Thursday, July 19, 2007

Ransomware - Holding Corporate America

Via Prevx's Blog -

What started off as a relaxed Saturday morning turned out to be quite interesting when Marco told me about a new ransomware trojan claiming to use RSA-4096 to encrypt users' data.

This is a new iteration of a rather persistent favourite we see a lot; the filename in question is "NTOS.EXE", which we detect generically as Win32.PSWSteal.Gen, entirely preventing the threat of stolen data and infection.

...

At the time of writing there are 6317 records in the stat.txt file below, used to track how many people are infected, with their IP numbers.

While writing this, and looking at the Virustotal stats, one message sits clear with me. If these stats indicate that these companies have been attacked and they are running any of the products by the vendors that didn't detect it, do they even know they are infected? This could put them at significant risk.

And, if they don't know they are infected, how will they protect their customer data once it's been leaked?

---------------------------------------------------

The VirusTotal results are very telling, and scary at the same time. It isn't uncommon to see results like this on a newly modified trojan: it gets repacked with some strange new packer and no one can see it. Magic. But in this example the big-name AV companies didn't detect it: McAfee, Symantec, Kaspersky, eTrust and Sophos. Strangely, one of the free AV products, AVG, did detect it. Bear in mind that a VirusTotal miss reflects each vendor's signature engine at scan time; it says nothing about heuristic or behavioural protection on a managed endpoint, but for a freshly repacked dropper it is a fair proxy for what a signature-only deployment will see.

(Side note: why isn't Trend Micro on VT?)

The attackers' use of psychological trickery is pretty interesting as well: let's tell them we used RSA-4096, it will scare them into paying. Note that Prevx only reports the trojan as "claiming" RSA-4096; nothing on the page verifies the claim, and a victim staring at a ransom note has no way to tell a strong cipher from a trivial one without looking at the files themselves.
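The following is an added triage example, not code from the original post, from Prevx, or from the NTOS.EXE sample, and it makes no claim about what cipher that trojan actually used. It assumes the one thing a corporate victim usually has that a home user does not: a pristine copy of at least one ransomed file (from backup or a file share replica). With that, two checks separate a real cipher from marketing: the byte entropy of the ransomed copy, and the XOR of pristine and ransomed bytes, which for any XOR-style scheme recovers the keystream and exposes a short repeating key. The sample files, the key `K3y!` and the seeded random stream are all constructed here. A high-entropy result still does not confirm RSA-4096: a decent symmetric cipher looks identical, and RSA can only encrypt a single block smaller than its modulus, so file-encrypting ransomware that genuinely uses RSA must wrap a symmetric key with it.

```python
"""Triage a 'your files were encrypted with RSA-4096' claim.

Hypothetical helper; it is not Prevx's code and does not describe the
NTOS.EXE sample.  Assumes you hold one pristine copy of a ransomed file.
"""
import math
import random
from collections import Counter
from typing import Optional


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def recover_keystream(plain: bytes, ransomed: bytes) -> bytes:
    """Known-plaintext step: for a stream or XOR cipher, plain XOR cipher = keystream."""
    n = min(len(plain), len(ransomed))
    return bytes(p ^ c for p, c in zip(plain[:n], ransomed[:n]))


def keystream_period(ks: bytes, max_period: int = 64) -> Optional[int]:
    """Smallest d in 1..max_period with ks[i] == ks[i+d] for every i, else None."""
    for d in range(1, max_period + 1):
        if len(ks) < 2 * d:
            break
        if all(ks[i] == ks[i + d] for i in range(len(ks) - d)):
            return d
    return None


def triage(plain: bytes, ransomed: bytes, entropy_threshold: float = 7.5) -> dict:
    """Combine both checks into a verdict a responder can act on."""
    ent = shannon_entropy(ransomed)
    period = keystream_period(recover_keystream(plain, ransomed))
    if period is not None:
        verdict = f"repeating XOR key of {period} bytes; trivially recoverable"
    elif ent < entropy_threshold:
        verdict = "low entropy; not the output of a real cipher"
    else:
        verdict = ("high entropy, no short period; consistent with a real cipher "
                   "(the RSA-4096 claim itself remains unverified)")
    return {"entropy": ent, "period": period, "verdict": verdict}


# --- constructed samples; none of this is real ransomware output ---
SAMPLE_PLAIN = b"Quarterly customer export, do not distribute outside finance.\n" * 400


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the 'cipher' many scare-ware trojans actually use."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Weak case: a four-byte repeating key dressed up as "RSA-4096".
WEAK_RANSOMED = xor_with_key(SAMPLE_PLAIN, b"K3y!")

# Strong case: a seeded PRNG stands in for a real stream cipher's keystream
# (seeded only so the sample is reproducible; never do this in real code).
_rng = random.Random(20070719)
STRONG_RANSOMED = xor_with_key(SAMPLE_PLAIN, bytes(_rng.getrandbits(8) for _ in SAMPLE_PLAIN))


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_RANSOMED), ("strong", STRONG_RANSOMED)):
        result = triage(SAMPLE_PLAIN, sample)
        print(f"{label}: entropy={result['entropy']:.2f} period={result['period']} -> {result['verdict']}")
```

Run it as a script to see both verdicts; in practice you would read `plain` from the backup copy and `ransomed` from the affected share. The period search is deliberately bounded (64 bytes) because a genuine keystream never repeats on that scale, and the entropy threshold is conservative: English text XORed with a k-byte key cannot exceed its own entropy plus log2(k) bits, so anything above 7.5 bits per byte on a sizeable file came from something better than a toy.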

3 comments:

1. Anonymous, 6:05 AM

    Isn't this kinda old news?
    Viruses like that have existed since the 80s (OK, due to sneakernet etc. propagation was not as fast).

    There is even a (mediocre IMHO) on the subject, called "Cryptovirology" or something similar.

    Kudos to the dudes for their marketing efforts.

    Low price plus technobabble (RSA-4096)? These guys should go corporate :-)

  2. You are correct, Thanasis: the idea of ransomware has been around for a long time, and active attacks have been happening for years.

    But the above article by Prevx shows an active attack using ransomware against several large companies, several of which might not even know they are infected and had data stolen, due to the low detection rate by the big AV vendors.

  3. Anonymous, 4:48 AM

    Big-name AV companies. Perhaps they are more concerned with the business part of things than with keeping their products up to date.

    From my experience out in the field (not to mention the eternal quest for a quick buck) I have found that some vendors, especially the ones that get bundled with Joe's shiny new laptop computer, have a very low detection rate, even with common attacks. It is not uncommon for a properly updated AV to detect nothing while another one discovers sixteen substantial threats. I will not mention any specific products, but I am positive that you know approximately what products I am referring to.

    Combine this with the fact that most major corporations are more willing to spend their money on a "big name" AV product, and your point in the above comment is justified.

    I will admit that I missed the point of the article first time around though so pardon me :-)

    PS. I am still waiting for an e-mail.
