Malicious Code: Cyber Extortion Attack

Korean Job Discussion Forums Forum Index -> Technology Forum
Real Reality



Joined: 10 Jan 2003
Location: Seoul

Posted: Tue May 24, 2005 3:47 am    Post subject: Malicious Code: Cyber Extortion Attack

Websense Security Labs has received reports of a new attack that attempts to extort money from users by encoding files on their machines and then requesting payment for a decoder tool.

The original infection occurs when the user visits a malicious website that exploits a previous vulnerability in Microsoft Internet Explorer. This vulnerability allows applications to run without user intervention. The malicious website uses the Windows help subsystem and a CHM file to download and run a Trojan Horse (download-aag). The downloader then connects, via HTTP, to another malicious website. This website hosts the application that encodes files on the user's local hard disk and on any mapped drives on the machine. The malicious code also drops a message onto the system with instructions on how to buy the tool needed to decode the files. This message includes the email address of a third party to contact for instructions, and the user is directed to deposit money into an online E-Gold account.

Analysis Details:
User connects to malicious website that downloads and runs code through Microsoft Internet Explorer vulnerability (http://www.microsoft.com/technet/security/Bulletin/MS04-023.mspx).

Site drops and runs a Trojan Horse (downloader-aag).

The Trojan Horse downloader connects to another website and downloads the encoding application, renames it, and runs it.

The malicious encoding program, which is packed with UPX, performs the following actions upon launch:

Adds items to the Windows startup registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Searches for all text files on the computer (including local hard disks and mapped drives).
Replaces all files it finds with unreadable content.
Creates a status file called "autosav.ini" with information on the files that have been encoded.
Creates a file called tmp.bat in the directory where it was run to delete itself upon completion.
Creates a file called "Attention!!!" with instructions on how to get your files decoded.
Sends an HTTP status request to the server it was downloaded from.
May 23, 2005
Malicious Website / Malicious Code: Cyber Extortion Attack
http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=194
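Example (added here; not part of the Websense alert or the original post): a small triage script that checks a directory tree for the dropped files the alert lists ("Attention!!!", "autosav.ini", "tmp.bat") and for .txt files whose contents are no longer readable text, since the alert says the encoder targets text files and overwrites them with unreadable content. The sample directory it builds, and the 30% non-printable threshold, are constructed assumptions for the demo.

```python
import os
import string
import tempfile

# File artifacts the alert attributes to the encoder. tmp.bat deletes itself
# on completion, so it is often already gone by the time a machine is examined.
ARTIFACT_NAMES = {"Attention!!!", "autosav.ini", "tmp.bat"}
PRINTABLE = set(string.printable.encode())

def looks_unreadable(data: bytes, threshold: float = 0.30) -> bool:
    """True when more than `threshold` of the bytes are not printable ASCII.
    A text file overwritten with encoded content trips this; threshold is assumed."""
    if not data:
        return False
    non_printable = sum(1 for b in data if b not in PRINTABLE)
    return non_printable / len(data) > threshold

def triage_dir(root: str) -> dict:
    """Walk `root` and report dropped artifact files and .txt files that
    no longer look like text (the alert says the encoder targets text files)."""
    findings = {"artifacts": [], "unreadable_txt": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in ARTIFACT_NAMES:
                findings["artifacts"].append(path)
            elif name.lower().endswith(".txt"):
                with open(path, "rb") as fh:
                    if looks_unreadable(fh.read(4096)):
                        findings["unreadable_txt"].append(path)
    return findings

def build_sample_tree() -> str:
    """Constructed sample: one intact note, one 'encoded' note, two dropped files."""
    root = tempfile.mkdtemp(prefix="triage_")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("meeting at 10, bring the lesson plans\n")
    with open(os.path.join(root, "budget.txt"), "wb") as fh:
        # Stand-in for encoded content: a byte pattern cycling through all 256 values.
        fh.write(bytes((i * 73 + 11) % 256 for i in range(512)))
    for name in ("Attention!!!", "autosav.ini"):
        open(os.path.join(root, name), "w").close()
    return root

def run_demo() -> dict:
    """Build the sample tree and triage it; returns the findings dict."""
    return triage_dir(build_sample_tree())

if __name__ == "__main__":
    print(run_demo())
```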
mindmetoo



Joined: 02 Feb 2004

Posted: Tue May 24, 2005 10:56 pm

One of the funnier scams is spyware removal companies that put spyware on your machine or worse. I'm not talking about Lavasoft and that other legit one with the really horrible interface.

It goes a bit like this: average idiot user finally hears about the spyware problem. Googles for it. Clicks on the first link or paid search link and installs this software. He runs the software. The software reports, oh my god, dozens of horrible nasty spyware programs running on his computer. He clicks on the "remove 'em" button. Then he gets a pop-up: to remove the software you must register the software for $49.95. Worried as hell, he does.

The problem is these bogus spyware detectors don't detect spyware. They just spit out a canned response. They just want to scare you into registering. In the worst case, they install their own nasty spyware and then remove it when you pay. Some guy got the book thrown at him several months back for that tactic.

The best scam ever put over on the computing public was the SoftRAM scam.

SoftRAM was a PC utility sold by Syncronys Software. According to Syncronys' marketing materials it was a "RAM doubling and resource expansion" product. Claiming to use various on-the-fly memory compression routines, the nifty little package could double your PC's RAM. With physical RAM chips going for about $50 a meg in the mid-'90s and a sudden need to add hundreds of dollars more of RAM to run Windows 95, the utility's $30 price tag was a screaming bargain. By 1996, Syncronys had sold some 700,000 copies. The company's stock price didn't just double, it increased a thousandfold (going from 3 cents to $30).

It was all too good to be true. And it was. Many users, after installing the software, noticed their computers slowed down. With more RAM available, things shouldn't slow down. What was the point in having "extra" RAM then?

People began to funnel complaints to the various PC magazines that had given SoftRAM glowing reviews without actually testing the product. Everyone was mightily impressed by SoftRAM's fancy gauges, wizards, and control panels that seemed to indicate the product was really going to town on wasted memory. The magazines gave SoftRAM a second, harder squint. This time they actually tested the package. PC Magazine, for instance, fed it blocks of data containing the same character. Even the dumbest compression utility should have made mincemeat out of that. It passed untouched through SoftRAM.

People did not just complain to the magazines. Some took their complaints to the FTC, which launched an investigation. Facing mounting criticism and a government investigation, Syncronys defended itself by pointing to customer surveys indicating 82% of purchasers were satisfied with the product. This, of course, was not proof of anything other than 82% of purchasers had been satisfactorily duped. The company also threatened to sue Dr. Dobb's Journal if it published an article examining the technical aspects of the software.

Since Syncronys was claiming a need to protect trade secrets and was unwilling to give reviewers and FTC investigators any details regarding how it was actually doubling RAM, a pair of German hackers set on the task of decompiling the product and looking at the code. They discovered the product was really little more than some example code from a Microsoft development kit with some fancy gauge controls slapped on top. SoftRAM may have hired clever marketers but the Germans discovered SoftRAM failed to hire clever developers. SoftRAM compiled the Microsoft sample code with the debugging switch left on. That meant SoftRAM ran slower than Microsoft's original code!

Caught red-handed by the German hackers, Syncronys was forced by the FTC to recall their product and issue refunds to purchasers.

Strangely enough, this company proved to be the Peter Popoff of PC utility makers when it returned a year later with a CD Caching utility. Syncronys claimed it could boost CD load times by a staggering 184%. Tests showed this revolutionary product only managed to save mere seconds.

It made a third try with a shareware disk partitioning utility called BigDisk. The utility lost data. Customers and investors eventually lost it with Syncronys. The company went belly up in 1999, with $4.67 million in debts, $200,000 in assets and a large number of customers still waiting for their SoftRAM rebate.

Curiously, days before seeking Chapter 11, Syncronys tried once more to recapture the SoftRAM days and resell a Microsoft tool as its own. The company released a product called UpgradeAID 98 which let users install Windows 98 but return to Windows 95 if they found Windows 98 unstable. Windows 98, of course, came with a utility that let users deinstall Windows 98 and return to Windows 95.