Malware Week: Ransomware surges, blackhole spreads

Several longstanding malware scams resurfaced recently, and Amazon and Ruby on Rails were targeted by Internet reprobates.

Police ransomware, a new Blackhole campaign, a scam involving Amazon's good name and a Ruby on Rails exploit highlighted this week in malware.

Police ransomware has been a lucrative business line for several online gangs--one was making $1.3 million yearly before police took it down. After infecting a machine, the malware seizes control and displays a splash screen purportedly from a police organization.

The splash screen informs the computer operator that they've been caught engaged in some naughty activity--illegal file-sharing, downloading child porn, or visiting terrorist web sites--and that they must pay a fine if they want to regain the use of their computer.

In December, the leader of a large ransomware gang was arrested while vacationing in Dubai and in February, the rest of his crew was rounded up by Spanish police.

Those law enforcement efforts, though, have barely put a wrinkle in the pernicious practice, according to a Panda Security report released this week [PDF].

During December--the month when the ransomware kingpin was taken out of circulation--weekly infections continued to climb, shooting up from 554 to 783. A small dip occurred during week one in January, but then infections more than doubled in the second week of the month, to 1654.

"This is clear empirical proof that the Police Virus is still going to be with us for a while, and we have to keep our guard up," the report cautions.

Blackhole malware accelerates

Meanwhile, a new malware campaign designed to spread the Blackhole toolkit was spotted by AppRiver this week.

Blackhole is a popular piece of malware among cyber marauders. Once it infects a machine it performs a number of nefarious tasks, such as setting system backdoors, downloading more malware, and enslaving its host to a command and control server operated by online miscreants.

AppRiver reported that the spam containing malicious links to Blackhole sites was hitting its filters at the rate of 3000 messages a minute from 47 different domains.

The messages are disguised as a thank-you message for making a purchase from Newegg or a bill from ADP for a large amount of money.

"These toolkits have been very prevalent over the past few years," AppRiver noted. "The Redkit has been making itself better known over the past couple of months, and others such as Phoenix remain active as well. However, Blackhole-created attacks continue to dominate the threat landscape."

Blackhole also plays a role in a scam involving fake order confirmations from Amazon. Spotted this week by cyber security firm Bitdefender, the confirmations are for 55-inch TVs from a variety of makers.

Links in the bogus confirmations lead to a malicious domain on servers in Kenya, Germany, Brazil, and the United States that will infect a machine with Blackhole.

"Given that Amazon talks about a customer base of 137 million and that TV sets are among the top electronic choices of people all over the world, scammers have a pretty good shot at finding innocent victims to infect with malware," Bitdefender noted.

Ruby on Rails hole still welcomes botnets

More woes for Ruby on Rails were also reported this week. Security researcher Jeff Jamoc eyed web predators exploiting a vulnerability in the web application framework software discovered in January.

"It's pretty surprising that it's taken this long to surface in the wild, but less surprising that people are still running vulnerable installations of Rails," Jamoc wrote in a blog.

Botmeisters are using the vulnerability to create zombie networks from systems that didn't update ROR in January, when the vulnerability was patched.
