Ransomware: GPCode strikes back

March 25th, 2011 Nicolas Brulez Posted in Industry News, Kaspersky

Back in November 2010, we wrote a blog post about a new variant of the Gpcode Ransomware.

Kaspersky Lab discovered a new variant today, in the form of an obfuscated executable. Please review the technical details for further information. The threat was detected automatically thanks to the Kaspersky Security Network as UDS:DangerousObject.Multi.Generic.

Specific detection has been added, and the threat is now detected as Trojan-Ransom.Win32.Gpcode.bn.

The infection occurs when a malicious website is visited (drive-by download).

Upon execution, the GPCode Ransomware generates a 256-bit AES key (using the Windows Crypto API) and encrypts it with the criminal's 1024-bit RSA public key. The encrypted result is then dropped on the Desktop of the infected computer, inside the ransom text file:


Japan Quake Malware Again

March 25th, 2011 Michael Posted in Industry News, Kaspersky

The earthquake and tsunami related crisis in Japan is still far from over, and so is the appearance of new cyber threats trying to exploit that same crisis. Tens of thousands of people in Japan have lost their homes, and many their loved ones too. On top of that, radiation leaks are still a major concern for the country and its observers, while new tremors remind everyone of nature's power on an almost daily basis. (At time of writing, a magnitude 6.2 quake shook the place!) Today we investigated another malicious webpage. This one states in Portuguese: "Novo tsunami atinge a região de Sendai e Japão declara estado de emegência em usina nuclear", which roughly translates as "New tsunami reaches the area of Sendai, Japan declares state of emergency at nuclear power plant".


Ransomware: Fake Federal German Police (BKA) notice

March 24th, 2011 Nicolas Brulez Posted in Industry News, Kaspersky

Kaspersky Lab is still monitoring malicious websites involved in the recent Japan spam campaigns.

For those who may have missed the first two blog posts, you can read them here and here. However, today we discovered that some of the payloads were not the usual Trojan-Downloader.Win32.CodecPack.*.

Instead, the payload is now Ransomware (detected as Trojan-Ransom.Win32.PornoBlocker.jtg), disguising itself as a fake warning message from the German Federal Police. The message pretends that your computer has been blocked because it was found to be hosting child pornography.

Victims are asked to pay a 100 euro fine to unlock the machine.

As if the German police logo wasn't enough, they also use logos from anti-virus companies such as Kaspersky Lab to look more convincing.


Lab Matters – The State of Spam

March 24th, 2011 Tim Posted in Industry News, Kaspersky

The end of 2010 was a rather bad time to be a spammer. Thanks to an industry-wide effort that included botnet takedowns and legal cases, we saw a dramatic shift in the way spammers used unsolicited e-mail to make money. In this Lab Matters webcast, Kaspersky Lab senior spam analyst Maria Namestnikova looks closely at pharmaceutical spam operations and discusses how spammers are using affiliate programs and rebuilt botnets to recover from last year's crackdown.