It seems that this ransomware attack has hit many computers via a drive-by vulnerability on compromised websites. Many users reported that they have received the attack via a malicious PDF which downloads and installs the rensomware.

The attack changes the Windows desktop wallpaper to show the first part of the ransom message.

The “HOW TO DECRYPT” txt-file on the desktop contains the message:

Attention!!!

All your personal files (photo, documents, texts, databases, certificates, kwm-files, video) have been encrypted by a very strong cypher RSA-1024. The original files are deleted. You can check this by yourself - just look for files in all folders.

There is no possibility to decrypt these files without a special decrypt program! Nobody can help you - even don't try to find another method or tell anybody. Also after n days all encrypted files will be completely deleted and you will have no chance to get it back.

We can help to solve this task for 120$ via wire transfer (bank transfer SWIFT/IBAN). And remember: any harmful or bad words to our side will be a reason for ingoring your message and nothing will be done.

For details you have to send your request on this e-mail (attach to message a full serial key shown below in this 'how to..' file on desktop): [email address]

The above message contains an email address to contact if the victim wants to recover the encrypted data. Moreover it contains a fingerprint hex-string which changes between runs. It is used as a unique victim id and it must be quoted when victim contacts the hackers.

File types which can be affected: .jpg, .jpeg, .psd, .cdr, .dwg, .max, .mov, .m2v, .3gp, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .rar, .zip, .mdb, .mp3, .cer, .p12, .pfx, .kwm, .pwm, .txt, .pdf, .avi, .flv, .lnk, .bmp, .1cd, .md, .mdf, .dbf, .mdb, .odt, .vob, .ifo, .mpeg, .mpg, .doc, .docx, .xls, and .xlsx.

A zero-day exploit in Microsoft Windows enables non-administrator accounts to execute code as if they were an administrator. The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows 2008 R2 and Windows 7 systems.

A bug in win32k.sys, which is part of the Windows kernel, seems to be responsible for this exploit. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.

This exploit does not allow remote code execution (RCE). Thus, malicious code that uses the exploit needs to be introduced. So your anti-virus system should be able to block those payloads and keep you safe.

source

Just by opening a directory containing the infected shortcut will get user infected. Once the infected shortcut icon is displayed in Windows Explorer, malicious code is launched without any further user interaction. Hackers have already developed malware that spreads via USB sticks, using this vulnerabilities.  Independent security researcher Frank Boldewin had found the attack is currently targeted toward the WinCC SCADA system by Siemens. “Looks like this malware was made for espionage,” Boldewin writes.

On Sunday, a researcher known as “Ivanlef0u” published aproof-of-concept code to several locations on the Internet. There is already a Metasploit module that implements the exploit with the WebDAV method.

To protect yourself from the attack, Microsoft suggests disabling the displaying of icon for shortcut and turning off WebClient service as workarounds against possible attacks. Please reference Microsoft advisory for details of how to “Disable the displaying of icons for shortcuts“. Another way to protect yourself is to use Didier Stevens’ tool Ariad .

Additional information on the flaw can be found in a blog post by the SANS Institute’s Internet Storm Centre here.

source:

Experts Warn of New Windows Shortcut Flaw

MS confirms Windows shortcut zero-day flaw

Preempting a Major Issue Due to the LNK Vulnerability – Raising Infocon to Yellow

In the end of 2008 Tobias Engel demonstrated how to find the whereabouts of mobile phones by tapping into mobile network databases. An independent researcher Nick DePetrillo from the Source Conference in Boston Wednesday, and Don Bailey of iSec Partners proved how with related techniques it is possible to find a person’s spot even when his number is unknown and to gather other details which most users assume are undetectable.

The information disclosure hack works by tricking the GSM caller ID system into assembling what amounts to a white pages directory of nearly every mobile phone number. In order to do that, the researchers DePetrillo and Bailey established a voice over IP account that included caller ID. Moreover, they called the account over and over by using enormous blocks of spoofed numbers and logged the caller ID production of each one by using an Asterisk server.

