Bochum! You are safe here!

02/08/2013
G DATA Blog

There is no doubt that there is sophisticated malware. And then there is malware where the malware writer thinks it's clever. But the analysts at G Data Security Labs track it down!

Whilst researching a recent topic, the Reveton ransomware variant which stores child pornography on the computer of the infected victim, the analysts at G Data Security Labs found an interesting specimen from this Reveton family.

Initial analysis has shown that the analysed sample was the above variant of the blackmail software. G Data security solutions already detected the malware at the time of initial analysis when it was Gen:Variant.Kazy.138823. However, a later analysis of the same file no longer showed the expected lock screen but another version with other dubious accusations.

Why did the lock screen change?

Malware authors are now programming many of their ransomware instances in a more flexible way than in the past. These days the lock screen images are often no longer hard-coded into the malware file. Instead, once the computer has been infected, the malware uses the Internet to connect to a server specified by the attacker and fetches the current material from there.

Why do attackers do that?

When lock screens or other files are subsequently loaded from a server, the attacker can manage and exchange these files in a more flexible manner. There is no need to sneak a new malware program onto the computer to start a new action on the infected machine. All he has to do is replace the file on the server and all malware that has infected computers retrieves the file from there. The attackers also like to switch servers to avoid being tracked down. A list or even a chain of commands for communication with the server is integrated into the malware.

And what does this have to do with Bochum?

Professional malware analysts use various networks to analyse malware code. In this way they simulate network traffic from other cities or even countries to check how the analysed malware responds, as in this case.

And in doing so, they noticed that the author of the malware was quite prepared for computer users from other countries to be infected because the analysts also simulated lock screens for the USA, Finland and Switzerland.
The respective legal authorities and copyright infringement entities as well as the amount of money that needs to be paid as release fee vary from country to country. In our tests, releasing a locked PC was most expensive in the USA: $300.

Here's the trick: the analysts did not get a lock screen on their deliberately infected systems if they registered at a C&C server with a Bochum internet address (IP). During testing, the server also ignored the simulated network traffic from Helsinki, Reykjavík, San Diego and Redmond. All these cities have one thing in common: they are the headquarters of popular IT companies and AV companies!

Map, showing cities that did not receive content from the server in our tests

So the malware author must have thought that he can stay under the radar if he blocks IP addresses from these cities and does not send any block screens there. However, that backfired. Neither sophisticated AV technologies nor analysis experts can be tricked that easily! A malware author taking this approach and thinking he will remain undiscovered really should have made the effort to also block cities with the headquarters of federal agencies. In Wiesbaden, the city of the headquarters of the BKA (German Federal Criminal Police Office), the malware worked just fine. ?