Tag Archives: Darren Pauli

Delilah: Ransomware and Recruitment

When Chuck Berry recorded ‘Beautiful Delilah’ back in the 1950s, he wasn’t thinking of anything like the Trojan described by Diskin, according to Gartner’s Avivah Litan, as gathering ‘enough personal information from the victim so that the individual can later be manipulated or extorted.’ The company apparently includes under that heading the recruitment of insiders by forcing them to leak data.

The article concludes:

Insider threats are continuing to increase with active recruitment of insiders from organized criminals operating on the dark web.

Commentary by Darren Pauli for The Register: Extortion trojan watches until crims find you doing something dodgy – And then the extortion starts and you’re asked to steal critical data

David Harley

Petya Ransomware: information sources

I’m in the middle of moving house and not able to comment at length, but here are some sources for commentary on the Petya ransomware, which, as Bleeping Computer puts it, skips the files and encrypts your hard disk instead. Note that repairing the Master Boot Record doesn’t recover your data.

Darren Pauli for the Register: Ransomware now using disk-level encryption – German firms fleeced by ‘Petya’ nastyware that performs fake CHKDSK. Cites discussion on KernelMode.info forums.

David Bisson for Graham Cluley’s blog: Petya ransomware goes for broke and encrypts hard drive Master File Tables – Chances are you’ll notice you’ve got a problem when the red skull appears during boot-up… He cites Jasen Sumalapao, writing for Trend Micro.

David Harley

CTB Locker ransomware

CTB Locker

[Added to resources page 29th February 2016]

Article by Darren Pauli for The Register: Reinvented ransomware shifts from pwning PC to wrecking websites – ‘CTB Locker’ targets WordPress, offers live chat to help victims pay up.

And an article by David Bisson for Graham Cluley’s blog: Ransomware’s new target? Websites – Extortionists demand Bitcoin ransom be paid to restore WordPress websites – DDoS (distributed denial of service) extortion and ransomware

David Harley

Biting the Biter

Darren Pauli reports for the Register that Matthew Weeks has released a Metasploit module that exploits a flaw in Ammyy Admin 3.5 to attack a machine being used to ‘take over’ a client machine.

The rationale here is that Ammyy software is frequently used by support scammers to take over a victim’s machine in order to ‘prove’ that the machine is infected by malware, or to install ‘protective’ software, or for other nefarious purposes. Well, if you found this post, the chances are you’re well aware of support scammer operations, and if you’re not, there’s lots of information on this site here.

I don’t, of course, have any interest in defending the activities – far less the systems – of support scammers, but this approach gives me more than a little old-school AV queasiness. Weeks explains:

I don’t normally release zero day exploits, but I made an exception in this case because given the reporting and usage of Ammyy Admin I consider it highly unlikely to be used to compromise innocent victims. The primary users at risk of compromise are the scammer groups.

Primary users at risk? Well, he may not be able to see much risk to other groups, but I suspect that others can. In any case, who is going to make use of this? Probably not Weeks, since he acknowledges:

No scammer group has ever called me, and I have never used this except to test it and in demonstrations.

It’s certainly not an approach that’s going to be available to the victims of the scam, by definition: if they don’t have the technical knowledge to recognize the (techno)logical flaws in an attacker’s spiel, Metasploit means nothing to them. I can see some of the many people who go out of their way to waste a scammer’s time trying this out, but in doing so they may well (as Pauli suggests) place themselves in legal jeopardy (vide the UK Computer Misuse Act, for example), even if they feel ethically secure hacking a hacker. There may be an ethical justification there by analogy with sinkholing a botnet, for example, but botnet countermeasures also have to be done within legal limits.

Will it be a deterrent to scammers? Perhaps, though I suspect that once scammers get to know about this kind of countermeasure, they may be quicker than legitimate users of Ammyy software to patch. Or simply move to one of the many alternative remote access systems used in support scams.

David Harley