
Ransomware Debuts New Java Exploit, Sends Victims Running for MoneyPak Cards

2012-07-10


A ransomware campaign running in the US, possibly an update to the Citadel scam publicized by the FBI last week, is infecting computers with a Trojan that does what ransomware does best: It makes a convincing case that the victim must pay the criminals in order to release the locked-down PC from the grip of the malware.

Luckily for victims, the malware itself is incredibly easy to defeat — at least for now (I’ll get to that near the end of the post). But the scam is much more elaborate than the screens-filled-with-text that earlier generation ransomware Trojans typically presented to the victim. And it appears that the exploit kit being used to deliver the malware is, in fact, exploiting a vulnerability in Java patched only last month.

The infection spreads by means of the Blackhole exploit kit, which pushes the ransomware Trojan down to the computer’s browser cache, then executes it. Once the Trojan executes, it immediately kills all running processes — including Explorer — and replaces the desktop with a stern-looking warning. The warning says it originates from the FBI, but this one came from a server located in the local ransomware criminals’ field office in St. Petersburg, Russia.

The warning message claims it originates from an intrusion prevention system based in a data center called GTS Central Europe. GTS is, in fact, a real ISP, but they don’t send warnings like this to people. The program uses an IP address lookup to populate a field that presents the victim with his or her own IP address, as well as the geolocation of that address. Ultimately it’s merely a gimmick, and not a particularly clever one at that.

The other cool — and I use that term very loosely — gimmick that it uses is the little box in the upper right corner of the screen. It says “video recording on” and shows a little animated GIF image that looks like what a webcam would see if someone put their hand or finger in front of the camera and slowly moved it around. The static image doesn’t do it justice. This is one of the lamest tricks I’ve ever seen.

Then it busts out the Bad Cop act: “Your PC is blocked due to at least one of the reasons specified below” reads the message. It continues:

You have been violating Copyright and Related Rights Law (Video, Music, Software) and illegally using or distributing copyrighted content, thus infringing Article I, Section 8, Clause 8, also known as the Copyright of the Criminal Code of United States of America.

What a load of bunk. No law by that name exists in the US Code. However, the name is a close analogue to the name of the copyright laws of Russia and some countries in Europe, and the reference to Article I, Section 8? That’s one sentence in the US constitution, outlining the power of congress to create copyright law. A victim could easily confirm this if he or she actually could go online to check it, but the ransomware locks down the computer. The message goes on to warn users that the law:

…provides for a fine of two to five hundred minimal wages or a deprivation of liberty for two to eight years.

Wait, what? Now it’s really starting to fall apart, geniuses. What the heck are five hundred minimal wages? And isn’t the inability to connect to the Internet a deprivation of liberty?

Note to Russian scammers: We put the dollar sign on the left side of the numbers. These ain’t rubles, Igor. Get with the system.

In any case, it’s a lot of legalese-ish blah blah blah (except for the part where it accuses the victim of distributing “Child Porno/Zoofilia” — that’s just a big gross-out) until you get to the end. That’s when the meat of the scam comes together: The scammers want you to head to your nearest convenience store, drugstore, or big-box and buy $200 worth of credit from a payment service called Green Dot MoneyPak, then enter the code into the form on the scam page.

This is the first ransomware scam I’ve seen that didn’t use Western Union or eGold as its payment mechanism. The scammers were kind enough to put some prominent (though, clearly, undesirable) product placement for Green Dot, in the form of the company logo, right up at the top of the screen (above the fold in journo-speak). I contacted Green Dot, headquartered in the Los Angeles area, to let them know about this. They’re working to spread the word, warning their partners and resellers about the scam.

Some of those resellers are even listed on the bottom of the page, in a little box labeled Where I can buy MoneyPak? — was that a question or a statement, doofuses? Victims are directed to run, not walk, to the nearest 7-Eleven, CVS, Walmart, K-Mart, Rite-Aid, or Walgreens to throw away perfectly good cash for a fraud.

Speaking of fraud: You can also add another tick to the Irony column for the Fraud Alert box right at the bottom of the page. Apparently, you should only use your MoneyPak number “…with businesses listed at MoneyPak and United States Departament of Justice” — I guess criminals are just as useless with spellcheck as anyone else. However, there is a grain of truth buried in there: “If a criminal gets your money, Green Dot is not responsible to pay you back.” Troof, dat. If you see this warning message, don’t be a sucker.

So, how do you get rid of this Trojan? Simple as pie: Reboot the computer in Safe Mode (which means, power-cycle the box and hit the F8 key during reboot, then choose Safe Mode). Log in, then when the Windows desktop appears, navigate to the logged-in user account’s temp directory and look for any file with an .exe suffix, and delete it. On my testbed, the Trojan was named “glom0_og.exe” but it’s likely to be a random name that will be different on any machine where the infection takes hold.

(In Windows XP, that will be in C:\Documents and Settings\(username)\Local Settings\Temp; in Windows Vista or 7, look in C:\Users\(username)\Local Settings\Temp)

Afterwards, when you reboot the computer normally into Windows, you may see a dialog box that looks like the one above. That’s because the Trojan added a shortcut to launch itself at boot time to the Startup folder in the Start Menu. Just delete the entry labeled “ctfmon” in the Startup folder.
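As an added example that is not part of the original post, the following Python script performs the same check offline, against a Windows volume pulled from the infected machine and mounted on a clean one (the approach raised in the comments below): it lists executables sitting directly inside each user profile's Temp, roaming AppData and Start Menu Startup directories, keying on the PE "MZ" header so a dropper whose .exe suffix is hidden or missing is still caught. The directory list (including the Vista/7 Temp location AppData\Local\Temp), the profile name and the sample files are assumptions constructed for the demo.

```python
import tempfile
from pathlib import Path

CANDIDATE_DIRS = [                                        # profile-relative, XP then Vista/7
    "Local Settings/Temp", "AppData/Local/Temp",          # the user's Temp directory
    "Application Data", "AppData/Roaming",                # roaming AppData (comment 3)
    "Start Menu/Programs/Startup",                        # Start Menu Startup folder (XP)
    "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup",  # same, Vista/7
]

def is_pe(path):
    """True if the file starts with the 'MZ' header: an executable whatever its suffix."""
    try:
        with open(path, "rb") as f:
            return f.read(2) == b"MZ"
    except OSError:
        return False

def files_in(d):
    """Regular files directly inside d (no recursion); empty if d does not exist."""
    return sorted(p for p in d.iterdir() if p.is_file()) if d.is_dir() else []

def scan_volume(root):
    """(path, reason) pairs for suspicious files in every user profile on a mounted volume."""
    findings = []
    for profile_root in ("Documents and Settings", "Users"):   # XP / Vista and 7 profile roots
        base = Path(root) / profile_root
        for profile in (sorted(base.iterdir()) if base.is_dir() else []):
            for rel in CANDIDATE_DIRS:
                for p in files_in(profile / rel):
                    if is_pe(p) or p.suffix.lower() == ".exe":
                        findings.append((p, "executable in " + rel))
                    elif rel.endswith("Startup") and p.suffix.lower() == ".lnk":
                        findings.append((p, "startup shortcut"))
    return findings

def build_demo_volume(base=None):
    """Constructed sample volume (not a real capture) with the artifacts the post describes."""
    base = base or tempfile.mkdtemp()
    prof = Path(base) / "Users" / "victim"
    samples = {
        "AppData/Local/Temp/glom0_og.exe": b"MZ\x90\x00",       # dropper name from the post
        "AppData/Roaming/glom0_og": b"MZ\x90\x00",              # suffix hidden, still a PE
        "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/ctfmon.lnk": b"L\x00\x00\x00",
        "AppData/Local/Temp/notes.txt": b"harmless",            # must not be flagged
    }
    for rel, data in samples.items():
        (prof / rel).parent.mkdir(parents=True, exist_ok=True)
        (prof / rel).write_bytes(data)
    return str(base)
```

Run `scan_volume("E:\\")` (or wherever the pulled drive is mounted) and review each hit by hand before deleting anything; a file flagged in Temp is a candidate, not a verdict.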

As I mentioned, the scam is perpetuated by the Blackhole exploit kit. I did a few test “infections” of systems here in the lab, and it was interesting to note how each subsequent infection retrieved a slightly different obfuscated JavaScript infection initiator page. Fortunately, our new 6.5 release of DeepSee (which went into general release today) introduces a feature which performs a fuzzy hash of extracted artifacts. In plain English: We see what you did there, malware guys. To DeepSee, the two scripts are seen for what they are: Two ever-so-slightly-modified versions of the same thing. Tough luck, smacky.

It was also interesting to note how two infections, roughly half an hour apart and using different browsers, employed different exploits to accomplish the same task. In the earlier infection, where I used a testbed running Windows XP, with Internet Explorer 6 and Java 1.7.0_03, the sequence of exploits was: malicious SWF, followed by PDF, followed by a Java JAR file exploiting CVE-2012-1723, a relatively recently patched vulnerability in Java, which security journo Brian Krebs reported last week would soon make its way into Blackhole kits. Looks like we’re there now.

In the later infection, running the same testbed but using Firefox instead of Internet Explorer, the sequence of exploits was: malicious PDF, followed by SWF, then more malicious obfuscated JavaScript, a second malicious PDF, the same JAR exploit file used in the IE infection, then another malicious SWF. Total time from the page loading until the malware download using IE6: 13 seconds. Total time for the same process using Firefox: 16 seconds. Either way, you’re pwned in well under a minute, with plenty of time for the malware distributor to crack open a soda and kick his feet up.

DeepSee users: You can import any of the following lists of common Blackhole exploit kit file naming conventions to create Favorites. You can then use those Favorites to write Rules that will generate warning alerts (in DeepSee 6.0 – 6.2.2), or to write Actions that can trigger Data Enrichment using real-time extractor (in DeepSee 6.5+).

To create a Favorite: save one or more files to your desktop, then navigate within DeepSee to Summary -> Favorites. In the Favorites window, click the blue Import button in the upper right corner. Give the Favorite a memorable name (or just use the ones above), choose List from the File Type dropdown menu, then browse to the file. Choose filename from the Field picklist. Click Save and you can immediately begin to use the Favorite.

No warranty: Your mileage may vary. Solera Networks cannot guarantee that the use of these lists to produce Favorites will result in detections of all, or any, Blackhole infection attempts, or will be free of false positives, but we’re confident that they will find the most common names employed during those infections when used as directed.

13 Comments
  1. 2012-07-12 9:59 am

    Just got hit with this one.
    Last thing I remember was a pop-up ad, then BAM.

    I actually read through this and I was like… waaah? last time I checked my public IP it was different. Thanks to this scam, I found out that it was on its rotation change.

    Got rid of it by safe boot, msconfig’d, looked through my startup and disabled cfmon.
    Really? it points to my AppData? what a load of crud. glom0_og.exe = yeah, very subtle.
    I went through msconfig to target the source, if I did ever find it.

    AVG totally ignored it. Man oh man.

    Anyways, good read :) Thumbs up, and hopefully not a lot get scammed with this.

  2. Anonymous permalink
    2012-07-12 5:31 pm

    This JUST happened to me -_- Thanks a lot for this. You saved my laptop.

  3. James Peterson permalink
    2012-07-13 8:17 am

    I’ve got rid of it, but it appeared in two places on my windows 7 machine – my user account temp directory, and user account, appdata, roaming. Also is mentioned in the registry, in the run section.

  4. Matt permalink
    2012-07-13 8:19 am

    “Log in, then when the Windows desktop appears, navigate to the logged-in user account’s temp directory and look for any file with an .exe suffix, and delete it.”

    There won’t be anything else with a .exe suffix? I don’t want to accidentally delete something and have it mess something up.

  5. Andrew Brandt permalink*
    2012-07-13 9:14 am

    If there are any other executables inside the temp directory, feel free to delete them. Nothing in that directory should be assumed to be critical for the computer’s operation. If you do find, however, that some other executable is running from within that directory, I’d be concerned.

  6. Matt permalink
    2012-07-13 10:16 am

    I think I fixed it…

    When I found glom0_og it didn’t have the .exe suffix on the end.

    It said it was an application, and there were 2 other applications in there too.

  7. Matt permalink
    2012-07-13 10:34 am

    Also, thank you for writing this; you have also saved my laptop.

  8. Andrew Brandt permalink*
    2012-07-13 12:13 pm

    Matt: It may be that your Windows PC is set up in the default configuration where file suffixes are not displayed for certain filetypes.

    You can change this behavior by opening an Explorer window (not IE, just the filesystem) and clicking Tools -> Folder Options. On the View tab, uncheck the box labeled “Hide Extensions for known file types” and click OK.

    Glad your computer’s doing better now.

  9. Michael permalink
    2012-07-16 7:51 pm

    Thanks. Thorough and complete explanation was easy to understand. I’m a little concerned over how easy it was for this exploit to do its thing. I’m not any kind of an expert, but I try to keep my computer pretty safe. A good ‘internet security’ suite (Trend Micro in my case) doesn’t seem to do the job. What is a typical user supposed to do?

  10. Bill permalink
    2012-10-01 7:54 am

    Stuck. My Win7 PC will lock out to the FBI crap even in safe mode. Task Manager has been disabled. Do have another PC we can put this drive into (Ran Malwarebytes and Symantec Endpoint Protection – did not clear it).

  11. Bill permalink
    2012-10-01 5:30 pm

    This one had me pissed off for about 48 hours. No, it’s not as simple as booting into safe mode, my Win7 PC had the same FBI screen in safe mode, no Task Manager, nothing. Wound up using a FREE CD from AVG web site, large .iso, booted to a DOS virus scanner that finally wiped it out. This was after Malwarebytes and Symantec scans, with the drive in another PC, found this and that but not the problem. Not sure who these AVG folks are but they are my hero.

  12. Andrew Brandt permalink*
    2012-10-02 8:58 am

    AVG is a well-known antivirus vendor with both a free and paid version of their product, and I’m glad their product was able to fix the damage. That’s good news.

    Since this post first was published in July, the malware distributors have obviously made it more difficult to remove. That’s bad news. The earlier advice to start up in Safe Mode appears no longer to function as a remediation tactic, though it might be worth a try anyway.

    Lacking an effective AV tool, an incident responder might consider pulling the boot drive from the infected machine and mounting it to another, uninfected computer to effect repairs by deleting the malware executables from their install location(s). They can’t hide or thwart your attempts at manual removal when they aren’t running, and they typically run from either the %temp% or %appdata% directories — a location where there should be no running executables, in any case.
