Tag Archives: downloader

When tech support scams meet Ransomlock

      No Comments on When tech support scams meet Ransomlock
A technical-support phone scam uses Trojan.Ransomlock.AM to lock the user’s computer and trick them into calling a technical help phone number to resolve the issue.

Ransomlock 1.jpg

What’s true for businesses is also true for scams and malware, to remain successful they must evolve and adapt. Sometimes ideas or methods are borrowed from one business model and used in another to create an amalgamation. After all, some of the best creations have come about this way; out of ice-cream and yogurt was born delicious frogurt, and any reputable hunter of the undead will tell you the endless benefits of owning a sledge saw. Cybercriminals responsible for malware and various scams also want their “businesses” to remain successful and every now and again they too borrow ideas from each other. We recently came across an example of this when we discovered a technical-support phone scam that uses a new ransomware variant (Trojan.Ransomlock.AM) that locks the user’s computer and tricks them into calling a phone number to get technical help to resolve the issue.

A game of two halves:


Ransomware can be divided into two main categories: Ransomware that simply locks the compromised computer’s screen (Trojan.Ransomlock), and ransomware that encrypts files found on the compromised computer (Trojan.Ransomcrypt, Trojan.Cryptowall, Trojan.Cryptolocker etc.).

This year we’ve observed a major role reversal in the ransomware landscape with the cryptomalware variants overtaking the ransomlock variants in prevalence. Ransomlock variants may have lost the lead to cryptomalware variants, but they are by no means out of the game and from time-to-time we do observed newcomers that add a fresh twist to the screen-locking business model.

Ransomlock 2.png

Figure 1. Top ten ransomware detections as of 11-07-14

Technical support scams

Technical support scams are definitely not new and have been around for quite some time now. In these scams, the crooks cold call random people, often claiming to be a well-known software company, and try to convince them that their computers are full of critical errors or malware. The end goal is to get onto the victim’s computer using a remote-access tool in order to convince users of problems, as well as to entice the victim into buying fake repair tools in order to fix the non-existent problems. The Federal Trade Commission states that this type of scam is one of the fastest growing cyberscams and several high-profile arrests have been made in recent times in a crackdown on the cybercriminals responsible. Technical support scams rely on potential victims being cold called and this can mean a lot of work for the scammers; however, some cybercriminals have now overcome this and have figured out a way to get the victims to call them.

When scams merge

We recently came across Trojan.Ransomlock.AM that, like its predecessors, locks the compromised computer’s screen. The locked screen displays a blue screen of death (BSoD) error message, but this is no ordinary BSoD!

In this BSoD, the message claims that the computer’s health is critical and a problem is detected and it asks the user to call a technical support number.

For the sake of research, we made a call to the number to see just what these crooks are up to.

Ransomlock 3 edit.png

Figure 2. Fake BSoD lock screen

According to the support engineer we spoke to, named “Brian,” the technical support company is called “Falcon Technical Support.” Once the number has been called, the scam follows the same modus operandi as most technical support scams; however, the most interesting thing here is the use of ransomware in order to get the user to call the scammers. Once the call has been made, the scammers have everything they need to convince the user their computer is infected with malware…because it is infected with Trojan.Ransomlock.AM.

ransomlock comic edit.png

Figure 3. The scammers get a bright idea


Trojan.Ransomlock.AM has been observed being distributed and bundled with a grayware installer (detected as Downloader). This installer offers to install grayware applications such as SearchProtect and SpeedUPMyPc.

Upon execution, it installs the grayware as advertised but it also drops another file named preconfig.exe, which is the malware installer (detected as Trojan.Dropper). This second installer adds an entry on the infected computer so that when it restarts it will execute the final payload (diagnostics.exe) which is Trojan.Ransomlock.AM.

