A new piece of malware delivered by the Blackhole exploit kit is making the rounds. It displays a ransomware page that claims to be a legal action page from the U.S. Federal Bureau of Investigation (FBI). The malware locks the machine and demands a payment of $100 to unlock it. It also disables Task Manager and Registry Editor. The page states that the machine has violated copyright and related laws (video, music, software) by illegally using or distributing copyrighted content, that it has been used to view or distribute prohibited pornographic content, and that it is infected with malware. It then demands a payment of $100 through an untraceable money transfer. This is yet another example of ransomware and social engineering tactics being used to exploit Windows users.
[Screenshot: a system infected by the fake FBI ransomware]
The ransomware instructs victims to pay their “fine” with a MoneyPak card, which can be purchased from well-known U.S. retail chains such as Rite Aid, Walmart, Walgreens, CVS/Pharmacy, Kmart, and 7-Eleven. MoneyPak is a payment system that allows users to “replenish” the card by paying at an approved partner site and then use it to pay other merchants. The MoneyPak company site has a page dedicated to fraud protection tips that includes advice about such scams: https://www.moneypak.com/ProtectYourMoney.aspx
The threat is delivered via exploits against unpatched browsers, or via banner ads, pop-ups, other Trojans, and fake codecs. Once a victim machine has been exploited, a malicious DLL is downloaded and executed. This DLL is loaded by rundll32.exe, and an auto-start entry is created in the start-up folder. Both the DLL and the auto-start entry are given random names. In the example screenshots, “0_0u_l.exe” is the malicious DLL loaded via rundll32.exe with a call to the export function “FQ10”, and “arg.exe” is the start-up item name. The malware also modifies registry entries related to Internet Explorer zones and disables Protected Mode browsing by setting the following registry value to 1: “Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner”
The malicious DLL then launches the “iexplore.exe” process (the Internet Explorer browser) and injects code into it, so that the code executes in the context of a legitimate process. The injected code watches for Task Manager or Registry Editor being launched and shuts them down. It also connects to a remote malicious server to download encrypted data, which it saves in the victim machine’s “Application Data” folder with a random file name and a “.pad” file extension. This .pad file is then decrypted and serves as the content for a new desktop. The current desktop is switched to this new desktop, which is also set to reload on start-up. This essentially “locks” the desktop so the user cannot perform any operations.
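The host artifacts described above (a start-up item that has rundll32.exe load a module without a .dll extension, the NoProtectedModeBanner value set to 1, and a .pad file in Application Data) can be checked together. The following is an added example, not code from the original post or from Stopzilla. It assumes an inventory snapshot gathered separately (for instance from safe mode) and that the start-up item resolves to the rundll32.exe command line; the paths, user name and .pad file name are constructed.

```python
import re
from pathlib import PureWindowsPath

# rundll32 syntax: rundll32.exe <module>,<export>; the module path may be quoted.
RUNDLL32 = re.compile(r'rundll32(?:\.exe)?"?\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s,]+))\s*,\s*(?P<export>\w+)', re.IGNORECASE)
USUAL_EXTS = {".dll", ".cpl"}  # assumption: module types normally run via rundll32
PM_VALUE = r"Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner"

def parse_rundll32(cmdline):
    """Return (module_path, export_name) from a rundll32 command line, or None."""
    m = RUNDLL32.search(cmdline)
    if not m:
        return None
    return (m.group("quoted") or m.group("bare")), m.group("export")

def triage(snapshot):
    """Return (indicator, detail) pairs for the artifacts the article describes."""
    findings = []
    # 1. Start-up item that has rundll32 load a module with an unusual extension.
    for name, cmdline in snapshot.get("startup_items", {}).items():
        parsed = parse_rundll32(cmdline)
        if parsed and PureWindowsPath(parsed[0]).suffix.lower() not in USUAL_EXTS:
            findings.append(("startup-rundll32", f"{name} -> {parsed[0]},{parsed[1]}"))
    # 2. Registry value the article says is set to 1 (hive not stated there).
    if snapshot.get("registry", {}).get(PM_VALUE) == 1:
        findings.append(("ie-protected-mode", PM_VALUE))
    # 3. Downloaded data saved with a .pad extension in Application Data.
    for path in snapshot.get("appdata_files", []):
        if PureWindowsPath(path).suffix.lower() == ".pad":
            findings.append(("pad-file", path))
    return findings

# Constructed sample snapshots; paths, user name and the .pad name are made up.
INFECTED = {
    "startup_items": {"arg.exe": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\0_0u_l.exe",FQ10'},
    "registry": {PM_VALUE: 1},
    "appdata_files": [r"C:\Users\alice\AppData\Roaming\kqzvtm.pad", r"C:\Users\alice\AppData\Roaming\notes.txt"],
}
CLEAN = {
    "startup_items": {"display.lnk": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    "registry": {},
    "appdata_files": [r"C:\Users\alice\AppData\Roaming\notes.txt"],
}

if __name__ == "__main__":
    for indicator, detail in triage(INFECTED):
        print(indicator, detail)
```

A .pad file on its own is a weak signal, so treat a host as matching only when several of the indicators appear together.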
Complete manual removal of this rogue application is difficult because the desktop is locked and other tools or applications cannot be launched. You will need another computer with an Internet connection to download cleanup programs. You can download Stopzilla AVM and transfer it via USB flash drive to the infected machine. Reboot the infected machine in safe mode (immediately after you press the reboot button, press the F8 key on your keyboard and then select “safe mode” from the boot options), install Stopzilla AVM, and run a complete system scan.
The Stopzilla AVM security product detects this threat and its associated components as: Backdoor.Win32.BlackHole, Exploit.Win32.ShellCode, Trojan-Spy.Win32.Banker.fbi