The cataloged lookup information let them to find individuals related to the numbers and vice versa. Furthermore, it disclosed huge pools of numbers that were part of private corporations and government agencies.

Nevertheless, DePetrillo and Bailey blocked the numbers they wanted to trace into the so-called HLR, or home location register. The database, and the larger SS7 protocol to which it belongs, in many respects is to mobile networks what TCP/IP is to the internet, allowing cellular carriers to place the position of a receiver so it can accept voice or text traffic.

The techniques develop functionality built into GSM networks to ensure the fact that calls can be routed dependably to an earpiece wherever in the world it’s situated. As such, it will be difficult to fix the revelation threat without breaking the networks.

For more information read the following article:

http://www.theregister.co.uk/2010/04/22/gsm_info_disclosure_hack/

Therefore the danger of this exploit has grown because also Script-Kiddies are able to use this exploit. The BSI recommended using another browser to not get victim of this exploit. Microsoft recommends to set the security options to “high” or to disable JavaScript on which the exploit is based.

A video explaining the attack “Aurora” can be found here.

It seems the attackers had been able to change the DNS entries at Twitter’s provider. On the provider’s site no evidence was found that unauthenticated users had logged into the system. Therefore it is assumed that the attackers had the proper credentials to log into Twitter’s account at the provider.

In the last year, social networking services have often been attacked in various ways because of their popularity.

The whole article can be found here.

As the Register informs, the success rate of this attack is very significant considering number and size of active botnets of the Internet. To be more specific, in the same article is mentioned what Jonathan Wilkins of iSEC Partners had said: “The method had a total success rate of 17.5 percent against reCAPTCHA. The rate is significant because of the wide use of botnets by spammers and other miscreants. Even a modest-sized network of 10,000 infected machines with a success rate of 0.01 percent would yield 10 successes every second. That could translate into 864,000 new accounts every day.”

The whole article can be found here.

The E-mail security company AppRiver detected a large amount of  fake CDC e-mails which were sent at a rate of nearly 18,000 messages per minute, reaching more than 1 million in the first hour alone, according to the company’s blog post.

The e-mails claim users to register for a new state vaccination programm by creating a personal H1N1 vaccination profile at a fraudulent web page of CDC. However, anyone who clicks on the link, his computer is infected with malware, an executable copy of ZBot trojan horse. This trojan, also known as Zeus, powers one of the most active botnets which steal data of compromised machines.

According to the security company Sunbelt Software’s report,  ZBot is listed as the second most prevalent malware threat.

Malware propagation can be succesful in a situation where social engineering is dominatinated by technology due to the public awareness and fear.

The attack was rested on the fact that Reddit was not filtering out JavaScript in specific instances while a user was moving the mouse over the text field of the comments. Furthermore, a user named “Empirical” made a piece of JavaScript code that its effect was to automatically reply to all comments of a Reddit page, if it was pasted into the browser address bar, as a Reddit thread reports. As a result, another user named “xssfinder” combined these two facts in order to create an XSS attack by exploiting this vulnerability.

Particularly, xssfinder posted a comment that was a link to malicious code on a popular thread called “Guy on a bike in New York ‘high fives’ people hailing cabs”. After that, things happened quickly. When a user tried to read this comment, or to post a reply to it, he or she was resulted in sending a vast number of spam comments onto other Reddit threads.

According to F-Secure, Reddit administrators claim that all the holes that could lead to this type of attack have already been closed. Moreover, all the comments that were produced from this malicious code have been removed.

Besides, it is very common the fact that when a new XSS attack is created, a new wave of different variations follows in a short period of time. So, a solution to prevent such kind of attacks maybe is to turn off JavaScript, when someone try to access Reddit, using for example the NoScript extension of Firefox.

References: The Register, F-Secure, The H Security