
Ransomware Spam Pages on Github, Sourceforge, Others

07 Feb 2013

There is currently a large and determined effort to infect computers with Ransomware, courtesy of the Stamp EK exploit kit (the kit also goes by another name; if you want to know what it is, visit the Sophos blog via the Tweet at the bottom of this post. The language chosen by the kit authors is possibly not safe for work, so if you'd rather stick with Stamp EK that's fine by me).

The bait for most of these redirects to Ransomware appears to be a set of US news reporters in various "fake" (i.e. nonexistent) nude pictures, along with a smattering of film actresses and singers; in other words, the usual shenanigans. Curiously, we have also observed a lot of wrestlers and people involved in the wrestling industry listed on many of the spam pages (including Vickie Guerrero, who is named on the fake Youtube page hosted on Github below).

[Screenshot: fake Youtube page hosted on Github, naming Vickie Guerrero]

There are pages and pages of ripped content sitting on various websites such as one located on a .ua domain.

[Screenshot: pages of ripped content on the .ua domain]

Taking the .ua URL as an example, the typical behaviour observed after visiting the site was as follows (it goes without saying that you should not visit the sites below unless you know what you're doing; "(dot)" stands in for "." so that the addresses are not live links):

kingomov(dot)byethost32(dot)com
–>
mediaclick3m(dot)ru/get/iframe.php
–>
(rapidly changing urls)
afyy(dot)promo(dot)equalizingmlhackingius(dot)org/probingmeasles(dot)htm
afyy(dot)promo(dot)equalizingmlhackingius(dot)org/[removed]/untold(dot)js
afyy(dot)promo(dot)equalizingmlhackingius(dot)org/[removed]/summertime(dot)pdf
afyy(dot)promo(dot)equalizingmlhackingius(dot)org/[removed]/111527203
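As an added example (not code from the original post, nor from GFI or VIPRE), the following Python refangs the "(dot)"-defanged indicators listed above and then flags, in a handful of constructed proxy-log lines, any client whose requests follow the same shape as the chain: a landing .htm reached via an iframe.php gateway, followed by .js / .pdf files and an extension-less numeric file from the same host within a short window. The log format, the client addresses, the 60-second window and the "/x/" directory used in the sample lines are assumptions; the "[removed]" directory in the post is not known and is not being guessed at.

```python
"""
Refang the (dot)-defanged indicators from the post and look for the observed
Stamp EK chain shape in proxy logs:

    gateway (.../iframe.php)  ->  landing (.htm)  ->  exploit (.js / .pdf)
                              ->  extension-less numeric payload

All log lines below are constructed for the example; nothing here is captured
traffic. Log format assumed: "<ISO timestamp> <client> <host> <path> <referer>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators exactly as written in the post, in "(dot)" form.
DEFANGED = [
    "kingomov(dot)byethost32(dot)com",
    "mediaclick3m(dot)ru/get/iframe.php",
    "afyy(dot)promo(dot)equalizingmlhackingius(dot)org/probingmeasles(dot)htm",
]


def refang(ioc):
    """Turn '(dot)' / '[.]' / 'hxxp' notation back into a usable string."""
    ioc = re.sub(r"\(dot\)|\[\.\]", ".", ioc, flags=re.IGNORECASE)
    return re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)


REFANGED = [refang(i) for i in DEFANGED]

# Constructed sample log (assumption: one request per line, '-' = no referer).
# The "/x/" directory is invented; the post redacts the real one.
LOG = """\
2013-02-07T10:00:01 10.0.0.5 kingomov.byethost32.com /index.html -
2013-02-07T10:00:02 10.0.0.5 mediaclick3m.ru /get/iframe.php http://kingomov.byethost32.com/index.html
2013-02-07T10:00:03 10.0.0.5 afyy.promo.equalizingmlhackingius.org /probingmeasles.htm http://mediaclick3m.ru/get/iframe.php
2013-02-07T10:00:04 10.0.0.5 afyy.promo.equalizingmlhackingius.org /x/untold.js http://afyy.promo.equalizingmlhackingius.org/probingmeasles.htm
2013-02-07T10:00:05 10.0.0.5 afyy.promo.equalizingmlhackingius.org /x/summertime.pdf http://afyy.promo.equalizingmlhackingius.org/probingmeasles.htm
2013-02-07T10:00:07 10.0.0.5 afyy.promo.equalizingmlhackingius.org /x/111527203 http://afyy.promo.equalizingmlhackingius.org/probingmeasles.htm
2013-02-07T10:05:00 10.0.0.9 www.example.org /docs/report.pdf http://www.example.org/docs/index.htm
2013-02-07T10:05:02 10.0.0.9 www.example.org /static/app.js http://www.example.org/docs/index.htm
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
WINDOW = timedelta(seconds=60)  # assumed: whole chain completes within a minute


def parse(log):
    """Yield one dict per log line."""
    for raw in log.strip().splitlines():
        ts, client, host, path, ref = LINE.match(raw).groups()
        yield {"ts": datetime.fromisoformat(ts), "client": client,
               "host": host, "path": path, "ref": ref}


def stage(url_or_path):
    """Map a URL or path to a stage of the chain by its last segment, or None."""
    last = url_or_path.rsplit("/", 1)[-1]
    if last == "iframe.php":
        return "gateway"
    if last.endswith((".htm", ".html")):
        return "landing"
    if last.endswith((".js", ".pdf")):
        return "exploit"
    if last.isdigit():
        return "payload"
    return None


def detect(log):
    """Return {client: [paths]} for clients that show the full chain."""
    by_client = defaultdict(list)
    for rec in parse(log):
        by_client[rec["client"]].append(rec)

    flagged = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, land in enumerate(recs):
            # The chain starts at a landing page whose referer is the iframe gateway.
            if stage(land["path"]) != "landing" or stage(land["ref"]) != "gateway":
                continue
            host, seen, chain = land["host"], {"landing"}, [land["path"]]
            for nxt in recs[i + 1:]:
                if nxt["ts"] - land["ts"] > WINDOW:
                    break
                if nxt["host"] != host:
                    continue  # only follow-up hits to the same rotating host
                s = stage(nxt["path"])
                if s in ("exploit", "payload"):
                    seen.add(s)
                    chain.append(nxt["path"])
            if {"landing", "exploit", "payload"} <= seen:
                flagged[client] = chain
                break
    return flagged


if __name__ == "__main__":
    print("refanged indicators:", REFANGED)
    for client, chain in detect(LOG).items():
        print(client, "->", " -> ".join(chain))
```

The second client in the sample fetches a .pdf and a .js from a normal site and is not flagged, because there is no iframe.php referer and no extension-less numeric download; the point of requiring all three stages from one host is to keep ordinary sites serving PDFs and scripts out of the alert.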

So far we have observed Weelsof and Reveton Ransomware being dropped. The below piece of Ransomware is demanding $300 to “Unlock your computer and avoid other legal consequences”. As with other similar forms of Ransomware, it accuses the user of accessing illegal pornography and makes no bones about the fact that they should be paying up “or else”.

Unfortunately, much of the same content can currently be found on both Github and Sourceforge, typically in the form of a fake Youtube page or a collection of sex pictures lifted from a real porn site. We've also seen air rifle stores, a rip of a Windows for Dummies site, Twitter pages and a whole lot more besides. A lot of these pages seem to be in the process of being taken down, but there are still enough floating around out there to be a problem.

Here’s some of the content currently sitting on Github:

[Screenshot: spam pages hosted on Github]

Here’s how Sourceforge is shaping up:

[Screenshot: spam pages hosted on Sourceforge]

We saw bad things on Sourceforge back in 2011, and it's no wonder that Ransomware is the current darling of Malware circles. Users of VIPRE Antivirus will find we detect the most recently spammed files as Trojan.Win32.Agent.akmt (v). Be careful out there.

Update 8/2/2013: SourceForge is working to remove the spam pages, as per the note added to this article. Please note that, as both the note and the blog post above mention, the spam pages are on SourceForge / Github; the Malware itself is hosted elsewhere and served up from third-party websites ("The bait for most of these redirects to Ransomware").

Christopher Boyd (Thanks to Matthew for finding this)
