Ransomware Trojans

[Humpty]

There's a new breed of ransomware in town, and it raises the stakes compared to previous viruses of this sort. Both Sinowal.FY and Gpcode.ai have been identified by security companies PandaLabs and Kaspersky Lab as malicious strains of older Trojans that encrypt users' files so that they can no longer be accessed. The Trojan then plants a readme.txt where users will find it, and inside, demands $300 in order to decrypt the files.

Article

[rridgely]

I was just talking about this with Andy. The prevx guys have already put out a decryptor tool:

http://www.prevx.com/blog.asp

[Andavari]

I read about Ransomware earlier this year and thought it was rather nasty, although I'd probably just format if there wasn't any proper removal tool.

[AndyManchesta]

The main problem with this trojan is the information it steals, it shows in HJT as

 

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

 

Its been around for a long time but this 'ransomware' variant has only been showing up since the start of July, the trojan is very nasty as it will record login usernames and passwords for every site used even if its secure and upload it to a drop site and the sites tend to have many GB's worth of stolen information ranging from myspace and email logins to Paypal, Ebay and Banking login information.

 

SecureScience wrote an excellent paper on the trojan at the end of last year

 

http://www.securescience.net/securescience...ecasestudy.html

 

As the paper explains it injects its code into Winlogon then svchost then into all other running processes with the exception of csrss.exe due to access and stability issues but the code injection guarantees its always running on the system and monitoring what is being submitted into online forms.

 

Hopefully the prevx tool helps with decoding the files, Ive not tried it yet but I will later today if I have the time but anyone who is infected with this should know their login information for every site visited since they became infected and anything else submitted into online forms has been stolen so they will need to contact financial institutions for advise plus change all passwords as soon as possible after removing the trojan or from a different pc that is known to be clean.

[DennisD]

This is a pretty obvious question, but how risky is it (and I realize this is a difficult thing to quantify), to buy stuff online these days.

 

It's something I've only ever done once, but my daughter gets stuff quite often.

 

And do all your financial details remain somewhere on your pc, or are they removed after you complete the transaction?

 

Thanks.

[AndyManchesta]

Hi Dennis,

 

I think there's always going to be a small risk involved with shopping or banking online but I doubt the majority of people will ever have a problem unless they do get infected with these types of trojans, sometimes the information may not always be stolen from your own system and a legit site you have done business with at one stage may get compromised but thankfully that isnt common and generally banks would always refund the account if it was used without the owners consent

 

For account and login details it really depends on how you enter the site, IE's autocomplete feature if used saves login details to a protected storage area in the registry and it is quite common for information stealing trojans to read the data from there, in IE7 that has changed abit but you can get more info and tools to view the protected storage data on Nirsoft's site,

 

http://www.nirsoft.net/utils/pspv.html

 

http://www.nirsoft.net/articles/ie7_passwords.html

[DennisD]

Thanks for the info Andy, and for the links.

 

I haven't been to those sites. As well as the good info, I've found some pretty useful utilities.

[AndyManchesta]

Yeah there's some great tools on there, you may find that AV's detect some as risk tools though but that would only apply if they were added without consent by trojans as it would allow them to get personal information or make changes to the system, the tools themselves are clean and can be very useful.

 

Examples after scanning the files at VirusTotal

 

Protected Storage Pass Viewer

 

File pspv.exe received on 07.20.2007 21:36:35 (CET)

 

Antivirus Version Last Update Result

 

Authentium 4.93.8 2007.07.19 W32/PWStealer.CAT

BitDefender 7.2 2007.07.20 Trojan.Icqsmiley.E

CAT-QuickHeal 9.00 2007.07.20 PSWTool.PassView.b (Not a Virus)

eSafe 7.0.15.0 2007.07.19 Win32.IcqSmiley.e

Ewido 4.0 2007.07.20 Not-A-Virus.PSWTool.Win32.PassView.b

FileAdvisor 1 2007.07.20 Low threat detected

Fortinet 2.91.0.0 2007.07.20 HackerTool/PassView

F-Prot 4.3.2.48 2007.07.20 W32/PWStealer.CAT

Ikarus T3.1.1.8 2007.07.20 not-a-virus:PSWTool.Win32.PassView.b

Kaspersky 4.0.2.24 2007.07.20 not-a-virus:PSWTool.Win32.PassView.b

McAfee 5079 2007.07.20 potentially unwanted program PWCrack-PassView

Microsoft 1.2704 2007.07.20 HackTool:Win32/Mailpassview

NOD32v2 2410 2007.07.20 Win32/PassView.163

Panda 9.0.0.4 2007.07.20 Hacktool/Passview.T

Sophos 4.19.0 2007.07.17 NirPassView

Symantec 10 2007.07.20 Hacktool.PassReminder

TheHacker 6.1.7.149 2007.07.18 Trojan/PassView.b

VBA32 3.12.2.1 2007.07.19 Application.PSWTool.PassView

VirusBuster 4.3.26:9 2007.07.20 Trojan.PWS.IcqSmiley.A

Webwasher-Gateway 6.0.1 2007.07.20 Riskware.PSW.PassView.B

 

Additional information

File size: 52736 bytes

MD5: 35861f4ea9a8ecb6c357bdb91b7df804

SHA1: 836cb49c8d08d5e305ab8976f653b97f1edba245

Bit9 info: http://fileadvisor.bit9.com/services/extin...357bdb91b7df804

 

