04.27.12

Ransomware exploits Microsoft Windows Update Center Service

Our first indicators of this ransomware were trojanised emails masquerading as police warnings aimed at end users (see Ransomware Exploits the Italian Police); it now seems to have evolved into leveraging a fake Windows Update system.
It is the result of an aggressive campaign originating in Germany, where users receive emails similar to the following:

Roughly translated into English:

Ladies and Gentlemen,

We are pleased to inform you that you have signed up for Premium Mail.
You may now use up to 650 sms per month and your online storage volume increased by 11 gigabytes.
€ 57.89 will be debited monthly from your account. Take out the contract details on the annex, there you will find the message for your 2 weeks’ notice.

With very best regards
your customer service

The attachment is the actual malware. The end result for the unsuspecting user who launches this application is ransomware!

It compromises the PC by adding malicious registry entries to the OS and dropping copies of its executable. Upon restarting the session, once Windows has loaded, the following scam image is displayed on the desktop of the PC:

The machine is locked and the PC does not respond to any commands. It is now totally compromised.

So, what may have happened?

The splash screen is a fake Windows Update message saying that for safety reasons the system has been locked due to visits to pornographic content infected by a computer Trojan, which spread through the system. It continues to explain that the virus encrypts the hard drive with a 2048 bit RSA key and that decryption is no longer feasible.

To be able to restore the system, the user must run an EXTRA security update, paying 50 euros to receive the extra security update by Microsoft.

The Total Defense Internet Security Intelligence Team (our internal intelligence unit) found some interesting information about this ransomware.

First of all, once run, the malware connects to the “qoa-a.com” website, starting and completing a TCP three-way handshake:

After that it opens an outgoing connection to send and receive data from the malicious site.

We found that “qoa-a.com” is registered to HICHINA ZHICHENG TECHNOLOGY LTD, which is allegedly a scamming group using false registrant names and addresses.

Three different IPs have been found to be currently serving the malicious website: 124.207.179.120; 202.55.5.156; 217.198.180.79.

These IPs belong respectively to “Beijing Zhongbangyatong Telecom Technology Co”, “China Telecom Hong Kong International” and “Alfa Telecom JSC (Russia)”.
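The domain and the three IPs above are the network indicators a defender can act on. The following script is an added example (not Total Defense's code) that matches those published indicators against proxy/DNS/firewall log lines and lists the internal hosts that should be isolated and examined for the dropped executables and registry entries. The log format and the sample lines are constructed for this example; adapt the regular expression to your own log source, and treat the indicators as historical, since hosting for a domain like this changes.

```python
import ipaddress
import re

# Indicators published in the post: the C2 domain and the three IPs reported
# as serving it at the time of writing.
C2_DOMAINS = {"qoa-a.com"}
C2_IPS = {
    ipaddress.ip_address("124.207.179.120"),
    ipaddress.ip_address("202.55.5.156"),
    ipaddress.ip_address("217.198.180.79"),
}

# Constructed sample log in a hypothetical "timestamp src dst proto [query=...]"
# format (an assumption for this example, not a real product's log layout).
SAMPLE_LOG = """\
2012-04-27T09:14:02Z 10.0.0.15 8.8.8.8 dns query=www.example.org
2012-04-27T09:14:05Z 10.0.0.15 8.8.8.8 dns query=qoa-a.com
2012-04-27T09:14:06Z 10.0.0.15 124.207.179.120 tcp dport=80
2012-04-27T09:15:11Z 10.0.0.22 93.184.216.34 tcp dport=443
2012-04-27T09:16:40Z 10.0.0.31 8.8.8.8 dns query=cdn.qoa-a.com
2012-04-27T09:17:03Z 10.0.0.31 217.198.180.79 tcp dport=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)"
    r"(?:\s+query=(?P<query>\S+))?"
)


def domain_matches(name, blocklist):
    """True if name equals a listed domain or is a subdomain of one.

    Case and a trailing dot are ignored; 'notqoa-a.com' does not match."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in blocklist)


def scan_log(text, domains=C2_DOMAINS, ips=C2_IPS):
    """Return one hit dict per log line that resolves a listed domain
    or connects to a listed IP."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        ts, src, dst, query = m.group("ts", "src", "dst", "query")
        reason = None
        if query and domain_matches(query, domains):
            reason = f"dns lookup of {query}"
        else:
            try:
                if ipaddress.ip_address(dst) in ips:
                    reason = f"connection to {dst}"
            except ValueError:
                pass  # destination is not an IP literal
        if reason:
            hits.append({"ts": ts, "host": src, "reason": reason})
    return hits


def affected_hosts(hits):
    """Distinct internal hosts to isolate and triage, sorted for reporting."""
    return sorted({h["host"] for h in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["host"], h["reason"])
    print("hosts to triage:", affected_hosts(found))
```

On the constructed sample the script flags two hosts, 10.0.0.15 and 10.0.0.31: each first resolves the C2 domain (or a subdomain of it) and then connects to one of the listed IPs, which is the same DNS-then-connect sequence described for the malware above. Matching subdomains as well as the bare domain matters because a resolver log will often show a hostname rather than the registered domain.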

Total Defense Security products detect and block this malware, but we strongly recommend that end users avoid running applications received through suspicious emails from unknown sources.