• Tag Archives encrypted files
  • Using DNS to weaken Locky ransomware threat

    Ransomware and other cyberthreats often go unseen by traditional detection methods like antivirus, deep packet inspection (DPI) or sandboxing. In fact, a report by Lastline Labs indicates that 51% of zero-day malware—threats that strike before developers have time to release a patch—is undetected by anti-virus solutions. So what can security professionals do to stop attacks? The answer lies, in part, in DNS.

    One of the most powerful ransomware threats currently targeting individuals and organizations is Locky, which infects up to 100,000 devices per day, of which 3% submit payments. Cybersecurity experts estimate that Locky possesses 17% of the entire global market share for all ransomware infections.

    First, let’s look at a few statistics that demonstrate the power and expense of Locky:

    Locky is typically delivered through aggressive spam campaigns, often claiming to be an invoice. Despite the known dangers of clicking on links in unknown emails, Locky is so sly it entices even trained IT staff to click on obscure messages and activate downloads.

    Once a download has completed, Locky connects with its Command & Control (C&C) server to get a cryptographic key to use for encryption. There are three known mechanisms for Locky to reach its C&C hosts:

    1. Direct IP communication
    2. A number of fixed domains
    3. A time-based Domain Generation Algorithm (DGA) that creates a set of random-looking domains that are only valid for a few days

    Here is where DNS can play a role. DNS data can be analyzed to identify C&C connection mechanisms. When these communications are blocked, Locky’s ability to obtain encryption keys is limited, giving infected users a better chance of being protected.

    Unfortunately, the DGA used by Locky to generate domains and get encryption keys is marked with the current time period combined with a secret seed, making it harder to block new domains quickly. Locky changes seeds frequently, and reverse engineering current versions of the malware to discover each new seed takes time. Every new seed indicates another wave in the life of the exploit, so until there is an accurate way to identify traffic associated with Locky, it can’t be permanently blocked.

    But examination of a worldwide feed of anonymized DNS queries, along with anomaly detection and correlation technology, makes it possible to identify suspected domains used by Locky to download encryption keys in real time. ForcePoint is one company that has done some work to reverse engineer the DGA used by Locky. By using the existing DGA and conducting some additional processing of suspect domains, it is possible to determine new seeds used by Locky, thereby enumerating all future new domains Locky will use.

    Below is a sampling of more recent domains created by Locky as detected by our DNS algorithms:

    • mrjuvawlwa[.]xyz
    • uydvrqwgg[.]su
    • uwiyklntlxpxj[.]work
    • owvtbqledaraqq[.]su
    • udfaexci[.]ru
    • eabfhwl[.]ru
    • olyedawaki[.]pl
    • uxwfukfqxhydqawmf[.]su
    • ikdcjjcyjtpsc[.]work
    • wrbwtvcv[.]su
    • osxbymbjwuotd[.]click
    • qtuanjdpx[.]info

    As Locky and other types of ransomware become more adept at avoiding detection and remediation, new strategies need to be used to combat them. Many of the new cyberthreat strategies make traditional malware block lists less effective. Facing DGAs with fast-changing seeds, security researchers must constantly identify the new seeds used by each wave of phishing to pre-generate domains. Once new seeds are released the old ones immediately become obsolete.

    By utilizing a broad set of DNS query data, it is possible to detect and track the evolution of generated domains through a variety of algorithmic methods such as clustering, reputation scoring, reverse engineering and additional methods that continuously evolve. Recent innovations include anomaly detection algorithms, new domain clustering and a Domain Reputation System that resulted in almost 100,000 domains and C&Cs provisioned daily for blocking.

    By employing these advanced methods, suspicious domains can be detected with a high level of accuracy very quickly, and false positives can also be weeded out so good traffic can still reach legitimate sites. Currently, this is the best defense against Locky. Service providers and companies can use this technique to protect their online users from having their files encrypted, and identify machines that have been infected.

    Locky provides ample evidence that attackers are continuously innovating. Staying one step ahead requires cybersecurity expertise and real-time processing of massive, worldwide data sets to uncover malicious activity. Blocking traffic to these domains is a good way to avoid the threat of Locky, and expert security teams that take the right steps to understand its behavior and put appropriate measures in place to protect would-be victims will render cyberthreats much less effective.


  • Spoofed FedEx and USPS Kovter and Locky sites Ransomeware Malware Keeps Spreading

    www.ccrepairservices.com
    Locky Ransomeware New CPRS CCRS Computer Repair Miami Fort Lauderdale Website

    Following on from these  [ FEDEX ] [ USPS ]  posts describing the Spoofed FedEx and USPS ( and other delivery services from time to time) I will endeavour to keep up to date with a list of current sites involved in the spreading of this malware. I will also show the command used that day to obtain the malware. I will add each days new sites to the lists, but please remember that old sites are reused daily until taken down by their hosts.  All the sites used in this malware spreading campaign are hacked / compromised sites.