Trojan.Ransomlock.AM needs an internet connection to perform its dirty deeds. The malware first needs to send information from the compromised computer to the command-and-control (C&C) server, such as the hostname, IP address, screen resolution, and a random number. In exchange, the C&C server sends back the correct size image file to fit the whole screen. The information collected will also give the crooks a useful jump start when trying to convince the user their computer is in trouble, which other technical support scammers do not have. The malware, stolen information, and BSoD lock screen all help to strengthen the scammers’ social-engineering capabilities.

Fortunately, Trojan.Ransomlock.AM was first seen in September and does not have a high prevalence; however, as with any threat, this can quickly change. According to our telemetry, the threat is currently limited to the United States.

Symantec protection

Trojan.Ransomlock.AM is far from the most complex or resilient ransomware we’ve seen and is in fact very simple. The compromised computer may look locked but users can simply follow these steps to unlock the screen:

  1. Simultaneously press the Ctrl+Alt+Delete keys on the keyboard
  2. Open Task Manager
  3. Search for the malware name (it should be diagnostics.exe) and end the process
  4. When the screen is unlocked, go to the registry editor by clicking on the Start button, then Run, and typing REGEDIT
  5. Delete the registry entry HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun”Diagnostics” = “[PATH TO MALWARE]”
  6. You should also delete the file folder from the directory

Users of Symantec products can simply perform a full scan to safely remove Trojan.Ransomlock.AM.

Symantec has the following detections in place to protect against this threat:

Antivirus detections

Symantec advises users to be extra careful when calling or receiving a call from a technical call center. Users should be cautious and always check the company’s identity. If you need assistance with a computer-related issue, contact a reputable bricks-and-mortar computer repair shop or your IT support team if it’s your work computer that is affected. 

????????? Gameover Zeus ????????????????

国際的な法執行機関により、金銭詐取を目的としたボットネットや Cryptolocker ランサムウェアネットワークの背後にいる攻撃グループが所有している大規模なインフラが押収されました。

International Takedown Wounds Gameover Zeus Cybercrime Network

Large swathes of infrastructure owned by the attackers behind the financial fraud botnet and Cryptolocker ransomware network seized by authorities.
Read more…

?? ?? ???? ??? ?? Gameover Zeus ??? ?? ??

Large swathes of infrastructure owned by the attackers behind the financial fraud botnet and Cryptolocker ransomware network seized by authorities.
Read more…

Email with subject “FW:Bank docs” leads to information theft

In this blogpost we will look deep into a spam campaign, where unlike other possible scenarios, the victim is infected by opening and running an email attachment. In the beginning of this year, we blogged about a spam campaign with a different spam message – a fake email from the popular WhatsApp messenger. This time […]

Adobe Flash ????????????????????????????

      No Comments on Adobe Flash ????????????????????????????

ゼロデイ脆弱性を悪用する水飲み場型攻撃が、さらに広がりつつあります。シマンテックは先週、Internet Explorer 10 のゼロデイ脆弱性が水飲み場型攻撃に悪用されていることをお伝えしましたが、それからちょうど 1 週間後、今度は Adobe Flash Player と Adobe AIR に存在するリモートコード実行の脆弱性(CVE-2014-0502)が、やはり水飲み場型攻撃で悪用されていることが確認されました。この新しい攻撃は、さまざまなメディアで「Operation GreedyWonk」と呼ばれており、3 つの NPO 団体の Web サイトを標的にしていると報じられています。シマンテックの遠隔測定によると、新しいゼロデイ脆弱性を悪用するこの水飲み場型攻撃では、ほかにも多くのサイトが標的になっていることが判明しました。


図 1. Adobe Flash のゼロデイ脆弱性を悪用する水飲み場型攻撃


今回の攻撃に使われているのも、水飲み場型攻撃として知られる手法です。被害者がアクセスした Web サイトは、標的を別の Web サイト(giftserv.hopto.org)にリダイレクトするために攻撃者によって侵害され、iframe が仕込まれています。リダイレクト先のサイトでは悪質な index.php ファイル(Trojan.Malscript)が読み込まれ、このファイルによって標的のシステムが 32 ビットか 64 ビットかが判定されます。この判定結果に応じて、攻撃者のサーバーにホストされている 32 ビットまたは 64 ビットのいずれかのフォルダから、悪質な index.html ファイル(これも Trojan.Malscript として検出されます)と追加コンポーネントがダウンロードされます。悪質な index.html は次に cc.swf という Adobe Flash ファイル(Trojan.Swifi)を読み込み、これにゼロデイ脆弱性が存在します。悪用に成功すると、暗号化されたシェルコードを含む logo.gif という画像ファイルがダウンロードされ、このシェルコードによって悪質なペイロード server.exe(Backdoor.Jolob)がダウンロードされ実行されます。


インストールされている Adobe 製品を最新バージョンに更新して、この脆弱性に緊急に対処することをお勧めします。ソフトウェアのアップグレード方法について詳しくは、Adobe Security Bulletin を参照してください。






水飲み場型攻撃が、特定の個人を標的にした攻撃者の間で多用され続けていることは、今回の事例からも明らかです。ゼロデイ脆弱性が次々と悪用されていることを考えると、攻撃者が使える武器は無尽蔵とも言えます。複数の Web サイトで Adobe Flash のこの脆弱性が確認されていますが、送信されているペイロードはそのすべてで異なります。今回のゼロデイ悪用コードが多くの攻撃者に販売されている可能性や、あるいは単独の攻撃者が複数の攻撃キャンペーンを仕掛けている可能性があります。シマンテックは、最善の保護対策を提供できるように、この攻撃の調査を続ける予定です。


図 2. 水飲み場型攻撃の手口


* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

New Flash Zero-Day Linked to Yet More Watering Hole Attacks

Watering hole attacks using zero-day vulnerabilities are becoming more common. Last week we announced an Internet Explorer 10 zero-day being used in a watering hole attack and today, just one week later we have an Adobe Flash zero-day, Adobe Flash Player and AIR CVE-2014-0502 Remote Code Execution Vulnerability (CVE-2014-0502), also being used in a watering hole attack. This new attack has been dubbed “Operation GreedyWonk” in various media and is reported to be targeting the websites of three non-profit institutions. Symantec telemetry shows even more sites being targeted in this watering hole attack using this new zero-day.


Figure 1. Watering hole attack using Adobe Flash 0-day

Anatomy of the attack

This attack technique is known as a watering hole attack. In this case the target visits a compromised website that contains an IFrame inserted by the attackers in order to redirect the target to another website (giftserv.hopto.org). This new site loads a malicious index.php file (Trojan.Malscript) which checks whether the victim is running a 32-bit or 64-bit system. Depending on the results, a malicious index.html file (also Trojan.Malscript) and additional components are also downloaded from either the 32-bit or 64-bit folders hosted on the attacker’s server. The malicious index.html file then loads the cc.swf Adobe Flash file (Trojan.Swifi) containing the zero-day. Once exploited, a logo.gif image file is downloaded containing encrypted shellcode which downloads and executes the malicious server.exe (Backdoor.Jolob) payload.

How can I prevent and mitigate against this attack?

Symantec recommends users update their Adobe product installations to the latest versions to address this critical vulnerability. Details of how to upgrade software are available in an Adobe Security Bulletin.

Symantec customers are protected from this zero-day attack with the following detections:


Intrusion Prevention Signatures

  • Web Attack: Malicious SWF Download 22

As always, we also advise customers to use the latest Symantec technologies and incorporate the latest Symantec consumer and enterprise solutions to best protect against attacks of any kind.

Watering hole attacks remain popular

This latest watering hole attack demonstrates that it remains a popular technique for attackers to target individuals of interest. The use of yet another zero-day indicates the arsenal available to attackers shows no signs of depletion. Multiple websites have been identified using this Adobe Flash zero-day, all with different payloads being delivered. This may be the result of this particular zero-day being sold to a number of different attackers, or possibly that it was used by a single attacker in multiple campaigns. Symantec continues to investigate this attack to ensure that the best possible protection is in place.


