
8/25/2011

[Warning] Ransomware is prevalent these days.

1. Introduction

Recently, ransomware that disrupts ordinary PC use has been booming all over the world, especially in Russia.
Once a PC is infected, recovery is tricky and takes considerable effort to restore the system to its original state, so general users need to be careful when surfing the Internet.
Financially motivated malware using a variety of techniques is prevalent these days and can cause a range of damage.

2. Spreading path and symptoms of infection

This malicious file is being spread all over the world. Although no visible damage has been reported so far in South Korea, it can infect PCs anywhere in the world and shows the same page.

Ransomware can be spread by downloads from relatively vulnerable web sites that have been tampered with. Besides e-mail attachments, instant messenger and links on SNS can also be routes of infection.

The downloaded file is disguised as a video file.


General users can easily be lured by this social engineering technique.


* Comparison of the MBR before and after infection

Earlier ransomware overwrote the original MBR with a modified one once it infected a PC. The recently found ransomware, unlike those earlier versions, does not modify the MBR.
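An added example (not from the original post or from nProtect) of the before/after MBR comparison described above: it parses a 512-byte MBR sector, hashes the boot code, extracts the partition table, and reports what differs between a baseline copy and a later copy. The sample sectors are constructed inline and are not taken from a real disk or from the malware.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 462 + 16 * i]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # unused entries have partition type 0
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable differences; an empty list means the MBR is intact."""
    before, after = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not after["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if before["boot_code_sha256"] != after["boot_code_sha256"]:
        findings.append("boot code changed")
    if before["partitions"] != after["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector (not a real disk): one bootable NTFS partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    sector = boot_code.ljust(440, b"\x00") + b"\x12\x34\x56\x78" + b"\x00\x00"
    return sector + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr(b"BASELINE-BOOT-CODE")        # copy taken before infection
    tampered = build_sample_mbr(b"OVERWRITTEN-BOOT-CODE")  # boot code replaced
    print(compare_mbr(clean, clean))     # []
    print(compare_mbr(clean, tampered))  # ['boot code changed']
```

On a real system the baseline would be the first 512 bytes of the boot disk saved while the machine is known clean, and the current copy read the same way later.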




A "System exit" window can appear when the downloaded malicious file is executed.



* System exit status

This system exit was triggered by a call into kernel mode from a certain function.
The following figure shows the structure.





The PC is rebooted 3 seconds after the system exit window appears. All the user can do is watch.
Then a window for entering a certain code is opened.



The user can only type in the text field and cannot use the rest of the window. To use the PC normally, a certain valid code is required, which is promised after sending a certain amount of money to this Russian cellphone number (9872701688).

3. How to prevent

The ransomware shows the user false information such as "All data is encrypted" or "The MBR area was destroyed."
Companies, or users who urgently need their PC, may simply follow the instructions and send the money.
Given its malicious nature, various variants can emerge. To keep PCs safe from the security threats posed by such malicious attachments, we recommend the following "Security management tips" for general users.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and use its real-time detection function.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links from instant messengers and SNS.
5. Scan downloaded files with anti-virus software before executing them.

INCA Internet (Security Response Center / Emergency Response Team) provides detection and treatment for malicious files such as the one described above with nProtect Anti-Virus/Spyware, and operates a response system against various security threats.

Diagnosis name

 - Trojan/W32.Timer.78336
