Top Threats

4 Posts authored by: Hayton

“Your PC is blocked”: Background of the Police Ransomware Virus 


Reveton – the universal extortion instrument


Researchers have been investigating not just the intricacies of the malware code that these ransomware programs deploy to infect your computer, but the money trail that is left by those who either don't know where to turn for help, or are intimidated by the threats included in the ransomware's blocking screen.


A French security expert and blogger known by the handle Kafeine and his colleagues from the project have managed to access a BlackHole exploit panel associated with Reveton distribution.


Blackhole and Styx exploit kits are often used to infect systems with this ransomware, and the most effective means of infection is by exploiting weaknesses in Java. The control panel shows this clearly.



Once a system is infected there is always the possibility that the user will look for ways to remove it, either by searching the internet for removal guides or by seeking help online in one or other of the self-help forums. Probably only rarely will a user pay to have the infection removed, since the cost of doing so is likely to be nearly as much as the ransom demanded, and the fear and embarrassment factor will militate against allowing outsiders to have access to the system.


What this means is that the success rate, for the ransomware distributors, is going to be less than they might hope for (which is why some of them are now resorting to encrypting files). The proportion of users who pay the ransom seems to differ from country to country, but the calculations derived from access to the control panel indicate that the controllers can count on receiving about 40,000 Euros per day. And that is from just one operation among many.




The money, of course, has to be laundered to get it back to the controllers, and they will expect to receive only a part of that 40,000 Euros. Laundering money costs money. Assuming that half of that amount goes to intermediaries, they will still get in the region of 7 million Euros a year for their efforts.


Kafeine from has outlined the entire infrastructure of Reveton distribution and monetizing details in the following graphic:





These screenshots were taken from the report (see below), which has a link to an earlier analysis of the FBI Moneypak ransomware containing removal guides. e-virus.html

[Image: Blackhole detections, 2H2011]


The Blackhole Exploit kit has received a complete makeover. The authors have completely rewritten the code in order to evade detection by the majority of anti-virus programs. This exploit kit is probably the most successful (and, for PC users, most dangerous) piece of malware around at the moment, and it relies for its success on users who haven't updated operating systems, browsers, and widely-used applications such as Flash, Adobe Reader and Java. ivirus-software-202263

The creators of the infamous Blackhole exploit kit have announced version 2.0 of the malware, claiming to have rewritten the code entirely from scratch so as to evade popular antivirus software. The kit includes noteworthy and nasty tricks, such as the use of short-term, random URLs for delivering exploits, but perhaps in recognition of the still-struggling global economy, the kit's creators aren't changing pricing.


According to Sophos, the Blackhole exploit kit is "the most popular drive-by malware we've seen recently.... It offers sophisticated techniques to generate malicious code. And it's very aggressive in its use of server-side polymorphism and heavily obfuscated scripts to evade antivirus detection. The end result is that Blackhole is particularly insidious."


In the past few months alone, malicious hackers have used Blackhole to exploit an unpatched MSXML flaw; to exploit Java vulnerabilities; to infect users with fake AV (antivirus) programs via Twitter spam campaigns; and to distribute the GameOver Trojan via a fake U.S. Airways-themed email campaign.



Blackhole 2.0 also has been trimmed of old exploits that have since been fixed, replacing them with a new batch. Further, the creators have broadened the number of OSes the malware can recognize, adding to the list Windows 8 and unspecified mobile platforms, "giving the attacker the ability to break down the amount of traffic he's getting from machines running each individual OS".


The exploit kit is customisable, so the list of exploits given in the InfoWorld article above is certainly incomplete.



[Image: Top exploits, 1H12]

The latest Security Intelligence Report from Microsoft (vol. 13) has this to say about the exploit kit in its Summary Section -

Blacole, a family of exploits used by the so-called “Blackhole” exploit kit to deliver malicious software through infected webpages, was the most commonly detected exploit family in the first half of 2012.


Prospective attackers buy or rent the Blacole kit on hacker forums and through other illegitimate outlets. It consists of a collection of malicious webpages that contain exploits for vulnerabilities in versions of Adobe Flash Player, Adobe Reader, Microsoft Data Access Components (MDAC), the Oracle Java Runtime Environment (JRE), and other popular products and components. When the attacker installs the Blacole kit on a malicious or compromised web server, visitors who don’t have the appropriate security updates installed are at risk of infection through a drive-by download attack.


These attacks frequently use JavaScript or IFrames to execute a drive-by attack, one in which simply visiting a compromised website is sufficient to activate the malicious code and download malware to a user's system.


A drive-by download site is a website that hosts one or more exploits that target specific vulnerabilities in web browsers, and browser add-ons. Malware distributors use various techniques to attempt to direct Internet users to Web sites that have been compromised or are intentionally hosting hostile code. Users with vulnerable computers can be secretly infected with malware simply by visiting such a website, even without attempting to download anything themselves.


This technique usually involves posting exploit code to a legitimate website, either by gaining access to the site through intrusion or by posting malicious code to a poorly secured Web form, like a comment field on a blog. In most cases, the exploit code itself is hosted on a different website and is exposed through the compromised webpage using a technique like a URL embedded in malicious script code or an inline frame, called an IFrame for short. An IFrame is an HTML document that is embedded in another HTML document.


During a drive-by download attack, an IFrame is typically used to load a separate HTML page into a window on the current page. Inline frames can be as small as a single pixel making them impossible to detect with the naked eye. Because the IFrame loads another webpage, it can be used by criminals to place malicious HTML content, such as a script that downloads and installs malware, into non-malicious HTML pages hosted by trusted websites.


(Microsoft Security Blog, December 8 2011)
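The IFrame technique Microsoft describes above (a frame a single pixel in size, or hidden outright, pulling a page from a third-party host into a trusted site) is something a site owner can check for in their own pages. The following scanner is an added example, not code from the original post or from Microsoft; the sample HTML and the hostnames in it (`blog.example.com`, `exploit-host.invalid`) are constructed placeholders, and the host-comparison and size thresholds are this example's own assumptions.

```python
"""Added example, not code from the original post or from Microsoft: a scanner
for the injection pattern described above (single-pixel or CSS-hidden IFrames,
and frames or scripts pulled from a host other than the page's own).  The HTML
below is constructed for the example; the hostnames are placeholders."""

import re
from html.parser import HTMLParser
from urllib.parse import urlparse


def _css_hidden(style):
    """True if an inline style collapses or hides the element."""
    s = style.lower().replace(" ", "")
    if "display:none" in s or "visibility:hidden" in s:
        return True
    for prop in ("width", "height"):
        m = re.search(prop + r":(\d+)(?:px)?", s)
        if m and int(m.group(1)) <= 1:
            return True
    return False


def _tiny(value):
    """True if a width/height attribute is 0 or 1 (pixels)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


class DriveByScanner(HTMLParser):
    """Collects <iframe> and <script> tags that look like drive-by injections."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        reasons = []
        if tag == "iframe":
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("frame sized to 1px or less")
            if _css_hidden(a.get("style") or ""):
                reasons.append("frame hidden via CSS")
        if src:
            host = urlparse(src).hostname
            if host and host.lower() != self.page_host:
                reasons.append("%s loads from third-party host %s" % (tag, host))
        if reasons:
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})


def scan_html(html, page_host):
    """Return every iframe/script finding for a page served from page_host."""
    scanner = DriveByScanner(page_host)
    scanner.feed(html)
    return scanner.findings


def high_risk(findings):
    """Keep only findings with a hidden or tiny frame: third-party embeds alone
    are common on legitimate pages, a concealed frame is not."""
    return [f for f in findings
            if any("hidden" in r or "1px" in r for r in f["reasons"])]


# Constructed sample page: a normal video embed plus an injected hidden frame
# and loader script pointing at a placeholder host.
SAMPLE_PAGE = """<html><body>
<h1>Community blog</h1>
<script src="/js/site.js"></script>
<iframe src="https://video.example.org/embed/42" width="640" height="360"></iframe>
<iframe src="http://exploit-host.invalid/in.php" width="1" height="1"
        style="visibility:hidden; border:0"></iframe>
<script src="http://exploit-host.invalid/ld.js"></script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE, "blog.example.com"):
        print(f["tag"], f["src"], "; ".join(f["reasons"]))
```

Run against the sample, `scan_html` reports three elements loading from other hosts, but only the one-pixel, `visibility:hidden` frame survives `high_risk`; the legitimate video embed is third-party too, which is why host mismatch alone is treated as informational rather than as a verdict.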



Further information:


"What You Should Know About Drive-By Download Attacks - Part 1" (Microsoft Security Blog, December 8 2011)

"Same Operation, Diversification of Targets Being Spoofed: Current Black Hole Exploit Kit Spam Runs" (Trend Micro, June 12)

"The Rise of the “Blackhole” Exploit Kit: The Importance of Keeping All Software Up To Date" (Microsoft Security Blog, July 19)

"Voice Mail Notifications and ADP Emails Lead to Blackhole Exploit Kit" (Websense, September 13)

"Blackhole Exploit Kit updates to 2.0" (Websense, September 13)

"Blackhole 2.0 Beta Tests In The Wild?" (Trend Micro, September 14)

"The various spam campaigns leading to Blackhole" (Help Net Security)

"McAfee Labs Threat Advisory - Blackhole Exploit Kit"

Microsoft Encyclopedia entry: JS/Blacole

Microsoft Encyclopedia: detailed description of JS/Blacole

"Microsoft Security Intelligence Report Vol. 13"

[Image: computer-crime-fake]


This is one member of an entire family of malware known as ransomware.  The aim of those producing and spreading this ransomware is to intimidate and blackmail users whose PCs are infected and persuade or force them to pay for having the malware removed or neutralised. As a form of cybercrime it is crude, but often effective - often enough that the authors have gone to some lengths to customise this particular variety for different countries in Europe (so far, only a few examples from outside Europe have been seen).


The basic mechanism is simple enough. A PC is infected with a Trojan dropper by visiting an infected website. The actual infection can be the result of a "drive-by", where simply going to an infected webpage is enough to download the Trojan. Once on the PC, the code inserts a registry entry to make sure that it will be run every time the PC starts up, then displays a country-specific picture and a message (completely obscuring the desktop) and apparently locks the PC.  The full details are in a paper by Trend Micro, which explains it better than I can.


Newer variants of this ransomware are said to have been modified to encrypt files and overwrite the MBR. If that is true, it confirms that the authors are actively developing it and intend to keep it going as long as  possible.


One of the first articles to draw attention to this ransomware appeared last December in Microsoft's Malware Protection Center, when most of the infections were being reported from Germany (the BundesPolizei variant) : malware-impersonates-the-police.aspx


Considering the wide distribution of scams such as this ransomware, it's clear that there's a lot of money at stake. That's why the bad guys invest in making their scams look more convincing for the unsuspecting user. This includes adapting social engineering techniques to the specifics of various countries and pretending to be the local authorities. Another point to remember is that a lot of malware is distributed nowadays through exploit kits such as Blackhole.


The note above about the Blackhole Exploit Kit is confirmed by a forum post, dated a fortnight before this article appeared, which said that


... Microsoft security essentials showed up 2 severe threats: - severe



Trojan/Win32/Reveton was the subject of another article in Malware Protection Center on April 18th: "Revenge of the Reveton". The malware infection is classed by Microsoft as Severe, and a description and removal guide can be found HERE. It is important to note that this infection is the intermediate variant that purports to be from the Metropolitan Police: later variants may require a different removal process.


Trojan:Win32/Reveton.A arrives as a DLL file with a random name. It creates a shortcut file to itself in the Windows startup folder; the shortcut file name is the same name as the DLL file but with the LNK extension.


When Windows starts, it executes the command associated with the shortcut, as follows:

rundll32.exe <path>\<file name>.dll, <random exported name>


Prevents the user from accessing the desktop

When run, Trojan:Win32/Reveton.A displays a full-screen webpage that covers all other windows, rendering the computer effectively unusable. The image is a fake warning pretending to be from a legitimate institution. It demands the payment of a supposed fine. However, even if the user pays, the computer is still left unusable.


Downloads and executes other malware

Trojan:Win32/Reveton.A downloads and executes other malware, detected as PWS:Win32/Reveton.A.
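The persistence mechanism Microsoft describes (a randomly named DLL, a Startup-folder shortcut of the same name, and a `rundll32.exe <dll>, <export>` command line) is narrow enough to triage automatically. The routine below is an added example, not code from the original post or from Microsoft's write-up; the shortcut names, paths and the export name `hjkq` are constructed placeholders, and the list of user-writable directories and the "no vowels" randomness heuristic are this example's own assumptions.

```python
"""Added example, not from the original post or Microsoft's write-up: a triage
routine for rundll32-based autostart entries of the shape quoted above,
`rundll32.exe <path>\\<file name>.dll, <random exported name>`.  Given the
shortcut names and the command lines behind them (as you would export from a
Startup-folder or autoruns listing), it flags entries whose DLL lives in a
user-writable directory, whose file name looks random, or whose .lnk shares the
DLL's base name.  The entries below are constructed; none are real samples."""

import re
from pathlib import PureWindowsPath

# Directories an ordinary user can write to; a DLL autostarted from here
# deserves a second look.  The list is illustrative, not exhaustive.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# rundll32[.exe] [<path>\]<file>.dll,<export>  (quotes and spaces tolerated)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?\.dll)"?\s*,\s*(?P<export>[\w@#]+)',
    re.IGNORECASE,
)


def looks_random(stem):
    """Crude heuristic (assumption): five or more letters with no vowels at all."""
    letters = re.sub(r"[^a-z]", "", stem.lower())
    return len(letters) >= 5 and not any(c in "aeiou" for c in letters)


def triage_entry(lnk_name, command_line):
    """Return a finding dict for a rundll32 entry, or None if it is not one."""
    m = RUNDLL_RE.search(command_line)
    if not m:
        return None
    dll = PureWindowsPath(m.group("dll"))
    reasons = []
    # Leading backslash so a relative path such as temp\x.dll also matches.
    if any(d in ("\\" + str(dll).lower()) for d in USER_WRITABLE):
        reasons.append("DLL in user-writable directory")
    if looks_random(dll.stem):
        reasons.append("random-looking DLL name")
    if PureWindowsPath(lnk_name).stem.lower() == dll.stem.lower():
        reasons.append("shortcut named after the DLL")
    return {"lnk": lnk_name, "dll": str(dll),
            "export": m.group("export"), "reasons": reasons}


def triage_startup(entries):
    """Triage (lnk_name, command_line) pairs; non-rundll32 entries are skipped."""
    results = []
    for lnk_name, cmd in entries:
        finding = triage_entry(lnk_name, cmd)
        if finding:
            results.append(finding)
    return results


# Constructed sample: a legitimate control-panel launcher (a well-known
# shell32 export), an ordinary application shortcut, and a Reveton-style
# entry whose DLL name, path and export are placeholders.
SAMPLE_STARTUP = [
    ("Control Panel.lnk", r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"),
    ("ExampleApp.lnk", r'"C:\Program Files\ExampleApp\app.exe" /background'),
    ("xkqwpz.lnk", r"rundll32.exe C:\Users\alice\AppData\Roaming\xkqwpz.dll, hjkq"),
]

if __name__ == "__main__":
    for r in triage_startup(SAMPLE_STARTUP):
        print(r["lnk"], "->", r["dll"], r["export"],
              "; ".join(r["reasons"]) or "no flags")
```

On the sample, only the `xkqwpz.lnk` entry collects all three flags; the shell32 launcher parses as a rundll32 entry but raises none. The heuristics are deliberately coarse (a legitimately installed DLL under ProgramData will trip the first one), so the output is a shortlist for a human to check against the DLL's signature and origin, not a verdict.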


What Microsoft calls PWS:Win32/Reveton.A is a refinement apparently added to this ransomware variant:

This threat is classified as a password-stealing trojan. Typically, a password stealing trojan installs a keystroke logger (commonly referred to as a keylogger) which records keystrokes and sends the recorded information to remote attackers. Some keyloggers monitor only keystrokes involved in specific types of web-based transactions. For example, a keylogger may include a component that monitors browser activity, only recording keystrokes when certain bank or ecommerce sites are accessed. Other types of password-stealing trojans include those that capture screenshots in an attempt to bypass graphic-based security measures.


The advice to anyone who has fallen victim to this version of the ransomware is the usual:


What to do if you think you have been a victim of a scam

If you suspect that you've responded to a phishing scam with personal or financial information, take these steps to minimize any damage.

  • Change the passwords or PINs on all your online accounts that you think might be compromised.
  • Place a fraud alert on your credit reports. Check with your bank or financial advisor if you're not sure how to do this.
  • Contact the bank or the online merchant directly. Do not follow the link in the fraudulent email message.
  • If you know of any accounts that were accessed or opened fraudulently, close those accounts.
  • Routinely review your bank and credit card statements monthly for unexplained charges or inquiries that you didn't initiate.



The whole subject of these "Police Trojans" has been investigated in depth by Trend Micro, who published their findings in a White Paper. The blog entry where the White Paper is discussed asserts that the same people are likely to be behind this as were responsible for a DNSChanger Trojan that had been sponsored by Rove Digital. That particular group was taken down last November when 8 Estonians were arrested, but the Police Trojans continue to be modified, enhanced and released - so there are others involved. There are clues within the source code, apparently, that point to Russian-speakers as being the authors of this malware (although such "clues" could be deliberately planted in order to mislead the investigators).


The Trend Micro blog is at ojan/


The DNSChanger Trojan is the same one that has recently been in the news : the FBI's Operation Ghost Click, which was the subject of a recent post in Security Awareness ("Did the FBI say we should check to see if computer is infected?")


The story of the takedown of Rove Digital and its criminal operations - spam, fake pharmaceuticals and malware - can be found at history


The White Paper

( rs/wp_police_trojan.pdf)

This analyses the operation and external communications of the Police Trojans in some detail. It also provides an explanation for the patchy detection rate by anti-virus programs, and the difficulty in keeping track of changes to the Trojans:

... there must be an affiliate download site where partners can download a ready-made Trojan using their own user names and the C&C server of the day already embedded. This also explains the very low detection rates across the board. Each Trojan is custom compiled with different configurations and applies two layers of packing and obfuscation on top. Given the rate at which the attackers are changing C&C servers, this recompilation must be happening very often; that is why security companies are having a difficult time obtaining good detections.


The cybercrime activities of the authors of this ransomware are identified, showing that these are professional (or at least semi-professional) cybercrooks -

The gang spreading the ransomware discussed in this research paper does not seem to be a novice in committing cybercrime. In fact, we can relate the ransomware Trojan to several data-stealing campaigns involving ZeuS and CARBERP Trojans, TDSS rootkits, and FAKEAV malware dating back to 2010 and 2011. We can also relate the Police Trojan gang to a ZeuS Trojan campaign launched in mid-March of this year and a Gamarue worm.


.... The TDSS samples we have seen in Police Trojan attacks were also the DNS changers Rove Digital’s affiliate program used. As such, we believe that one or some of the gang members spreading the Police Trojans may also have been members of Rove Digital’s affiliate program in the past. This shows that the gang is certainly not new to cybercrime.


The probable source(s) of infection are set out at the end of the White Paper. The authors' conclusions about the websites that cause the infection should come as no surprise.


These malware programs tend to exploit known vulnerabilities in programs such as Java and Flash, for which updates are available but may not have been downloaded and applied. Some can exploit security weaknesses in Windows (most often XP); if the fixes for these issues by Microsoft are in the Optional download section (unlikely, but possible) then some users may not be aware of them.


To check whether your PC is missing any Windows or other Microsoft updates you should go to the Microsoft Update website (for which you must be using Internet Explorer; go to the Microsoft Download Center if you are using another browser such as Chrome or Firefox) or run Microsoft's MBSA, which scans for a number of security vulnerabilities in your OS and browser. For Adobe Flash, you can check whether you have the latest version here (different versions must be downloaded for IE and Firefox; Chrome should update its own sandboxed version automatically).


[Image: West Yorkshire Police virus]


As a footnote to this piece, I note that there is a recent ransomware variant - purporting to be from West Yorkshire Police here in the UK - which has some extra features missing from earlier variants. Many files are encrypted - including .doc and .pdf - and are given a prefix of 'Locked' and a random 4-character suffix. A Russian AV vendor (Dr.Web) classifies this variant of the ransomware as "Trojan.Matsnu.1" and can decrypt the files, provided that they receive both an encrypted file and its unencrypted (pre-infection) version. This implies that the file has been backed up and so is available for comparison - which reinforces the message that files should be backed up regularly.

Innovative Marketing, a notorious purveyor of Fake AV programs, has finally been persuaded - under extreme pressure - to reimburse a large number of people who were duped by their "Your PC is infected ..." scareware into buying their worthless programs.


The company had its headquarters in the Ukraine, but with subsidiaries in the United States and elsewhere. The refunds appear to be for victims in the US only, where the FTC took action against the company in 2008.


In the US, at least 320,000 people will receive a refund of about $20. The figure of 320,000 represents only those in the US who are known to have paid Innovative for one of their scareware products: the list of those products is extensive, since the same underlying program code would have numerous user interfaces and product names.


The number of people eligible for a refund is expected to grow, since the FTC is inviting anyone who paid for one of Innovative's "antivirus" programs, and who does not receive a refund, to contact them.


Anyone outside the US has very little chance of ever receiving any compensation.


A list of some of the names of the Fake AV and other programs peddled by Innovative Marketing can be found on the Microsoft website at software-victims.aspx


Some of the names used:

SpyKiller Pro

Spyware Sweeper

VirusRemover 2008

WinSpyware Protect

XP AntiSpyware 2009

XP AntiVirus


A brief news article about this happy event, with some of the historical background, is at ivirus_scams.html


The FTC announcement can be found at
