Ponting Posted August 26, 2014

The old ransomware business model is no longer enough for malware authors. New additions have made Reveton into something even more powerful. The latest generation of Reveton, the infamous "police" lock screen/ransomware, targets new black market business. The authors upped the ante of the despised malware from a LockScreen-only version to a dangerously powerful password and credentials stealer by adding the latest version of Pony Stealer. This addition affects more than 110 applications and turns your computer into a botnet client. Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. In all cases, Reveton contains a link to download an additional password stealer. The most common infection is via the well-known exploit kits: FiestaEK, NuclearEK, SweetOrangeEK, etc.

Pony stealer module

Reveton uses one of the best password/credentials stealers on the malware scene today. The Pony authors conduct deep reverse engineering work, which results in almost every password being decrypted to plain text form. The malware can crack or decrypt quite complex passwords stored in various forms. The stealer includes 17 main modules (OS credentials, FTP clients, browsers, email clients, instant messaging clients, online poker clients, etc.) and over 140 submodules.

OS functions: Deep System Info, ScreenSaver password, LSA local, Windows passwords and certificates, RAS, ASP/.NET credentials, Groups passwords, Proxy, WinSocks, WinInet pipe, etc.
FTP Clients: 32bit, BulletProofFTP, BitKinex, ClassicFTP, CoffeeCup, CoreFTP, CuteFTP, DOpus, ExpanDrive, FAR, FFFTP, FTPCommander, FTPControl, FTPExplorer, FTPRush, FTPUploader, FileZilla, FlashFXP, Fling, FreeFTP, Frigate3, LeapFTP, NetDrive, SecureFX, SmartFTP, SoftX, TurboFTP, UltraFXP, WS_FTP, WebDrive, WebSitePublisher, WinSCP, Windows/Total Commander
RDP/VPN Clients: CiscoVPN, FreeCall, PC Remote Control, Remote Desktop Connection, WinVNC
Instant Messaging Clients: AIM, AIMPRO, Astra, CamFrog, Digsby, Excite, Faim, GTalk, Gaim, Gizmo, ICQ2003, ICQ99b, IM2, JAJC, LiveMessenger, MSN, Miranda, MySpace, Odigo, PSI, PalTalk, Pandion, Pidgin, QIP, QIPOnline, R&Q, SIM4, Trillian, VypressAuvis, Yahoo
Dialers/RAS: DialerQueen, EDialer, FDialer, MDialer, VDialer
Download tools: Download Master, FlashGet, GetRight, Internet Download Accelerator
Online Poker Clients: 888Poker, AbsoluteCommon, AbsolutePoker, CakePoker, FullTiltPoker, PartyPoker, PokerStars, TitanPoker, UltimateBetPoker
Browser clients: Chrome, Firefox, Flock, IE, Opera, Safari, SeaMonkey, Thunderbird, + Browser_History, Browser_Socks, System_Socks
Email Clients / Accounts: Becky, Eudora, ForteAgent, Gmail, GroupMailFree, IncrediMail, MailCommander, Outlook, POPPeeper, PocoMail, Scribe, TheBat, Windows Mail, mail.ru

Crypto currency module

The crypto currency module steals passwords of the most widely used wallets. The malware can close QT wallets and imitate the login screen after the next execution.

List of wallets and crypto currencies: *-QT wallets, Armory wallet, Electrum wallet, Multibit wallet, Multidodge wallet, Offspring wallet, BitCoin, BlackCoin, DarkCoin, DodgeCoin, LiteCoin, VertCoin

Banker module

The list of banks is based on geolocation. Our version includes 17 German banks. This module searches browser history and cookie files.

List of banks: bank1saar.de, berliner-bank.de, comdirect.de, commerzbanking.de, cortalconsors.de, deutsche-bank.de, dkb.de, bawagpsk.com, fiducia.de, flessabank.de, gecapital.de, haspa.de, hypovereinsbank.de, norisbank.de, psd-bank.de, postbank.de, sparda.de

Lockscreen module

This part of the Reveton malware has been upgraded, too. The authors divided the program into multiple threads, changed the encryption, saved the payload to the registry, and recreated communication with the C&C servers.

Reveton has also prepared another password stealer, downloaded from the Papras family. This malware is not as effective as Pony but contains a powerful AV kill/disable function.

Mysterious hashes

We found 2 MD5 hashes hardcoded deep inside the Reveton payload. The first is used to verify the generated user ID. If it matches, the system does not send information about the infected computer. This probably protects the author while testing or developing the malware. Unfortunately, the UserID calculation algorithm is too complex for hash cracking.

UserID is the MD5 hash of ({ComputerName}+{EnumDisplayDevices}+{HDD SerialNumber}) XOR 029Ah

The second hash is used for verification of the inserted unlock key (ukash/paysafe code). Reveton can be terminated if the MD5 hash of the inserted key is identical to the hardcoded one. We call it the "hash of master unlock key."

Disinfection:
1. Boot to another OS from a USB flash disk or DVD.
2. Find the suspicious .lnk file in the Startup menu (explorer.lnk, system.lnk, etc.).
3. Find the path to the malware binary in the .lnk file properties (probably a .cpp file).
4. Delete the .lnk file and the malware binary from the link path.
5. Boot to your system and check which service reports an error.
6. Remove that service from the system.
7. Find the "ACID" string in the registry and delete the keys around it (hex=78,01,…).
8. Reboot.
9. Change passwords for all accounts and online services!!!

* You can try to find the RUNDLL32.EXE-*-F.txt file where all stolen passwords are stored.

Analyzed samples:
209B606203E60B9C3ABDBB27D7F93A2D8A60A87C4AB2E7749A9522C17F4511F2
4998A47D1ECB8C80E3AC5BAF743E87CC3546322335EDF89CE4A9AB1EF5420F69

Protect yourself with regular backups

The best protection against LockScreen or CryptoLocker malware is frequent backups of all your important files, documents, and photos.

Conclusion

As we have shown, the high profits from the former Reveton model, unlocking the infected computer after the user pays a ransom, are not enough. Malware authors have decided to enter a new black business area. Passwords to various systems and crypto currency wallets are a very lucrative commodity today. Some passwords (FTP, email, IM…) are perfectly suited for spreading their malware and building stronger botnets.

Source: http://blog.avast.com/2014/08/19/reveton-ransomware-has-dangerously-evolved/
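The disinfection steps above ("find the suspicious .lnk in the Startup folder, read the malware path from its properties") can be automated instead of clicking through each shortcut's properties dialog. The script below is an added example, not code from the post or from Avast: it parses the Windows Shell Link (.lnk) binary format directly (per Microsoft's MS-SHLLINK layout: 76-byte header, optional IDList, LinkInfo with the local base path, then the count-prefixed StringData fields), returns each shortcut's target and arguments, and flags the ones pointing at a non-executable extension such as ".cpp" or into a user-writable folder. The flagging heuristics, the sample paths and the rundll32-with-argument shape of the constructed sample are my assumptions, not details from the post; the parser works on any .lnk file, including ones copied off a disk mounted from a rescue OS, so it can run before the infected system is booted.

```python
import os
import re
import struct

# ShellLink CLSID 00021401-0000-0000-C000-000000000046 as it is stored on disk (MS-SHLLINK)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relpath", HAS_REL_PATH),
                 ("workdir", HAS_WORK_DIR), ("args", HAS_ARGS), ("icon", HAS_ICON))

# Heuristics (my assumption, not from the post): a Startup shortcut normally points
# at a real executable, not at a ".cpp"-named file under a user-writable profile folder.
NORMAL_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s",]+')


def _cstr(buf, off):
    """Null-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Return (target_path, arguments) from raw .lnk bytes; ValueError if not a .lnk."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C                                    # end of the fixed 76-byte header
    if flags & HAS_ID_LIST:                       # skip LinkTargetIDList (size-prefixed)
        off += 2 + struct.unpack_from("<H", data, off)[0]
    target = ""
    if flags & HAS_LINK_INFO:
        (info_size, _hdr, info_flags, _vol, base_off,
         _net, suffix_off) = struct.unpack_from("<7I", data, off)
        if info_flags & 0x1:                      # VolumeIDAndLocalBasePath present
            target = _cstr(data, off + base_off) + _cstr(data, off + suffix_off)
        off += info_size
    strings = {}                                  # StringData: fixed order, count-prefixed
    for key, bit in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off:off + count * width]
            strings[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            off += count * width
    return target or strings.get("relpath", ""), strings.get("args", "")


def suspicious_reasons(target, args):
    """Why a shortcut deserves a look: odd extension or a user-writable location."""
    reasons = []
    for path in [target] + PATH_RE.findall(args):
        if not path:
            continue
        ext = os.path.splitext(path)[1].lower()
        if ext not in NORMAL_EXT:
            reasons.append(f"non-executable extension {ext or '(none)'}: {path}")
        if "\\appdata\\" in path.lower() or "\\temp\\" in path.lower():
            reasons.append(f"user-writable location: {path}")
    return reasons


def scan_startup_folders():
    """Windows-only: inspect every .lnk in the per-user and all-users Startup folders."""
    folders = [os.path.join(os.environ.get("APPDATA", ""),
                            r"Microsoft\Windows\Start Menu\Programs\Startup"),
               os.path.join(os.environ.get("PROGRAMDATA", ""),
                            r"Microsoft\Windows\Start Menu\Programs\StartUp")]
    findings = {}
    for folder in folders:
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                target, args = parse_lnk(fh.read())
            reasons = suspicious_reasons(target, args)
            if reasons:
                findings[path] = reasons
    return findings


def build_sample_lnk(target, args):
    """Constructed minimal .lnk (LinkInfo + Unicode Arguments) so the parser can be
    exercised offline; real shortcuts usually carry more optional structures."""
    base = target.encode("latin-1") + b"\x00"
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"   # DRIVE_FIXED, empty label
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = (struct.pack("<7I", suffix_off + 1, 0x1C, 1, 0x1C, base_off, 0, suffix_off)
                 + volume_id + base + b"\x00")
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID,
                         HAS_LINK_INFO | HAS_ARGS | IS_UNICODE,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + link_info + struct.pack("<H", len(args)) + args.encode("utf-16-le")


if __name__ == "__main__":
    # Constructed sample in the shape the post describes (paths are made up):
    # system.lnk -> rundll32.exe with a ".cpp"-named payload under AppData.
    sample = build_sample_lnk(r"C:\Windows\System32\rundll32.exe",
                              r"C:\Users\victim\AppData\Roaming\system.cpp,Start")
    tgt, a = parse_lnk(sample)
    print(tgt, a, suspicious_reasons(tgt, a), sep="\n")
    if os.name == "nt":
        print(scan_startup_folders())
```

On a live Windows box `scan_startup_folders()` walks both Startup folders; from a rescue OS, point `parse_lnk` at the .lnk files under the mounted profile instead. Treat the heuristics as a triage aid only: a shortcut into AppData is not proof of infection, and a shortcut pointing at a legitimate-looking .exe can still be the dropper, so confirm the flagged path before deleting anything.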
knowledge-Spammer Posted August 26, 2014

not nice