Posts Categorized: Smart Malware Tricks


Managed ‘Russian ransomware’ as a service spotted in the wild

by

By Dancho Danchev In 2013, you no longer need to posses sophisticated programming skills to manage a ransomware botnet, potentially tricking tens of thousands of gullible users, per day, into initiating a micro-payment to pay the ransom for having their PC locked down. You’ve got managed ransomware services doing it for you. In this post I’ll profile a recently spotted underground market proposition detailing the success story of a ransomware botnet master that’s been in business for over 4 years, claiming to be earning over five hundred thousands rubles per month. More details:

Continue Reading »

Malicious DIY Java applet distribution platforms going mainstream

by

Despite the fact that on the majority of occasions cybercriminals tend to rely on efficient and automated exploitation techniques like the ones utilized by the market leading Black Hole Exploit Kit, they are no strangers to good old fashioned ‘visual social engineering’ tricks. Throughout 2012, we emphasized on the emerging trend of using malicious DIY Java applet distribution tools for use in targeted attacks, or widespread campaigns. Is this still an emerging trend? Let’s find out. In this post, I’ll profile one of the most recently released DIY Java applet distribution platforms, both version 1.0 and version 2.0. More details:

Continue Reading »

Webroot’s Threat Blog Most Popular Posts for 2012

by

It’s that time of the year! The moment when we look back, and reflect on Webroot’s Threat Blog most popular content for 2012. Which are this year’s most popular posts? What distinguished them from the rest of the analyses published on a daily basis, throughout the entire year? Let’s find out.

Continue Reading »

Cybercriminals release stealthy DIY mass iFrame injecting Apache 2 modules

by

What would an attacker do if they were attempting to inject malicious iFrames on as many Web sites as possible? Would they rely on search engines’ reconnaissance as a foundation fo their efficient exploitation process, data mine a botnet’s infected population for accounting data related to CPanel, FTP and SSH accounts, purchase access to botnet logs, unethically pen-test a Web property’s infrastructure, or hit the jackpot with an ingenious idea that’s been trending as of recently within the cybercrime ecosystem? No, they wouldn’t rely on any of these. They would just seek access to servers hosting as many domains as possible and efficiently […]

Continue Reading »

Managed Ransomware-as-a-Service spotted in the wild

by

Over the past several quarters, we’ve witnessed the rise of the so called Police Ransomware also known as Reveton. From fully working host lock down tactics, to localization in multiple languages and impersonation of multiple international law enforcement agencies, its authors proved that they have the means and the motivation to continue developing the practice, while earning tens of thousands of fraudulently obtained funds. What’s driving the growth of Police Ransomware? What’s the current state of this market segment? Just how easy is it to start distributing Police Ransomware and earn fraudulently obtained funds in between? In this post, I’ll […]

Continue Reading »

Trojan Downloaders actively utilizing Dropbox for malware distribution

by

By Curtis Fechner It’s never surprising to see the multitude of tactics a cybercriminal will use to deliver malware. In this case, I came across a collection of files masquerading as RealNetworks updater executables. These files were all located in a user’s %AppData%realupdate_ob directory, and the sizes were all quite consistent. At first glance there was nothing too special about this finding – malware appearing to be legitimate software is nothing new. When I looked into the specific behaviors of the file, it became clearer that the software is in fact malicious, and that it is actually downloading malicious files […]

Continue Reading »

Researchers intercept malvertising campaign using Yahoo’s ad network

by

Security researchers from StopMalvertising.com have intercepted a malvertising campaign using Yahoo’s ad network, that ultimately leads to a malicious payload in the form of fake security software known as scareware. More details:

Continue Reading »

TDL3 and ZeroAccess: More of the Same?

by

By Marco Giuliani In our previous technical analysis of the ZeroAccess rootkit, we highlighted how it acts as a framework by infecting the machine — setting up its own private space in the disk, first through a dedicated file system on the disk, and more recently by using a hidden and locked directory. This is where the rootkit stores the modules it downloads from the command and control servers. Until now, the plugins we’ve monitored have been ad-clickers and search engine hijackers. We have also noted how the ZeroAccess rootkit acts very similar to the TDL3 rootkit, either by infecting […]

Continue Reading »

ZeroAccess Gets Another Update

by

By Marco Giuliani Among the most infamous kernel mode rootkits in the wild, most of them have had a slowdown in their development cycle – TDL rootkit, MBR rootkit, Rustock are just some examples. The same doesn’t apply for the ZeroAccess rootkit. The team behind it is working quite hard, which we know for a fact because I’ve seen it. We already talked about this rootkit and its evolutions in several blog posts, along with a white paper that documents more in depth all the technical features of the malware. The last major update released by the team behind ZeroAccess […]

Continue Reading »