Security Weekly 37


Security Weekly 37: A Date via Ransomware, and Spam Updates

There are romantics among malware authors too. A certain figure going by the nickname iCoreX0812, for example, lovingly named his encrypting Trojan Annabelle, after the cursed doll that stars in two horror films of dubious artistic merit. Like the films, the program is meant to terrify its victims, but somehow it does not quite manage to.


The Trojan's feature set is broad. Once on a computer, it closes and blocks the programs most dangerous to it: Task Manager, MSConfig, Process Hacker and popular web browsers. The encryptor writes itself into autorun.inf on any flash drives connected to the computer, so as to spread to other machines through them. Newer versions of Windows do not support AutoRun, however, and even for Windows XP Microsoft released a patch in 2011 that disables the feature, so Annabelle is most likely counting on users who have not updated in more than seven years. That, apparently, is also why Notepad and other text editors get blocked: to make it harder to repair what the virus has done.

The Trojan then encrypts files, gives them the .annabelle extension and reboots the computer. When the user enters the account password, instead of the usual desktop they see a lock screen with the image of the cursed doll and a ransom demand of 0.1 BTC. Most curiously, the author also offers “output data” – a window with his copyright notice. An encryptor, after all, is also intellectual property.

For all the elaborate trappings, though, Annabelle's encryption mechanism is mediocre – a typical example of “stupid ransomware” with a static key – so decryptors for .annabelle files already exist. The author will have to do without his bitcoins; in our world, many do not pay for art. Not that the money was ever coming: in the last paragraph of the ransom note, Annabelle's author admits that this is a demo version of the program and that there is no payment site. How to get the key he does not explain, instead inviting his victims to chat in Discord. Lonely, apparently.
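The autorun.inf propagation described above only works where AutoRun is still enabled. The following is an added example written for this digest (not code from the Annabelle author, from the original article, or from Microsoft): it reads the NoDriveTypeAutoRun policy value from the machine and user hives and lists any autorun.inf found on removable drives. It assumes Windows PowerShell 5 or later with Get-CimInstance available.

```powershell
# Added example (not from the original digest): report the AutoRun policy and
# any autorun.inf files on removable media. Assumes Windows PowerShell 5+.

$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

foreach ($path in $policyPaths) {
    $item  = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $value = $item.NoDriveTypeAutoRun
    if ($null -eq $value) {
        Write-Output "$path : NoDriveTypeAutoRun not set (Windows default applies)"
    } else {
        # 0xFF (255) disables AutoRun for every drive type.
        $state = if ($value -eq 0xFF) { 'AutoRun disabled on all drive types' } else { 'AutoRun not fully disabled' }
        Write-Output ("$path : NoDriveTypeAutoRun = 0x{0:X2} ({1})" -f $value, $state)
    }
}

# DriveType 2 in Win32_LogicalDisk means a removable disk (flash drives included).
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'
if (-not $removable) {
    Write-Output 'No removable drives connected.'
}
foreach ($drive in $removable) {
    $inf = "$($drive.DeviceID)\autorun.inf"
    if (Test-Path -LiteralPath $inf) {
        Write-Output "$($drive.DeviceID) carries autorun.inf (first lines follow):"
        Get-Content -LiteralPath $inf -TotalCount 10
    } else {
        Write-Output "$($drive.DeviceID) has no autorun.inf"
    }
}
```

An autorun.inf on a flash drive is not proof of infection (some legitimate vendors still ship one), but with AutoRun disabled the file cannot launch anything on insertion, which is the protection the 2011 update provides.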

Adware Posing as a Flash Player Update

Everyone wants to make money, so wherever something is free, advertising sooner or later appears. In light of this trend, the new adware for OS X called Player, distributed mainly through torrent sites, hardly looks like a sensation.

The attack method is as old as the hills: visitors to compromised pages are offered an Adobe Flash Player update through a pop-up window disguised as the notification the victim is used to seeing. The trick is obviously aimed at the least experienced audience, since the warning pops up even in recent versions of Chrome, which handle updates perfectly well without the user's help.

The way the malware downloads the actual adware does have one twist: it uses signed shell scripts, in some versions several of them.

As a result, the victim's computer ends up with OSX/MacOffers or OSX/Bundlore. Thanks to the digital signature, the programs pass Gatekeeper and then treat the user to choice spam. Avoiding infection is incredibly simple, though: do not download updates from random sites, especially for Chrome, and if you suspect that you really do not have the latest version of Flash Player, get the update from Adobe's site.