Viruses and Worms

Sophos waters down 'NHS is totally protected' by us boast

The Register - Anti-Virus - 15 May 2017 - 15:34
Watered down homeopathy for computers is more powerful, m'kay?

Updated  Sophos updated its website over the weekend to water down claims that it was protecting the NHS from cyber-attacks following last week's catastrophic WannaCrypt outbreak.…

Category: Viruses and Worms

Who’s targeting you on Facebook? A browser extension wants your data

Sophos Naked Security - 15 May 2017 - 13:46
But hang on - what happens to the data the campaign collects via its Chrome extension to learn more about election ads on Facebook? We asked the founders

Modern security software is not necessarily powerless against threats like WannaCry

Virus Bulletin News - 15 May 2017 - 11:57
The WannaCry ransomware has affected many organisations around the world, making it probably the worst and most damaging of its kind. But modern security is not necessarily powerless against such threats.

Read more
Category: Viruses and Worms

Ransomware scum have already unleashed kill-switch-free WannaCrypt variant

The Register - Anti-Virus - 15 May 2017 - 11:42
Researchers warn over new Uiwix strain

Miscreants have launched a ransomware worm variant that abuses the same vulnerability as the infamous WannaCrypt malware.…

Category: Viruses and Worms

Monday review – the hot 23 stories of the week

Sophos Naked Security - 15 May 2017 - 11:29
From the Wanna Decrypter attack and the artist forced to unlock his phone to the Google Play apps 'saying' they don't collect your data, and more!

Ztorg: money for infecting your smartphone

Kaspersky Securelist - 15 May 2017 - 10:57

This research started when we discovered an infected Pokémon GO guide in Google Play. It was there for several weeks and was downloaded more than 500,000 times. We detected the malware as After some searching, I found some other similar infected apps that were being distributed from the Google Play Store. The first of them, called Privacy Lock, was uploaded to Google Play on 15 December 2016. It was one of the most popular Ztorg modifications, with more than 1 million installations.

After I started tracking these infected apps, two things struck me – how rapidly they became popular and the comments in the user review sections.


These infected apps quickly became very popular, gaining thousands of new users each day!

For example, com.fluent.led.compass had 10,000–50,000 installations the day I found and reported it to Google.

However, it still wasn’t deleted from Google Play the next day and the number of installations increased tenfold to 100,000–500,000. It means there were at least 50,000 new infected users in the space of just one day.


There were lots of comments saying that people downloaded these apps for credits/coins/etc.

In some of these comments the users mentioned other apps – Appcoins, Advertapp, etc.

That’s where this latest research work started.

Advertising Apps that pay users

The app mentioned most in the comments was Appcoins, so I installed it. After that, the app prompted me to install some other apps, including one that was malicious, for $0.05.

To be honest, I was surprised that only one was malicious – all the other apps were clean.

The funny thing is that they check for root rights on the device and don’t pay those that have them. And the first thing that Ztorg did on the device after infection started was to get superuser rights.

I contacted the Appcoins developers to try and find out where this malicious advertising offer came from, but they deleted the offer and answered me by saying there was no malware and that they had done nothing wrong.

Then I analyzed the apps installed by infected users and made a list of the most popular ones that paid users to install software:



And of course they offered malware too:

All these offered users 0.04-0.05 USD for installing an app infected with Ztorg from Google Play.


So I decided to take a closer look at these offers and the dumped traffic for these apps.

A typical session in which an advertising app turned into a malicious one was as follows:

  1. App receives offers, including malicious ones, from its server (for example, moneyrewardfun[.]com). Malicious offers are sent from well-known ad services (usually and

  2. After a few redirections from ad service domains (in one case there were 27 redirections) the app goes to or These URLs are related to the ads too.

  3. Then it redirects to

  4. And the final URL that leads to the Google Play Store was

All the offers that I was able to dump had and is a well-known “business intelligence platform”; the URLs that are used in malicious campaigns look like this:

By analyzing these URLs we can identify infected apps on Google Play.

Malicious server

URLs from look like this:|1002009&install_callback=

This URL structure (offer_id=..&aff_id=..&campaign=..) belongs to the OffersLook tracking system. It carries several interesting fields, such as the offer id and the affiliate id, but it turns out that the cybercriminals use different values for them, which makes these parameters useless for tracking. The exception is install_callback: this parameter contains the name of the ad service.

While searching for I was able to find some APK files that contained this URL. All of those files are detected by Kaspersky Lab products as Ztorg malware. The interesting thing was that used the IP The same IP was used by, which was mentioned in CheckPoint’s gooligan report. A few weeks after that report was made public, (which wasn’t mentioned in the report) was moved to a new IP –

Ad modules

Luckily I was able to find not only in the APK files but also in network traffic from clean apps. All these apps had an advertising module – Batmobi or Mobvista in most cases. Network traffic from these ad modules looked similar to the network traffic from the apps that paid users to install promoted apps.

Here is an example of an app with a Batmobi ad module. The module received a JSON file with offers from their server

The user sees a list of advertised apps:

After the user clicks on the ads, they are redirected to the Google Play Store.

In this case, the redirects look like this: ->> -> -> -> ->

After analyzing ad campaigns containing, I was able to find almost 100 infected apps being promoted on Google Play.

The other interesting aspect of these campaigns was that their URLs contained the install_callback parameter that I mentioned earlier. Turns out the cybercriminals only used four ad networks.

Ad sources callbacks

  • Yeahmobi ( – 41%
  • Mobvista ( – 34%
  • Avazu ( – 18%
  • Supersonicads ( – 7%

However, this doesn’t mean that malware was only being distributed through these four networks. These ad networks are selling their ads to a wide range of advertising companies. In my research, I saw some malicious ads coming from other advertising networks like DuAd or Batmobi, but after a few redirects these ads were always pointing to one of the four advertising networks listed above.

Furthermore, I tracked several malicious ad campaigns that looked like this:

Batmobi -> Yeahmobi-> SupersonicAds

which means that these networks also redistribute ads to each other.

I wasn’t able to find any other ad networks in the install_callback parameter until the end of March 2017.
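The two analysis steps described above, walking each redirect chain to the Play Store package it promotes and reading the ad network out of the install_callback parameter, can be automated. The script below is an added example and is not code from the Securelist research; every hostname, package name and parameter value in it is a constructed placeholder, and only the OffersLook-style parameter names (offer_id, aff_id, campaign, install_callback) and the rule that install_callback names the ad service come from the article.

```python
"""Triage of advertising redirect chains that end on Google Play (added example)."""
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample: each chain is the ordered list of URLs an offer app
# followed before landing on the Play Store page of the promoted app.
SAMPLE_CHAINS = [
    [
        "http://offers.reward-app.test/click?id=1",
        "http://tracker.adsvc-a.test/aff_c?offer_id=1002009&aff_id=17&campaign=c1"
        "&install_callback=http://cb.network-one.test/install",
        "https://play.google.com/store/apps/details?id=com.example.promoted.alpha",
    ],
    [
        "http://offers.reward-app.test/click?id=2",
        "http://r1.adsvc-b.test/go?x=1",
        "http://tracker.adsvc-a.test/aff_c?offer_id=1002009&aff_id=42&campaign=c2"
        "&install_callback=http://cb.network-one.test/install",
        "https://play.google.com/store/apps/details?id=com.example.promoted.beta",
    ],
    [
        "http://offers.reward-app.test/click?id=3",
        "http://tracker.adsvc-c.test/aff_c?offer_id=77&aff_id=9&campaign=c3"
        "&install_callback=http://cb.network-two.test/postback",
        "https://play.google.com/store/apps/details?id=com.example.promoted.gamma",
    ],
    [   # a clean offer: no tracking parameters anywhere in the chain
        "http://offers.reward-app.test/click?id=4",
        "https://play.google.com/store/apps/details?id=com.example.clean.app",
    ],
]

TRACKING_KEYS = ("offer_id", "aff_id", "campaign", "install_callback")


def tracking_params(url):
    """Return the OffersLook-style parameters if the URL carries all of them."""
    query = parse_qs(urlparse(url).query)
    if not all(k in query for k in TRACKING_KEYS):
        return None
    return {k: query[k][0] for k in TRACKING_KEYS}


def callback_network(install_callback):
    """The ad service is identified by the hostname of its install callback."""
    return urlparse(install_callback).hostname


def play_package(url):
    """Package id from a Play Store details URL, or None for any other URL."""
    parts = urlparse(url)
    if parts.hostname == "play.google.com" and parts.path == "/store/apps/details":
        return parse_qs(parts.query).get("id", [None])[0]
    return None


def triage_chain(chain):
    """Summarise one chain: hop count, tracking parameters, promoted package."""
    params = next((p for p in map(tracking_params, chain) if p), None)
    return {"hops": len(chain) - 1, "params": params, "package": play_package(chain[-1])}


def promoted_via_tracker(chains):
    """Packages reached through a chain that carried the tracking parameters.
    These are the candidates to pull from Google Play for further analysis."""
    return sorted(t["package"] for t in map(triage_chain, chains)
                  if t["params"] and t["package"])


def callback_shares(chains):
    """Share of tracked offers per ad network, as a whole-number percentage."""
    counts = Counter()
    for t in map(triage_chain, chains):
        if t["params"]:
            counts[callback_network(t["params"]["install_callback"])] += 1
    total = sum(counts.values())
    return {net: round(100 * n / total) for net, n in counts.items()}


if __name__ == "__main__":
    print(promoted_via_tracker(SAMPLE_CHAINS))
    print(callback_shares(SAMPLE_CHAINS))
```

Run against captured traffic, the output of callback_shares is the same kind of breakdown as the ad-source table above, and promoted_via_tracker gives the package list to check on Google Play.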

Other sources

During my research I found some infected apps that were not promoted by these advertising networks. When I looked at their detection paths I found that there were several patterns to them. Most of the paths where these apps were detected (except the installation path /data/app) were as follows:

I analyzed the apps using these paths and discovered that all of them are already detected by Kaspersky Lab products as adware or malware. However, the apps downloaded to these folders are not all malicious – most of them are clean.

Folder’s name | Type | Detection %*
DownloadProvider | Malware | 81%
TF47HV2VFKD9 | Malware | 56%
snowfoxcr | AdWare | 51%
nativedroid | Malware | 48%
.walkfree | AdWare | 33%
ceroa | AdWare | 20%
sysAndroid | Malware | 16%
.googleplay_download | Malware | 15%

* Malicious apps that were downloaded to a specific folder as a percentage of all apps in that folder.
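The statistic in the table (malicious apps in a folder as a share of everything seen in that folder, with the /data/app install path left out) is simple to derive from per-device detection records. The script below is an added example, not code from the research; the detection records are constructed, and only the folder names and the definition of the statistic come from the article.

```python
"""Per-folder detection rate from on-device detection paths (added example)."""
from collections import defaultdict
import posixpath

# Constructed records: (path where the APK was found, verdict). "clean" means
# no detection; anything else is the detection family.
SAMPLE_RECORDS = [
    ("/data/app/com.example.one-1/base.apk", "Backdoor.AndroidOS.Ztorg.a"),  # install path, excluded
    ("/data/app/com.example.two-1/base.apk", "clean"),
    ("/storage/emulated/0/DownloadProvider/u1.apk", "Trojan-Downloader.AndroidOS.Rootnik.g"),
    ("/storage/emulated/0/DownloadProvider/u2.apk", "Backdoor.AndroidOS.Ztorg.a"),
    ("/storage/emulated/0/DownloadProvider/u3.apk", "Backdoor.AndroidOS.Ztorg.a"),
    ("/storage/emulated/0/DownloadProvider/u4.apk", "clean"),
    ("/storage/emulated/0/.walkfree/w1.apk", "AdWare.AndroidOS.Example.a"),
    ("/storage/emulated/0/.walkfree/w2.apk", "clean"),
    ("/storage/emulated/0/.walkfree/w3.apk", "clean"),
    ("/sdcard/.googleplay_download/g1.apk", "Backdoor.AndroidOS.Ztorg.c"),
    ("/sdcard/.googleplay_download/g2.apk", "clean"),
]

INSTALL_PATH = "/data/app"


def folder_of(path):
    """Name of the directory the APK sat in (last component before the file)."""
    return posixpath.basename(posixpath.dirname(path))


def is_install_path(path):
    """Apps under /data/app are installed, not downloaded, so they are skipped."""
    return path.startswith(INSTALL_PATH + "/")


def folder_stats(records):
    """{folder: {"total", "detected", "type", "pct"}}, excluding /data/app.

    "type" is AdWare when every detection in the folder is adware, else Malware."""
    totals = defaultdict(int)
    detections = defaultdict(list)
    for path, verdict in records:
        if is_install_path(path):
            continue
        folder = folder_of(path)
        totals[folder] += 1
        if verdict != "clean":
            detections[folder].append(verdict)
    stats = {}
    for folder, total in totals.items():
        hits = detections[folder]
        kind = "AdWare" if hits and all(v.startswith("AdWare.") for v in hits) else "Malware"
        stats[folder] = {
            "total": total,
            "detected": len(hits),
            "type": kind if hits else None,
            "pct": round(100 * len(hits) / total),
        }
    return stats


def likely_distribution_folders(records, min_pct=50, min_samples=2):
    """Folders whose detection rate reaches min_pct over at least min_samples apps."""
    return sorted(f for f, s in folder_stats(records).items()
                  if s["total"] >= min_samples and s["pct"] >= min_pct)


if __name__ == "__main__":
    for folder, s in folder_stats(SAMPLE_RECORDS).items():
        print(f"{folder:<22} {s['type'] or '-':<8} {s['pct']}%")
    print("likely distribution folders:", likely_distribution_folders(SAMPLE_RECORDS))
```

The min_samples guard matters in practice: a folder seen on one device with one detected file would otherwise show up as a 100% source.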

Infected apps

Similar apps

All the infected apps that I analyzed surprised me in that they don’t look like they were patched with malware code. In many other cases, cybercriminals just add malicious code to clean apps, but not in this case. Looks like these apps were created especially for distributing malware.

Publishers from Google Play

Some of the publishers’ emails from Google Play:

  • com.equalizer.goods.listener
  • com.ele.wall.papers
  • com.voice.equalizer.musicssss
  • com.amusing.notes.done

When I started to search for them, I found that most of the emails are related to Vietnam.

For example:

  1. trantienfariwuay -> tran tien [fariwuay] – Vietnamese singer

  2. liemproduction08 -> liem production [08] – Thuat Liem Production, company from Ho Chi Minh City, Vietnam

  3. nguyenthokanuvuong -> nguyen [thokanu] vuong – Vietnamese version of Chinese name Wang Yuan

Malicious modules

Almost all of the infected apps from Google Play contain the same functionality – to download and execute the main module. During this research, I found three types of modules with this functionality.


Every infected app from Google Play with this type of malicious module was protected by a packer. I will describe the app with the package name com.equalizer.goods.listener. It was packed using the Qihoo packer. This app has many different classes and only a few of them are related to the malicious module. The malicious code is triggered by the PACKAGE_ADDED and PACKAGE_REMOVED system events, which means it only starts executing after the user installs, updates or removes an app.

As a first step, the malicious module will check if it’s running on a virtual machine, emulator or sandbox. To do so, it will check several dozen files that exist on different machines and several dozen values for different system properties. If this check is passed, the Trojan will start a new thread.

In this new thread the Trojan will wait a random amount of time, between an hour and an hour and a half. After waiting it will make a GET HTTP request to the C&C ( and, as a result, the Trojan will receive a JSON file encrypted with DES. This JSON should contain a URL from which a file can be downloaded. The file is an ‘xorred’ JAR that contains the malicious classes.dex – the main module.


Since October 2016 I’ve reported lots of apps with this malicious module to Google, so they were able to improve their detection system and catch almost all of them. This meant the cybercriminals had to bypass this detection. In the beginning they changed some methods in the code and used commercial packers. But in February 2017 they rewrote the entire code, moving all functionality to the ELF (native, .so) library.

Example: com.unit.conversion.use (MD5: 92B02BB80C1BC6A3CECC321478618D43)

The malicious code is triggered after app execution starts from the onCreate method.

The malicious code in the infected classes.dex is simple – it starts a new thread that loads the MyGame library and it has two methods for dealing with sandbox detections, which will be executed from the library.

In this version, the delays are much smaller than in the previous one – it waits only 82 seconds before execution.

After starting, the MyGame library will check if it’s running in a sandbox by executing the two methods from classes.dex. One will try to register the receiver for the BATTERY_CHANGED action and check if it’s correct. Another method will try to get application info about the package (Google Play Store) with the MATCH_UNINSTALLED_PACKAGES flag. If both of these methods return “false”, the malicious library will execute a GET request to the command server.


The library will decode this answer and xor it with a 0x66 key.



g_class_name = b.a.b.a

g_method_name = b

g_url =

g_key = 80

The .apk file available at g_url will be downloaded into the cache folder of the app folder (/data/data/<package_name>/cache). The library will xor it with g_key and load it using a ClassLoad method from the DexClassLoader class.

As we can see, the cybercriminals changed a lot in the malicious code, and replaced the Java code with C code. But the functionality remains the same – connect to the C&C, download and execute the main module.

Detection bypassing

Once I was able to receive the package IDs from these campaigns, I installed the infected app from Google Play on my test device and… nothing happened. After some investigating, I found that the cybercriminals only return a malicious payload to users that install apps via ads. However, some of the other infected apps started to infect my test phone when installed directly from Google Play – without clicking on any ads.


In April 2017 the cybercriminals changed their Ztorg code again. In this third type of malicious module, the cybercriminals moved all the functionality back to classes.dex. The main difference with the previous version is that it’s no longer a Trojan-Downloader. It doesn’t download the main module from a malicious server; instead it contains an encrypted module in the Assets folder of the installation package. The file called is xored with 0x12 and then loaded using the ClassLoad method.
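The loader logic described for the second and third module types comes down to two single-byte XOR layers: the C&C answer is decoded and XORed with 0x66 to reveal the g_* settings, and the downloaded "apk" (or, in the third type, the bundled asset) is XORed with g_key (0x12 for the asset) before being handed to the class loader. The script below is an added example, not code from the research or from the malware. It assumes the transport encoding the library undoes is base64 (the article only says "decode"), that the decoded text is the "name = value" lines listed above, and all sample bytes, the placeholder g_url included, are constructed here.

```python
"""Recovering the Ztorg loader configuration and XOR-obfuscated payload (added example)."""
import base64

C2_RESPONSE_XOR_KEY = 0x66   # from the article: answer is XORed with 0x66
ASSET_XOR_KEY = 0x12         # third module type: asset XORed with 0x12
FILE_MAGICS = (b"PK\x03\x04", b"dex\n")  # zip/jar/apk container and raw classes.dex


def xor_bytes(data, key):
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def decode_c2_response(body, key=C2_RESPONSE_XOR_KEY):
    """Undo the transport encoding (assumed base64) and the 0x66 XOR."""
    return xor_bytes(base64.b64decode(body), key).decode("utf-8")


def parse_config(text):
    """Turn the 'g_name = value' lines into a dict; g_key becomes an int."""
    cfg = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        cfg[name.strip()] = value.strip()
    if "g_key" in cfg:
        cfg["g_key"] = int(cfg["g_key"])
    return cfg


def recover_payload(blob, key):
    """XOR the downloaded 'apk' (or bundled asset) back and check its magic."""
    plain = xor_bytes(blob, key)
    return plain, any(plain.startswith(m) for m in FILE_MAGICS)


def guess_single_byte_key(blob, magics=FILE_MAGICS):
    """Try all 256 keys; return the one that yields a known file magic, or None.
    Useful when the config is unavailable or the operators have changed the key."""
    for key in range(256):
        if any(xor_bytes(blob[:4], key).startswith(m) for m in magics):
            return key
    return None


# --- constructed samples (not real captures) ------------------------------
CONFIG_TEXT = (
    "g_class_name = b.a.b.a\n"
    "g_method_name = b\n"
    "g_url = http://c2.placeholder.test/main.apk\n"   # placeholder, not the real URL
    "g_key = 80\n"
)
SAMPLE_RESPONSE = base64.b64encode(
    xor_bytes(CONFIG_TEXT.encode(), C2_RESPONSE_XOR_KEY)).decode()
SAMPLE_PAYLOAD = xor_bytes(b"PK\x03\x04" + b"\x00" * 12, 80)            # what g_url would serve
SAMPLE_ASSET = xor_bytes(b"dex\n035\x00" + b"\x00" * 8, ASSET_XOR_KEY)  # third-variant asset


def analyse(response=SAMPLE_RESPONSE, payload=SAMPLE_PAYLOAD):
    """Full pass: config from the C&C answer, then the payload keyed by g_key."""
    cfg = parse_config(decode_c2_response(response))
    _plain, ok = recover_payload(payload, cfg["g_key"])
    return cfg, ok


if __name__ == "__main__":
    cfg, ok = analyse()
    print(cfg, "payload magic ok:", ok)
    print("asset key:", hex(guess_single_byte_key(SAMPLE_ASSET)))
```

Because the obfuscation is a single-byte XOR, the file magic survives as a fixed pattern; guess_single_byte_key is the check to run on any new sample before assuming the key is still 0x50 (80) or 0x12.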

Payload (main module)

In all the attacks that I analyzed the main module had the same functionality. I’ll describe one of the most recent – 2dac26e83b8be84b4a453664f68173dd. It was downloaded by the com.unit.conversion.use app using the malicious MyGame library.

This module is downloaded by the infection module and loaded using the ClassLoad method. The main purpose of the module is to gain root rights and install other modules. It does this by downloading or dropping some files.

Some files can only be dropped from this module; there are no URLs for them.

Some of the URLs with the domain didn’t work at the time of this research. All files that have these URLs can be dropped. All files that have URLs only and cannot be dropped have URLs with the domains and, which were accessible at the time of this research.

In one of the previous versions of the main module, dated September 2016, all the URLs had the domain and were available at that time.

Some of the dropped/downloaded malicious files will be added to the /system/etc/ file. It means that these files will remain on the device even after a reset to factory settings.

All files that are dropped and downloaded by this module can be divided into a few groups:

Clean files, tools

File name | Tool name | MD5
data/files/.zog/.a | chattr | 9CAE8D66BE1103D737676DBE713B4E52
data/files/.zog/.a | chattr | 1E42373FA7B9339C6C0A2472665BF9D4
data/files/.zog/supolicy | supolicy | cdceafedf1b3c1d106567d9ff969327a
data/files/.zog/busybox | busybox | 3bc5b9386c192d77658d08fe7b8e704f
data/files/.zog/.j | Patched su | 8fb60d98bef73726d4794c2fc28cd900

Exploits, exploit packs, exploit droppers

File name | Name | MD5 | Detection name
data/files/.Ag/Agcr | Agcr32 | D484A52CFB0416CE5294BF1AC9346B96 |
data/files/.Ag/Agcr | Agcr64 | B111DD21FD4FCEFDC8268327801E55CE |
data/files/.zog/.ag/bx | Bx | 70EBFA94C958E6E6A7C6B8CD61B71054 | Exploit.AndroidOS.Lotoor.bu
data/files/.zog/.ag/cx | cx | 892E033DA182C06794F2B295377B8A65 | Exploit.AndroidOS.Lotoor.bu
data/files/.zog/exp | exp | 6E17234C57308012911C077A376538DC |
data/files/.zog/.ag/ | maink.apk/boy | ab9202ccfdd31e685475ba895d1af351 | script
data/files/.zog/.ag/ | maink.apk/bx | 70ebfa94c958e6e6a7c6b8cd61b71054 | Exploit.AndroidOS.Lotoor.bu
data/files/.zog/.ag/ym | ym32 | F973BAA67B170AB52C4DF54623ECF8B3 | Exploit.AndroidOS.Lotoor.bu
data/files/.zog/.ag/ym | ym64 | 807A6CF3857012E41858A5EA8FBA1BEF | Exploit.AndroidOS.Lotoor.bu
data/files/.zog/.aa | mainp.apk/r1 | c27e59f0f943cf7cc2020bda7efb442a |
data/files/.zog/.aa | mainp.apk/r2 | 368df668d4b62bdbb73218dd1f470828 |
data/files/.zog/.aa | mainp.apk/r3 | fb8449d1142a796ab1c8c1b85c7f6569 |
data/files/.zog/.aa | mainp.apk/r4 | 04dd488783dffcfd0fa9bbac00dbf0f9 | Exploit.Linux.Enoket.a
data/files/.zog/.ad | mainmtk.apk | b4b805dc90fa06c9c7e7cce3ab6cd252 |
data/files/.zog/.ag/np | np | 1740ae0dc078ff44d9f229dccbd9bf61 | Exploit.Linux.Enoket.a

Most of these files will be downloaded by the Trojan, but some of them can only be dropped from the Trojan body. However, most of the downloaded files are the same as they were seven months ago in September 2016.

Native (ELF) malicious modules

File name | MD5 | Path after infection | Detection name
data/files/.zog/.am | b30c193f98e83b7e6f086bba1e17a9ea | /system/xbin/.gasys | Backdoor.AndroidOS.Ztorg.j
data/files/.zog/.an | 41ab20131f53cbb6a0fb69a143f8bc66 | /system/lib/ | Backdoor.AndroidOS.Ztorg.j
data/files/.zog/.b | ae822aed22666318c4e01c8bd88ca686 | /system/xbin/.gap.a | Backdoor.AndroidOS.Ztorg.c
data/files/.zog/.k | 5289027ca9d4a4ed4663db445d8fc450 | /system/bin/debuggerd | Backdoor.AndroidOS.Ztorg.c
data/files/.zog/.m | 5af47875666c9207110c17bc8627ce30 | /system/bin/ddexe | script
data/files/.zog/.c | d335ac148f6414f0ce9c30ac63c20482 | /system/xbin/.gap | Backdoor.AndroidOS.Ztorg.c

All of these files can only be dropped from the Trojan’s body. They are not downloaded.

Malicious apps

File name | Name | MD5 | Path after infection | Detection name
data/files/.zog/.l | mains.apk | 87030ae799e72994287c5b37f6675667 | /system/priv-app/dpl.apk |
data/files/.zog/.o | mains2.apk | 93016a4a82205910df6d5f629a4466e9 | /system/priv-app/.gmq.apk | Trojan.AndroidOS.Boogr.gsh
data/files/.zog/.n | mainm.apk | 6aad1baf679b42adb55962cdb55fb28c | /system/priv-app/.gma.apk | Backdoor.AndroidOS.Ztorg.a
data/files/.zog/.al | .al | 7d7247b4a2a0e73aaf8cc1b5c6c08221 | /system/priv-app/.gmtgp.apk | Trojan.AndroidOS.Hiddad.c

.gmtgp.apk (7d7247b4a2a0e73aaf8cc1b5c6c08221)

This app is detected as Trojan.AndroidOS.Hiddad.c. It downloads an additional encrypted module from the C&C, decrypts it and loads it. In my case it downloaded Trojan-Clicker.AndroidOS.Gopl.a (af9a75232c83e251dd6ef9cb32c7e2ca).

Its C&C is; additional domains are and

The Trojan uses accessibility services to install (or even buy) apps from the Google Play Store.

It also downloads apps into the .googleplay_download directory on the SD card and installs them using accessibility services to click buttons. The folder .googleplay_download is one of the sources used to spread the Ztorg Trojan. It can click buttons that use one of 13 languages – English, Spanish, Arabic, Hindi, Indonesian, French, Persian, Russian, Portuguese, Thai, Vietnamese, Turkish and Malay.

dpl.apk (87030AE799E72994287C5B37F6675667)

This module contains the same methods to detect emulators, sandbox and virtual machines as in the original infected module.

It downloads an encrypted file from the C&C into the file /.androidsgqmdata/isgqm.jar. After decryption, the Trojan loads this file.

The main purpose of dpl.apk is to download and install apps. It receives commands from the following C&Cs:


The module downloads them into the DownloadProvider directory on the SD card. This folder is one of the sources used to distribute the Ztorg Trojan.

In my case, it downloaded five malicious APKs; four of them were installed and listed in the Installed apps section.

.gma.apk (6AAD1BAF679B42ADB55962CDB55FB28C)

This Trojan tries to download the additional isgqm.jar module with the main functionality in the same way as the other modules. Unfortunately, its C&Cs (,,, didn’t return any commands, so I don’t know the main purpose of this app.

This app can modify /system/etc/, and download files to the /.androidgp/ folder on the SD card. These files will be installed in the system folders (/system/app/ or /system/priv-app/).

I assume this Trojan is needed to update other modules.

.gmq.apk (93016a4a82205910df6d5f629a4466e9)

This Trojan wasn’t able to download its additional module isgq.jar from the C&Cs (,,

Installed apps

The following apps were silently downloaded and installed on the device after infection. All of them have some well-known ad services.

Package name | Detection | MD5 | Ad modules
co.uhi.tadsafa | Trojan-Downloader.AndroidOS.Rootnik.g | d1ffea3d2157ede4dcc029fb2e1c3607 | mobvista, batmobi
com.friend.booster | | 5c99758c8622339bffddb83af39b8685 | mobvista, batmobi
sq.bnq.gkq | Trojan-Downloader.AndroidOS.Rootnik.g | 10272af66ab81ec359125628839986ae | mobvista, batmobi
 | | 8572aec28df317cd840d837e73b2554a | mobvista

They also have malicious modules that start downloading ads and apps when commanded by their C&C.

But using clean advertising networks like Mobvista and Batmobi creates an ad recursion, because these ads were used to distribute the original infected app.

A few new folders appear on the SD card after a successful infection. Among them:

  • .googleplay_download
  • .nativedroid
  • .sysAndroid
  • DownloadProvider

All of these folders were used by some of the malware to spread the initial Ztorg infection and were used after infection to distribute other apps – some of them malicious.

Other Trojans

Although almost every Trojan from Google Play found during this research carried one of the three malicious modules described above, there were also a few other Trojans.

One of them, called Money Converter (com.countrys.converter.currency, 55366B684CE62AB7954C74269868CD91), had been installed more than 10,000 times from Google Play. Its purpose is similar to that of the .gmtgp.apk module – it uses Accessibility Services to install apps from Google Play. Therefore, the Trojan can silently install and run promoted apps without any interaction with the user, even on updated devices where it cannot gain root rights.

It used the same command and control servers as .gmtgp.apk.


During the research period I found that Trojan.AndroidOS.Ztorg was uploaded to Google Play Store almost 100 times as different apps. The first of them was called Privacy Lock, had more than 1 million installations and was uploaded in mid-December 2015. Every month after I started tracking this Trojan in September 2016 I was able to find and report at least three new infected apps on Google Play. The most recent apps that I found were uploaded in April 2017, but I’m sure there will be more soon.

All of these apps were popular. Furthermore, their popularity grew very fast, with tens of thousands of new users sometimes being infected each day.

I found out that these Trojans were actively distributed through advertising networks. All these malicious campaigns contained the same URL, which allows me to easily track down any new infected apps.

I was surprised that these Trojans were distributed through apps that were paying users for installing promoted apps. It turned out that some users got paid a few US cents for infecting their device, though they didn’t know it was being infected.

Another interesting thing about the distribution of this Trojan is that after infection it used some of the advertising networks to show infected users ads about installing promoted apps. It creates a kind of ad recursion on infected devices – they become infected because of a malicious ad from an advertising network and after infection they see ads from the same advertising network because of the Trojan and its modules.

Cybercriminals were able to publish infected apps on Google Play because of the numerous techniques they used to bypass detection. They continued to develop and use new features in their Trojans all the time. This Trojan has modular architecture and it uses several modules with different functionality and each of them can be updated via the Internet. During infection Ztorg uses several local root exploit packs to gain root rights on a device. Using these rights allows the Trojan to achieve persistence on the device and deliver ads more aggressively.

More UPNP woes: Crashable library bites routers and software

The Register - Anti-Virus - 15 May 2017 - 03:04
You know the drill: patch fast or cry slowly

It's a patch for vendors and developers, but it could be nasty: there's a bug in a Universal Plug'N'Play (UPNP) library used in a wide range of black-box devices.…

Category: Viruses and Worms

Microsoft to spooks: WannaCrypt was inevitable, quit hoarding

The Register - Anti-Virus - 15 May 2017 - 01:41
Monday wrap: “kill switch” holding for now; new versions emerging; patch what you can

In the midst of the ongoing WannaCrypt attacks, Microsoft has issued an unusually strongly-worded warning to governments around the world to quit hoarding vulnerabilities.…

Category: Viruses and Worms

WannaCry benefits from unlearned lessons of Slammer, Conficker

Sophos Naked Security - 14 May 2017 - 23:12
We've been here before with malware - so why was WannaCry able to cause such havoc around the world?

Massive WanaCrypt0r ransomware offensive

VIRY.CZ - 14 May 2017 - 01:15

Several dozen countries have been hit by a massive wave of the WanaCrypt0r ransomware. It encrypted documents and images on an enormous number of computers and, in the United Kingdom, hit a number of hospitals as well. Other sectors were not spared either: Renault, for example, suspended production because of the attack.

A whole range of media outlets are covering the attacks, so it would be odd if this site passed them over

Category: Viruses and Worms

BSides Denver 2017

Kaspersky Securelist - 13 May 2017 - 23:38

Everyone loves a decent security conference, and BSides Denver provides one with space to breathe. Folks in sunny Colorado looking for a fine local gathering found talks on advanced social engineering, APT herding, securing smart cities and more.

Even though BSides got its start as an “open source” event taking its contributors from rejected Black Hat talks, this isn’t the island of misfit toys. Quality content is delivered at all of them. Here is Mandiant’s Hunter Hardman talking about advanced social engineering techniques, which he tends to shun in favour of readily emailable, helpful soft targets in Marketing and HR. The discussion afterwards turned to the value of breaking news stories during red team projects, such as the current political environment’s effect on employee healthcare plans in the US.

Kyle Chambers from municipal energy provider Austin Energy presented ideas and thoughts on smart city implementations, audits, smart meters and data collection, and real-world integration experiences.

Considering the issues with IoT implementations and the immaturity of development cycles in the IoT space, along with the true nature of the risk involved, it’s a particularly alarming topic. And it’s great to see it being carefully discussed by organizations like Austin Energy.

Hope to see you at BSides Denver 2018!

Microsoft Releases XP Patch for WannaCry Ransomware - 13 May 2017 - 17:30
Microsoft has taken the extraordinary step of providing an emergency update for unsupported Windows XP and Windows 8 machines in the wake of Friday’s WannaCry ransomware outbreak.
Category: Viruses and Worms

Comey was loathed by the left, reviled by the right – must have been doing something right

The Register - Anti-Virus - 13 May 2017 - 17:03
Three years of the US's top cop in action

Analysis  The firing of FBI Director James Comey came as a shock to almost everyone, not least to the man himself.…

Category: Viruses and Worms

74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+

The Register - Anti-Virus - 13 May 2017 - 02:16
All you need to know – from ports to samples

Special report  The WannaCrypt ransomware worm, aka WanaCrypt or Wcry, today exploded across 74 countries, infecting hospitals, businesses including Fedex, rail stations, universities, at least one national telco, and more organizations.…

Category: Viruses and Worms

Wanna Decrypter 2.0 ransomware attack: what you need to know

Sophos Naked Security - 12 May 2017 - 23:15
Security experts are firefighting the global outbreak of ransomware that is apparently exploiting a recently patched flaw in Windows

New Jaff Ransomware Part Of Active Necurs Spam Blitz - 12 May 2017 - 19:54
A new malware family called Jaff has been identified by researchers who say they are currently tracking multiple and massive spam campaigns distributing the malware via the Necurs botnet.
Category: Viruses and Worms

Leaked NSA Exploit Spreading Ransomware Worldwide - 12 May 2017 - 19:32
Attackers behind today’s WannaCry ransomware outbreak in Europe are spreading the malware using the EternalBlue exploit leaked by the ShadowBrokers.
Category: Viruses and Worms

WannaCry ransomware used in widespread attacks all over the world

Kaspersky Securelist - 12 May 2017 - 19:30

Earlier today, our products detected and successfully blocked a large number of ransomware attacks around the world. In these attacks, data is encrypted with the extension “.WCRY” added to the filenames.

Our analysis indicates the attack, dubbed “WannaCry”, is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed “EternalBlue”) has been made available on the internet through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14.

Unfortunately, it appears that many organizations have not yet installed the patch.


A few hours ago, Spain’s Computer Emergency Response Team CCN-CERT, posted an alert on their site about a massive ransomware attack affecting several Spanish organizations. The alert recommends the installation of updates in the Microsoft March 2017 Security Bulletin as a means of stopping the spread of the attack.

The National Health Service (NHS) in the U.K. also issued an alert and confirmed infections at 16 medical institutions. We have confirmed additional infections in several additional countries, including Russia, Ukraine, and India.

It’s important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the “EternalBlue” exploit and infected by the WannaCry ransomware, the absence of this vulnerability does not by itself stop the ransomware component from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor behind the outbreak.

CCN-CERT alert (in Spanish)

Analysis of the attack

Currently, we have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia. It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher.

Geographical target distribution according to our telemetry for the first few hours of the attack

The malware used in the attacks encrypts the files and also drops and executes a decryptor tool. The request for $600 in Bitcoin is displayed along with the wallet address. It’s interesting that the initial request in this sample is for $600 USD, as the first five payments to that wallet are approximately $300 USD. It suggests that the group is increasing the ransom demands.

The tool was designed to address users of multiple countries, with translated messages in different languages.

Language list that the malware supports

Note that the “payment will be raised” after a specific countdown, along with another display raising urgency to pay up, threatening that the user will completely lose their files after the set timeout. Not all ransomware provides this timer countdown.

To make sure that the user doesn’t miss the warning, the tool changes the user’s wallpaper with instructions on how to find the decryptor tool dropped by the malware.

An image used to replace user’s wallpaper

Malware samples contain no reference to any specific culture or codepage other than universal English and Latin codepage CP1252. The files contain version info stolen from random Microsoft Windows 7 system tools:

Properties of malware files used by WannaCry

For convenient bitcoin payments, the malware directs to a page with a QR code at btcfrog, which links to their main bitcoin wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94. Image metadata does not provide any additional info:

One of the Bitcoin wallets used by the attackers: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

One of the attacker wallets received 0.88 BTC during the last hours

Other Bitcoin wallets included in the attackers’ “readme.txt” from the samples are:

  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn – 0.32 BTC
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw – 0.16 BTC

For command and control, the malware extracts and uses the Tor service executable, with all necessary dependencies, to access the Tor network:

A list of dropped files related to Tor service

In terms of targeted files, the ransomware encrypts files with the following extensions:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

The file extensions that the malware targets fall into several clusters of formats, including:

  1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  2. Less common and nation-specific office formats (.sxw, .odt, .hwp).
  3. Archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
  4. Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  6. Developers’ source code and project files (.php, .java, .cpp, .pas, .asm).
  7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  8. Graphic designers’, artists’ and photographers’ files (.vsd, .odg, .raw, .nef, .svg, .psd).
  9. Virtual machine files (.vmx, .vmdk, .vdi).

The WannaCry dropper drops multiple “user manuals” in different languages:

Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese

An example of a “user manual” in English:

What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to
recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.
You can decrypt some of your files for free. Try now by clicking .
But if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don't pay in 7 days, you won't be able to recover your files forever.
We will have free events for users who are so poor that they couldn't pay in 6 months.

How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click .
Please check the current price of Bitcoin and buy some bitcoins. For more information, click .
And send the correct amount to the address specified in this window.
After your payment, click . Best time to check: 9:00am - 11:00am GMT from Monday to Friday.
Once the payment is checked, you can start decrypting your files immediately.

If you need our assistance, send a message by clicking .

We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets
updated and removes this software automatically, it will not be able to recover your files even if you pay!

It also drops batch and VBS script files, and a “readme” (contents are provided in the appendix).

Just in case the user closed the bright red dialog box, or doesn’t understand it, the attackers also drop a text file with further instructions. This “readme” is written to disk as “@Please_Read_Me@.txt” in many directories on the victim host. Note that the English here is written well, with the exception of “How can I trust?”. To date, only two transactions appear to have been made to the 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn bitcoin address, for almost $300:

Q: What's wrong with my files?

A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!

Q: What do I do?

A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)

Q: How can I trust?

A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.

* If you need our assistance, send a message by clicking on the decryptor window.

Once started, it immediately spawns several processes to change file permissions and communicate with Tor hidden C2 servers:

  • attrib +h .
  • icacls . /grant Everyone:F /T /C /Q
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe
  • @WanaDecryptor@.exe fi
  • 300921484251324.bat
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe

The malware checks for the mutexes “Global\MsWinZonesCacheCounterMutexA” and “Global\MsWinZonesCacheCounterMutexA0” (Update: Thanks Didier Stevens for the correction on the extra mutex name!) to determine whether a system is already infected. It also runs the following command, which deletes Volume Shadow Copies and the backup catalog and disables Windows recovery at boot, so that files cannot be restored without paying:

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

This results in a UAC popup that the user may notice.

UAC popup to disable Volume Shadow Service (System Restore)
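The process list and the shadow-copy deletion command above are the most reliable host-side indicators in this section, so here is an added detection example that runs the same patterns over process-creation events (for instance Sysmon event 1 or Windows 4688 command lines, once they have been exported as text). This is example code written for this page, not code from the original analysis or from Kaspersky Lab. The event format, hostnames and PIDs are constructed for the example; the WS01 command lines are the ones listed above. The alert threshold (two distinct behaviours on one host) is an assumption chosen so that a lone administrator running vssadmin does not trigger it, and the example goes slightly beyond the text by treating vssadmin and wmic shadow-copy deletion as one behaviour.

```python
import re
from collections import defaultdict

# Constructed process-creation events for the example (not real telemetry).
# Shape: "<timestamp> host=<name> pid=<n> ppid=<n> cmd=<command line>".
# The WS01 command lines reproduce the ones listed in the analysis above;
# WS02-WS04 are benign or borderline administrative activity.
SAMPLE_EVENTS = r"""
2017-05-12T10:31:02Z host=WS01 pid=2088 ppid=1180 cmd=attrib +h .
2017-05-12T10:31:02Z host=WS01 pid=2096 ppid=1180 cmd=icacls . /grant Everyone:F /T /C /Q
2017-05-12T10:31:03Z host=WS01 pid=2104 ppid=1180 cmd=C:\Users\alice\AppData\Local\Temp\taskdl.exe
2017-05-12T10:31:05Z host=WS01 pid=2140 ppid=1180 cmd=cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2017-05-12T10:31:06Z host=WS01 pid=2152 ppid=1180 cmd=@WanaDecryptor@.exe fi
2017-05-12T10:32:10Z host=WS02 pid=3312 ppid=700 cmd=vssadmin list shadows
2017-05-12T10:33:41Z host=WS03 pid=4001 ppid=4000 cmd=icacls C:\Share /grant Users:R
2017-05-12T10:35:00Z host=WS04 pid=512 ppid=500 cmd=cmd.exe /c vssadmin delete shadows /all /quiet
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+cmd=(?P<cmd>.*)$"
)

# Each rule names one behaviour from the WannaCry process tree. Two rules share
# the name "shadow_copy_deletion": vssadmin and wmic are two ways of doing the
# same thing and should count once per host.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bootstatus_ignore", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("backup_catalog_deleted", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("acl_everyone_full", re.compile(r"\bicacls(\.exe)?\s+\S+\s+/grant\s+Everyone:F\b", re.I)),
    ("hidden_attribute", re.compile(r"\battrib(\.exe)?\s+\+h\b", re.I)),
    ("wanadecryptor_binary", re.compile(r"@WanaDecryptor@\.exe\b", re.I)),
    ("taskdl_in_temp", re.compile(r"\\AppData\\Local\\Temp\\taskdl\.exe\b", re.I)),
]


def parse_events(text):
    """Parse the simple event format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def match_rules(cmd):
    """Return the distinct rule names that fire on one command line."""
    return sorted({name for name, rx in RULES if rx.search(cmd)})


def findings_by_host(text):
    """Map each host to the sorted list of distinct behaviours seen on it."""
    hits = defaultdict(set)
    for ev in parse_events(text):
        hits[ev["host"]].update(match_rules(ev["cmd"]))
    return {host: sorted(names) for host, names in hits.items() if names}


def alert_hosts(text, min_distinct=2):
    """Hosts showing at least min_distinct behaviours. A single vssadmin
    deletion by an administrator (WS04) stays below the default threshold."""
    return sorted(h for h, names in findings_by_host(text).items()
                  if len(names) >= min_distinct)


if __name__ == "__main__":
    for host, names in sorted(findings_by_host(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(names)}")
    print("alert:", alert_hosts(SAMPLE_EVENTS))
```

Run on the constructed events, WS01 shows all eight behaviours and is the only host alerted; WS04 is recorded with one finding but not alerted, and WS02/WS03 (listing shadow copies, granting read access to Users) produce nothing. The rules are deliberately anchored on the exact arguments (Everyone:F, recoveryenabled no, delete catalog) rather than on the tool names, because the tools themselves are legitimate administration utilities.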

The malware uses Tor hidden services for command and control. The list of .onion domains found inside is as follows:

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • Xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
  • sqjolphimrr7jqw6.onion

Mitigation and detection information

Essential in stopping these attacks is the Kaspersky System Watcher component, which can roll back the changes made by ransomware in the event that a malicious sample manages to bypass other defenses and attempts to encrypt the data on disk.

System Watcher blocking the WannaCry attacks

Mitigation recommendations:

  1. Make sure that all hosts are running endpoint security solutions and have them enabled.
  2. Install the official patch (MS17-010) from Microsoft, which closes the SMB Server vulnerability used in this attack.
  3. Ensure that Kaspersky Lab products have the System Watcher component enabled.
  4. Scan all systems. After detecting the malware as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Once again, make sure the MS17-010 patches are installed.

Samples observed in attacks so far:


Kaspersky Lab detection names:


Kaspersky Lab experts are currently working on the possibility of creating a decryption tool to help victims. We will provide an update when a tool is available.


Batch file

@echo off
echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
echo SET om = ow.CreateShortcut("C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe.lnk")>> m.vbs

echo om.TargetPath = "C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe">> m.vbs

echo om.Save>> m.vbs
cscript.exe //nologo m.vbs
del m.vbs
del /a %0


m.vbs (the script that the batch file above writes and runs)

SET ow = WScript.CreateObject("WScript.Shell")
SET om = ow.CreateShortcut("C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe.lnk")
om.TargetPath = "C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe"
' Writes the .lnk to disk; this line is echoed into m.vbs by the batch file above
om.Save

Soldiers sent hate-SMS messages from rogue base stations

Sophos Naked Security - 12 May 2017 - 19:00
The culprit exploits a design feature of older 2G networks in a type of man-in-the-middle attack

Threatpost News Wrap, May 12, 2017 - 12 May 2017 - 18:00
The news of the week is discussed, including this week's Microsoft Malware Protection Engine bug, Handbrake OS X malware, the HP keylogger, Trump's Cybersecurity EO, and more.
Category: Viry a Červi