     

    The script tries the first in the list & then moves down until it gets a reply from the server. You never see the first downloaded file ( counter.js by searching on your computer, that is run directly from temp internet files ) Counter.js then downloads  a different variant of counter.js which in turn downloads 01 first, then 02, then 03 until you get to 05. If any site doesn’t have the file, then it moves to the next site in the list for that particular file. Each site on the list has a full set of the files. but it is rare for the site delivering counter.js to actually download from itself, normally that downloads from a different site on the list. All the files ( apart from the original counter.js) pretend to be png ( image files). They are actually all renamed .exe files or a renamed php script listing the files to be encrypted. Counter.js contains the list of sites to download from, which includes many of the sites listed in the original WSF, JS, VBS or other scripting file and normally one or 2 extra ones. to get the second counter.js you need to change the &r=01 at the end of the url to &m=01 ( or 02-05). This second counter.js contains additional sites to download from which frequently includes sites from the previous days lists that are not already included in the WSF or first counter.js.

    I only accidentally  found out about the second /3rd /4th /5th  counter.js when I made a mistake in manually decoding the original wsf file ( and the original counter.js) and mistyped/ miscopied  the &r= and used &m= instead. Obviously it is a belt and braces approach to making sure the actual malware gets downloaded to a victim’s computer when urls or sites are known about and blocked by an antivirus or web filter service.

    25 December 2016:  ( Payload Security report  )

    3spension.com
    minebleue.com
    chaitanyaimpex.org
    break-first.com
    grancaffe.net
    www.meizumalaysia.com
    dreamoutloudcenter.org
    megrelis-avocat.com

    /counter/?a=1DtntZgmur6occ1CY29PJzvAzLsjCXMuyD&m=9488599&i=e5J5zaa6WhR1MYhBZ8L8Rmw2RWRVmbtna9Y_vLRIrGW2mVxU7SBYLhBH9Gj5Mr942yUp7kFWRWAOGtmJ5aqexWRDrTq_rGixe_a-gmVCMQ

    /counter/?i=e5J5zaa6WhR1MYhBZ8L8Rmw2RWRVmbtna9Y_vLRIrGW2mVxU7SBYLhBH9Gj5Mr942yUp7kFWRWAOGtmJ5aqexWRDrTq_rGixe_a-gmVCMQ&a=1DtntZgmur6occ1CY29PJzvAzLsjCXMuyD&r=01

    27 December2016:  ( Payload Security report  )

    lacasadeicuochi.it
    boardedhallgreen.com
    www.memoodgetactive.det.nsw.edu.au
    rebecook.fr
    peachaid.com
    kidsgalaxy.fr
    baltasmenulis.lt
    artss.org

    /counter/?a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&m=3254807&i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7  

    /counter/?i=Y5rzyqa6RhRlpx-dpPoqiXX2fW4GipPhNOTHtfBNJDBj6eEd6iZ3Yj9wAD7akn77R5LBqqvQvXIlyx_kYmBdyl0Bi12Qqds7&a=1HHDb3PbzDuGitWA7eW5oQFLzRjd1VzqhJ&r=01

    28 December 2016:  ( Payload Security report  )

    thanepoliceschool.com
    chimie.iset-liege.be
    partnersforcleanstreams.org

    /counter/?a=1N1rEZQQ9Z3Ju6jggwn7hFU1jXytBTcK7r&m=8429816&i=LXEfbBQo_qDv_k77jrIae7y_BHSSQ_IZeneRTOoRmdDa4RlnJqaUKIl03HhN683DsUx-hkDi_OiCy0bOPjhZTiYm8RSQDBkfCerE

    /counter/?i=LXEfbBQo_qDv_k77jrIae7y_BHSSQ_IZeneRTOoRmdDa4RlnJqaUKIl03HhN683DsUx-hkDi_OiCy0bOPjhZTiYm8RSQDBkfCerE&a=1N1rEZQQ9Z3Ju6jggwn7hFU1jXytBTcK7r&r=01

    29 December 2016:  ( payload Security report)

    cobycaresfoundation.org
    dev.zodia-q.com
    shark1.idhost.kz
    italysfinestdesign.it
    salutgaudi.com
    zodia-q.com

    /counter/?a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&m=2365622&i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA

    /counter/?i=a5P5yqa6RhR1p80JYSnJbDP0I9KOXtIPtIhrFT4SHyIIqBAg-BghzAkZFkHS2tXw5C3mJYnrwuc1MpOfvGWZGd_STcfaml86P_kj5gA&a=13h8Y8z3WfiDFYG7jEWgsqZmPL94z22ca1&r=01

    2nd version today ( Payload Security Report )

    /counter/?=&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo&a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&r=01

    /counter/?a=16TqYh72RpopqiWR97WGMNtTGTazWFYBg1&m=4831333&i=a5P71qa6RhRlpLdtPLsJBpD0aKRuq7EtvIQrHyyE-zmVoG37HDoS-OmdfAXYY-Y0RtEcCwavHQyucNU4JL_PpGxvv0l-mxt00fo

    31 December 2016: ( Payload Security Report)

    www.iblasoni.com
    aventurarealestatedirectory.com
    www.apogeoform.net
    oytunidil.com
    ocentsinus.com
    sonja.ostrovanka.cz
    instalaciondeairesplit.com

    /counter/?a=1J9cj5Z7UvwkR9Tp1qywXBq994MFZ6dCLn&i=Y5p7yaa6RhRlPVwtx_0twhfOcSziOus6gsFi-6WQ9cGftnod2TtjVWJvU-_2nroNgi-lT8j6sF6rzL02lqFLiuQ20RDPqOBkTCSmGjp6NQ
    /counter/?i=Y5p7yaa6RhRlPVwtx_0twhfOcSziOus6gsFi-6WQ9cGftnod2TtjVWJvU-_2nroNgi-lT8j6sF6rzL02lqFLiuQ20RDPqOBkTCSmGjp6NQ&a=1J9cj5Z7UvwkR9Tp1qywXBq994MFZ6dCLn&r=01

    31 December 2016: update 2 ( Payload Security)

    spiritdoula.net
    www.yabaojiuhe.com
    windycrestrental.com
    maggieellisbusinessconsulting.com
    pn-group.com
    inflation.us

    /counter/?a=16ehyeR9Nhrtgk4z2BrKZVJcKTFYe9Z1Ap&i=Y5r71qa6RhRlpLdvFNp4Tyf0O3puCoDDA0TLPwt-ZnjyqdV140NpvPnVGT2KeqxNu7AHi0Gk1WT6yYGkb0YxpcGpOaMzrto7
    /counter/?i=Y5r71qa6RhRlpLdvFNp4Tyf0O3puCoDDA0TLPwt-ZnjyqdV140NpvPnVGT2KeqxNu7AHi0Gk1WT6yYGkb0YxpcGpOaMzrto7&a=16ehyeR9Nhrtgk4z2BrKZVJcKTFYe9Z1Ap&r=0


  • CTB-Locker ransomware spreading through fake Windows 10 Update emails

    With the highly publicized release of Microsoft’s Windows 10 on July 29th, scammers and malware developers were quick to jump in and use it as a method of distributing malware. Cisco’s Talos Group has discovered a email campaign underway that pretends to be from Microsoft and contains an attachment that will supposedly allow you to upgrade to Windows 10. In reality, though, this email is fake and once you double-click on the attached file, you will instead become infected with the encrypting ransomware CTB-Locker.

    win10_blacked_out.png

    Image of fake Windows Update Email courtesy of Cisco

    As you can see the email pretends to be from the email address update@microsoft.com and contains the subject [b]Windows 10 Free Update. Even the email message looks legitimate with no spelling mistakes or strange grammar. This is because the content is copied directly from Microsoft’s site. The only tell-tale sign is that there will be some characters that do not render properly. Unfortunately, this small sign will not be enough for many people to notice.

    Furthermore, once they download the attachment and extract it, the attached Win10Installer.exe icon will be the familiar Windows 10 logo.

    It isn’t until you inspect the file properties of the attachment, do you see that something is not right as its file description will be iMacros Web Automation and the copyright for the program will belong to Ipswitch. Ipswitch is a legitimate company and not the ones who released this malware.

    Finally, if a user double-clicks on the Win10Installer.exe file, they will not be greeted with the normal Windows 10 upgrade screen. Instead, after a brief delay they will be shown the screen for the CTB-Locker ransomware.

    CTB-Locker Computer Virus removal and data file recovery service. Local and Online service. Fort Lauderdale,Miami, Boca Raton and all South florida
    CTB-Locker Computer Virus removal and data file recovery service. Local and Online service. Fort Lauderdale,Miami, Boca Raton and all South florida

    At this point, the computer’s data will be encrypted and there is not much that can be done about it.

     

    IF INFECTED Visit Our Main Site OR call 754-234-5598

    for latest computer repair and online news.

    Local and Online Virus removal and computer repairs anytime, anywhere