Today my colleague Vitaly Kamluk wrote about a new GpCode-like ransomware which encrypts users' files with the RSA-1024 and AES-256 crypto-algorithms. We're continuing to investigate this malware and will notify you about our findings.
However, GpCode.ax is not the only piece of ransomware we found today. We have just discovered malware which overwrites the master boot record (MBR) and demands a ransom for the password needed to restore the original MBR. This malware is detected as Trojan-Ransom.Win32.Seftad.a and Trojan-Ransom.Boot.Seftad.a.
This ransomware is downloaded by Trojan.Win32.Oficla.cw.
Once Seftad.a has been downloaded by Oficla.cw and executed, the victim's PC is rebooted and the following message appears on the screen:

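An added example, not from the original post and not Kaspersky Lab's tooling: a baseline check a defender can run against a copy of sector 0 (taken from a disk image or a backup) to spot the kind of MBR overwrite described above, where the bootstrap code is replaced by a ransom message while the partition table is typically left in place. The sector contents, partition layout, hashes and the `check_mbr` findings below are constructed for the example.

```python
import hashlib
import struct
BOOT_CODE_LEN = 440      # bootstrap code precedes the 4-byte disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"   # bytes 510-511 of a valid 512-byte MBR
def parse_partitions(mbr):
    """Decode the four partition entries (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        status, ptype, lba, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": sectors})
    return entries

def boot_code_hash(mbr):
    """SHA-256 of the bootstrap area; record it while the system is known-good."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()

def printable_runs(data, min_len=8):
    """Printable-ASCII runs of at least min_len bytes; genuine boot code has few."""
    runs, cur = [], bytearray()
    for b in data + b"\x00":            # trailing sentinel flushes the last run
        if 32 <= b < 127:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    return runs

def check_mbr(current, baseline_hash):
    """Compare a freshly read sector 0 with the recorded baseline; return findings."""
    findings = []
    if len(current) != 512 or current[510:512] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    if boot_code_hash(current) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    runs = printable_runs(current[:BOOT_CODE_LEN])
    if runs:
        findings.append("text in bootstrap area: " + "; ".join(runs[:3]))
    return findings

# Constructed sample sector: a tiny bootstrap stub, one NTFS-type partition, valid signature
_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb".ljust(BOOT_CODE_LEN, b"\x00")
_entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
GOOD_MBR = _code + b"\x12\x34\x56\x78\x00\x00" + _entry + b"\x00" * 48 + BOOT_SIG
# Constructed tampered copy: bootstrap replaced by a message, partition table left intact
_msg = b"CONSTRUCTED DEMO: disk locked, enter password".ljust(BOOT_CODE_LEN, b"\x00")
BAD_MBR = _msg + GOOD_MBR[BOOT_CODE_LEN:]
```

Because the partition table survives in this scenario, `parse_partitions` still reads the original layout from the tampered sector, which is what makes restoring a known-good bootstrap (rather than repartitioning) the recovery path.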
We have received several reports from people around the world asking for help with infections very similar to the GpCode Trojan that we detected in 2008.
GpCode was initially detected in 2004 and it reappeared almost every year until 2008. Since then, the author has been silent. A few copycats created some imitations of GpCode that were mostly hot air and not real threats because they weren’t using strong cryptographic algorithms.
As we explained before, this type of malware is very dangerous because the chances of getting your data back are very low. It is almost equivalent to permanently removing the data from your hard drive. Back in 2006 and 2008, we managed to offer a few ways of recovering, and even decrypting, your data with our decryption tools.
Now GpCode is back, and it is stronger than before. Unlike previous variants, it does not delete files after encrypting them. Instead it overwrites the data in the files in place, which makes it impossible to use data-recovery software such as PhotoRec, which we suggested during the last attack.
Preliminary analysis showed that RSA-1024 and AES-256 are used as crypto-algorithms. The malware encrypts only part of the file, starting from the first byte.
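An added example, not from the original post and not Kaspersky Lab's tooling: the partial, in-place encryption described above suggests a simple triage check for a forensic copy of the data. If a file's magic bytes are gone and its first few kilobytes look random while the remainder does not, the tail is most likely still the original content. The file names, sample bodies, the 4 KiB head length and the entropy thresholds here are constructed assumptions, not figures from the analysis.

```python
import math
import random
from collections import Counter
# Well-known leading bytes for a few file types used in the triage
MAGIC = {"pdf": b"%PDF-", "docx": b"PK\x03\x04", "jpg": b"\xff\xd8\xff",
         "png": b"\x89PNG\r\n\x1a\n"}

def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext, much lower for text/office data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(name, data, head_len=4096):
    """Classify one file by comparing its head against the remainder.
    'intact'           magic bytes still present
    'head_overwritten' magic gone, random-looking head, low-entropy tail
    'high_entropy'     whole file looks random (or is natively compressed)
    'unknown'          extension not in MAGIC, nothing to compare against
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magic = MAGIC.get(ext)
    if magic is None:
        return "unknown"
    if data.startswith(magic):
        return "intact"
    head_h = shannon_entropy(data[:head_len])
    tail_h = shannon_entropy(data[head_len:])
    if head_h > 7.5 and len(data) > head_len and tail_h < 6.0:
        return "head_overwritten"
    if head_h > 7.5:
        return "high_entropy"
    return "unknown"

# Constructed samples (not real victim files): a text-like PDF body and a
# deterministic pseudo-random block standing in for the ciphertext head
_rng = random.Random(2010)
_random_head = bytes(_rng.getrandbits(8) for _ in range(4096))
_body = b"%PDF-1.4\n" + b"Quarterly report text line.\n" * 300
SAMPLES = {
    "intact.pdf": _body,
    "partial.pdf": _random_head + _body[4096:],   # in-place overwrite of the first 4 KiB
    "whole.png": _random_head + _random_head[:1000],
    "notes.txt": _body,
}

def triage_all(samples=SAMPLES):
    return {name: triage(name, data) for name, data in samples.items()}
```

Run it only against copies or an image, never on the live system the post says to leave untouched; the head/tail comparison is uninformative for formats such as JPEG or DOCX whose bodies are already compressed.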
The malware detection was added today as Trojan-Ransom.Win32.GpCode.ax. Kaspersky Lab experts are working on an in-depth analysis of the recent Trojan and will update you on every discovery that may assist with data recovery.
If you think you are infected, we recommend that you do not change anything on your system, as doing so may prevent data recovery if we find a solution. It is safe to shut down or restart the computer despite the malware writer's claim that files are deleted after N days: we have seen no evidence of a time-based file-deletion mechanism. Nevertheless, it is better to avoid any changes to the file system, including those that a restart may cause.
People who are not infected should be aware of the problem and should recognize GpCode from the first second the warning appears on screen. Pressing the Reset/Power button on your desktop may save a significant amount of your valuable data! Please remember this and tell your friends: if you see a sudden Notepad popup with text like this:

Don't hesitate: turn off your PC, pulling out the power cable if that is fastest!
Another sign of infection is an immediate change of the desktop background to something like this:

We will keep posting more information and screenshots as we continue our investigation.
Apa kabar! AVAR 2010 has just finished. It took place on the beautiful island of Bali, Indonesia.
AVAR is the biggest international anti-malware event in the Asia-Pacific region. It is one of the best opportunities for industry experts from around the world to get together in a relaxed environment and discuss the latest hot topics. The papers presented over the last two days covered subjects ranging from PDF exploits, targeted attacks and mobile malware to AV testing and rogue software.

We are proud to announce that Kaspersky Lab was the most active presenter here, with exactly 4 speakers:
And that’s not all: our own Stefan Tanase managed to win the Best Speaker Award, for the second year in a row. Congratulations!

We're spending our last day here in paradise enjoying the beautiful places this island has to offer. Until next year, selamat tinggal and have a wonderful weekend!
Users of Orkut, the large social network in Brazil, are again a target of attacks. This time the problem was malicious apps: small applications that can be added to a user's profile and executed directly in the browser. Some apps performed a redirection when loaded in the user's profile, leading to phishing pages. Simply visiting an affected profile was enough to be redirected; no other user interaction was needed. During these attacks we collected and blocked more than 50 phishing domains used in this malicious scheme; it is believed that approximately 150,000 profiles had their IDs stolen.
Currently more than 16,000 apps are available to be installed in an Orkut profile, and some bad guys were able to publish malicious apps in the Apps Directory, even though Google reports that all of them are checked before publishing. One of the main malicious apps used in these attacks was "ChateTVOnline", an app that promises the ability to watch TV channels:

In the source code of the app it is possible to see the main cause of the problem: once installed in a profile, the app can run external code that is not hosted on Orkut's servers. This allows the developer to redirect visitors to phishing domains:

Once installed in the user's profile, the malicious app runs every time someone views the profile, and the redirection occurs. All the stolen accounts were used to spread the attack by automatically posting scraps (short messages) in some communities, asking other users to install the malicious app or to visit an affected profile.
Around 50 phishing domains were used in this malicious scheme. In just one of them, goooble.com.br, a typosquat of google.com.br, we found more than 440 stolen user IDs:

In a variant of the first attack we found another malicious scheme asking for money: it redirected the affected user to a page demanding a ransom of R$ 20,00 (around 12 US dollars) to return the profile:

We reported these malicious apps to Google and they removed them. All domains used in these attacks are blocked by Kaspersky Antivirus and our users are protected.
Brazilian internet users are being attacked this week with an interesting phishing scheme: the message shows the victim's real personal data, in a clear attempt to trick users into installing a banking Trojan on their machines.
The message is sent to the victim in the name of a big Brazilian bank, and its body shows the user's full name and CPF, the Natural Persons Register number, the equivalent of a Social Security Number, used by the Brazilian government to identify each citizen:

The CPF is one of the most important documents for anyone living in Brazil. The number is unique and is a prerequisite for a series of tasks such as opening bank accounts, getting or renewing a driver's license, buying or selling real estate, receiving loans, applying for jobs (especially public ones), and getting a passport or credit cards. Using such data it is possible for a cybercriminal to impersonate the victim and steal his identity in order to access resources or obtain credit and other benefits in that person's name.
This is a case where a data leak meets phishers. Information this accurate can only be obtained from data leak incidents. Not surprisingly, the Brazilian media regularly report on criminals selling CDs containing the full data of the Brazilian IRS system, where a lot of sensitive data, including CPF numbers, can be found. With a simple search you can find people in Brazil selling CDs of purported IRS and CPF records for only $190.00.
This is not the first time Brazilians have been targeted by phishing that uses real data: last year, customers of a major airline were victims of a phishing attack that used their real names and rewards-program numbers.
Kaspersky detects the malware involved in this attack as Trojan-Downloader.Win32.Delf.agkm.
When receiving e-mails, even e-mails showing your personal data, you can't be too careful.