Encrypt everything

Predator or prey? A parasite on a parasite!

Thursday, March 23, 2017

Competition between virus makers has always been rather intense. Infecting the device of a well-off and careless user is always so tempting for criminals that compassion and cooperation go out the window in the world of cybercrime.

Malicious programs that remove competitors from infected machines and close vulnerabilities that those competitors can exploit aren't as rare as you may think.

When commanded by criminals, BackDoor.Ragebot.45 will look for other Trojans in a system. If it finds some, it will end their processes and delete the corresponding executable files.

Trojan.Tofsee includes a module that seeks out and deletes every other Trojan and piece of malware it can find on a computer. The module searches disks for files that match a built-in list, checks the corresponding Windows registry entries, enumerates running processes, and terminates and deletes the malicious files it identifies. Thus, even if you do not have an anti-virus program, Trojan.Tofsee will “take care” of your system’s security.

There is a rational reason behind this concern for users: the longer they fail to notice malicious activities on their computer, the longer the Trojan will operate.

Virus makers haven’t shied away from using other people's code either, and have even forced the code's authors to remove it from public servers.

Utku Sen is a Turkish security researcher who designed two ransomware programs—Hidden Tear and EDA2—and made them publicly available for educational purposes.

Recently hackers blackmailed Sen into removing the program Hidden Tear from GitHub. Shortly beforehand, at his own initiative, the researcher had removed all the files related to EDA2 to make them inaccessible to the public. However, those who really needed it had already downloaded the Trojan's source code. And because Sen had supplemented the source code with detailed customisation instructions and an administration panel for the malware, more than two dozen malicious samples have since been built on that code.

By the way, there is an interesting detail here. As for the person who is to blame for everything… Well, you know the fella!

Part of Sen's negotiations with the attackers took place on Bleeping Computer's forums; the rest was conducted by email. At first, Sen outright refused to accept the terms of the developers of the Magic ransomware, the EDA2-based implementation he refers to below (on the forums they posted under the alias “jeanclaudevandan”).

Some Softpedia journalists managed to get in touch with the researcher and asked him to clarify his position. Sen blamed everything on politics, Putin, and strained relations between Russia and Turkey, and, of course, Russian hackers had their hand in it too.

"When I checked their code I saw lots of statements supporting Putin in Russian. I think that they’re doing this bad stuff just to blame me because I'm a Turkish guy. It seems all about politics, which is exactly what everyone was saying on the Bleeping Computer forum", Sen said. "I talked with them. They said that they created Magic ransomware to show me their power [in the] community. They asked me to take down Hidden Tear. Maybe it’s because the Hidden Tear project has damaged their business that they are selling ransomware." "They didn't tell me any reason, so I refused. Because I know that if I accept this demand, they will demand something more since it's political. I will work as hard as I can to crack down on their implementation [EDA2]—because they still haven’t found my backdoor."

But let's get back to our main topic. What does an amateur hacker do if he or she wants to make some easy money but can’t get hold of suitable source code (with good encryption routines that make decryption unfeasible)? Of course, that hacker can become a pirate and steal their competitors' work!

Under the Dr.Web classification, Trojan.Encoder.10467 is a cracked version of the well-known ransomware Petya. Its authors managed to bypass the safeguards in the original Trojan's code and also replaced the encryption keys it carries. The second step is only logical: data encrypted by the unmodified sample can only be decrypted with keys held by Petya's developers, so without keys of their own the pirates would have had to go to Petya's developers for every decryption.
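To make the key-replacement step concrete, here is an added toy model. It is not Dr.Web's code and not Petya's actual construction (which used ECDH with a stream cipher and is not reproduced here). It assumes a hybrid scheme in which the sample carries its operators' public key, generates a fresh key for each victim and wraps that key to the embedded public key with an ElGamal-style exchange over a toy group (modulus 2**255 - 19, generator 2, chosen for the demo; the scheme is not secure as written and has no authentication). The party names, the stub bytes and the key offset are all constructed for the example.

```python
"""Constructed toy model of 'replacing the encryption keys' in a cloned sample.

Added example, not Dr.Web's code and not Petya's real scheme. It shows one
thing only: the party holding the private key matching the public key baked
into the sample is the only one who can unwrap a victim's file key, so
swapping that embedded public key moves the decryption capability from the
original authors to whoever did the swap. Toy parameters, not for real use.
"""
import hashlib
import secrets
from typing import Optional

P = 2**255 - 19              # a prime; assumed toy group modulus for the demo
G = 2                        # assumed generator for the demo
KEY_LEN = 32
STUB = b"TOY-ENCODER-STUB"   # stands in for the sample's code section (constructed)
KEY_OFFSET = len(STUB)       # the embedded public key sits right after it


def keygen() -> tuple[int, int]:
    """Return (private, public). Each party wanting to decrypt victims makes one."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def build_sample(pub: int) -> bytearray:
    """Model a built sample: code stub followed by the embedded public key."""
    return bytearray(STUB + pub.to_bytes(KEY_LEN, "big"))


def embedded_key(sample: bytes) -> int:
    """Read the public key the sample will wrap victim keys to."""
    return int.from_bytes(sample[KEY_OFFSET:KEY_OFFSET + KEY_LEN], "big")


def patch_embedded_key(sample: bytes, new_pub: int) -> bytearray:
    """What the 'pirates' do: overwrite the authors' public key with their own,
    leaving the rest of the sample untouched."""
    patched = bytearray(sample)
    patched[KEY_OFFSET:KEY_OFFSET + KEY_LEN] = new_pub.to_bytes(KEY_LEN, "big")
    return patched


def _mask(shared: int) -> bytes:
    """Derive a one-time mask from the shared group element."""
    return hashlib.sha256(shared.to_bytes(KEY_LEN, "big")).digest()


def wrap_victim_key(embedded_pub: int, victim_key: bytes) -> tuple[int, bytes, bytes]:
    """Run on the victim: wrap the per-victim file key to the embedded public key.
    Returns (ephemeral public value, wrapped key, check tag)."""
    eph = secrets.randbelow(P - 2) + 1
    eph_pub = pow(G, eph, P)
    mask = _mask(pow(embedded_pub, eph, P))
    wrapped = bytes(a ^ b for a, b in zip(victim_key, mask))
    tag = hashlib.sha256(victim_key).digest()[:8]   # demo-only wrong-key detector
    return eph_pub, wrapped, tag


def unwrap_victim_key(priv: int, eph_pub: int, wrapped: bytes, tag: bytes) -> Optional[bytes]:
    """Run by whoever claims to be able to decrypt. Returns the file key, or
    None when this private key does not match the key embedded in the sample."""
    mask = _mask(pow(eph_pub, priv, P))
    candidate = bytes(a ^ b for a, b in zip(wrapped, mask))
    return candidate if hashlib.sha256(candidate).digest()[:8] == tag else None


def simulate_infection(sample: bytes, authors_priv: int, pirates_priv: int) -> dict:
    """Infect one simulated victim with `sample` and report which party can
    recover that victim's file key."""
    victim_key = secrets.token_bytes(KEY_LEN)
    eph_pub, wrapped, tag = wrap_victim_key(embedded_key(sample), victim_key)
    return {
        "original_author": unwrap_victim_key(authors_priv, eph_pub, wrapped, tag) == victim_key,
        "pirate": unwrap_victim_key(pirates_priv, eph_pub, wrapped, tag) == victim_key,
    }


if __name__ == "__main__":
    authors_priv, authors_pub = keygen()
    pirates_priv, pirates_pub = keygen()
    original = build_sample(authors_pub)
    print("unmodified sample:", simulate_infection(original, authors_priv, pirates_priv))
    clone = patch_embedded_key(original, pirates_pub)
    print("key-swapped clone:", simulate_infection(clone, authors_priv, pirates_priv))
```

With the unmodified sample only the original authors' private key recovers the victim key; after `patch_embedded_key` only the pirates' key does. That is why a clone that keeps the original keys leaves its operators dependent on the original developers, and why a defender examining a clone should not assume its keys, or any decryptor for the parent family, still apply.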

Did it help? Experience shows that Trojan.Encoder.10467 is detected by Dr.Web's heuristic analyser.

#malware #Trojan #encryption_ransomware #ransomware #Trojan.Encoder #Data_Loss_Prevention #Dr.Web_technologies

The Anti-virus Times recommends

An anti-virus's heuristic routines are often enough to protect a system from clone Trojans, but relying solely on them is not a good idea. Use the Data Loss Prevention feature of Dr.Web Security Space to make timely backups of your data, and restrict access to bogus sites with Parental Control.

Have you enabled Data Loss Prevention in your Dr.Web?

