Tuesday 22 February 2011

Bluetrash ransomware... now updated with a bot.

Most of you know this threat as 'bluetrash' or 'porno player'.
This malware appeared in April 2010 and is still active.
It is named 'winAD' because of the about-box resource present in both types, and it uses fake porn sites such as 'SpermTV' or 'EroTube' to distribute the malware.

Unblock codes and telephone numbers are stored inside the executables.
They do not use a cryptor, but the Winlock code constantly morphs to try to break antivirus signatures. The dropper uses the Windows Vista Media Player icon, is packed with UPX and extracts the Winlock payload executable to %USERPROFILE%\[Digits]\[Digits].EXE

A few days later, some variants appeared, like the 'Homoblocker' ransomware, generally distributed via a fake site coupled with the Phoenix Exploit Kit.

One month ago, this malware was updated 2 or 3 times per day.
Now... according to my malware bot, this ransomware is updated every hour.
And the Homoblocker variant now seems not to be updated anymore.
Concerning the Homoblocker variants, the people behind it have sometimes run some tests:

These 'tests' appeared on the Homoblocker malware server on 03/02/2011 at 21:12:16 (GMT+1) and lasted for 3 days, with 8 updates in total.
According to VirusTotal, when I uploaded a sample, it was detected by only one antivirus.

For Bluetrash, I monitor every change of this ransomware as I do for Homoblocker, and for one week now it has become serious, with frequent updates and modifications. (Some changes appeared, like the 'reboot when dropped' behaviour; actually it doesn't do that anymore.)
A quick calculation: 24*7 = 168 samples per week.
Tiny histogram:

An update error occurred on Sunday the 20th at 03:00 A.M (GMT+1):
the malware file size on the server was 0 bytes. At 04:08 A.M, a new working sample was available.
Bluetrash ransomware is surely updated by a bot now.
Before, updates occurred only during the day... now it's day and night, 24h.

Samples from yesterday, downloaded every hour; as you can see, the MD5 is never the same:

Monitoring center:

Samples are updated every hour but are still detected by most AVs.
I also want to thank Crank69; I really appreciate your emails, man.
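A minimal version of the hourly monitoring described above, added here as an example and not the author's own bot: it polls a download callback, records each sample's MD5, flags a hash change as a new build, and treats a 0-byte download (the "update error" case) as a failed poll rather than a new sample. The `fetch` callback and the sample bytes are constructed placeholders; a real deployment would replace `fetch` with an HTTP download of the payload URL being tracked.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Optional

@dataclass
class Observation:
    """One hourly poll of the sample hosted on the malware server."""
    timestamp: str
    md5: Optional[str]   # None when the download was empty (update error)
    size: int
    changed: bool        # True when the MD5 differs from the previous good sample

@dataclass
class SampleTracker:
    """Keeps an MD5 history so that hourly re-packs show up as hash changes."""
    fetch: Callable[[], bytes]          # hypothetical callback returning the current sample bytes
    history: List[Observation] = field(default_factory=list)
    last_md5: Optional[str] = None

    def poll(self, timestamp: str) -> Observation:
        data = self.fetch()
        if not data:
            # A 0-byte file is an update error, not a new build: keep last_md5
            # untouched so the next good download is compared against the real previous sample.
            obs = Observation(timestamp, None, 0, False)
        else:
            digest = hashlib.md5(data).hexdigest()
            obs = Observation(timestamp, digest, len(data), digest != self.last_md5)
            self.last_md5 = digest
        self.history.append(obs)
        return obs

    def update_count(self) -> int:
        """Number of distinct new builds seen (the first sample counts as one)."""
        return sum(1 for o in self.history if o.changed)

    def empty_count(self) -> int:
        """Number of polls that hit a 0-byte download."""
        return sum(1 for o in self.history if o.md5 is None)

def run_demo() -> SampleTracker:
    """Replay a constructed feed of hourly downloads (placeholder bytes, not real malware)."""
    feed = [b"build-A", b"build-A", b"build-B", b"", b"build-B", b"build-C"]
    it = iter(feed)
    tracker = SampleTracker(fetch=lambda: next(it))
    for hour in range(len(feed)):
        tracker.poll(f"2011-02-21 {hour:02d}:00")
    return tracker
```

In the replayed feed, three distinct builds and one empty download are recorded, and the repeated build-B after the empty poll is correctly not counted as a new update.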