Figure 2. Anatomy of a watering hole attack

Cryptolocker に関する Q&A: 今年最大の脅威


このようにユーザー意識が高まった結果、2013 年最後の四半期にはサイバー犯罪の世界に新たな脅迫の手口が生まれました。それが Cryptolocker です。Cryptolocker は、貴重なデータを失うかもしれないという、ユーザーにとって最大の不安を突くことで広がっています。以前のランサムウェアはオペレーティングシステムをロックしてデータファイルを人質に取るものの、たいていは回復が可能でした。ところが、Cryptolocker は脅迫がもっと効果的になっており、攻撃者が持つ秘密鍵を使わない限り、ロックされたファイルを取り戻すことはできません。

以下の Q&A では、Cryptolocker と、それに対するシマンテックの保護対策についての概略をお伝えします。

Q: Ransomlock と Cryptolocker(別名 Ransomcrypt)の違いは何ですか?

Ransomlock と Cryptolocker の違いは、一般的に Ransomlock がコンピュータ画面をロックするのに対して、Cryptolocker は個々のファイルを暗号化してロックするという点です。被害者を脅迫して金銭を奪い取ろうとする点は共通しています。

Q: この脅威が発見されたのはいつですか?

Cryptolocker の被害が初めて確認されたのは、2013 年 9 月です。

Q: Cryptolocker は新しい脅威グループに属するものですか?

いいえ。侵入先のシステムでファイルを暗号化して身代金を要求する類似のマルウェアグループとして、シマンテックはこれまでにも Trojan.Gpcoder(2005 年 5 月)や Trojan.Ransomcrypt(2009 年 6 月)などを検出しています。

Q: Cryptolocker の重大度はどのくらいですか?

重大度は「高」です。万一 Cryptolocker によってファイルを暗号化され、そのファイルをバックアップしていなかった場合には、まず復元することはできません。

Q: Cryptolocker に感染しているかどうかを確認するにはどうすればよいですか?



図 1. Cryptolocker の身代金要求画面

Q: この脅威にはどのように感染しますか?

ソーシャルエンジニアリングの手口を使ったスパムメールを被害者に送りつけ、添付されている zip ファイルを開かせようと試みます。


図 2. Cryptolocker スパムメールの例

電子メールに添付されている zip ファイルを開くと、実行可能ファイルが含まれていますが、これは電子メールの内容に合わせて請求書に見せかけたり、別のソーシャルエンジニアリング手法で偽装されたりしています。この実行可能ファイルは Downloader.Upatre で、Trojan.Zbot をダウンロードします。Trojan.Zbot に感染すると、Downloader.Upatre は感染したシステムにさらに Trojan.Cryptolocker もダウンロードします。次に Trojan.Cryptolocker は、組み込みのドメイン生成アルゴリズム(DGA)を利用してコマンド & コントロール(C&C)サーバーに接続しようとします。アクティブな C&C サーバーが見つかると、感染したシステムでファイルを暗号化する際に使われる公開鍵がダウンロードされますが、それに対応する秘密鍵(ファイルの復号に必要です)はサイバー犯罪者のサーバーに残されたままです。秘密鍵はサイバー犯罪者の手の内に残り、定期的に変更される C&C サーバーにアクセスしない限り使用することはできません。


図 3. Cryptolocker の攻撃手順

Q: シマンテックは Cryptolocker や関連するマルウェアに対する保護対策を提供していますか?


検出名 検出タイプ
Downloader ウイルス対策シグネチャ
Downloader.Upatre ウイルス対策シグネチャ
Trojan.Zbot ウイルス対策シグネチャ
Trojan.Cryptolocker ウイルス対策シグネチャ
Trojan.Cryptolocker!g1 ヒューリスティック検出
Trojan.Cryptolocker!g2 ヒューリスティック検出
Trojan.Cryptolocker!g3 ヒューリスティック検出
System Infected: Trojan.Cryptolocker 侵入防止シグネチャ

Symantec.Cloud サービスをお使いのお客様は、このマルウェアの拡散に使われているスパムメッセージからも保護されています。


  • 2013 年 11 月 13 日以前のウイルス定義では、このマルウェアは Trojan.Ransomcrypt.F として検出されていました。
  • 2013 年 11 月 14 日以前の侵入防止シグネチャ(IPS)では、「System Infected: Trojan.Ransomcrypt.F」として検出されていました。

Q: C&C サーバーはどのような形式ですか?

