ZeuS ransomware feature: win unlock

From Botnets.fr


Botnet: ZeuS
Date: 2012 / Monday, May 21, 2012
Editor/Conference: F-Secure
Link: http://www.f-secure.com/weblog/archives/00002367.html (archive copy)
Author: Mikko S., Marko

Abstract

Earlier today, while doing our daily data mining, we came across a new variant of ZeuS 2.x. It includes a new backdoor command called win_unlock. Very interesting: it turns out this slightly modified ZeuS 2.x includes a ransomware feature.

When this particular variant is executed, it opens Internet Explorer with a specific page (lex.creativesandboxs.com/locker/lock.php) and prevents the user from doing anything else with the infected system. The webpage that was opened presumably showed some type of extortion message, but it's currently unavailable because the site is offline.

The most straightforward way to unlock the system is to simply delete the trojan. This can be a bit tricky, since the trojan prevents doing anything with the infected system, but luckily the locking itself can easily be disabled first.

Looking at the code that corresponds with a received win_unlock command, it's clear the unlock information is stored in the registry.

Bibtex

 @misc{2012BFR1011,
   editor = {F-Secure},
   author = {Mikko S., Marko},
   title = {ZeuS ransomware feature: win unlock},
   date = {21},
   month = May,
   year = {2012},
   howpublished = {\url{http://www.f-secure.com/weblog/archives/00002367.html}},
 }