Ransom LockEmAll authors getting smarter

Discussion in 'malware problems & news' started by Zyrtec, Oct 25, 2011.

Thread Status:
Not open for further replies.
  1. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Today, I came across a nastier variant of trojan Ransom LockEmAll while checking MDL. Since VT was apparently offline I submitted the file to Jotti and Virscan.org and, to my surprise, only Avira is detecting this malware. For all the other AVs it says “found nothing”.

    I'm not endorsing Avira here since my AV is ESET NOD32, but I want to make a point: if only one AV is picking up this nasty piece of malware, this means that its authors [it looks like it comes from a Russian Federation IP address] are getting smarter and are concealing it in a way that is nearly undetected by a majority of AVs.

    Of course, this means that to get hit by this piece of malware you've got to be searching for p0rn on those shady web-sites. Hence, not too many computers would get infected by it, so I wouldn't know if it should be called a 0-day threat.


    Carlos
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Another example of how outdated traditional AV detection methods are.
     
  3. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Indeed!

    Anti-virus alone is no longer what it used to be back in the Windows 98 days.

    Nowadays, sandboxing [virtualization] along with behavior blocking + HIPS + whitelisting/blacklisting is the way to go.

    Those AV companies that in the year 2011 and beyond still have the approach of fighting malware based on just... virus definitions are doomed to vanish from the AV arena.


    Carlos
     
  4. x942

    x942 Guest

    The sample I just found is detected by ESET Heuristics. I should note I had everything set on max. Threatsense should now have signatures though. I reported it to them.
     
  5. x942

    x942 Guest

    Found a new sample and it's not detected. I submitted samples again.
     
  6. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    Hey,

    Trojan Ransom LockEmAll's authors constantly morph their evil creation to avoid detection. If you submit the sample to online multiengine scanners such as VirusTotal or Jotti you will see that the detection rate is very low [1-10%].

    When AV vendors catch up with a new variant of this Ransomware another one is already in the wild.

    I do download and submit every new variant of this Trojan to ESET, but the speed of the malware writers is faster than ESET's and mine. Sometimes, the same link from where I downloaded a variant of this ransomware yields a totally different one when I click on the link one or two hours afterwards.

    Now, if the behavior of this trojan's variants is similar regardless of the variant, the best approach to detect it without relying too much on virus signatures would be HIPS/behavior blocking.


    Regards,


    Carlos
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Much is being made these days of malware authors "getting smarter," but techniques to evade detection have been around for many years.

    The Storm Trojan debuted almost five years ago, and used repacking techniques to avoid detection:

    Peerbot: Catch me if you can
    http://www.symantec.com/avcenter/reference/peerbot.catch.me.if.you.can.pdf
    March 2007
    Other variants updated more frequently:

    Storm Worm
    http://en.wikipedia.org/wiki/Storm_Worm
    The techniques used today are more complex and sophisticated, but there has really been no change in the overall scheme of attack used by the cybercriminals to keep one step ahead of detection.

    regards,

    -rich
     
  8. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Thanks Rich for your interesting response.

    I came across a YouTube video about what trojan Ransom LockEmAll does when it infects a computer. It virtually renders the computer useless.
    It won't allow Windows to boot into Safe Mode, and some people even claim that it won't allow you to remove it by using a rescue disk since it changes explorer.exe into something else.

    http://www.youtube.com/watch?v=uYcqFylEcNU

    Very nasty piece of malware, indeed!


    Carlos
     
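A read-only check for the two symptoms Carlos describes above (explorer.exe replaced, Safe Mode blocked), added here as an example; it is not from the thread or from any product mentioned in it. It assumes the tampering is done through the Winlogon Shell/Userinit values, the SafeBoot registry keys and an Image File Execution Options entry for explorer.exe; the thread does not say which mechanism the trojan actually uses.

```powershell
# Added example, not from the thread: report the common ways the Windows shell and
# Safe Mode get hijacked. Read-only; run from an elevated PowerShell prompt.
# Assumption: these registry locations are where the tampering would show up.

$findings = @()

# 1. Winlogon Shell / Userinit: Windows launches explorer.exe from these values.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "HKLM Winlogon Shell is '$shell' (expected 'explorer.exe')"
}
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
$expectedUserinit = "$env:SystemRoot\system32\userinit.exe,"
if ($userinit -and $userinit.Trim() -ne $expectedUserinit) {
    $findings += "HKLM Winlogon Userinit is '$userinit' (expected '$expectedUserinit')"
}
# A per-user Shell value overrides the machine-wide one, so check HKCU as well.
$hkcuWinlogon = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userShell = (Get-ItemProperty -Path $hkcuWinlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($userShell) { $findings += "HKCU Winlogon Shell override present: '$userShell'" }

# 2. Safe Mode: the SafeBoot\Minimal and SafeBoot\Network keys must exist,
#    otherwise Safe Mode cannot boot at all.
foreach ($mode in 'Minimal', 'Network') {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    if (-not (Test-Path $key)) {
        $findings += "SafeBoot\$mode key is missing (Safe Mode will not boot)"
    }
}

# 3. IFEO Debugger on explorer.exe redirects every launch of explorer to another binary.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe'
$dbg = (Get-ItemProperty -Path $ifeo -Name Debugger -ErrorAction SilentlyContinue).Debugger
if ($dbg) { $findings += "IFEO Debugger set for explorer.exe: '$dbg'" }

if ($findings.Count -eq 0) { 'No shell or Safe Mode tampering found.' } else { $findings }
```

String comparisons with -ne are case-insensitive in PowerShell, so the default values match regardless of how they are capitalised on a given system.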
  9. Brandonn2010

    Brandonn2010 Registered Member

    Joined:
    Jan 10, 2011
    Posts:
    1,849
    Thanksgiving weekend I went to my Dad's and he wanted me to wipe their broken laptop's hard drive. Before I did this I installed the trial of DefenseWall onto it to show it to him and my stepmom, in an attempt to get them to buy it.

    I tested this malware against DefenseWall to see how it performed, and it was as easy as right-clicking DefenseWall's icon and hitting the "Stop Attack" button!

    Needless to say DefenseWall proves itself again, and I convinced my Dad to buy it when their Norton expires. (Yes, it can be used with Norton, but I'm not going to push him.)

    P.S. I do want to note that I almost couldn't click the "Stop Attack" thing because the ransom screen kept putting itself above all windows, but I was quick enough to click the stop attack option before it was covered.
     