NirCmd

 

File nircmd.exe received on 07.20.2007 21:36:24 (CET)

 

Antivirus Version Last Update Result

 

eSafe 7.0.15.0 2007.07.19 suspicious Trojan/Worm

Panda 9.0.0.4 2007.07.20 Application/NirCmd.A

Sophos 4.19.0 2007.07.17 NirCmd

Webwasher-Gateway 6.0.1 2007.07.20 Win32.ModifiedUPX.gen!90 (suspicious)

 

Additional information

File size: 27136 bytes

MD5: 2c2c06dedc3a3b089d6e8813b2d49b04

SHA1: 0bab5e4027fb0a2aeea12246b0164bc46712d61f

packers: UPX

packers: UPX

packers: UPX

[DennisD]

Andy, you're a mine of information, thanks again.

 

And I hope you haven't got your feet wet today. We're OK up here in Co. Durham, but you guys in the midlands and a bit further south are being pasted, again.

[AndyManchesta]

No its fine here in sunny Manchester

 

Its really abit wet as usual but like you say it looks like its further south thats got most of the problems again

[JDPower]

So, just so I've got this clear, is this ransomware stuff blocked by AV software (as much as any malware is)? And the info it steals is from autocomplete, cookies etc?

[Andavari]

you may find that AV's detect some as risk tools Pass Viewer

Trend Micro's HouseCall detects something from NirSoft from my installation of ShellExView, don't know exactly what it detects because the website/scan bugged out and didn't show anything. It was a false positive anyway so I didn't think too much about it.

[AndyManchesta]

So, just so I've got this clear, is this ransomware stuff blocked by AV software (as much as any malware is)? And the info it steals is from autocomplete, cookies etc?

 

Hi JD,

 

Yes the current ransomware variant is very well detected by AV companies now, there's quite afew malware bundles around that include this trojan though except its the infostealer by itself and not the ransomware variant but they are changing the files often to try avoid being detected by AV's, they tend to spread using exploits on malicious websites but this ransomware variant appears to have mainly spread by being spammed which is explained more on the Prevx blog RRidgely linked to earlier

 

Here's the current detections for the ransomware variant from VT

 

File ntos.exe received on 07.21.2007 04:10:52 (CET)

 

Antivirus Version Last Update Result

AhnLab-V3 2007.7.21.0 2007.07.20 no virus found

AntiVir 7.4.0.44 2007.07.20 TR/Spy.Gpcode.AI

Authentium 4.93.8 2007.07.20 no virus found

Avast 4.7.997.0 2007.07.20 Win32:GpCode-C

AVG 7.5.0.476 2007.07.20 Pakes.BT

BitDefender 7.2 2007.07.21 Backdoor.Kollah.C

CAT-QuickHeal 9.00 2007.07.20 Trojan.GPcoder.h

ClamAV devel-20070416 2007.07.21 Trojan.Kollah

DrWeb 4.33 2007.07.20 Trojan.Encoder.11

eSafe 7.0.15.0 2007.07.19 Virus.Win32.Gpcode.a

eTrust-Vet 30.8.3797 2007.07.20 Win32/Kollah.AB

Ewido 4.0 2007.07.20 no virus found

FileAdvisor 1 2007.07.21 no virus found

Fortinet 2.91.0.0 2007.07.20 W32/Gpcode.AI

F-Prot 4.3.2.48 2007.07.20 W32/new-malware!Maximus

F-Secure 6.70.13030.0 2007.07.20 Virus.Win32.Gpcode.ai

Ikarus T3.1.1.8 2007.07.20 Trojan-Downloader.Win32.Delf.aww

Kaspersky 4.0.2.24 2007.07.21 Virus.Win32.Gpcode.ai

McAfee 5079 2007.07.20 GPcoder.h

Microsoft 1.2704 2007.07.20 Backdoor:Win32/Kollah.D

NOD32v2 2410 2007.07.20 Win32/Spy.Agent.PZ

Norman 5.80.02 2007.07.20 no virus found

Panda 9.0.0.4 2007.07.20 Trj/Sinowal.FY

Sophos 4.19.0 2007.07.17 no virus found

Sunbelt 2.2.907.0 2007.07.21 Backdoor.Win32.Kollah.D

Symantec 10 2007.07.21 Trojan.Gpcoder.E

TheHacker 6.1.7.149 2007.07.18 no virus found

VBA32 3.12.2.1 2007.07.19 Trojan.Win32.Spy.Agent.PZ

VirusBuster 4.3.26:9 2007.07.20 Trojan.GPCode.E

Webwasher-Gateway 6.0.1 2007.07.21 Trojan.Spy.Gpcode.AI

Additional information

File size: 58368 bytes

MD5: 20f7c21df0f5d724c5d28e62155fe22d

SHA1: 09ceedb1edf556331d7cf5039cb83b469bf0dffb

 

I did just run the Prevx Ransomware decoder afew minutes ago and it did an excellent job in decoding all the encrypted files and removing the info stealer,

 

Regarding what it steals this trojan doesnt steal info from the protected storage area although that method is used by alot of other password stealers like ldpinch, this one though will steal the information from any forms online before it even gets encrypted if its a secure site, the paper from SecureScience I linked to earlier explains it alot better than I ever could from chapter 8 'Internal Structures For API Hooks'

 

Andy