Scareware in the form of Rogue AntiVirus software, such as XpAntiVirus2009, has long been a way to monetize infected computers. Previously, the Rogue AVs would present you with screens that listed malware you didn't have, and for a nominal fee, you could buy the full version and clean the "infections".
Over the past couple of days, Vundo has been pushing a piece of malware that encrypts various personal file types (.pdf, .doc, .jpg, etc.) on your system and, "coincidentally", pushes a program called FileFix Pro 2009 which would decrypt them - for a fee. Although we (Julia) broke the encryption, it's a sobering realization of the state of malware that it is now actively extorting users by holding their data ransom. Despite this version of FileFix being trivial to crack, it does not bode well for the future of Internet malware.
Vundo has fundamentally altered its criminal business model from "Scareware" tactics to "Ransomware" extortion. While a user may be "silly" to buy into scareware, they have little choice but to purchase the decryption software once the ransomware does its thing.
Julia wrote a Perl script to decrypt your files that is available here under a your gun, your foot GPL license. She'll be writing up more of the technical details in the next day or two. In the meantime, I've wrapped a web interface around the Perl script so you can retrieve your "corrupted" data. It's available at https://filefix.fireeye.com. In the coming days we'll be releasing a tool you can download that will decrypt all the affected files on your system.
Vundo is a generic Trojan that is well known for pushing scareware popups for things like XpAntiVirus and WinFixer. In this case it was pushing a popup that ended up being a Trojan which encrypted all the documents (rendering them unreadable) on your system. We've also heard from Steve Grossman, an analyst at Northeastern University, who mentions that he's seen the malware distributed using a fake .mp3 file on LimeWire. The variant most have seen creates a .dll file on the system called fpfstb.dll which does all the malicious actions.
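The first thing an incident responder needs after an infection like this is an inventory of which documents were actually touched, before any decryptor is run. The following Python script is an added example written for this post; it is not FireEye's web tool, not Julia's Perl decryptor, and it does not decrypt anything. It walks a directory and flags files of the types named above (.pdf, .doc, .jpg; .docx is an assumed addition) whose leading bytes no longer match the format's standard signature, which is what a file looks like once its contents have been overwritten with ciphertext. It also flags files carrying an ".encrypt" suffix, which a commenter reports seeing on a later variant; that suffix is taken as an assumption, not from the sample analysed here. The sample files it scans are constructed inside the script, so it runs offline with no malware present.

```python
"""Triage helper: list document files that may have been encrypted by
ransomware of the FileFix kind. Added example; it only classifies files
and never modifies them."""
import os
import tempfile
from pathlib import Path

# Standard file signatures (magic bytes) for the types the post names.
# .docx is an assumed addition; it is an ordinary ZIP container.
SIGNATURES = {
    ".pdf": [b"%PDF"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".doc": [b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"],  # OLE2 compound document
    ".docx": [b"PK\x03\x04"],
}
RANSOM_SUFFIX = ".encrypt"  # assumed, as reported by a commenter on this post
HEADER_LEN = 4096           # bytes read per file; enough for any signature


def classify(name: str, header: bytes) -> str:
    """Verdict for one file given its name and leading bytes:
    'ransom-suffix'   - carries the assumed ransomware extension
    'magic-mismatch'  - tracked type whose signature is gone (likely ciphertext)
    'ok'              - tracked type with an intact signature
    'untracked-type'  - not a type this script knows how to check
    """
    lower = name.lower()
    if lower.endswith(RANSOM_SUFFIX):
        return "ransom-suffix"
    ext = Path(lower).suffix
    if ext not in SIGNATURES:
        return "untracked-type"
    if any(header.startswith(sig) for sig in SIGNATURES[ext]):
        return "ok"
    return "magic-mismatch"


def scan_tree(root: str) -> dict:
    """Walk root and return {relative path: verdict} for every regular file."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = Path(dirpath) / fname
            try:
                with open(full, "rb") as fh:
                    header = fh.read(HEADER_LEN)
            except OSError:
                continue  # unreadable file; skip rather than abort the sweep
            results[str(full.relative_to(root))] = classify(fname, header)
    return results


def demo() -> dict:
    """Build a constructed sample tree and scan it (no real malware involved)."""
    garbage = bytes(range(256)) * 2  # stand-in for ciphertext; matches no signature
    samples = {
        "report.pdf": b"%PDF-1.4\n%...intact document...",
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,
        "notes.doc": garbage,                  # contents overwritten in place
        "thesis.pdf.encrypt": garbage,         # renamed by the assumed variant
        "crypt.txt": b"All your files are encrypted.\n",  # the ransom note
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            (Path(root) / name).write_bytes(data)
        return scan_tree(root)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:15} {path}")
```

Run it against a user's profile directory and sort the output by verdict: the "magic-mismatch" and "ransom-suffix" entries are the working set for whatever decryptor you end up using, and a stray "untracked-type" file named crypt.txt is worth reading before you delete it, since the ransom note can carry the per-victim serial the decryptor needs.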
Below you can see the webpage for the "fix", FileFixPro.com... which they clearly did not QA on Firefox 3 under Linux.
It looks professional enough, but interestingly is using server-side polymorphism (or perhaps a ton of binaries) to give me a different executable every time I download it. I assume this is to aggravate AntiVirus detection, which appears to be working as the samples I fetched are currently 0/39 on VirusTotal. Yikes.
Upon downloading you'll see screenshots like this (credit: filefixpro.com)
A whois on the IP of FileFixPro.com shows that it's hosted at ThePlanet, and you could have knocked me over with a feather when I found out its IP was registered to an organization out of the Ukraine.
network:Organization-Name:bNetworks
network:Organization-City:Kharkiv
network:Organization-State:NA
network:Organization-Zip:NA
network:Organization-Country:UKR
The level of egregiousness of the folks at FileFixerPro has me completely floored. I didn't think this day would be upon us so soon.
External links discussing the threat:
Also, a very special thanks to the folks at Bleeping Computer, as well as Andrew Kahn and Max Turkewitz from Northeastern, for providing us with infected files to help test our tool.
Alex Lanstein @ FireEye Malware Intelligence Lab
Questions/Comments to research [@] fireeye [.] com
I use the software on Malzilla by Bobby and Julia Wolf.
Bless you guys all, this saved years of research on a hard drive.
My corporate IT people removed the malware but told me my files were lost.
I have always suggested the creation of the "Justice League of the Internet", and you guys belong in it!
Thank you very much,
The Good Doctor.
Posted by: F | 2009.04.06 at 10:54 AM
Here is copy of "Ransom" Note left behind entitled "crypt":
All your files are encrypted.
If you wish to decode files, buy the decoder.
Cost of the decoder of 300 dollars.
How to buy?
You can only send money via: Western Union or Bank Transfer.
Select the method you pay and write to us. We will send you payment details.
After payment please send to rc4help@yahoo.com details of your payment and file crypted.txt.
On the day of receipt of your payment, we will send you a decoder.
Do not try to threaten or offend us, we do not take your money, stop responding to your letter
and you will forever lose your files and important documents.
Other contact
www.cryptoraes512.ueuo.com
ICQ: 428789213
E-mail:
help01@timor.cc
help01@amman.cc
ruhelp01@mail.ru
ruhelp01@yandex.ru
enghelp01@googlemail.com
allenghelp01@yahoo.co.uk
Mail to rc4help@yahoo.com only after payment.
Do not delete or change this file!!!
S/N: L f ¤ ™Ö>Äzž²ùQŸ…™’‘ôêÕ@÷yq– ž0¦¬Šk™ô‹3(Šúðñ
Yà™–1Mo¸”ùÑI„œ°—Ú;¥ôE ¸Û¡†.’ 43ò_é~¯$|¼ 6â!õíg5¡Žá%sˆ¾aý.*•äÏ8m|Öžú°O<ø@1?{ÜŒ½ít÷B
Cannot get rid of the WinCodecPRO pop-ups yet, have run McAfee, SuperAntiSpyware, Malwarebytes' Anti-Malware, SDFix, SMITFix, even Microsoft's OnLine Safety Scan, etc. most several times. Tried Julia's, Bobby's and Al's(?) decrypter programs and none worked on these files. They have an added extension: ".encrypt". Can send samples of files if needed. Also appears to have disabled or removed Task Manager as it no longer comes up using run command, CTRL, ALT, DEL, etc.
Posted by: Jim Nixon | 2009.03.30 at 03:55 PM
Hey Greg, if it's just Vundo you are talking about malwarebytes (http://malwarebytes.org/) can remove it. As for repairing files which have been taken by the 'ransomware' the article provides .exe's for stripping off the encryption. Best of luck!
Posted by: Kyle | 2009.03.28 at 06:35 PM
My daughter caught the virus and appears to be of Russian origin and has encrypted all the files jpeg, doc, etc. Comes up with a WinCodecPro screen. They want $300 to send the decoder - mail to rc4help@yahoo.com. Left a Notepad ransom note/threat. Printed but deleted it. Do you have the tool yet to decrypt the files?? Any help would be tremendously appreciated. Thanks.
Posted by: Jim Nixon | 2009.03.28 at 08:10 AM
THANKS... FIRE EYE... YOU SAVED MY LIFE... THANK YOU VERY MUCH
Posted by: RENE CASAL | 2009.03.27 at 03:16 PM
How do I actually remove the virus. I haven't tried to open any data files, since I noticed I got hit. It looks like the virus you are talking about (popups to buy antivirus2009 or something similar) I have run mcafee and hijackthis, but no luck. I have removed and deleted files manually, but they come back to haunt me.
Posted by: Gregory Coats | 2009.03.26 at 01:51 PM
This is not really a new method, I read about this method a long time ago, even before the fake spyware programs were out.
Posted by: Luka | 2009.03.25 at 03:54 PM
Bobby (Malzilla's author) was kind enough to provide a standalone exe as well, for fixing/decrypting filefix:
http://malzilla.org/anti_filefix/anti_filefix.exe
Or:
http://www.malzilla.org/anti_filefix/anti_filefix.exe
Posted by: sowhat-x | 2009.03.21 at 08:50 PM
Hello,
I just wanted to say thanks for taking the time to create a fix for the corrupted files created by FileFix. Really appreciate your efforts.
Doug
Posted by: Doug R | 2009.03.20 at 01:28 PM