Thursday, 12 January 2012

FakePoliceAlert updated

FakePoliceAlert winlocks were recently updated.
I see more and more Blackhole exploit kit instances spreading these winlocks in DLL form.

Some pictures of winlocks found in the wild:

So what's new?
They can now download files, so it becomes necessary to also monitor these packages.
They also create a new desktop for the winlock and load an iexplore window fullscreen inside it.
Most of them are on the IP range 92.241.*

Version 1.2.2:

Check if the winlock is run by rundll32

Check if there is AVP.EXE in running process


Load notepad/explorer/iexplore

Disable taskmgr

Download payload

The payload (a password stealer, always in DLL format, that targets a lot of things)

Avast identifies some of these DLL winlocks as 'SmokeLoader', according to VirusTotal.
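As an added example (not code from the original post), here is a small defender-side correlation over constructed endpoint telemetry that looks for the 1.2.2 behaviours listed above on one rundll32 host: a DLL loaded from a user-writable directory, Task Manager disabled, an iexplore child process, and a connection into the 92.241.* range. The event tuple format, the field names and the DisableTaskMgr registry path used to represent "Disable taskmgr" are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample telemetry, one tuple per event:
# (event_type, pid, parent_pid, detail).  The format is an assumption.
EVENTS = [
    ("process", 1200, 800,
     r"C:\Windows\System32\rundll32.exe C:\Users\u\AppData\Local\Temp\lock.dll,Start"),
    ("registry", 1200, 800,
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr=1"),
    ("process", 1300, 1200, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ("network", 1200, 800, "92.241.0.10:80"),
    # Benign rundll32 use for contrast: system DLL, no follow-on behaviours.
    ("process", 1500, 800, r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"),
]

RUNDLL32 = re.compile(r"(?i)^(?:.*\\)?rundll32\.exe(?:\s+(.*))?$")
C2_RANGE = ipaddress.ip_network("92.241.0.0/16")  # range named in the post

def indicators(events):
    """Map each rundll32-hosted pid to the set of behaviours seen for it."""
    found = {}
    hosts = set()
    # Pass 1: find rundll32 hosts and flag DLLs loaded from user-writable dirs.
    for etype, pid, _ppid, detail in events:
        m = RUNDLL32.match(detail) if etype == "process" else None
        if m:
            hosts.add(pid)
            args = (m.group(1) or "").lower()
            if "\\appdata\\" in args or "\\temp\\" in args:
                found.setdefault(pid, set()).add("dll_from_user_dir")
    # Pass 2: attribute follow-on behaviours to those hosts.
    for etype, pid, ppid, detail in events:
        if etype == "registry" and pid in hosts and detail.lower().endswith("\\disabletaskmgr=1"):
            found.setdefault(pid, set()).add("taskmgr_disabled")
        elif etype == "process" and ppid in hosts and detail.lower().endswith("\\iexplore.exe"):
            found.setdefault(ppid, set()).add("iexplore_child")
        elif etype == "network" and pid in hosts:
            ip = ipaddress.ip_address(detail.rsplit(":", 1)[0])
            if ip in C2_RANGE:
                found.setdefault(pid, set()).add("net_92_241")
    return found

def suspicious(found, min_indicators=3):
    """Pids showing at least min_indicators of the behaviours above."""
    return sorted(pid for pid, inds in found.items() if len(inds) >= min_indicators)

if __name__ == "__main__":
    hits = indicators(EVENTS)
    for pid in suspicious(hits):
        print(pid, sorted(hits[pid]))
```

Requiring several of the behaviours together keeps ordinary rundll32 use (like the shell32.dll line) out of the alert.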

If you're looking for samples:

In parallel, thanks to Malekal and Secubox Labs, more good teamwork.