The Andromeda botnet is still active in the wild and not yet dead. In fact, it’s about to undergo a major update real soon. This botnet was first reported back in 2011 but has recently risen to prominence due to the latest modifications in the threat.

Initially, this project to update Andromeda was about to die but the botnet’s author found a successor (even though he did not officially retire). Here is the author’s previous post, which basically says that if no buyer is found to take over the software, the service will be discontinued.

Online Post on Underground Forum

Just recently, however, we’ve uncovered that there is an ongoing development in the Andromeda botnet. This latest announcement was posted just recently and basically says that Andromeda code is going to be updated heavily. They suspended the sales of plug-ins to focus more on developing the new version. Here is the rough translation of the post (it’s in Russian) about what this major update:

Attention!
Currently suspended sales of all plug-ins.
The project is undergoing a global modernization. In the near future will happen a few important but not visible changes:
1. Will update the admin principal. Externally, will remain the same, but the principle of storage change that will reduce the load.
2. All plugins will undergo fundamental changes both in format and structure. Those who wrote plugins for andromeda, need to ping waahoo for further informations.
3. why such a change? First of all – it fixes bugs and flaws found, secondly because of the bugs found that have to completely change the approach to plug-ins that have this pain in the ass and should not not pop up in future.
4. I’m not going on vacation for a long time. On the work of Andromeda or its purchases – please contact the author of the project

Rootkit and socks5, which are popular plugins, are also now free of charge. Previously, the rootkit was sold $300 and $1000 for socks5 with BackConnect. BackConnect is a plug-in used to turn an infected machine into a SOCKS5 proxy — it allows the criminal to control the infected machine directly via infected machine IP and a random port.

As of this writing, there is no definite date on when the new version will come out. But once implemented, this latest version of Andromeda is expected to be more stable and powerful than the previous ones and may come with more plug-ins.

After Liberty Reserve’s shutdown, small or big–time cybercriminals had to scurry for an alternative currency. Some cybercriminals exclusively used Liberty Reserve (LR) as an e-currency to fuel their businesses, but its sudden shutdown took the underground scene by surprise. While many of them had a hard time believing this was indeed happening, others thought that LR would be back any time soon.

To respond to this event, some online crooks had to find an immediate alternative (which they did). Based on what we’ve been seeing around underground forums, these guys are now jumping onto the BitCoin bandwagon, as they feel it is a more secure way to buy and sell their products and services.  However, there are still skeptics who doubt BitCoin’s security and think that it can still be taken down by law enforcement agencies.

Sample underground forum post

As mentioned in our previous blog, other e-currencies such as Perfect Money and Web Money are getting more popular in the underground scene, giving bad guys more ways to get paid. If you have an account for each e-currency mentioned above, you can pretty much buy whatever you like from anyone. And in case you don’t have the right e-currency you can still use an exchanger.

Based on our research on several underground forums, here are the most preferred e-currencies used:

• Perfect Money (PM)
• BitCoin (BTC)
• Web Money (WM)

LiteCoin (LTC) is starting to get some interest, but still limited due to the fact that LiteCoin are not as portable as Bitcoin. Russian cybercriminals accept more currencies such as yandex money, liqpay, qiwi.

As it was expected, cyber criminals quickly found other ways to continue their operation, even though some of them lost money due to Liberty Reserve take down. It is hard to determine how much the underground economy suffered, but it never did completely stop their operations.

Ransomware is a nasty scam that infiltrates your computer and tricks you into thinking that you’ve done something wrong. Police ransomware in particular informs users that they need to pay their local police a fine.

We have written detailed reports about these attacks in the past, including multiple blog posts as part of our investigations into this ongoing threat.

Trend Micro threat researchers have been studying this scam throughout 2012 and have collaborated very closely with law enforcement authorities  in several European countries, especially in Spain. Today, we are very happy to report that the Spanish Police has put the information to good use, and they have just announced in a press conference the arrest of one of the head members of the cybercriminal gang that produces the Ransomware strain known as REVETON.

Read the rest of this entry »

The Police Ransomware is not a new threat but has been evolving at a tremendous pace. Here we are talking about Trojans which don’t let the victims use their computer until they pay a “fine” for doing naughty things. To do this, they impersonate local police forces by using the infected user’s regional settings – in other words, they use the victim’s local language and the logos of their country’s police.

Last October, I published a new paper on the subject that touched less on the technical part of the attack and more on the financial side. When I talk about this topic, a lot of people often ask me: how are these Eastern European cybercriminal outfits able to keep using the same fancy payment methods? Can’t we follow the money trail? Well, not really.

The use of online vouchers as a method of payment for the scam has allowed these gangs to completely hide any money trail. This is an intriguing topic in itself, so I recommend you to check it out whether you’re a techie or just interested in the evolution of cybercrime. I wrote the paper for Virus Bulletin, which was held in Dallas last September, although my colleague Loucif Kharouni covered for me for the actual presentation. I finally did present it at B-Sides Sao Paulo in October, and you can find a video recording of that talk here. We have previously released paper on this particular series of attacks, which you can read here.

If you think this is something interesting and want to know more about it, why don’t you download the paper and give it a read?

Ransomware continuously evolves and updates its social engineering tactics to trick users into paying money to the cybercriminals.

The samples we’re seeing today not only leverage the Federal Bureau of Investigation (or any police authority for that matter), but on this occasion also use a non-malicious .MP3 file!

This audio file repeatedly informs users that their system is blocked because of a certain violation on the federal law they committed.  In addition, to unlock the system, users need to pay $200 (USD). Trend Micro detects this as TROJ_RANSOM.CXB and TROJ_RANSOM.AAF.

When executed, TROJ_RANSOM.AAF. displays the following message:

It drops the file, 1.mp3 in the current directory of the malware. It also sends and receives information from the following malicious websites:

• {BLOCKED}.{BLOCKED}.156.30
• {BLOCKED}.{BLOCKED}.229.104
• {BLOCKED}.{BLOCKED}.44.239
• {BLOCKED}.{BLOCKED}.165.210

This attack comes hard on the heels of information published by senior threat researcher,  Loucif Kharouni on a Ransomware variant known as Police Trojan. This Trojan shows a notification from the user’s local police about a certain crime they apparently committed and locks the system until they pay up.