Monday, January 7, 2013

Trojan Multi Locker Version 3 - "Trojan police"




Recently an increasing number of infections caused by the ransomware trojan, also called Ransomlock or Multi-Locker and more widely known as the "police trojan", has been detected. It simulates that the user's computer has been seized and blocked by the police until a fine for a supposed legal penalty is paid, which is nothing more than a fraud or scam by criminals.

This time the Trojan Kit MULTI LOCKER Version 3 will be analyzed.

The user's computer is compromised by visiting the infection vector:

hxxp://62.76.45.94/exe.php

It downloads the malicious binary:

hXXp://62.76.45.94/colt.exe

Size: 7680
MD5:baa5de00714b02660bfc092b53c449f7

The IP 62.76.45.94 is hosted at the ISP Clodo-Cloud in Russia.

Once the computer is infected, the ransomware modifies the system configuration and registry so that each time the user restarts the computer, the trojan automatically takes control and blocks the whole system. In addition, the malware displays a fake police screen asking the user to pay a fine for allegedly having viewed child pornography or content that infringes intellectual property.

This fake police screen is downloaded from the fraudulent server at address:

hXXP://62.76.45.94/lending/tds.php

This script checks the language configured in the user's browser and displays the fake police screen in the user's local language, with legal notices and warnings from that country's police.
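As an added triage example (not code from the original post or from the kit), the following Python script flags proxy-log requests to the infrastructure listed above, reports which clients completed the full exe.php to colt.exe chain, and checks a recovered file against the published colt.exe size and MD5. The Squid-style log lines are constructed for the example.

```python
# Added triage helper (not part of the original post): flags proxy-log entries that
# touch the Multi Locker v3 infrastructure described above and checks a dropped
# file's MD5 against the published colt.exe hash. Sample log lines are constructed.
import hashlib
import re
from urllib.parse import urlsplit

# Indicators taken from the post (IP, paths, dropper hash and size).
C2_HOST = "62.76.45.94"
KIT_PATHS = {"/exe.php", "/colt.exe", "/lending/tds.php", "/lending/ES.php", "/lending/"}
COLT_MD5 = "baa5de00714b02660bfc092b53c449f7"
COLT_SIZE = 7680

# Constructed Squid-style log lines: timestamp client action/code size method url
SAMPLE_LOG = """\
1357545600.101 10.0.0.5 TCP_MISS/200 1024 GET http://62.76.45.94/exe.php
1357545600.412 10.0.0.5 TCP_MISS/200 7680 GET http://62.76.45.94/colt.exe
1357545601.003 10.0.0.7 TCP_MISS/200 5120 GET http://example.org/index.html
1357545602.777 10.0.0.5 TCP_MISS/200 2048 GET http://62.76.45.94/lending/tds.php
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)$"
)

def find_kit_hits(log_text):
    """Return (client, path) for each request that hit the kit's host on a known path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if parts.hostname == C2_HOST and parts.path in KIT_PATHS:
            hits.append((m.group("client"), parts.path))
    return hits

def is_known_dropper(data):
    """True when a file's size and MD5 both match the colt.exe sample from the post."""
    return len(data) == COLT_SIZE and hashlib.md5(data).hexdigest() == COLT_MD5

def infected_clients(log_text):
    """Clients that fetched both the landing page and the dropper, i.e. the full chain."""
    seen = {}
    for client, path in find_kit_hits(log_text):
        seen.setdefault(client, set()).add(path)
    return sorted(c for c, p in seen.items() if {"/exe.php", "/colt.exe"} <= p)

if __name__ == "__main__":
    for client, path in find_kit_hits(SAMPLE_LOG):
        print(f"{client} requested {C2_HOST}{path}")
    print("full infection chain:", infected_clients(SAMPLE_LOG))
```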

The source code of "tds.php" is shown as follows:




For Spanish users it would display the following fraudulent screen, hosted at:

hXXP://62.76.45.94/lending/ES.php


In this example the screen is very poorly designed, unlike other kits detected, which are detailed enough to convince the user of its authenticity.

Criminals can modify these fake warning pages to make them look more legitimate by using the mini editor that ships with the ransomware kit, which some antivirus companies also call Ransomlock.

The panel is called MULTI LOCKER LENDING EDITOR and is accessed via the URL:

Hxxp://62.76.45.94/lending/
  

The file structure of the LENDING KIT is:
 

If the user pays the fee through online payment systems such as UKASH or MoneyPack, the machine is unlocked once the code returned by the payment system is entered.



The ransomware statistics panel is accessed through the main login page:


Once logged in, the main menu screen of KIT MULTI LOCKER Version 3 is shown:



Panel with statistical tracking of infected users:



Menu of users who have paid to unlock their computers:



The KIT file structure is as follows:

Panel kit installation:
