Most Recent News from the Lab
Monday, May 21, 2012
ZeuS Ransomware Feature: win_unlock
Posted by ThreatResearch @ 11:53 GMT

Earlier today, while doing our daily data mining, we came across a new variant of ZeuS 2.x. It includes a new backdoor command called win_unlock. Very interesting: it turns out this slightly modified ZeuS 2.x includes a ransomware feature.

When this particular variant is executed, it opens Internet Explorer with a specific page (lex.creativesandboxs.com/locker/lock.php) and prevents the user from doing anything else with the infected system. The webpage that was opened presumably showed some type of extortion message, but it's currently unavailable because the site is offline.

The most straightforward way to unlock the system is simply to delete the trojan. This can be a bit tricky, since the trojan prevents the user from doing anything with the infected system; luckily, the locking itself can easily be disabled first.

Looking at the code that handles a received win_unlock command, it's clear that the unlock information is stored in the registry.

(Screenshot: ZeuS, ransom feature; the code that handles the win_unlock command.)

Unlocking can therefore be performed quite easily with a registry editor:

  1. boot the system in safe mode
  2. add a new key named syscheck under HKEY_CURRENT_USER
  3. create a new DWORD value under the syscheck key
  4. set the name of the new DWORD value to Checked
  5. set the data for the Checked value to 1
  6. reboot
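The same six steps as a script, added here as an example and not part of the original post: it checks whether the unlock value is already present, creates the key and value exactly as described above (HKEY_CURRENT_USER\syscheck, DWORD Checked = 1), and verifies the result. It assumes you run it from a PowerShell prompt in safe mode, as the current user of the locked account.

```powershell
# Added example (not from the original F-Secure post): script the registry unlock
# for this ZeuS 2.x variant. Run in safe mode, then reboot, as the post describes.
# Assumes the location stated in the post: HKCU\syscheck, DWORD value "Checked" = 1.

$KeyPath   = 'HKCU:\syscheck'
$ValueName = 'Checked'

function Get-ZeusUnlockState {
    # Return the current DWORD data, or $null if the key or value does not exist yet
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $props = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return [int]$props.$ValueName
}

function Set-ZeusUnlockValue {
    # Step 2: create the syscheck key if it is missing.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # Steps 3-5: create (or overwrite) the DWORD value "Checked" with data 1.
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-ZeusUnlockState
Write-Host "Before: $KeyPath\$ValueName = $before"

Set-ZeusUnlockValue

$after = Get-ZeusUnlockState
if ($after -eq 1) {
    Write-Host "Unlock value set. Reboot (step 6); the lock page should no longer appear."
} else {
    Write-Warning "Could not verify the value. Check it in regedit before rebooting."
}
```

Setting the value only disables the lock; the ZeuS binary is still on the system and must be removed afterwards, as the post notes.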

SHA1: 03f0c26c6ba77c05152a1e0cc8bc5657f0c83119

Analysis by — Mikko S. and Marko

Friday, May 18, 2012

 
Video: Angry Birds Space Trojan & Drive-by Android
Posted by Sean @ 14:19 GMT

On Monday, we released our Mobile Threat Report for Q1, and in that report we mention there's a growing number of mobile trojans that "deliver on their promises". What do we mean by that?

Well, in the past, mobile malware often offered something such as "free" mobile web services as bait, but then, during installation, the trojan would display some kind of decoy error message.

At that point the folks installing the trojan would typically search for answers, either because they were suspicious or because they were troubleshooting. That search would lead them to forum answers explaining that what they had installed was in fact a trojan. These days, when even non-nerds have smartphones, the bait is quite a bit different.

No decoy messages. The "bait" actually works.

Here's a video of a trojan installing a working copy of Rovio's Angry Birds Space as it compromises the phone.

Video: Trojanized Angry Birds Space.

So, nothing to troubleshoot… and how many non-nerds do you think will find getting what they were promised to be suspicious? It's quite possible that somebody could compromise their phone and they'll never come to realize it.

Android malware is definitely evolving.

Here's a short preview of something which developed during Q2: drive-by Android malware.

Video: Drive-by Android Malware.

Wednesday, May 16, 2012

 
Repost: Webinar: Making Life Difficult for Malware
Posted by Sean @ 12:59 GMT

Jarno Niemela, a Senior Researcher here at F-Secure Labs, will be taking part in a Black Hat Webcast on Thursday, May 17, 2012.

The subject is "Making Life Difficult for Malware" and will focus on system modifications that can be used to prevent malware from functioning properly in the event that your system is compromised.

https://www2.gotomeeting.com/register/332978794

More information can be found on the webinar's registration page.

Over 1,000 people have registered thus far!

Tuesday, May 15, 2012

 
Recommended Listening: Danger In The Download
Posted by Sean @ 13:01 GMT

The Documentary, a BBC World Service program (or programme), recently aired a 3-part series called Danger In The Download.

It's definitely worth a listen. All of the episodes are now available online.

The Documentary: Danger In The Download

Episode 1 — The growing threats in cyberspace from hackers and cyber weapons.
Episode 2 — Is the net's architecture and governance still fit for purpose?
Episode 3 — What governments can do to protect the Internet.

If you prefer your audio in the form of a podcast, we also recommend PRI's The World: Technology Podcast which is also offering Episode 1 for download.

Monday, May 14, 2012

 
Download: Mobile Threat Report, Q1 2012
Posted by Sean @ 15:49 GMT

It's time to publicly release our latest Mobile Threat Report, covering the 1st quarter of 2012.

Our Q4 2011 report was quite popular and this new one for Q1 is even better. More content (and pages) for your reading pleasure.

(Image: Mobile Threat Report, Q1 2012.)

(Chart: Mobile Threats Motivated by Profit Per Quarter.)

You can download it here: Mobile Threat Report, Q1 2012 [PDF]

Thursday, May 10, 2012

 
What's wrong with marketing software?
Posted by Sean @ 13:02 GMT

Yesterday, I suggested that nonymous speech is vastly superior to anonymous DDoS attacks and other forms of censorship.

Today, I offer this "anti-piracy" PSA (circa 1988) as evidence to support my thesis:

(Image: Infocom's anti-piracy PSA, "What's wrong with marketing software?")

It's stuff like this that made me happy to buy Infocom's games. They asked nicely, and made their points with tongue-in-cheek humor. I still remember this joke 24 years later. DDoS attacks? They fade from memory quickly.

Internet activists (as well as today's media industry) would do well to learn from the past.

Wednesday, May 9, 2012

 
Pirate Bay to Anonymous: Call Your Mom!
Posted by Sean @ 17:13 GMT

UK courts recently ordered Internet Service Providers to block access to The Pirate Bay. Yesterday, Virgin Media was attacked by some who claim association with the Anonymous collective.

Well, on its Facebook page, The Pirate Bay had something to say about the attack.

Seems like some random Anonymous groups have run a DDOS campaign against Virgin media and some other sites. We'd like to be clear about our view on this: We do NOT encourage these actions. We believe in the open and free internets, where anyone can express their views. Even if we strongly disagree with them and even if they hate us. So don't fight them using their ugly methods. DDOS and blocks are both forms of censorship. If you want to help; start a tracker, arrange a manifestation, join or start a pirate party, teach your friends the art of bittorrent, set up a proxy, write your political representatives, develop a new p2p protocol, print some pro piracy posters and decorate your town with, support our promo bay artists or just be a nice person and give your mom a call to tell her you love her.

TPB: We believe in the open and free internets, where anyone can express their views. Even if we strongly disagree with them and even if they hate us.

My take: Love thy enemy.

TPB: So don't fight them using their ugly methods. DDOS and blocks are both forms of censorship.

My take: Two wrongs don't make a right.

TPB: If you want to help; start a tracker, arrange a manifestation, join or start a pirate party, teach your friends the art of bittorrent, set up a proxy, write your political representatives, develop a new p2p protocol…

My take: Don't be destructive. Better to be "subversive".

TPB: …print some pro piracy posters and decorate your town with, support our promo bay artists or just be a nice person and give your mom a call to tell her you love her.

My take: Call your mother. She worries about you.

Now some Anons out there may push back at The Pirate Bay's claim that DDoS equals censorship. There are numerous Anons that have claimed DDoS attacks are a form of digital protest similar to a sit-in. But consider this: a sit-in is a form of trespass, and trespass and preventing access to others is a crime.

A crime for which the world's greatest human rights leaders have been arrested. But that's the whole point. Civil disobedience is about non-violent resistance — breaking the rules and yet showing respect to the framework in order to change the rules. DDoS is not a non-violent protest. And the attempted lack of accountability is not respecting your fellow members of society.

Anon protip: there's a very good reason why Letter from Birmingham Jail by Martin Luther King, Jr. is (and always will be) infinitely more powerful than would be "YouTube video by Anon-MLK #OpBirmingham".

Kudos to the Pirate Bay crew for so clearly understanding this truth.

Regards,
Sean