
Malware Week: Ransomware surges, Blackhole spreads

Police ransomware, a new Blackhole campaign, a scam involving Amazon's good name and a Ruby on Rails exploit highlighted this week in malware.

Police ransomware has been a lucrative business line for several online gangs—one was making $1.3 million yearly before police took it down. After infecting a machine, the malware seizes control and displays a splash screen purportedly from a police organization.

The splash screen informs the computer operator that they've been caught engaged in some naughty activity—illegal file-sharing, downloading child porn, or visiting terrorist web sites—and they must pay a fine if they want to regain the use of their computer.

In December, the leader of a large ransomware gang was arrested while vacationing in Dubai and in February, the rest of his crew was rounded up by Spanish police.

Those law enforcement efforts, though, have barely put a wrinkle in the pernicious practice, according to a Panda Security report released this week [PDF].

During December—the month when the ransomware kingpin was taken out of circulation—weekly infections continued to climb, shooting up from 554 to 783. A small dip occurred during week one in January, but then infections more than doubled in the second week of the month, to 1654.

"This is clear empirical proof that the Police Virus is still going to be with us for a while, and we have to keep our guard up," the report cautions.

Blackhole malware accelerates

Meanwhile, a new malware campaign designed to spread the Blackhole toolkit was spotted by AppRiver this week.

Blackhole is a popular piece of malware among cyber marauders. Once it infects a machine it performs a number of nefarious tasks, such as setting system backdoors, downloading more malware, and enslaving its host to a command and control server operated by online miscreants.

AppRiver reported that the spam containing malicious links to Blackhole sites was hitting its filters at the rate of 3000 messages a minute from 47 different domains.

The messages are disguised as a thank-you message for making a purchase from Newegg or a bill from ADP for a large amount of money.

"These toolkits have been very prevalent over the past few years," AppRiver noted. "The Redkit has been making itself better known over the past couple of months, and others such as Phoenix remain active as well. However, Blackhole-created attacks continue to dominate the threat landscape."

Blackhole also plays a role in a scam involving fake order confirmations from Amazon. Spotted this week by cyber security firm Bitdefender, the confirmations are for 55-inch TVs from a variety of makers.

Links in the bogus confirmations lead to a malicious domain on servers in Kenya, Germany, Brazil, and the United States that will infect a machine with Blackhole.

"Given that Amazon talks about a customer base of 137 million and that TV sets are among the top electronic choices of people all over the world, scammers have a pretty good shot at finding innocent victims to infect with malware," Bitdefender noted.

Ruby on Rails hole still welcomes botnets

More woes for Ruby on Rails were also reported this week. Security researcher Jeff Jamoc eyed web predators exploiting a vulnerability in the web application framework software discovered in January.

"It's pretty surprising that it's taken this long to surface in the wild, but less surprising that people are still running vulnerable installations of Rails," Jamoc wrote in a blog.

Botmeisters are using the vulnerability to create zombie networks from systems that didn't update ROR in January, when the vulnerability was patched.
