Ransom LockEmAll authors getting smarter

Today, I came across with a nastier variant of trojan Ransom LockEmAll while checking at MDL. Since VT was apparently offline I submitted the file to Jotti and Virscan.org and, to my surprise only Avira is detecting this malware. For all the other AV's it says “found nothing”.

I'm not endorsing Avira here since my AV is ESET NOD32 but I want to make a point here, if only one AV is picking-up this nasty piece of malware, this means that its authors [looks that it comes from a Russian Federation IP address] are getting smarter and are concealing it in a way that is nearly undetected by a majority of AVs.

Of course, this means that to get hit by this piece of malware you've got to be searching for p0rn on those shady web-sites. Hence, not too many computers would get infected by it so I wouldn't know if it should be called 0-day threat.


Carlos

 

Another example of how outdated traditional AV detection methods are.

 

Indeed!

Anti-virus alone, are no longer what they used to be back in the Windows 98 days.

Nowadays, Sandbox [virtualization] alongside with behavior block + HIPS + whitelisting/blacklisting is the way to go.

Those AV companies that in year 2011 and ahead still have the approach of fighting malware based on just...virus definitions are doomed to vanish from the AV arena.


Carlos

 

The sample I just found is detected by ESET Heuristics. I should note I had everything set on max. Threatsense should now have signatures though. I reported it to them.

 

Found a new sample and it's not detected. I submitted samples again.

 

Hey,

Trojan Ransom LockEmAll's authors constantly morph their evil creation to avoid detection. If you submit the sample to online multiengine scanners such as VirusTotal or Jotti you will see that the detection rate is very low [1-10%].

When AV vendors catch up with a new variant of this Ransomware another one is already in the wild.

I do download and submit every new variant of this Trojan to ESET but the speed of the malware writers is faster than ESET and mine. Sometimes, the same link from where I downloaded a variant of this ransomware yields a totally different one when a click on the link one or two hours afterwards.

Now, if the behavior of this trojan variants is similar regardless the variant, the best approach to detect it without relying too much on virus signatures would be HIPS/behavior blocking.


Regards,


Carlos

 

Much is being made these days of malware authors "getting smarter," but techniques to evade detection have been around for many years.

The Storm Trojan debuted almost five years ago, and used repacking techniques to avoid detection:

Peerbot: Catch me if you can
http://www.symantec.com/avcenter/reference/peerbot.catch.me.if.you.can.pdf
March 2007

Other variants updated more frequently:

Storm Worm
http://en.wikipedia.org/wiki/Storm_Worm

The techniques used today are more complex and sophisticated, but there has really been no change in the overall scheme of attack used by the cybercriminals to keep one step ahead of detection.

regards,

-rich

 

Thanks Rich for your interesting response.

I came across with a YouTube video about what trojan Ransom LockEmAll does when it infects a computer. It virtually renders the computer useless.
It won't allow to boot Windows onto Safe Mode and some people even claim that it won't allow you to remove it by using a rescue disk since it changes explorer.exe onto something else.

---http://www.youtube.com/watch?v=uYcqFylEcNU ----

Very nasty piece of malware, indeed !


Carlos

 

Thanksgiving weekend I went to my Dad's and he wanted me to wipe their broken laptop's hard drive. Before I did this I installed the trial of DefenseWall onto it to show it to him and my stepmom, in an attempt to get them to buy it.

I tested this malware against DefenseWall to see how it performed, and it was as easy and right-clicking DefenseWall's icon and hitting the "Stop Attack" button!

Needless to say DefenseWall proves itself again, and I conviced my Dad to buy it when their Norton expires. (Yes it can be used with Norton but I'm not going to push him).

P.S. I do want to note that I almost couldn't click the "Stop Attack" thing because the ransom screen kept putting itself above all windows, but I was quick enough to click the stop attack option before it was covered.