Ransomware: Fake Federal German Police (BKA) notice

Nicolas Brulez
Kaspersky Lab Expert
Posted March 24, 14:42  GMT
Tags: Ransomware

Kaspersky Lab is still monitoring malicious websites involved in the recent Japan spam campaigns.

For those who may have missed the first two blog posts, you can read them here and here. However, today we discovered that some of the payloads were not the usual Trojan-Downloader.Win32.CodecPack.*.

Instead, the payload is now Ransomware (detected as Trojan-Ransom.Win32.PornoBlocker.jtg), disguising itself as a fake warning message from the German Federal Police. The message pretends that your computer has been blocked because it was found to be hosting child pornography.

Victims are asked to pay a 100 euro fine to unlock the machine.

As if the German police logo wasn’t enough, they also use the logos of anti-virus companies such as Kaspersky Lab to look more convincing.

On successful exploitation, the malware hijacks the desktop to display the following warning:


The victim can no longer use their computer unless they pay a 100 euro ransom. Here is a translation of the blackmail text:


Attention!

An operation of illegal activities has been detected.

The operating system has been blocked in connection with violations of the laws of the

Federal Republic of Germany! Following violation was noted: Your IP address is with this IP,

pages containing pornography, child pornography, bestiality and violence against children were visited.

Your computer also has video files with Pornographic content, elements of violence and child pornography!

There were also sent emails in the form of spam, with terrorist backgrounds.

This serves to lock the computer to stop your illegal activities.


[Computer related info]


To unlock the computer, you are obligated to pay a penalty of 100 Euro.

The payment must be made within 24 hours. If the payment is not made in the allotted time,

your hard disk will be irrevocably formatted (erased).

Payment is made by a Ukash coupon code in the amount of 100 Euro.

In order to be carried out the charge, please enter the purchased code into the payment box and

then press 0K (if you have multiple codes, enter this simply a sequence, then press OK)

Should the system report errors, you must send the code by email (removed).

After receipt of payment your computer within 24 hours re-opened.



Technical details:


The fake Federal German Police page is actually an html page embedded inside the malware executable.

Upon execution, the malicious program creates a new window with the TOPMOST attribute so that it stays above every other running window. This window is used to display the content of the html file through OLE and the WebBrowser control.

A new thread is created in order to kill Task Manager and suspend Windows Explorer. Just before it actually does that, the malware takes over the default Windows shell by replacing explorer.exe in the registry key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) with its own executable.

It then starts an infinite loop that kills the “taskmgr.exe” process whenever it is found running, and also suspends “explorer.exe” every 100 ms in order to block user interaction:



The result is a suspended Windows Explorer, no way to run the Task Manager, and the topmost window displaying a web page. Inside this html page there is JavaScript that sends the entered Ukash coupon code to a remote server.

However, at the time of discovery the domain involved was already disabled (its DNS name no longer resolved), leaving infected users’ computers unusable even if they paid.
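The three behaviours described above (Winlogon Shell replacement, a permanently suspended explorer.exe, and a TOPMOST lock window) each leave a trace that can be checked from an elevated PowerShell session. The script below is an added example written for this post, not Kaspersky Lab's own tooling; the -Restore switch is an assumed convenience for putting the Shell value back, and no sample-specific file names are assumed.

```powershell
# Added example: host-side checks for the lock-out techniques described above.
param([switch]$Restore)   # assumed helper switch, not part of any product

$winlogon      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedShell = 'explorer.exe'

# 1. Winlogon Shell hijack: the sample overwrites the Shell value so that its
#    own executable, not explorer.exe, is started at logon.
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if (-not $shell) {
    Write-Output "Shell value absent (default explorer.exe applies) - OK"
} elseif ($shell.Trim() -ieq $expectedShell) {
    Write-Output "Shell value is '$shell' - OK"
} else {
    Write-Warning "Shell value is '$shell' (expected '$expectedShell') - possible hijack"
    if ($Restore) {
        Set-ItemProperty -Path $winlogon -Name Shell -Value $expectedShell
        Write-Output "Shell value restored to '$expectedShell'"
    }
}

# 2. Suspended Explorer: the lock loop re-suspends explorer.exe every 100 ms,
#    so every thread of the process sits in Wait state with reason 'Suspended'.
foreach ($p in Get-Process -Name explorer -ErrorAction SilentlyContinue) {
    # WaitReason is only valid when ThreadState is Wait, hence the order of tests.
    $susp = @($p.Threads | Where-Object {
        $_.ThreadState -eq 'Wait' -and $_.WaitReason -eq 'Suspended' })
    if ($p.Threads.Count -gt 0 -and $susp.Count -eq $p.Threads.Count) {
        Write-Warning "explorer.exe PID $($p.Id): all $($susp.Count) threads suspended"
    } else {
        Write-Output "explorer.exe PID $($p.Id): $($susp.Count)/$($p.Threads.Count) threads suspended"
    }
}

# 3. TOPMOST lock window: list processes whose main window carries WS_EX_TOPMOST.
#    Legitimate always-on-top apps appear here too; treat it as a lead, not a verdict.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("user32.dll")] public static extern int GetWindowLong(IntPtr hWnd, int nIndex);
'@
$GWL_EXSTYLE   = -20
$WS_EX_TOPMOST = 0x8
foreach ($p in Get-Process | Where-Object { $_.MainWindowHandle -ne 0 }) {
    $ex = [Win32.Native]::GetWindowLong($p.MainWindowHandle, $GWL_EXSTYLE)
    if ($ex -band $WS_EX_TOPMOST) {
        Write-Output "TOPMOST main window: $($p.ProcessName) (PID $($p.Id)) '$($p.MainWindowTitle)'"
    }
}
```

Run it from a session that the lock window does not cover (for instance a second monitor, as a commenter below describes, or a remote session); check 3 only sees windows that are a process's main window.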

Kaspersky Lab continues to investigate this malware and will update the blog if more important information is discovered.


17 comments

Duststorm

2012 Mar 10, 17:59

I also had an encounter with this malware

I think it is a new version. It does not hide itself in the shell registry key anymore.
To catch it I used the sysinternals process explorer procexp (http://technet.microsoft.com/en-us/sysinternals/bb896653). It's an advanced task manager that is not closed by the malware. (another solution is to copy your task manager and give it another name)
Using procexp I was able to track down which process was holding the window blocking the desktop.
In my case it was "C:\Windows\SysWOW64\svchost.exe" but it's possible the virus is located in a random file in SysWOW64. What's even more disturbing is that it uses existing Windows process filenames, so it's even harder to find and Windows doesn't let you remove those files. When examining the file's properties, it still contained Windows metadata, but its origin could not be verified (it's not signed by Microsoft?).
To get around the window blocking your desktop you can trick it using a multiple monitor setup and trying to open some windows before it gets a chance to start. Just log out and log in again, press Windows-key+R and start a program like "regedit" as quickly as you can before the malware turns up. This worked for me after a few tries.

Looking for the offending executable in the registry I found an entry of it in HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache

EDIT: whoops, of course that is the executable running services. The malware probably started itself as a Windows service within it. (I haven't been using Windows a lot in a long time)
Let's see if I can find out the real cause.

After some more examining it seems this svchost has become hijacked and shows the malware window. Using the svchost viewer I tried to examine the svchost instance with the right PID, but both Process Explorer and svchost viewer don't show any children for it. Either this executable is replaced by malware, or it is configured to run a malware service that blocks it from starting any other services.

Guess I'll have to do a scan for ServiceDll entries in the registry and find the abusive dll.

Edited by Duststorm, 2012 Mar 10, 19:52
