Thursday, October 24, 2013

Ransomware Trojan learns to infect users through Google search

ESET has reported a new distribution method for the Nymaim Trojan, which can lock the user's computer and demand payment from the victim.

Since the end of September 2013, the already known Nymaim malware, a Trojan with ransomware functionality, has drawn the experts' attention. Previously this infection was delivered by the well-known BlackHole exploit kit, which uses vulnerabilities in an application or the operating system on the victim's computer to deliver malicious code. However, it was recently reported that the author of the BlackHole kit had been arrested in Russia. It appears that in this context the attackers have started using a new way to infect users.

Since the end of September, a large number of detections of this malware being downloaded through the browser have been recorded. The experts found that the referring links leading to the download of the malicious files belonged to Google. This means that before infection the user had entered a query into Google search and clicked one of the links in the search results.

According to an analysis of the web pages that initiated the download of the malicious code, the attackers achieved large-scale infection with so-called Black Hat SEO: specially crafted malicious pages were promoted to the top of the search results for popular keywords.

After clicking a link in the search results, the user is redirected to a malicious page that initiates a file download. To increase the user's confidence, the file's name matches the text entered in the search box; that is, the same file is delivered under different names depending on the search query. Here are a few examples found by ESET experts of names given to a single file:

  • video-studio-x4.exe
  • speakout-pre-intermediate-wb-pdf.exe
  • new-headway-beginner-3rd-edition.exe
  • donkey-kong-country-3-rom-portugues.exe
  • barbie-12-dancing-princesses-soundtrack.exe

As can be seen, in this case the infected users were looking for a video editing program, an English textbook, an image of the game Donkey Kong, the soundtrack to the animated film "Barbie and the 12 Dancing Princesses", etc. Whatever its name, the downloaded malicious archive contains an executable file which, when launched, installs the Nymaim code on the system.
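The naming trick described above can be turned into a detection on the defender's side. The following Python is an added example, not ESET's code or code from the original post; the proxy log lines and hashes are constructed, and the log format (referer, downloaded filename, SHA-256) is an assumption. It flags executables whose name is the slugified Google search query from the referer, and payload hashes served under several different names.

```python
"""Detect Nymaim-style Black Hat SEO downloads in a (constructed) proxy log."""
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample log: referer, downloaded filename, fake SHA-256 digest.
# The first three rows mimic the campaign: one payload, query-derived names.
SAMPLE_LOG = """\
https://www.google.com/search?q=video+studio+x4 video-studio-x4.exe aaaa1111
https://www.google.com/search?q=donkey+kong+country+3+rom+portugues donkey-kong-country-3-rom-portugues.exe aaaa1111
https://www.google.com/search?q=barbie+12+dancing+princesses+soundtrack barbie-12-dancing-princesses-soundtrack.exe aaaa1111
https://www.google.com/search?q=python+tutorial python-3.pdf bbbb2222
https://example.org/downloads setup.exe cccc3333
"""

def slugify(query):
    """Mimic the campaign's naming: lowercase, runs of non-alphanumerics to '-'."""
    return re.sub(r"[^a-z0-9]+", "-", query.lower()).strip("-")

def search_query(referer):
    """Return the 'q' parameter of a Google search referer, or None."""
    parsed = urlparse(referer)
    if "google." not in parsed.netloc:
        return None
    return parse_qs(parsed.query).get("q", [None])[0]

def parse_log(text):
    """Split the assumed whitespace-separated log into (referer, name, digest)."""
    rows = []
    for line in text.splitlines():
        referer, fname, digest = line.split()
        rows.append((referer, fname, digest))
    return rows

def query_named_downloads(rows):
    """Executables whose base name is exactly the slugified search query."""
    hits = []
    for referer, fname, digest in rows:
        q = search_query(referer)
        if q and fname.lower().endswith(".exe") and fname[:-4] == slugify(q):
            hits.append((fname, digest))
    return hits

def polymorphic_names(rows, min_names=2):
    """Map each payload digest to the distinct names it was served under."""
    names = defaultdict(set)
    for _, fname, digest in rows:
        names[digest].add(fname)
    return {d: sorted(n) for d, n in names.items() if len(n) >= min_names}
```

Either signal alone is noisy; a digest that trips both (several query-derived names, one hash) is the pattern the article describes.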

Win32/Nymaim infects in two stages. Once on the computer, the first malicious file carries a hidden payload and launches the second file, which in turn can download further malware or simply lock the operating system for ransom.

During the study, the analysts found more than a dozen variants of the lock screen, created in different languages and with different designs. It is not hard to guess that their targets were users in different countries of Europe and North America. So far, lock screens have been found for Austria, Great Britain, Germany, Ireland, Spain, Canada, Mexico, the Netherlands, Norway, Romania, France and the United States. However, this list is not definitive, and other affected countries are likely to exist. A user from any country may be infected.

Interestingly, the ransom amount differs between countries. On most of the lock screens found, the ransom is about $150 USD, but residents of the United States are asked to pay the highest price for unlocking, $300 USD, while in Romania an infected user can get rid of it for "only" 100 €, i.e. about $135 USD.

All Win32/Nymaim activity is part of a campaign to spread malicious software in which malicious Apache plug-ins infect legitimate web servers, leading to the redirection of users to malicious sites. The campaign, called The Home Campaign, has been running since February 2011. According to independent studies, during this time the criminals have infected nearly 3 million computers.