DGA で生成される最近のコマンド & コントロール(C&C)サーバーの例を以下に示します。

  • kstattdnfujtl.info/home/
  • yuwspfhfnjmkxts.biz/home/
  • nqktirfigqfyow.org/home/

Cryptolocker はアクティブな C&C サーバーを検索するときに、見かけの類似したドメイン名を 1 日当たり 1,000 件まで生成できます。

Q: Cryptolocker はどのくらい高度ですか?

Cryptolocker 攻撃は、スパムメールとソーシャルエンジニアリングでお馴染みの手法を用いて感染を試みますが、Cryptolocker 自体も以下のように高度な技術を駆使しています。

  • Cryptolocker は、強力な RSA 2048 を使った公開鍵暗号を採用しています。攻撃者のサーバーに置かれている秘密鍵がないと、被害者は暗号化されたファイルを復号することはできません。
  • Cryptolocker は、メルセンヌツイスタ擬似乱数生成機能に基づいた DGA を採用し、アクティブな C&C サーバーを探します。

Q: この脅威の感染状況はどうですか?



図 4. 検出が報告された上位 5 カ国

Q: これまでにシマンテックはこれらの攻撃に関する情報を公開していますか?


Q: 身代金の支払いに応じるべきですか?


Q: Cryptolocker 攻撃の背後にいるのは誰ですか?

Cryptolocker 攻撃の背後にいるサイバー犯罪者については、調査が進められているところです。

Q: この攻撃の影響を受けたファイルの復元方法についてアドバイスはありますか?


Q: 被害を受けないようにするにはどうすればいいですか?


Q: シマンテックはバックアップおよびディザスタリカバリソフトウェアを提供していますか?

はい。シマンテックは、Backup Exec ファミリー製品を提供しています。


* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。

Cryptolocker Q&A: Menace of the Year

      No Comments on Cryptolocker Q&A: Menace of the Year

Cybercriminals are constantly looking for ways to evolve their malware. Evolution is the key for survival because antivirus research, analysis, countermeasures, and public awareness thwart the efficacy of malware and its spread. During the past year, Ransomware has received a lot of news coverage which has decreased the number of uninformed victims and lowered the impact and effectiveness of the malware along with the percentage of return to the criminal.

Due to this increased public awareness, in the last quarter of 2014 we have seen cybercriminals reorganize around a new type of extortion: Cryptolocker. This threat is pervasive and preys on a victim’s biggest fear: losing their valuable data. Unlike previous Ransomware that locked operating systems and left data files alone and usually recoverable, Cryptolocker makes extortion of victims more effective because there is no way to retrieve locked files without the attacker’s private key.

The following Q&A outlines Cryptolocker and Symantec’s protection against this malware:

Q: What is the difference between Ransomware and Cryptolocker (also known as Ransomcrypt)?

The difference between Ransomlock and Cryptolocker Trojans is that Ransomlock Trojans generally lock computer screens while Cryptolocker Trojans encrypt and lock individual files. Both threats are motivated by monetary gains that cybercriminals can make from extorting money from victims.

Q: When was this threat discovered?

In September 2013 the Cryptolocker threat began to be seen the wild.

Q: Is the Cryptolocker threat family something new?

No. Symantec detects other similar malware families such as Trojan.Gpcoder (May 2005) and Trojan.Ransomcrypt (June 2009) that encrypt and hold files ransom on compromised systems.

Q: What is the severity of this Cryptolocker threat?

