Self-propagating ransomware written in Windows batch hits Russian-speaking countries

Ransomware steals email addresses and passwords; spreads to contacts.

Recently a lot of users in Russian-speaking countries received emails similar to the message below. It says that some changes to an “agreement” were made and the victim needs to check them before signing the document.

[image: msg]
The message carries a zip file as an attachment, which contains a simple JavaScript downloader. The downloader fetches several files into %TEMP% and executes one of them.
[image: payload]
The files have a .btc extension, but they are regular executable files.
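The delivery step above (a zip attachment whose only member is a script) is the cheapest place to stop this campaign: a mail gateway or a quarantine script can refuse the attachment before the downloader ever runs. The following is an added example, not code from the original post or from Avast; it builds a constructed zip in memory with a hypothetical lure name and flags members that Windows would execute when double-clicked, including double extensions such as `agreement.doc.js`.

```python
import io
import zipfile

# Extensions Windows executes directly when a user double-clicks them.
# Constructed list for this example; extend it to match local policy.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".bat", ".cmd", ".exe", ".scr", ".ps1",
}


def inspect_zip_attachment(data: bytes, max_members: int = 1000) -> dict:
    """Return {"verdict": "allow"|"block", "findings": [...]} for an in-memory zip.

    Flags (a) members with a script/executable extension, (b) double
    extensions such as 'agreement.doc.js', and (c) data that is not a zip at all.
    """
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist()[:max_members]:
                name = info.filename
                if name.endswith("/"):  # directory entry, nothing to execute
                    continue
                base = name.rsplit("/", 1)[-1].lower()
                parts = base.split(".")
                ext = "." + parts[-1] if len(parts) > 1 else ""
                if ext in SCRIPT_EXTENSIONS:
                    # More than one dot before a script extension is the classic
                    # "document.doc.js" disguise used by mail lures.
                    reason = "double_extension" if len(parts) > 2 else "script_or_executable"
                    findings.append({"member": name, "ext": ext,
                                     "reason": reason, "size": info.file_size})
    except zipfile.BadZipFile:
        return {"verdict": "block", "findings": [{"reason": "not_a_valid_zip"}]}
    return {"verdict": "block" if findings else "allow", "findings": findings}


def build_sample_zip(members: dict) -> bytes:
    """Construct a zip in memory from {member_name: text} (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a member named like the "agreement" lure, but it is
    # a JScript file. The content is a harmless placeholder, not the downloader.
    sample = build_sample_zip({"agreement_changes.doc.js": "// placeholder\n"})
    print(inspect_zip_attachment(sample))
```

The check is deliberately name-based and cheap; it complements, rather than replaces, hash and behavioural detection of the downloader itself.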

coherence.btc is GetMail v1.33
spoolsv.btc is Blat v3.2.1
lsass.btc is Email Extractor v1.21
null.btc is gpg executable
day.btc is iconv.dll, library necessary for running gpg executable
tobi.btc is Browser Password Dump v2.5
sad.btc is sdelete from Sysinternals
paybtc.bat is a long Windows batch file which starts the malicious process itself and its replication

After downloading all the available tools, it opens the supposed agreement for the victim to review and sign. However, the document contains nonsense characters and a message in English which says, “THIS DOCUMENT WAS CREATED IN NEWER VERSION OF MICROSOFT WORD”.

[image: msg2]

While the user is looking at the document displayed above, the paybtc.bat payload is already running in the background and performing the following malicious operations:

  • The payload uses the gpg executable to generate a new public/private key pair from the parameters in genky.btc. This operation creates several files; the most interesting ones are pubring.gpg and secring.gpg.

[image: genky]

  • It then imports a public key hardcoded in the paybtc.bat file. This key is called HckTeam. secring.gpg is encrypted with the hardcoded public key and then renamed to KEY.PRIVATE. All remnants of the original secring.gpg are securely deleted with sdelete. Anyone who wants to recover the original secring.gpg must own the corresponding private key (HckTeam), and that key is known only to the attackers.

[image: keys2]

  • After that, the ransomware scans all drives and encrypts every file with certain extensions. The encryption key is the previously generated public key named cryptpay. The targeted extensions are *.xls *.xlsx *.doc *.docx *.xlsm *.cdr *.slddrw *.dwg *.ai *.svg *.mdb *.1cd *.pdf *.accdb *.zip *.rar *.max *.cd *.jpg. After encryption, the extension “[email protected]” is appended to the file names. To decrypt these files back to their original state, the cryptpay private key is needed; however, that key was encrypted with the HckTeam public key, so only the owner of the HckTeam private key can decrypt it.

[image: keys3]

  • After successful encryption, the ransomware creates several copies (in root directories, etc.) of a text file with the ransom message. The attackers ask the victim to pay 140 EUR. They provide a contact email address ([email protected]) and ask the victim to send two files, UNIQUE.PRIVATE and KEY.PRIVATE.

[image: message]

A list of the paths of all the encrypted files is stored in the UNIQUE.BASE file. Paths containing uninteresting components are stripped from this list (these components include: windows, temp, recycle, program, appdata, roaming, Temporary Internet, com_, Intel, Common, Resources).
This file is encrypted with the cryptpay public key and stored as UNIQUE.PRIVATE. To decrypt this file, the attackers need the cryptpay private key, which was previously encrypted with the HckTeam public key. It means that only the owner of the HckTeam private key can decrypt UNIQUE.PRIVATE.
[image: keys4]

When we display a list of all the available keys (the --list-keys parameter) in our test environment, we can see two public keys: one of them is hardcoded in the paybtc.bat file (HckTeam), the other was recently generated and is unique to the particular computer (cryptpay).

[image: keys]

Then Browser Password Dump (renamed to ttl.exe) is executed. The stolen website passwords are stored in ttl.pwd file.
[image: keys5]

The ttl.pwd file is then sent to the attacker with the email address and password hardcoded in the bat file.
[image: keys6]

Then the ttl.pwd file is processed. The ransomware searches it for stored passwords for known Russian email service providers. These sites include auth.mail.ru, mail.ru, e.mail.ru, passport.yandex.ru, yandex.ru and mail.yandex.ru. When a user/password combination is found, it is stored for future use.
[image: keys7]

The GetMail program is used later to read emails from a user account and extract contacts. The ransomware will spread itself to these contacts.

With the stolen passwords, the virus then runs coherence.exe (the renamed GetMail utility), which retrieves emails via POP3. The virus knows only the username and password, not the domain, so it takes a few tries against all major email providers to brute-force the one missing piece of information. If an email is downloaded while brute-forcing, it confirms two things: 1. the domain the victim uses, and 2. that the password works. Then the virus downloads the last 100 emails, extracts the “From” email addresses and runs a simple command to filter out specific addresses, such as automatic emails.

[image: email_extracting]

Next, ten variants of the email are created, each with one custom link.
[image: emails]

The links all point to different files, but after unzipping we obtain the original JavaScript downloader.

[image: urls]

The virus now has a fake email with a malicious link, addresses to send it to, and the email address and password of the sender. In other words, everything it needs to propagate.

Propagation is achieved using the Blat program, renamed spoolsv.btc. The last step of the virus is to remove all temporary files; nothing will ever be needed again.

[image: cleanup]

Conclusion:

In the past we regularly got our hands dirty with ransomware which was typically a highly obfuscated executable. This case was quite different. It was interesting mainly because it was written purely in a batch file and relied on many open source and/or freely available third party utilities. Also, self-replication via emails was something we do not usually see.

avast! security products detect this ransomware and protect our users against it. Make sure your friends and family are protected as well. Download avast! Free Antivirus now.

SHAs and Avast’s detections:

Javascript downloader (JS:Downloader-COB)

ee928c934d7e5db0f11996b17617851bf80f1e72dbe24cc6ec6058d82191174b

BAT ransomware (BV:Ransom-E [Trj])

fa54ec3c32f3fb3ea9b986e0cfd2c34f8d1992e55a317a2c15a7c4e1e8ca7bc4
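For triage on a suspected machine, the file list given earlier (the .btc tools, paybtc.bat, KEY.PRIVATE, UNIQUE.PRIVATE, UNIQUE.BASE, ttl.pwd, ttl.exe) and the two SHA-256 values above can be turned into a small disk sweep. The following is an added example, not code from the original post or from Avast: it walks a directory, hashes every file, and flags known artefact names, files with a .btc extension that start with a PE (`MZ`) header, and hash matches against the two published values. The demo tree it builds is constructed (the `MZ` bytes are a fake header, not an executable); pubring.gpg and secring.gpg are deliberately left out of the name list because legitimate GnuPG users have them too.

```python
import hashlib
import os
import tempfile

# SHA-256 values published in the write-up for the two samples.
KNOWN_HASHES = {
    "ee928c934d7e5db0f11996b17617851bf80f1e72dbe24cc6ec6058d82191174b": "JS:Downloader-COB",
    "fa54ec3c32f3fb3ea9b986e0cfd2c34f8d1992e55a317a2c15a7c4e1e8ca7bc4": "BV:Ransom-E [Trj]",
}

# File names the analysis reports in %TEMP% and as ransom artefacts (lower-case).
KNOWN_NAMES = {
    "coherence.btc", "spoolsv.btc", "lsass.btc", "null.btc", "day.btc", "tobi.btc",
    "sad.btc", "paybtc.bat", "genky.btc", "key.private", "unique.private",
    "unique.base", "ttl.pwd", "ttl.exe",
}


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_pe_file(path):
    """True when the file starts with the DOS 'MZ' magic of a Windows executable/DLL."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def scan_directory(root):
    """Return a list of findings: {"name", "path", "sha256", "reasons"} per flagged file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            reasons = []
            if lower in KNOWN_NAMES:
                reasons.append("known_artifact_name")
            # The dropper hides PE files behind a .btc extension.
            if lower.endswith(".btc") and is_pe_file(path):
                reasons.append("pe_with_btc_extension")
            digest = sha256_of(path)
            if digest in KNOWN_HASHES:
                reasons.append("known_hash:" + KNOWN_HASHES[digest])
            if reasons:
                findings.append({"name": name, "path": path, "sha256": digest, "reasons": reasons})
    return findings


def build_demo_tree():
    """Construct a throwaway directory with two artefacts and one benign file (test input only)."""
    root = tempfile.mkdtemp(prefix="btc_ioc_demo_")
    with open(os.path.join(root, "tobi.btc"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)  # fake DOS header only; not a runnable file
    with open(os.path.join(root, "KEY.PRIVATE"), "wb") as fh:
        fh.write(b"-----BEGIN PGP MESSAGE-----\n")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"benign\n")
    return root


if __name__ == "__main__":
    for finding in scan_directory(build_demo_tree()):
        print(finding["name"], finding["sha256"][:16], finding["reasons"])
```

Point `scan_directory` at `%TEMP%` and the drive roots (where the ransom notes are dropped) on a suspect host; a hash match identifies the exact samples described here, while the name and `MZ`-under-.btc checks catch repacked variants that the hashes would miss.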

Acknowledgement:

This analysis was jointly accomplished by Jaromir Horejsi and Honza Zika.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.

U.S. schools give an F to 2014-15 IT budget

AVAST Free For Education saves school IT money

AVAST Free for Education protects schools while significantly decreasing IT costs for security.

The beginning of the 2014/2015 school year is here. Parents and children are ready after a long summer break, but are schools prepared for the start of the new academic year?

AVAST surveyed more than 900 school IT professionals who participate in the AVAST Free for Education program and found that in terms of technology, schools are not as well equipped as parents expect.

  • 8 out of every 10 schools surveyed by AVAST said they do not feel they have adequate funding to keep up-to-date with technologies
  • 1 out of 5 schools still run Windows XP, and 12% of these schools said they do not intend to upgrade the unsupported operating system

Failing to upgrade to the most up-to-date software not only makes machines vulnerable to attacks, but also hinders the amount of programs that can be used by teachers and students. Keeping up with the most current technology is vital, as it has become ubiquitous in daily life, making it a valuable skill for children to have for the future. Despite technology’s important place in education,

  • 4 out of 10 school’s IT budgets are slashed for the upcoming school year
  • More than a quarter of schools have a $0 IT budget for this year

Technology in schools is not limited to instruction. Sensitive information about faculty, staff, and students is stored on administrative computers. This information needs to be protected from cybercriminals, which is difficult for schools with little to no IT budget. Schools without adequate protection put local families, faculty, and expensive hardware at risk.

AVAST Free for Education helps schools by providing them with enterprise-grade antivirus protection for free, saving school districts an average of $14,285 a year. The AVAST Free for Education program saves school IT departments money they can spend on software and hardware upgrades or use for supplies and salaries.

[image: EDU infographic, August 2014]


Online fraud – POS malware has now hit 1,000 U.S. firms

More than a thousand U.S. businesses have been affected by point-of-sale malware – malicious software written specifically for online fraud – to steal information such as credit card details from companies and their customers.

The United States Computer Emergency Readiness Team issued a statement saying that the “Backoff” malware was rife in U.S. businesses, taking over administrator accounts and removing customer data from several hundreds of companies.

POS malware was a footnote in computing history until the Target breach, but the hi-tech online fraud now appears to be a growth industry. Ars Technica points out how quickly the software has evolved during the past two years, and emphasizes the direct impact on American consumers.

ESET Malware Researcher Lysa Myers says, “Malware attacks on Point of Sale (PoS) systems are coming thick and fast right now.” Myers offers a detailed guide for businesses concerned that they may be being targeted with POS malware.

Online fraud: Shop terminals under attack

“Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the ‘Backoff’ malware,” the advisory stated. “Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes.”

The figure of 1,000 businesses comes from a Secret Service estimate, based on figures from vendors of POS software.

“Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected,” the advisory says.

Criminals target makers of software for shops

Ars refers to a recent attack in which the attackers were able to guess the password to the system and installed the Backoff program. The malware disguises itself as an innocent Java component but ‘listens’ for credit card transactions, storing them and transmitting them to criminals, according to US-CERT’s original advisory.

The US-CERT advisory advises companies, “Organizations that believe they have been impacted should contact their local Secret Service field office and may contact the NCCIC for additional information.”


The post Online fraud – POS malware has now hit 1,000 U.S. firms appeared first on We Live Security.

Google Images hacked? Searches fill with morbid image

An image of a Russian car crash has piled up in Google Images, regardless of what users search for. Time magazine searched for “puppy” and instead saw multiple images of the crash – leading to speculation that the service has been hacked. What’s less clear is why, or who might have done it.

One user says that regardless of what he searches for, he sees dozens of images of the same car crash, “Every time I search something in Google images, these creepy images are appearing. It’s apparently a crashed truck or something, but I didn’t look it up. People could say that it had something to do with what I was searching, but if I click on it, a different image appears. I have some screenshots attached.”

Google Images: ‘Creepy images appearing’

The issue is not affecting all users, but Google product forums are full of complaints about the image, which shows a fatal car crash from several years ago.

Time magazine reports that the images vary – Google’s own support forums tracked back and found the image came from a report on a Ukrainian news site. We’ve not linked to the report as it contains many more grisly images of the crash.

Time also reported that a related Reddit thread says images of basketball player and occasional actor Kevin Durant have also been reported by some users.

Hours of glitches

Jalopnik says, “In the meantime, Reddit user anvile noticed that the original photos stem from a story about a car crash in Moscow that killed three people. The driver, a 28-year-old woman, was reported to be intoxicated.”

“Weirder still, the crash occurred in November of 2012, according to this Pravda article, so it isn’t recent.”

Google has as yet not offered comment on the images, or their origin.

The post Google Images hacked? Searches fill with morbid image appeared first on We Live Security.

HP Intelligent Management Center BIMS UploadServlet Information Disclosure (CVE-2014-2618)

An information disclosure vulnerability exists in the BIMS add-in module of HP Intelligent Management Center. The vulnerability is due to lack of authentication and insufficient input validation in the UploadServlet servlet when processing HTTP request parameters. By sending crafted HTTP requests to the target system, a remote unauthenticated attacker can leverage this vulnerability to view the contents of arbitrary files on a target system.