August 2010 Threat Report: Total Ransom

By Derek Manky | August 31, 2010

FortiGuard Labs’ August 2010 Threat Report has been posted. Below you will find an activity recap.

In March 2010, we saw some elevated activity for ransomware: malware which locks out applications and data on a user's PC and demands a ransom before restoring access. TotalSecurity was one such ransomware variant circulating then, and it has been quite prevalent again this report. This infection has been in business for at least eight months and appears to be still going strong. Our #1 malware detection this report was a TotalSecurity loader (W32/FakeAlert.LU), which was most active on August 8. Once executed, this "product" will gain control of the infected machine and lock out applications. When a user tries to launch any application (except for a web browser), a dialog box will pop up informing the user that the particular application they are trying to launch is infected and cannot execute. Of course, this is the whole ploy - the user is allowed to open the product page (through HTTP), where they may purchase a cleaning solution to reverse the TotalSecurity ransomware infection.

The developers of this ransomware are indeed hard at work creating code to keep their business alive. One indicator we observed this report was that the ransomware application had gone server-side polymorphic. This technique is typically seen with botnets (such as Waledac), and has now been picked up by the developers of TotalSecurity. Initial infections typically start with an e-mail that has an attachment. As you can see from our highlighted spam e-mails, the templates and social engineering techniques are quite different, yet they carry the same ransomware loader. Once the loader is executed, it will connect to a server to download the ransomware product. This is where server-side polymorphism kicks in: the loader connects to the same server and requests the same file, yet downloads different code, because the code served changes on an hourly basis. The ransomware product and its function stay the same, while the code changes in an effort to avoid detection. This is an example of why relying purely on antivirus is not a silver-bullet approach to protecting systems from infection - since it is the same website / URI every time, web content filtering can also assist in identifying the malicious site's intent, while antispam can help flag the infectious e-mails in the first place.
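The observation above (same URI, different code on every fetch) suggests a simple defender-side check that does not depend on a signature: watch a proxy or sandbox download log and flag URLs whose served payload hash keeps changing within a short window. The script below is an added example, not FortiGuard code; it runs over constructed proxy-log records of the form `timestamp url sha256`, with hostnames, paths and digests that are all placeholders, and a 24-hour window and a threshold of three distinct hashes chosen here as assumptions for illustration.

```python
"""Flag URLs whose served payload keeps changing (server-side polymorphism).

Added example. Input records are (timestamp, url, sha256) lines such as a
download proxy or sandbox would log. A static file keeps a single hash across
fetches; a server-side polymorphic loader download yields a new hash on almost
every request from the same URI.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (placeholder hosts and shortened digests):
#  - loader.example.test serves a different payload roughly every hour
#  - cdn.example.test serves one unchanged static file
#  - vendor.example.test changes once, two days apart (a normal update)
SAMPLE_LOG = """\
2010-08-08T09:05:00 http://loader.example.test/update/product.bin aaaa0001
2010-08-08T10:12:00 http://loader.example.test/update/product.bin aaaa0002
2010-08-08T11:40:00 http://loader.example.test/update/product.bin aaaa0003
2010-08-08T13:02:00 http://loader.example.test/update/product.bin aaaa0004
2010-08-08T09:30:00 http://cdn.example.test/static/jquery.js bbbb0001
2010-08-08T12:30:00 http://cdn.example.test/static/jquery.js bbbb0001
2010-08-09T08:15:00 http://cdn.example.test/static/jquery.js bbbb0001
2010-08-08T09:00:00 http://vendor.example.test/dl/tool.exe cccc0001
2010-08-10T09:00:00 http://vendor.example.test/dl/tool.exe cccc0002
"""


def parse_log(text):
    """Parse 'timestamp url digest' lines into (datetime, url, digest) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, url, digest = line.split()
        records.append((datetime.fromisoformat(ts), url, digest))
    return records


def max_distinct_hashes(entries, window):
    """Largest number of distinct digests seen for one URL inside any window.

    entries: list of (datetime, digest) for a single URL.
    """
    entries = sorted(entries)
    best = 0
    for i, (start, _) in enumerate(entries):
        seen = {d for t, d in entries[i:] if t - start <= window}
        best = max(best, len(seen))
    return best


def polymorphic_urls(records, window_hours=24, min_distinct=3):
    """Return {url: distinct_hash_count} for URLs whose content churns.

    A URL is flagged when at least `min_distinct` different payload hashes were
    served for it within `window_hours`. Thresholds are illustrative assumptions.
    """
    by_url = defaultdict(list)
    for ts, url, digest in records:
        by_url[url].append((ts, digest))
    window = timedelta(hours=window_hours)
    flagged = {}
    for url, entries in by_url.items():
        n = max_distinct_hashes(entries, window)
        if n >= min_distinct:
            flagged[url] = n
    return flagged


if __name__ == "__main__":
    for url, n in polymorphic_urls(parse_log(SAMPLE_LOG)).items():
        print(f"{n} distinct payloads within 24h from the same URI: {url}")
```

Only the loader URL is flagged: the CDN file never changes, and the vendor tool changes once but outside the window, so a legitimate software update does not trip the check. The point is the one the report makes: the URI is the stable indicator here, so a URL-level control (web filtering, or a block on URLs flagged this way) holds when a hash-based signature would have to be re-issued every hour.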

The other notable infection floating around this month was ZBot, a do-it-yourself botnet kit that likely needs no introduction due to its high profile nature. Most of the ZBot variants we detect are different in nature, since they can each be configured to run their own botnets and target any information they desire. As an example this month, ZBot variants were noted to target US Military personnel. For more information on Zeus/ZBot, see our descriptive write-up here. Since it's such a popular underground product, Zeus/ZBot continues to be developed in new versions with new features for future malicious use.

As previously mentioned, two of our highlighted spam campaigns were linked to malware prevalent in our top 10 listings. Two e-mails seen this report claim to have document attachments. In fact, they are zip archives with executables inside - clicking either one will lead to ransomware infection. A third infectious e-mail dug up a news headline over a year old about the Air France 447 crash that claimed hundreds of lives off the coast of Brazil. The e-mail claimed to have new photos of this crash - again, an attached zip file with an executable inside. These properties should be immediate red flags to any user when opening such e-mails.
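The pattern described in these campaigns (an attachment that claims to be a document or photo but is a zip holding an executable) is easy to check for at a mail gateway before a user ever sees it. The script below is an added example, not part of the report or FortiGuard's tooling; it builds a constructed sample archive in memory (placeholder file names, a two-byte "MZ" stub rather than any real program) and inspects each member by extension, by double extension, and by file header, so a renamed executable is caught even when its name looks like a document.

```python
"""Inspect a zip e-mail attachment for executables disguised as documents.

Added example. Three independent checks per archive member:
  1. an executable file extension (.exe, .scr, ...)
  2. a document-looking extension immediately before it ("photo.jpg.exe")
  3. an MZ (Windows PE) header regardless of name ("invoice.doc" that is really a PE)
Only the first two bytes of each member are read, so a large or padded member
cannot force the scanner to inflate it fully.
"""
import io
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".pdf", ".xls", ".jpg", ".jpeg", ".txt"}


def build_sample_attachment():
    """Constructed sample: what the 'new crash photos' style lure looks like on disk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder names; the MZ stub is not a real executable.
        zf.writestr("Photos_AF447.jpg.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("invoice.doc", b"MZ" + b"\x00" * 62)  # PE with a document name
        zf.writestr("readme.txt", b"open the attached photos")
    return buf.getvalue()


def build_clean_attachment():
    """Constructed benign archive for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"meeting notes")
    return buf.getvalue()


def inspect_zip_attachment(data):
    """Return a list of (finding, member_name) pairs; empty means nothing suspicious."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("not-a-zip", "")]
    for info in zf.infolist():
        name = info.filename
        parts = name.lower().rsplit("/", 1)[-1].split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(("executable-extension", name))
            if len(parts) > 2 and "." + parts[-2] in DOCUMENT_EXTENSIONS:
                findings.append(("double-extension", name))
        with zf.open(info) as member:
            head = member.read(2)  # bounded read: header bytes only
        if head == b"MZ":
            findings.append(("mz-header", name))
    return findings


def is_suspicious(data):
    """Gateway-style verdict: any finding means hold the message for review."""
    return bool(inspect_zip_attachment(data))


if __name__ == "__main__":
    for finding, member in inspect_zip_attachment(build_sample_attachment()):
        print(f"{finding}: {member}")
    print("clean archive suspicious:", is_suspicious(build_clean_attachment()))
```

The header check is what matters most: the report's lures rely on users trusting the name they see, and a name-only rule is defeated by the "invoice.doc" case, whereas the MZ check flags it regardless of what it is called.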

The attacks on the recent Windows Help Center vulnerability continued, propelling this threat to pole position in our top 10 attack list. The attack (CVE-2010-1885) is detected by FortiGuard Labs as 'MS.Windows.Help.Center.Protocol.Malformed.Escape.Sequence'. There was an exceptionally large spike in activity on this vulnerability on August 8th and 9th. As mentioned last report, exploitation of this attack can be rather potent since the vulnerability is not web browser specific.