The severity is high. If files are encrypted by Cryptolocker and you do not have a backup of the file, it is likely that the file is lost.

Q: How do I know I have been infected by Cryptolocker?

Once infected, you will be presented on screen with a ransom demand.


Figure 1. Cryptolocker ransom demand

Q: How does a victim get infected?

Victims receive spam email that use social engineering tactics to try and entice opening of the attached zip file.


Figure 2. Cryptolocker spam email example

If victims open the zip file attached to the email, they will find an executable file disguised to look like an invoice report or some other similar social engineering ploy, depending on the email theme. This executable file is Downloader.Upatre that will download Trojan.Zbot. Once infected with Trojan.Zbot, the Downloader.Upatre also downloads Trojan.Cryptolocker onto the compromised system. Trojan.Cryptolocker then reaches out to a command-and-control server (C&C) generated through a built-in domain generation algorithm (DGA). Once an active C&C is found, the threat will download the public key that is used to encrypt the files on the compromised system while the linked private key—required for decrypting the files— remains on the cybercriminal’s server. The private key remains in the cybercriminal control and cannot be used without access to the C&C server which changes regularly.


Figure 3. Cryptolocker attack steps

Q: Does Symantec have protection in place for Cryptolocker and the other associated malware?

Yes. Symantec has the following protection in place for this threat:

Detection name

Detection type


Antivirus signature


Antivirus signature


Antivirus signature


Antivirus signature


Heuristic detection


Heuristic detection


Heuristic detection

System Infected: Trojan.Cryptolocker

Intrusion Prevention Signature

Symantec customers that use the Symantec.Cloud service are also protected from the spam messages used to deliver this malware.

Some earlier Symantec detections that detect this threat have been renamed:

  • Virus definitions dated November 13, 2013, or earlier detected this threat as Trojan.Ransomcrypt.F
  • Intrusion Prevention Signature (IPS) alerts dated November 14, 2013, or earlier were listed as “System Infected: Trojan.Ransomcrypt.F”

Q: What do the C&Cs look like?

The following are recent examples of command-and-control (C&C) servers from the DGA:

  • kstattdnfujtl.info/home/
  • yuwspfhfnjmkxts.biz/home/
  • nqktirfigqfyow.org/home/

Cryptolocker can generate up to one thousand similar looking domain names per day in its search for an active C&C.

Q: How sophisticated is this threat?

While the Cryptolocker campaign uses a common technique of spam email and social engineering in order to infect victims, the threat itself also uses more sophisticated techniques like the following:

  • Cryptolocker employs public-key cryptography using strong RSA 2048 encryption. Once files are encrypted without the private key held on the attacker’s server, the victim will not be able to decrypt the files.
  • Cryptolocker employs a DGA that is based on the Mersenne twister pseudo-random number generator to find active C&Cs.

Q: How prevalent is the threat?

Symantec telemetry for this threat shows that the threat is not very prevalent in the wild at present. While the numbers being reported are low, the severity of the attack is still considerable for victims.


Figure 4. Top 5 countries reporting detections

Q: Has Symantec previously released any publications around these attacks?

Yes, Symantec has released the following blogs:

Q: Should I pay the ransom?

No. You should never pay a ransom. Payment to cybercriminals only encourages more malware campaigns. There is no guarantee that payment will lead to the decryption of your files.

Q: Who is behind the Cryptolocker malware?

Investigations into the cybercriminals behind the Cryptolocker malware are ongoing.

Q: Is there any advice on how to recover files affected by this attack?

Yes, Symantec Technical Support has released the following article:

Q: Any advice on how to not become a victim?

Yes. First, follow information security best practices and always backup your files. Keep your systems up to date with the latest virus definitions and software patches. Refrain from opening any suspicious unsolicited emails. We also advise customers to use the latest Symantec technologies and incorporate the latest Symantec consumer and enterprise solutions to best protect against attacks of this kind.

Q: Does Symantec offer backup and disaster recovery software?

Yes. Symantec has the Backup Exec Family of products.