Last night, we received a new version of the #Madi malware, which we previously covered in our blog.

Following the shutdown of the Madi command and control domains last week, we thought the operation is now dead. Looks like we were wrong.

The new version appears to have been compiled on July 25th as it can be seen from its header:

It contains many interesting improvements and new features. It now has the ability to monitor VKontakte, together with Jabber conversations. It is also looking for people who visit pages containing ?USA� and ?gov� in their titles. In such cases, the malware makes screenshots and uploads them to the C2.

Here's a full list of monitored keywords:

"gmail", "hotmail", "yahoo! mail" , "google+", "msn messenger", "blogger", "massenger", "profile", "icq" , "paltalk", "yahoo! messenger for the web","skype", "facebook" ,"imo", "meebo", "state" , "usa" , "u.s","contact" ,"chat" ,"gov", "aol","hush","live","oovoo","aim","msn","talk","steam","vkontakte","hyves", "myspace","jabber","share","outlook","lotus","career"

A few days ago I published a blog post regarding the reverse engineering of the Mac OSX Rogue AV registration routine. The goal was to see if the product was acting like a legitimate one once registered. The product behaved normally, and pretended to clean the machine like their windows counterpart. It was also possible to gather intelligence on the technical support once registered.

So today, I had a look at a newer variant to see whether the registration algorithm was similar or not.

The serials are no longer in plain text, but it’s still very easy to break. Here is how.

The registration function is still the same: __RegEngine_CheckKey__.

Let’s have a look into it and see how different it is now.

My colleagues Fabio Assolini and Vicente Diaz wrote two blog posts recently regarding the Rogue AVs for MAC OSX. After executing it on a test machine, and playing with it, I noticed there was some hidden information in the About Window as can be seen below:

I was interested by the “Support” information, but it’s only available to registered customers. I also wanted to confirm a few things such as the “cleaning” of the fake threats once registered, and to see if the “infected” popups would stop.

Back in November 2010, we wrote a blog post about a new variant of the Gpcode Ransomware.

Kaspersky lab discovered a new variant today, in the form of an obfuscated executable. Please review the technical details for further information. The threat was detected automatically thanks to the Kaspersky Security Network as UDS:DangerousObject.Multi.Generic.

Specific detection has been added and the threat is now detected as Trojan-Ransom.Win32.Gpcode.bn

The infection occurs when a malicious website is visited. (drive by download)

Upon execution, the GPCode Ransomware will generate an AES 256 bit key (Using the Windows Crypto API), and use the criminal’s public RSA 1024 key to encrypt it. The encrypted result will then be dropped on the Desktop of the infected computer, inside of the ransom text file:

Kaspersky Lab is still monitoring malicious websites involved in the recent Japan spam campaigns.

For those who may have missed the two first blogs, you can read them here and here However, today we discovered than some of the payloads were not the usual Trojan-Downloader.Win32.CodecPack.*.

Instead, the payload is now Ransomware (detected as Trojan-Ransom.Win32.PornoBlocker.jtg), disguising itself as a fake warning message from the German Federal Police. The message pretends that your computer has been blocked because it was found to be hosting child pornography.

Victims are asked to pay a 100 euros fine to unlock the machine.

As if the German police logo wasn’t enough, they also use logo from anti-virus companies such as Kaspersky Lab to look more convincing.

Last week, we published a blog post regarding the ongoing spam campaign using the recent earthquake in Japan to infect users. This is a follow up blog describing the exploits used.

According to our analysis, it seems that the malicious links from the spam emails lead to websites hosting the Incognito Exploit Kit.

Here is an interesting picture from the servers hosting the exploit kit:

Kaspersky Lab has detected a malicious spam campaign using the recent earthquake in Japan to infect users. These emails contain malicious URLs:

On 14 January, my colleague Vyacheslav Zakorzhevsky published a blog on the dangers of using cracks and keygens.

The malware in question was primarily for stealing registration keys for popular software.

A few days ago, we found a new malicious application that disguises itself as a Kaspersky Trial Resetter (an application that can be used to reset a software evaluation period that has expired).

The new malware is detected as Trojan-PSW.MSIL.Agent.wx and only two vendors, including Kaspersky Lab, currently detect it.

The twist here is that instead of re-setting your trial period, it steals information saved on the computer, be it browser-saved passwords, or passwords saved by an application.

According to the PE header, the malicious software was created on 31 January 2011, although the first infection reports appeared on 6 February. One can only wonder how successful such an application can be? Read below to find out:

In 23 days, a total number of 1109 computers were infected with this password-stealing Trojan, with an average of 48 infections per day.

The top 5 targeted countries were:

What about the type of stolen accounts?

Among the stolen data, hundreds of website credentials were found, such as data for: web hosting, online stores, internet/mobile provider, social networks (LinkedIn, Twitter, Facebook, MySpace etc.), webmail, blogs, banking, instant messaging, online gaming etc.

Here is a list of the browsers targeted by the malicious program, as well as the number of users whose data were stolen:

Kaspersky Lab contacted the hosting provider of the drop zone who closed and deleted the accounts.

I hope these statistics will convince you that downloading pirated software is not a good idea.

1109 users who thought they were downloading a crack for a security solution ended up being infected.

It’s also clear that saving your passwords within your browser isn’t the best idea.

You may want to consider using a Password Management program, such as the Kaspersky Password Manager, which keeps all your passwords encrypted and immune to these sorts of attacks.

We are currently in the process of contacting the victims and informing them about the infection.

A new Twitter worm is spreading fast, using the “goo.gl” URL shortening service to distribute malicious links.

The malicious links go through a number of redirections which are described below. The redirection chain may push Twitter users to a fake anti-virus (scareware) serving the “Security Shield” Rogue AV. The webpage is using exactly the same obfuscation techniques as a previous version (Security Tool), which is an implementation of RSA cryptography in JavaScript to obfuscate the page code.

Our users are protected from this worm and all the URLS are being blacklisted in our products.

Here are some of the technical details:

1. Redirection Chains

   Those “goo.gl” links are redirecting users to different domains with a “m28sx.html” page:

   

   This html page will then redirects users to a static domain with a Ukrainian top level domain:
   

   

   As if that was not enough, this domain redirects the user to another IP address which is related to Fake Anti Virus distribution:

   

   This IP address will then do its final redirection job, which leads to the Fake AV website:

   

We’ve blogged a few times about rogue AV, explaining how search engines have been abused using Black Hat Search Engine Optimization techniques to redirect web surfers to rogue AV websites.

Recently, we’ve noticed that the rogue AVs being spread are all equipped with an “Online Support” button. See the top right corner:

Pressing Support takes you into a live chat with the rogue AV Tech Support. We wondered whether it was a bot answering questions based on keywords or real people – and yes, they turned out to be real!