
Security Week 7: dating via ransomware and spam updates

News
Among malware authors there are romantics too. For example, a certain figure under the nickname iCoreX0812 lovingly named his ransomware Trojan Annabelle, after the cursed doll that stars in two horror films of dubious artistic merit. Like its film namesake, the program is meant to terrify the victim, but it turns out there is not much behind the scare.

The Trojan's feature set is very broad. Once on the computer, the malware first of all closes and blocks such "dangerous" programs as Task Manager, MSConfig, Process Hacker, and popular web browsers. The ransomware also writes itself into the autorun.inf of any flash drive connected to the computer in order to spread to other machines through them. True, current versions of Windows no longer honor AutoRun from removable media, and even for Windows XP Microsoft released a patch back in 2011 that disables it. So Annabelle is apparently counting on those who have not installed updates for more than seven years. Presumably this is also why Notepad and other text editors are locked: to make it harder to undo what the virus did to the autorun file.
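The autorun.inf trick described above is generic, so a simple check for it is worth having regardless of which family planted the file. The following is an added example (not code from the column or from the malware): it parses the [autorun] section of an autorun.inf and reports every entry that would launch a program (open=, shellexecute=, shell\...\command=). The two sample autorun.inf contents are constructed for illustration, and the file name annabelle.exe in them is a hypothetical placeholder, not an indicator taken from the page.

```python
"""Flag autorun.inf files on removable media that launch an executable."""
import configparser
import re
from pathlib import Path
from typing import Dict, List, Optional

# [autorun] keys that cause a program to run when the medium is inserted
# or opened; on a flash drive any of them is a red flag.
LAUNCH_KEYS = ("open", "shellexecute")
LAUNCH_KEY_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)

# Constructed sample contents (not captured from a real drive).
# "annabelle.exe" is a hypothetical file name used only for this example.
SAMPLE_MALICIOUS = r"""
[autorun]
open=annabelle.exe
shellexecute=annabelle.exe
shell\Open\command=annabelle.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
label=My USB
"""

SAMPLE_BENIGN = r"""
[autorun]
icon=setup.ico
label=Driver CD
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a dict with lower-cased keys.

    autorun.inf is INI-style, so configparser does the job; interpolation
    is disabled because values often contain '%' (e.g. %SystemRoot%), and
    strict=False tolerates duplicate keys that malware sometimes emits.
    """
    cp = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",)
    )
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return {}
    return {k.lower(): v.strip() for k, v in cp.items("autorun")}


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Return the command/file of every entry that launches a program."""
    return [
        value
        for key, value in entries.items()
        if key in LAUNCH_KEYS or LAUNCH_KEY_RE.match(key)
    ]


def is_suspicious(text: str) -> bool:
    """True if the autorun.inf would run anything at all.

    Legitimate autorun.inf files on removable media only set icon/label;
    an open=/shellexecute=/shell\\...\\command= entry is how the spreading
    payload gets started.
    """
    return bool(launch_targets(parse_autorun(text)))


def scan_drive_root(root: str) -> Optional[List[str]]:
    """Inspect <root>/autorun.inf; return launch targets or None if absent."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return None
    # autorun.inf is ASCII/ANSI; ignore odd bytes rather than crash.
    return launch_targets(parse_autorun(inf.read_text(errors="ignore")))


if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, "->", launch_targets(parse_autorun(sample)))
```

Point scan_drive_root() at each mounted removable volume (e.g. "E:\\" on Windows); a non-empty result means the medium carries an AutoRun launcher, which is worth quarantining even on systems where AutoRun itself is disabled, since the dropped executable is still there for anyone who double-clicks it.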

The Trojan then encrypts files, gives them the .annabelle extension, and reboots the computer. When the user enters the account password, instead of the usual desktop he sees a lock screen with a picture of the cursed doll and a ransom demand of 0.1 BTC. Most curiously, the author also provides a window with his copyright notice. A ransomware Trojan is intellectual property too, after all.

True, for all the ingenuity of the staging, Annabelle's encryption mechanism turned out to be mediocre: a typical specimen of the "Stupid" ransomware family, with a static key. So the decryption experts have already learned how to decrypt .annabelle files. The author will have to do without his Bitcoins; art doesn't pay much in this world. Then again, the money was never coming anyway: in the last paragraph of the ransom note the author of Annabelle admits that this is a demo version of the program and there is no site for paying the ransom. He doesn't explain how to get the key either, instead inviting his victims to chat with him on Discord. He must be lonely.

Shlayer: adware disguised as a Flash update


News
Everyone wants to make money, so wherever something is free, advertising shows up sooner or later. In light of this trend, a new advertising Trojan for OS X called Shlayer, distributed mainly through torrent sites, does not look sensational.
The attack method is as old as the hills: visitors to compromised pages are prompted to update Adobe Flash Player by a pop-up window disguised as the victim's browser's usual notification. The trick is obviously aimed at the least experienced audience, since the warning pops up even in current versions of Chrome, which keep their bundled Flash up to date without any user involvement.

But there is a twist in how the adware itself is loaded: for this purpose the malware uses signed shell scripts, and in some versions several of them.

As a result, the victim's computer ends up with OSX/MacOffers or OSX/Bundlore. Thanks to a digital signature, the programs pass Gatekeeper without trouble (Gatekeeper verifies who signed the code, not what it does) and then treat the user to targeted advertising spam. However, avoiding infection is incredibly easy: just don't download updates from random sites, especially for Chrome. And if you suspect that you really don't have the latest version of Flash Player, download the update from Adobe's site.

Antiquities


Family "Armagedon"

Dangerous memory-resident viruses. They infect .COM files (except COMMAND.COM) when those are run, writing themselves to the beginning of the file. From 5:00 to 6:00 in the morning they actively work with the serial port, apparently trying to dial some phone number via modem. They contain the text "Armagedon the GREEK". They hook int 21h and int 8.

Disclaimer: This column reflects only the personal opinion of its author. It may or may not coincide with the position of Kaspersky Lab. It's the luck of the draw.

Source: https://habr.com/ru/post/350632/
