in a social network. Unfortunately, Google indexes unprotected Twitter profiles, so malicious pages built and marketed with good social engineering tactics end up high in the rankings.

It gets even scarier if you combine this attack with something like an auto follow-me vulnerability on Twitter - Ryan wrote about this just last week.

Luckily, we haven’t found any links to this particular profile in forums, blogs or other social networks…yet.

But this method has been used successfully on Twitter since the end of 2007. This is just one example, something I found over the weekend. We are monitoring this particular profile and keeping a sharp lookout for similar cases.

Double blow against 2.0


Aleks, August 01, 2008 | 15:09 GMT

If you read the IT media, you may have seen reports about the new worm we detected yesterday - Net-Worm.Win32.Koobface, which attacks Facebook and MySpace accounts. We've got four variants so far, and there may well be more to come.

The worm uses a pretty simple approach - a link to a 'video', and then, when the user tries to watch it, s/he gets a message saying they need to update their Flash Player. It's an approach we're seeing a lot at the moment; download the 'Flash Player' file and there's new malware on your machine.

Of course, this isn't the first malware for Facebook or MySpace. We've been checking our collections, and we've found earlier variants of this worm which attack MySpace, but not Facebook. The virus writers behind Koobface are clearly trying to maximize the number of victims - the more there are, the bigger the botnet is going to be.

The guys behind Koobface are also linked to the 'fake antivirus' programs XP Antivirus and Antivirus2009, which are actually spyware. We've detected installers for these spyware programs which also contain the worm code. And Trojan-Downloader.Win32.Fraudload, which was being used to download XP Antivirus etc., is now being used to download the worm files.

The result is a double whammy: in addition to being infected by the worm and herded into a botnet, victim machines are also going to get hit by one of these nasty pieces of spyware.

Not related


David, July 17, 2008 | 14:55 GMT

Anyone who's been reading tech news lately may have noticed items about a Kris Kaspersky. People have been asking us about this, since some media sources think there is a connection between Eugene and Kris. Just to clear things up for our readers: no, there isn't. Kris is not and never was affiliated with Kaspersky Lab. Nor is Kris related to Eugene.
A picture is often worth a thousand words (photos: Eugene; Kris).

Bluelisting - pros and cons


David, July 14, 2008 | 17:47 GMT

I'm sure most of us are familiar with whitelisting. It's the idea of filtering applications (or emails, depending on the context) and allowing only those that are explicitly listed.

Well, what about 'bluelisting', i.e. using a database of digital fingerprints to find pornographic content on a drive?

It's easy to see why such a solution might be attractive. It could help parents to shield their children from pornographic content. It could help businesses avoid the HR and legal fallout from the presence of such content on corporate systems and eliminate the hit on corporate bandwidth associated with pornographic downloads. And it could help law enforcement agencies track down those storing illegal images.

However, it seems to me that while such an approach may tell us 'What?' and 'Where?', it does little to tell us 'Who?' and 'How?'; and these are the key questions in a forensic investigation. There have already been several cases of people accused of downloading pornographic content who have claimed that a Trojan was responsible for the download: man cleared of porn charges, trojan responsible for porn and new trial in porn case.

Malware Miscellany, June 2008


Yury, July 11, 2008 | 11:36 GMT


  1. Greediest Trojan targeting banks

    As we move into summer, Trojan-Banker.Win32.Banker.ohq takes the crown in this category, by targeting customers of 56 banks.


  2. Greediest Trojan targeting e-payment systems

    Trojan-Banker.Win32.Banker.olr wins this category in June, targeting three payment systems.


  3. Greediest malicious program targeting payment cards

    Here, naturally enough, there's another password-stealing Trojan: Trojan-PSW.Win32.Agent.apl has its sights set on four payment card systems.


  4. Stealthiest malicious program

    Trojan-PSW.Win32.Delf.jj wins this month, as it's packed with eight different packers.


  5. Smallest malicious program

    Trojan.BAT.KillFiles.hx is rather larger than last month's winner in this category but is still only 26 bytes in size. It's capable of wiping the contents of C:.


  6. Largest malicious program

    June's winner, Trojan-Banker.Win32.Bancos.mk, at 31MB in size, is by no means the largest program we've seen in this category.


  7. Most malicious program

    Once again Agobot makes an appearance, with a modification of Backdoor.Win32.Agobot.gen victorious this month. Its payload holds no surprises: it deletes a wide range of security products both from memory and from disk.


  8. Most common malicious program in email traffic

    This category doesn't seem to change much from month to month: our old friend, Email-Worm.Win32.Netsky.q again takes the prize, having made up 34.15% of infected mail traffic in June.


  9. Most common Trojan family

    3295 different modifications of Trojan-GameThief.Win32.OnlineGames were detected this month.


  10. Most common virus/ worm family

    Worm.Win32.Autorun is back after an absence last month, with 152 new modifications: not a huge number for this category.



IE feature exploited ITW


Roel, June 27, 2008 | 15:25 GMT

Quite a long time ago I contacted Microsoft regarding what I thought was an XSS vulnerability in IE.

Microsoft disagreed, preferring to call it a 'feature'.

This feature allows javascript embedded into GIF files to be executed under certain circumstances. The javascript may point to an alternate domain (as is the case with XSS vulnerabilities).

And this is what I saw yesterday - a compromised site containing a modified GIF file which exploits this XSS vulnerability.

The GIF file contains an embedded iframe pointing to a malicious site. (Thankfully, the site is currently presenting a 'file not found' error message.)

Here's the GIF:

This is one step on from today's common website compromises, where some javascript gets added to the main page.

Clicking "view source" doesn't reveal any malicious code – and this makes a quick analysis of the threat more difficult.

Following this discovery we've contacted Microsoft again – hopefully they'll reconsider their position on this issue.
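The executable handed out as an MP3 or 'Flash Player' update (Twitter and Koobface posts above) and the GIF carrying an iframe (this post) share one property: the bytes do not match what the filename or the image header promises. Below is an added example, not code from any of these posts or from Kaspersky Lab, that checks for exactly that. It validates a claimed container type against the leading bytes (walking the MZ stub to the PE signature rather than trusting 'MZ' alone) and scans anything that is a GIF for HTML markup after the header. The signature table, the filenames and every sample file are constructed for the demo; the check reports disguise and polyglot content, not whether a file is malicious.

```python
"""Flag files whose bytes contradict their name or their image header.

Added example for the posts above; not code from the original page.
The signature table is deliberately small (assumption: only these types
matter for the demo) and all sample files are constructed inline.
"""
import re
import struct

# Leading-byte signatures for the container types we care about.
SIGNATURES = {
    "pe":  (b"MZ",),
    "gif": (b"GIF87a", b"GIF89a"),
    "mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
    "flv": (b"FLV",),
}

# Which container each file extension is expected to carry.
EXPECTED = {"exe": "pe", "mp3": "mp3", "gif": "gif", "flv": "flv"}

# Markup that has no business inside an image file.
MARKUP_RE = re.compile(rb"<\s*(iframe|script|object|embed|html)\b", re.IGNORECASE)


def is_pe(data: bytes) -> bool:
    """True if data is a PE executable: 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect_container(data: bytes) -> str:
    """Container type implied by the leading bytes, or 'unknown'."""
    if is_pe(data):
        return "pe"
    for kind, magics in SIGNATURES.items():
        if kind != "pe" and any(data.startswith(m) for m in magics):
            return kind
    return "unknown"


def inspect_file(name: str, data: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = detect_container(data)
    expected = EXPECTED.get(ext)
    if actual == "pe" and expected != "pe":
        findings.append(f"executable disguised as .{ext or '?'}")
    elif expected and actual != expected:
        findings.append(f"declared .{ext} but content looks like {actual}")
    if actual == "gif":
        m = MARKUP_RE.search(data)
        if m:
            tag = m.group(1).decode().lower()
            findings.append(f"GIF carries HTML markup <{tag}> at offset {m.start()}")
    return findings


def _fake_pe() -> bytes:
    """Minimal MZ stub plus a PE signature (constructed; not a real program)."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 16


# Constructed samples mirroring the tricks in the posts.
SAMPLES = {
    "girls_video.mp3": _fake_pe(),                        # dropper named as an MP3
    "flash_player_update.exe": _fake_pe(),                # honest name, still a PE
    "track01.mp3": b"ID3\x03\x00" + b"\x00" * 32,         # looks like a real MP3
    "logo.gif": b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16 + b";",
    "banner.gif": b"GIF89a" + b"\x01\x00\x01\x00" + b"\x00" * 16
                  + b'<iframe src="http://example.invalid/x" width=0 height=0></iframe>',
}


def scan_all() -> dict:
    """Inspect every constructed sample; maps filename -> findings."""
    return {name: inspect_file(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(f"{name}: {'; '.join(findings) or 'ok'}")
```

A real deployment would walk a download directory or web root with the same inspect_file and a larger signature table. Note that the GIF check only reports embedded markup; whether a browser executes it depends on how the file is served and sniffed, which the post leaves open.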

Another way of restoring files after a Gpcode attack


VitalyK, June 26, 2008 | 11:58 GMT

Our previous blog post on Gpcode said we'd managed to find a way to restore files in addition to those that can be restored using the PhotoRec utility.

It turns out that if a user has files that are encrypted by Gpcode and versions of those same files that are unencrypted, then the pairs of files (the encrypted and corresponding unencrypted file) can be used to restore other files on the victim machine. This is the method that the StopGpcode2 tool uses.

Where can these unencrypted files be found? They may be the result of using PhotoRec. They may also be in backup storage or on removable media (e.g., the original files of photographs copied to the hard disk of a computer that has been attacked by Gpcode may still be on the camera’s memory card). Unencrypted files may also have been saved somewhere on a network resource (e.g., films or video clips on a public server) that the Gpcode virus has not reached.

We can't guarantee that files will be restored, as the method used relies not only on the user having unencrypted versions of the affected files but also on the characteristics of the infected machine. All the same, the results we achieved during testing (80% of encrypted files were restored) suggest that it's worth doing if you need to recover your files.

The more pairs of files that can be found the more data that can be restored.

Detailed instructions on the use of the StopGpcode2 tool can be found in the description of Virus.Win32.Gpcode.ak.
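The post does not say how StopGpcode2 turns file pairs into recovered data. What follows is an added illustration, not Kaspersky's tool, of the one general principle under which an (original, encrypted) pair can unlock other files: if every file on a machine was encrypted with the same stream-cipher keystream (RC4 with one per-machine key is assumed here purely for the demo), XORing a recovered original against its encrypted copy yields that keystream, and the keystream then decrypts the leading bytes of every other file. It also shows why results are partial and why more pairs help: a file longer than the longest known pair is only restored as far as the keystream reaches, and pairs that disagree (different keys) are rejected instead of producing garbage. The RC4 routine, the key and the 'victim' files are all constructed inline.

```python
"""Known-plaintext keystream recovery against a reused stream-cipher key.

Added example; not the StopGpcode2 tool, whose internals the post does not
describe. Assumption for the demo: one RC4 key (hence one keystream) was used
for every file on the machine. Everything below is constructed inline.
"""


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); present only so the demo runs offline."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_keystream(pairs) -> bytes:
    """Merge keystream fragments from (original, encrypted) file pairs.

    Each pair yields keystream for its own length, so the longest pair decides
    how much keystream we hold. If two pairs disagree on a shared offset, the
    files were not encrypted under the same keystream and the method does not
    apply; abort rather than return garbage."""
    ks = b""
    for original, encrypted in pairs:
        n = min(len(original), len(encrypted))
        fragment = xor(original[:n], encrypted[:n])
        overlap = min(len(ks), n)
        if fragment[:overlap] != ks[:overlap]:
            raise ValueError("pairs disagree: different keys were used")
        if n > len(ks):
            ks = fragment
    return ks


def same_keystream_used(pairs) -> bool:
    """Consistency check to run before promising a victim anything."""
    try:
        recover_keystream(pairs)
        return True
    except ValueError:
        return False


def restore(encrypted: bytes, ks: bytes):
    """Decrypt as far as the keystream reaches; return (prefix, bytes_unknown)."""
    n = min(len(encrypted), len(ks))
    return xor(encrypted[:n], ks[:n]), len(encrypted) - n


# --- constructed victim machine ---------------------------------------------
MACHINE_KEY = b"per-machine-key-demo"   # assumption: one key for all files


def encrypt(data: bytes) -> bytes:
    return xor(data, rc4_keystream(MACHINE_KEY, len(data)))


ORIGINALS = {
    "IMG_0001.JPG": b"\xff\xd8\xff\xe0" + b"holiday photo, still on the camera card " * 2,
    "notes.txt": b"quarterly figures: " + b"1234567890" * 5,
    "report.doc": b"\xd0\xcf\x11\xe0" + b"x" * 200,   # longer than any known pair
}
ENCRYPTED = {name: encrypt(data) for name, data in ORIGINALS.items()}


def demo():
    """Two originals were found (camera card, backup); report.doc was not."""
    pairs = [(ORIGINALS["IMG_0001.JPG"], ENCRYPTED["IMG_0001.JPG"]),
             (ORIGINALS["notes.txt"], ENCRYPTED["notes.txt"])]
    ks = recover_keystream(pairs)
    prefix, unknown = restore(ENCRYPTED["report.doc"], ks)
    return ks, prefix, unknown


if __name__ == "__main__":
    ks, prefix, unknown = demo()
    print(f"keystream recovered: {len(ks)} bytes")
    print(f"report.doc: {len(prefix)} bytes restored, {unknown} bytes still unknown")
```

The longest pair sets the ceiling on what can be restored, which is why the post's advice to hunt for more unencrypted originals (camera cards, backups, network shares) matters: each longer original extends the recovered keystream. If the malware had used a fresh key per file, the consistency check would fail on the first two pairs and this method would be of no use.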

Copyright © 1996 - 2008 Kaspersky Lab. All rights reserved.