Wilders Security Forums
Other Security Topics > malware problems & news
#1   October 25th, 2011, 10:23 PM
Zyrtec (Frequent Poster; joined Mar 2008; location USA; 534 posts)
Ransom LockEmAll authors getting smarter

Today, I came across a nastier variant of the trojan Ransom LockEmAll while checking MDL. Since VT was apparently offline, I submitted the file to Jotti and Virscan.org and, to my surprise, only Avira is detecting this malware. For all the other AVs it says "found nothing".

I'm not endorsing Avira here, since my AV is ESET NOD32, but I want to make a point: if only one AV is picking up this nasty piece of malware, this means that its authors [it looks like it comes from a Russian Federation IP address] are getting smarter and are concealing it in a way that is nearly undetected by the majority of AVs.

Of course, this means that to get hit by this piece of malware you've got to be searching for p0rn on those shady websites. Hence, not too many computers would get infected by it, so I wouldn't know if it should be called a 0-day threat.


Carlos
__________________
Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin [1706 - 1790]
#2   October 26th, 2011, 05:29 PM
J_L (Massive Poster; joined Nov 2009; 4,833 posts)
Re: Ransom LockEmAll authors getting smarter

Another example of how outdated traditional AV detection methods are.
#3   October 26th, 2011, 08:33 PM
Zyrtec (Frequent Poster; joined Mar 2008; location USA; 534 posts)
Re: Ransom LockEmAll authors getting smarter

Quote:
Originally Posted by J_L
Another example of how outdated traditional AV detection methods are.

Indeed!

Anti-virus alone is no longer what it used to be back in the Windows 98 days.

Nowadays, sandboxing [virtualization] alongside behavior blocking + HIPS + whitelisting/blacklisting is the way to go.

Those AV companies that in 2011 and beyond still have the approach of fighting malware based on just...virus definitions are doomed to vanish from the AV arena.


Carlos
#4   October 26th, 2011, 10:28 PM
x942 (Very Frequent Poster; joined Feb 2011; location "Your Network"; 1,101 posts)
Re: Ransom LockEmAll authors getting smarter

Quote:
Originally Posted by Zyrtec
Today, I came across a nastier variant of the trojan Ransom LockEmAll while checking MDL. Since VT was apparently offline, I submitted the file to Jotti and Virscan.org and, to my surprise, only Avira is detecting this malware. For all the other AVs it says "found nothing".

I'm not endorsing Avira here, since my AV is ESET NOD32, but I want to make a point: if only one AV is picking up this nasty piece of malware, this means that its authors [it looks like it comes from a Russian Federation IP address] are getting smarter and are concealing it in a way that is nearly undetected by the majority of AVs.

Of course, this means that to get hit by this piece of malware you've got to be searching for p0rn on those shady websites. Hence, not too many computers would get infected by it, so I wouldn't know if it should be called a 0-day threat.


Carlos

The sample I just found is detected by ESET heuristics. I should note I had everything set to max. ThreatSense should now have signatures, though; I reported it to them.
__________________
E-Mail: og8oh@notsharingmy.info
#5   October 28th, 2011, 05:48 PM
x942 (Very Frequent Poster; joined Feb 2011; location "Your Network"; 1,101 posts)
Re: Ransom LockEmAll authors getting smarter

Found a new sample and it's not detected. I submitted samples again.
#6   October 29th, 2011, 12:08 AM
Zyrtec (Frequent Poster; joined Mar 2008; location USA; 534 posts)
Re: Ransom LockEmAll authors getting smarter

Quote:
Originally Posted by x942
Found a new sample and it's not detected. I submitted samples again.


Hey,

Trojan Ransom LockEmAll's authors constantly morph their evil creation to avoid detection. If you submit the sample to online multiengine scanners such as VirusTotal or Jotti you will see that the detection rate is very low [1-10%].

When AV vendors catch up with a new variant of this Ransomware another one is already in the wild.

I do download and submit every new variant of this trojan to ESET, but the malware writers are faster than ESET and me. Sometimes, the same link from which I downloaded a variant of this ransomware yields a totally different one when I click on the link one or two hours afterwards.

Now, if the behavior of this trojan is similar regardless of the variant, the best approach to detect it without relying too much on virus signatures would be HIPS/behavior blocking.


Regards,


Carlos
#7   October 29th, 2011, 01:44 AM
Rmus (Exploit Analyst; joined Mar 2005; 3,624 posts)
Re: Ransom LockEmAll authors getting smarter

Quote:
Originally Posted by Zyrtec
...if only one AV is picking-up this nasty piece of malware, this means that its authors [looks that it comes from a Russian Federation IP address] are getting smarter and are concealing it in a way that is nearly undetected by a majority of AVs.
Much is being made these days of malware authors "getting smarter," but techniques to evade detection have been around for many years.

The Storm Trojan debuted almost five years ago, and used repacking techniques to avoid detection:

Peerbot: Catch me if you can
http://www.symantec.com/avcenter/ref...if.you.can.pdf
March 2007
Quote:
New, different executables are spread with the same functionality every once in a while, in the hopes that there won't be a signature-based definition recognizing the newly created files. Even though these executables look different every time, the original packed code and data and their functionality do not change unless there are changes in the source code. By using this technique, the authors ensure a pretty good chance of evading detection that relies on specific signature recognition, while the cost of establishing and maintaining such a system is minimal (i.e. given the packer, a small script could do the job in no time). The files can be refreshed as often as every download, but it has been noted that timed intervals are preferred (for instance, the executables may be repacked every hour).
Other variants updated more frequently:

Storm Worm
http://en.wikipedia.org/wiki/Storm_Worm
Quote:
According to Joe Stewart, director of malware research for SecureWorks, Storm remains amazingly resilient, in part because the Trojan horse it uses to infect systems changes its packing code every 10 minutes, and, once installed, the bot uses fast flux to change the IP addresses for its command and control servers.
The techniques used today are more complex and sophisticated, but there has really been no change in the overall scheme of attack used by the cybercriminals to keep one step ahead of detection.

regards,

-rich
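The repacking scheme that Carlos describes in post #6 (a new build every hour or two, 1-10% multi-engine detection) and that the Peerbot paper above spells out, modelled as an added Python illustration. This is not code from the thread, from Symantec or from any of the malware discussed: the payload is a constructed byte string, the "packer" is a one-byte-key XOR with a small header standing in for a real packer, and the signature and both scanners are deliberately minimal. It shows the point the Peerbot quote makes: every repack changes the on-disk hash and defeats the byte signature, while the unpacked body, which is what actually runs, is identical from build to build, so a scanner that unpacks (or a behaviour blocker that watches what the body does) sees the same thing every time.

```python
"""Added illustration: per-build repacking versus a static byte signature."""
import hashlib
import os

# Constructed stand-in for the malware body. It never changes between builds,
# exactly as the Peerbot paper describes (only the packing layer changes).
PAYLOAD = (
    b"LOCKEMALL-TOY:"
    b"set Winlogon\\Shell=locker.exe;"   # constructed, not the real variant
    b"delete SafeBoot\\Minimal;"
    b"show topmost ransom window"
)

# Toy packer format: 8-byte magic, 1 key byte, XOR-encoded body.
MAGIC = b"TOYPACK1"

# A perfectly good signature, written against the unpacked body.
SIGNATURE = b"Winlogon\\Shell=locker.exe"


def pack(payload: bytes, key: int) -> bytes:
    """Produce a fresh 'build' of the same payload under a new key."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte (0 would leave the body in clear)")
    body = bytes(b ^ key for b in payload)
    return MAGIC + bytes([key]) + body


def unpack(blob: bytes) -> bytes:
    """What a generic-unpacking or emulating engine does: undo the packer."""
    if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 1:
        raise ValueError("not a TOYPACK1 build")
    key = blob[len(MAGIC)]
    return bytes(b ^ key for b in blob[len(MAGIC) + 1:])


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def static_scan(blob: bytes) -> bool:
    """Signature match on the file exactly as it sits on disk."""
    return SIGNATURE in blob


def unpack_then_scan(blob: bytes) -> bool:
    """Signature match after unpacking: sees the unchanged body every time."""
    try:
        return SIGNATURE in unpack(blob)
    except ValueError:
        return False


def random_keys(n: int) -> list:
    """n fresh non-zero key bytes, one per 'hourly' repack."""
    return [1 + os.urandom(1)[0] % 255 for _ in range(n)]


def repack_campaign(keys) -> list:
    """One record per build: disk hash, unpacked hash, and both verdicts."""
    records = []
    for key in keys:
        blob = pack(PAYLOAD, key)
        records.append({
            "key": key,
            "disk_sha256": sha256(blob),
            "unpacked_sha256": sha256(unpack(blob)),
            "static_match": static_scan(blob),
            "unpacked_match": unpack_then_scan(blob),
        })
    return records


def summarize(records) -> dict:
    """How a hash blocklist, a static signature and an unpacking scanner fare."""
    return {
        "builds": len(records),
        "distinct_disk_hashes": len({r["disk_sha256"] for r in records}),
        "distinct_unpacked_hashes": len({r["unpacked_sha256"] for r in records}),
        "static_detections": sum(r["static_match"] for r in records),
        "unpacked_detections": sum(r["unpacked_match"] for r in records),
    }


if __name__ == "__main__":
    campaign = repack_campaign(random_keys(24))   # a day of hourly repacks
    for name, value in summarize(campaign).items():
        print(f"{name:26s} {value}")
```

Run stand-alone it prints 24 builds, 24 (or very nearly, since keys are random) distinct disk hashes, one distinct unpacked hash, zero static detections and 24 unpacking detections. The signature itself is not the problem (it matches the unpacked body every time); matching it against the packed file is. The same applies to hash blocklists, which is why a sample re-downloaded two hours later shows up as "new" on VirusTotal.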
#8   October 30th, 2011, 12:31 AM
Zyrtec (Frequent Poster; joined Mar 2008; location USA; 534 posts)
Re: Ransom LockEmAll authors getting smarter

Thanks Rich for your interesting response.

I came across a YouTube video about what the trojan Ransom LockEmAll does when it infects a computer. It virtually renders the computer useless.
It won't allow Windows to boot into Safe Mode, and some people even claim that it won't allow you to remove it by using a rescue disk, since it changes explorer.exe into something else.

http://www.youtube.com/watch?v=uYcqFylEcNU

Very nasty piece of malware, indeed !


Carlos
#9   December 1st, 2011, 12:58 PM
Brandonn2010 (Very Frequent Poster; joined Jan 2011; 1,215 posts)
Re: Ransom LockEmAll authors getting smarter

Thanksgiving weekend I went to my Dad's and he wanted me to wipe their broken laptop's hard drive. Before I did this I installed the trial of DefenseWall onto it to show it to him and my stepmom, in an attempt to get them to buy it.

I tested this malware against DefenseWall to see how it performed, and it was as easy as right-clicking DefenseWall's icon and hitting the "Stop Attack" button!

Needless to say, DefenseWall proves itself again, and I convinced my Dad to buy it when their Norton expires. (Yes, it can be used with Norton, but I'm not going to push him.)

P.S. I do want to note that I almost couldn't click the "Stop Attack" thing because the ransom screen kept putting itself above all windows, but I was quick enough to click the stop attack option before it was covered.
__________________
OS: Windows 7 Pro x64 | First-Line: Norton DNS + Google Chrome | Realtime: Bitdefender Free Antivirus | On-Demand: HitmanPro Free + Malwarebytes Free | My Computer Security Website: Link
 

All times are GMT -4.
Copyright ©2002 - 2013, Wilders Security Forums