Ransomware.

Hi,
How does the wonderful Avast fare against these nasty ransomware exploits?
The odd trojan getting through I can live with, but these ransomware exploits look positively evil.
Regards.

Avast is about the same as all other AVs: it will catch about half. Currently there are two doing the rounds that encrypt the files to such a degree that you might just as well nuke the drive. The problem is catching the dropper file, and all the ones I have come across so far self-delete as soon as they have dropped the payload. This is where backups come into their own. Always have one.

Why would you nuke the hard drive that has ransomware on it when you can use a boot CD to get rid of the ransomware easily and save time?

If you read essexboy’s post again instead of just quoting it, you will see why it may require the nuclear option.

Currently there are two doing the rounds that encrypt the files to such a degree that you might just as well nuke the drive.

Essexboy is a qualified malware removal specialist and teacher on geekstogo’s Geek Uni (a UNITE-approved malware removal training school), so is well qualified to make that comment.

Look here: [12/42], and Avast is one of them ;):
https://www.virustotal.com/file/a71c0d049d098c6c8eafd7d4dc58184487d40f9501e56174bac855751bb62ea3/analysis/1339529596/

Hope that answers your query.

Hm, Avast didn’t find it.

You didn’t view the latest result; here is the … latest result: https://www.virustotal.com/file/a71c0d049d098c6c8eafd7d4dc58184487d40f9501e56174bac855751bb62ea3/analysis/

The most common piece of ransomware is known as Win32/Reveton. This type of ransomware pretends to be the “local police”; it locks your computer until you pay a fine. You can read more here: http://www.f-secure.com/weblog/archives/00002344.html
It is hard for AVs to detect such threats as they come bundled with the BlackHole exploit kit.

The early versions of this just replaced the desktop via winlogon. But the later ones

The latest iteration of this malware is stronger than ever, using RSA-1024 and AES-256 as crypto algorithms. GpCode is back and it is stronger than before. Unlike the previous variants, it doesn’t delete files after encryption. Instead it overwrites data in the files, which makes it impossible to use data-recovery software such as PhotoRec, which we suggested during the last attack.
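The two mechanisms in the quoted report, as an added example that is not part of this thread or of any vendor's code: a Go program that does the hybrid encryption the report names (a fresh AES-256 key per file, wrapped with the attacker's RSA public key) and then contrasts the two file-handling choices the report describes, deleting the original versus overwriting it in place, against a naive header/footer carver of the kind PhotoRec uses. The disk image, the sample "document", the signatures and all function names are constructed for the demo; it uses a 2048-bit RSA key because 1024 bits is below current minimums, and AES in CTR mode so the ciphertext has exactly the original's length and fits over the original's bytes.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// carve ignores any directory and scans a raw disk image for a header/footer
// signature, the way recovery tools such as PhotoRec read an unmounted disk.
func carve(image, header, footer []byte) ([]byte, bool) {
	s := bytes.Index(image, header)
	if s < 0 {
		return nil, false
	}
	if e := bytes.Index(image[s:], footer); e >= 0 {
		return image[s : s+e+len(footer)], true
	}
	return nil, false
}

// xorCTR runs AES-CTR; the same call encrypts and decrypts and keeps the length.
func xorCTR(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a wrong key length
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// envelope is all that lands on the victim's machine: ciphertext plus the
// per-file AES-256 key wrapped under the attacker's RSA public key.
type envelope struct{ wrappedKey, iv, data []byte }

func encryptHybrid(pub *rsa.PublicKey, plaintext []byte) (*envelope, error) {
	buf := make([]byte, 32+aes.BlockSize) // fresh AES-256 key followed by the CTR IV
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, iv := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &envelope{wrapped, iv, xorCTR(key, iv, plaintext)}, nil
}

// decryptHybrid needs the RSA private key, which never leaves the attacker.
func decryptHybrid(priv *rsa.PrivateKey, env *envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return xorCTR(key, env.iv, env.data), nil
}

// Constructed sample: the header/footer pair gives the carver a signature to find.
var sampleDoc = []byte("%PDF-1.4 constructed sample document, not a real PDF %%EOF")

type demoResult struct{ carvedAfterDelete, carvedAfterOverwrite, roundTripOK bool }

func runDemo() (demoResult, error) {
	var r demoResult
	attacker, err := rsa.GenerateKey(rand.Reader, 2048) // GpCode's 1024 bits is below today's minimum
	if err != nil {
		return r, err
	}
	env, err := encryptHybrid(&attacker.PublicKey, sampleDoc)
	if err != nil {
		return r, err
	}
	hdr, ftr := []byte("%PDF-"), []byte("%%EOF")
	// Scenario 1: write the encrypted copy, then delete the original. unlink only
	// drops the directory entry; the original's bytes are still in the image.
	disk1 := append(append([]byte{}, sampleDoc...), env.data...)
	got, ok := carve(disk1, hdr, ftr)
	r.carvedAfterDelete = ok && bytes.Equal(got, sampleDoc)
	// Scenario 2: overwrite the original's own bytes in place, as the later GpCode does.
	disk2 := append([]byte{}, sampleDoc...)
	copy(disk2, env.data) // CTR ciphertext has exactly the original's length
	_, r.carvedAfterOverwrite = carve(disk2, hdr, ftr)
	// Only the holder of the RSA private key can unwrap the AES key and decrypt.
	plain, err := decryptHybrid(attacker, env)
	r.roundTripOK = err == nil && bytes.Equal(plain, sampleDoc)
	return r, nil
}

func main() {
	r, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Running it yields carvedAfterDelete true, carvedAfterOverwrite false and roundTripOK true: a deleted original can still be carved out of the unused area of the image, an overwritten one cannot, and nothing left on the victim's disk helps decrypt without the RSA private key. That combination is the practical argument behind the backup advice earlier in the thread.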

These types of infections have always interested me ;D

I want to have one of these infections on my desktop once to give it a shot! ;D 8)

Thanks, and nice info, essexboy!

I am gonna go and hunt it up once and give it a shot on my desktop… bye! :)

That is why I suggested we should have IDS incorporated. I have found lately that urlQuery with Suricata with Emerging Threats IDS flags all these BlackHole sites that other scanners miss, and a lot of other issues; see for instance: http://urlquery.net/report.php?id=69339 Good to flag these specific threats.

polonus

Hi Left123,

Well, again, IDS can help, but this one dodged the IDS rules: http://urlquery.net/report.php?id=69370 but it is flagged there.
Avast detects this as Java:Blackcole-A [Trj].
The block of script, which calls a function called iframer, looks suspicious…
See: http://labs.sucuri.net/db/malware/malware-entry-mwjs160
redirecting to (see): http://zulu.zscaler.com/seen/f0794ce9a2c7198a0e9d9cd298e9c37d-1339698898

polonus

If it walks like a duck… and talks like a duck… methinks av1993 is nsm0220.

Certainly looks that way; too many coincidences involved. I guess he can join his alter ego…