Monthly Archives: December 2015

Radamant Author is Adamant?

It’s not unusual for malware authors to insert little messages to the security industry into their code. Sometimes there’s an element of almost-friendly banter, a bit like a naughty child sticking its tongue out, like the sometimes ambivalent relationship between virus writers and antivirus researchers on alt.comp.virus and other newsgroups. I don’t visit those groups any more, but towards the end of the period when I did visit, most of the traffic seemed to be submerged in a flood of abuse and vituperation (not to mention bits of malware), which is one of the reasons I stopped visiting.

Still, those who have the delightful job of disassembling malware still often find little messages from their authors. Usually they seem to be at the abusive end of the spectrum, aimed at companies and researchers who’ve been inconveniently efficient at detecting earlier versions of the malware.

Such seems to be the case with the author of the Radamant ransomware kit, as reported by David Bisson for Tripwire – Ransomware Author Insults Creator of Decryption Tool in Malware’s Embedded Strings – concerning how EmsiSoft’s Fabian Wosar, having published a tool for decrypting files compromised by Radamant, was ‘complimented’ by the inclusion of strings such as .rdata:0040C030 00000021 C ThxForHlpFabianWosarANDbleepYOU!! in a subsequent version. 

Happily, Wosar has managed to survive the trauma. He commented:

I am not really sure how things work in your circles, but in my circles getting insulted by malware authors is considered the highest kind of accolade someone can get, so thank you very much for that.

And came up with a revised decryption tool within two days.

The purveyor of the Radamant ‘Ransomware as a Service’ tool is apparently working on another version.

David Bisson published a more general article on ransomware and how to deal with it back in January 2015. I’ll be adding that to the resources page at the same time as I add a pointer to this article.
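The string quoted above is the kind of thing that falls out of a strings pass over a sample’s read-only data. As an added illustration (not code from the post or from any of the tools it mentions), the following Python extracts printable ASCII runs with their offsets from a byte blob, flags the ones that hit an analyst’s watchlist, and renders them in the ‘section:address length type text’ form seen above. The blob, the watchlist, the section base address and the placeholder URL are all constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed stand-in for a binary's .rdata section: a few junk bytes with two
# embedded NUL-terminated ASCII strings. This is NOT a real Radamant sample; the
# taunt string is the one quoted in the post, the URL is a made-up placeholder.
SAMPLE_BLOB = (
    b"\x00\x01\x02MZ\x90\x00\x03\x00\x00\x00"       # 11 bytes of header-like junk
    + b"Hello\x00"                                   # 5 printable bytes: below min_len
    + b"\xff\xfe"
    + b"ThxForHlpFabianWosarANDbleepYOU!!\x00"       # starts at offset 19
    + b"\x00\x10\x11"
    + b"http://example.invalid/gate.php\x00"         # starts at offset 56 (placeholder URL)
    + b"\x7f\x80"
)

# Assumed watchlist: researcher/company names and C&C-looking tokens an analyst
# might want surfaced automatically when triaging a new sample.
WATCHLIST = ("FabianWosar", "Emsisoft", "bleep", "http://", "gate.php")


def extract_strings(blob: bytes, min_len: int = 6) -> List[Tuple[int, str]]:
    """Return (offset, text) for every run of printable ASCII at least min_len long,
    the same idea as `strings -t d` or a disassembler's Strings window."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


def flag_strings(strings, watchlist=WATCHLIST):
    """Keep only strings containing a watchlist token (case-insensitive),
    returning (offset, text, matched_tokens) for each hit."""
    hits = []
    for offset, text in strings:
        low = text.lower()
        matched = [w for w in watchlist if w.lower() in low]
        if matched:
            hits.append((offset, text, matched))
    return hits


def rdata_style(offset: int, text: str, section_base: int = 0x40C000) -> str:
    """Render a hit in the 'section:address length type text' form the post quotes.
    section_base is an assumed virtual address for the section; the length column
    counts the terminating NUL, as IDA's Strings window does for C strings."""
    return f".rdata:{section_base + offset:08X} {len(text) + 1:08X} C {text}"


if __name__ == "__main__":
    for offset, text, matched in flag_strings(extract_strings(SAMPLE_BLOB)):
        print(rdata_style(offset, text), "  <-", ", ".join(matched))
```

On a real sample you would feed in the raw section bytes (or the whole file) instead of SAMPLE_BLOB, and the watchlist would be whatever names, domains and ransom-note fragments your team tracks; the point is that the taunts researchers keep finding are also cheap, stable detection material.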

David Harley



iYogi tech support – sued by State of Washington

The name iYogi will not be unfamiliar to you, if you’ve been following how the tech support scam has been evolving over the past few years.

In Fake Support, And Now Fake Product Support I described how a legitimate and ethical AV company outsourced its support to the iYogi company in India. This must have seemed at the time an entirely reasonable way of addressing a difficulty that faces security companies with a product version that is free to consumers: what happens when users of that product need support? Running a tech support operation is a significant cost even for companies that charge for all their products (time-limited trials excepted, of course). The idea was that Avast! customers would get free support for Avast!-related queries, but would then be offered an upgrade to a for-fee iYogi support package. However, the AV company’s understanding was that:

here at AVAST, we never phone our customers (unless they specifically ask us to of course) and none of the partners we work with do either.

Unfortunately, it seemed that iYogi’s understanding of the situation was rather different. According to Brian Krebs, reported incidents of tech support scam coldcalls from “Avast customer service” did indeed turn out to have originated with iYogi.

While someone describing himself as the co-founder and president of marketing at iYogi strongly denied any connection with the usual gang of out-and-out scammers, Avast! found it necessary to suspend its arrangement with the company. Avast!’s later arrangements for customer support are discussed on the company’s blog here.

iYogi’s recent activities seem to have continued to attract controversy. A recent article from Help Net Security tells us that Washington State has announced a lawsuit against iYogi, alleging that ‘iYogi’s tactics are unfair and deceptive business practices that violate Washington’s Consumer Protection Act.’ The activities in which the company is alleged to have engaged have a familiar ring, involving deceptive online advertisements, misleading ‘diagnostics’, aggressive selling of support plans and the company’s own anti-virus software. In a twist I haven’t encountered before, the Washington suit filed in King County Superior Court claims that:

iYogi tells the consumer that upgrading to Windows 10 from Windows 7 or 8 costs $199.00 if the upgrade is done independently, but that the upgrade is “included” for free as part of iYogi’s five-year service package or for $80 as part of iYogi’s one-year package. In fact, an upgrade to Windows 10 is free for Windows 7 or 8 users who choose to do so independently. In addition, iYogi incorrectly tells consumers that their computers will stop working if they do not upgrade to Windows 10 soon.

Help Net quotes Microsoft as estimating that 71,000 residents of Washington lose $33m each year, a sizeable proportion of the 3.3m Americans who are estimated to lose $1.5b in a year.

David Harley

Another support scam and ransomware double whammy?

For Malwarebytes, Jérôme Segura reports on another incident where a support scam is combined with other malicious action – Comcast Customers Targeted In Elaborate Malvertising Attack. In this case, malvertising planted on Comcast’s Xfinity search page leads to an attempt to install malware via the Nuclear exploit kit. Malwarebytes weren’t able to collect the malware payload on this occasion, but think it likely to be Cryptowall or another type of ransomware. Subsequently, another site purporting to be the Xfinity portal may serve a fake alert along the lines of:

Comcast’s security plugin has detected some suspicious activity from your IP address.  Some Spyware may have caused a security breach at your network location.  Call Toll Free 1-866-319-7176 for technical assistance

Also reported by Help Net Security.
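Fake alerts of the kind quoted above share a small vocabulary (a ‘detection’ claim, a threat to your network or IP address, and a toll-free number to call), which makes them easy to score heuristically. The following Python is an added example, not code from Malwarebytes or the post; the sample texts are constructed (the phone number is a fictional 555 number, not the one in the real alert), and the phrase list and threshold are assumptions a defender would tune to their own telemetry.

```python
import re

# Constructed sample page texts; neither is captured from the Xfinity incident.
SAMPLES = {
    "scam": (
        "Comcast's security plugin has detected some suspicious activity from your IP address. "
        "Some Spyware may have caused a security breach at your network location. "
        "Call Toll Free 1-800-555-0199 for technical assistance"
    ),
    "benign": "Your monthly statement is ready. Sign in to view your bill online.",
}

# US toll-free prefixes (800, 833, 844, 855, 866, 877, 888) with optional separators.
TOLL_FREE_RE = re.compile(r"\b1[-.\s]?8(?:00|33|44|55|66|77|88)[-.\s]?\d{3}[-.\s]?\d{4}\b")

# Assumed phrase list: wording that recurs across support-scam alert pages.
SCAM_PHRASES = (
    "call toll free",
    "has detected",
    "suspicious activity",
    "your ip address",
    "security breach",
    "technical assistance",
    "spyware",
    "your computer",
)


def score_alert_text(text: str) -> dict:
    """Count toll-free numbers and scam phrases in a page's visible text."""
    low = text.lower()
    phones = TOLL_FREE_RE.findall(low)
    phrases = [p for p in SCAM_PHRASES if p in low]
    return {"phones": phones, "phrases": phrases, "score": len(phones) + len(phrases)}


def is_fake_support_alert(text: str, min_phrases: int = 2) -> bool:
    """Flag text that both advertises a toll-free number and uses at least
    min_phrases scam phrases; a number alone is not enough, since legitimate
    support pages carry one too."""
    result = score_alert_text(text)
    return bool(result["phones"]) and len(result["phrases"]) >= min_phrases


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, is_fake_support_alert(text), score_alert_text(text))
```

Requiring both a number and several phrases is what keeps a genuine ISP contact page from tripping the rule; the thresholds are deliberately loose here and would be tightened against real traffic.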

Adding to both the Tech Support Scam and Ransomware resource pages.

David Harley

Added to the Ransomware Resources page

A technically not-very-sound article from the BBC on The computer virus that blackmails you. It would be nice if a ‘technology reporter’ knew better than to describe all malware as ‘a virus’. Still, I suppose anything that raises awareness of the problem is at least partially helpful. And while it’s not always the case that files can only be recovered from a backup version, it’s good to reinforce the idea that backups are a Good Thing.

Added to the Ransomware resources page.

David Harley

Update to Ransomware Resource page

In the Breaking News section of the Ransomware Resource Page.

From an article for IT Security UK on 15th December 2015: ‘Perhaps Information Security (the magazine and the industry) is on safer ground when it refers to more specific trends (as flagged by McAfee). Perhaps the most interesting (if disquieting) from my point of view is the assertion that ransomware ‘…grew 155% year-on-year thanks to the ready availability of low-cost ‘ransomware-as-a-service’ tools on the darknet.’

Refers to this article in Infosecurity Magazine.

David Harley

Securing Infrastructure

A few months ago, I was invited to contribute a short essay to an eBook published by Mighty Guides on ‘What are the greatest challenges you face in securing your network and applications infrastructure?’

Well, it’s been a while since I was directly involved in securing a major organization’s infrastructure, but I figured the principles haven’t changed much in the last ten years or so… I was a bit taken aback to find that the publication was sponsored by one of ESET’s competitors and that it would only be available at first by registering with that competitor’s web site. Not that I have a problem with the company concerned getting some return on its investment, but Mighty Guides should really have made clear to all the contributors that there might be a problem for people who work for other companies. (Fortunately I’m a freelancer, so there’s no conflict of interest as such, but some people who do what I do are employees.)

However, the section to which I contributed is now available without registration on Slideshare – as is at least one other section – and will eventually be available in full on the Mighty Guides site. If you can’t wait and don’t mind registering in order to get a full copy, you can find it here.

David Harley
ESET Senior Research Fellow

Pony, Angler, Cryptowall ransomware

Another article from Zeljka Zorz for Help Net Security – A deadly campaign delivers Pony info-stealer followed by Cryptowall ransomware – based on an article from Heimdal Security’s Andra Zaharia. The data stealer Pony is installed on the victim’s PC and forwards credentials to the attackers’ C&C (Command & Control) servers: these username/password combinations are used to compromise legitimate servers by injecting a malicious script, used to send victims to other sites serving the Angler exploit kit (EK). Cryptowall 4.0 is installed on vulnerable systems.

Another article at Heimdal – The Evolution of Ransomware: Is Cryptowall 5.0 Around the Corner? – looks at the ransomware business model and speculates a little on how future versions of Cryptowall might be ‘improved’.

David Harley


Tech Support Scams meet Ransomware

Department of bizarre coincidences: yesterday I published a ransomware information page on this site, on approximately the same lines as the tech support information page. Today an article by Zeljka Zorz for Help Net Security – A double whammy of tech support scam and ransomware hits US, UK users – directed me to this Symantec article by Deepak Singh: Tech support scams redirect to Nuclear EK to spread ransomware – Tech support scammers may have bolstered their arsenal by using the Nuclear exploit kit to drop ransomware onto victims’ computers. Which seems to belong on both pages.

This isn’t the first time I’ve heard of scammers who try to lure potential victims to a site from which the Nuclear exploit kit is being served as well as the support scam. Martijn Grooten wrote in some detail about such a case – Compromised site serves Nuclear exploit kit together with fake BSOD – for Virus Bulletin, back in July 2015. In this instance, though, if the exploit kit is successful in finding an exploitable vulnerability on the victim’s system, it will drop either the ugly Cryptowall ransomware or a data-stealing Trojan.

Perhaps this is not an instance of support scammers deliberately making use of an exploit kit with the intention of maximizing profit through ransomware or information stealing. But as Singh observes ‘…if this proves to be an effective combination, we are likely to see more of this in the future.’ And we’ve already seen a similarity in the way that non-encrypting ransomware and some support scams both make use of fake alerts and BSODs as a lure. While there may still be some inept but well-meaning support scam operators out there, there are many more who – inept or otherwise – are perfectly happy to trash a victim’s system. If they can use encrypting ransomware to monetize that ruthlessness, it would be naive to believe they won’t take that route instead.

David Harley