Andreas Venieris, a prominent Greek security systems researcher and external partner of our friends at SecNews, was one of the first in Greece to analyze the Police Virus (the "Police Virus" ransomware) familiar to all of us.
The malware became particularly well known in Greece, especially over the last year, since it installed itself on the machines of unsuspecting users, displayed messages accusing them of criminal acts committed through their PC, and demanded that they pay a sum to unlock their systems. The Electronic Crime Prosecution unit has even created a dedicated sub-page explaining how to recover if you are a victim, with detailed instructions about the virus.
You can read the initial analysis by Mr. Venieris in detail [here]. Mr. Venieris has returned in recent days with a new, additional analysis of the malware, which SecNews publishes EXCLUSIVELY today.
The research shows clearly that the software continues to spread in Greece and abroad (with far lower overall infection rates, since it is now detected by most common antivirus / antimalware products).
How the scam works
The fraud is carried out as follows: after the malware is installed, a popup appears stating the financial demand. The alleged fine is €100. The unsuspecting victim is invited to pay the "alleged fine" with Paysafe or Ukash vouchers. As soon as the card code is entered in the popup in question, the browser, according to the message, is unblocked and all information will be decrypted within 24 hours.
If the card code entered is incorrect, the following message is displayed:
The Paysafe card or Ukash card entry form.
The elements of the analysis
The researcher identified 3 new domains that distribute the malware in question. The domains are:
- seniorreversemortgagedfw.com
- fiatalfadealer.com
- fiatalfaofwinterhaven.com
Domain Name: SENIORREVERSEMORTGAGEDFW.COM
Registrar URL: http://www.godaddy.com
Registrant Name: Anthony Adams
Registrant Organization:
Name Server: NS69.DOMAINCONTROL.COM
Name Server: NS70.DOMAINCONTROL.COM
DNSSEC: unsigned
If you try to visit the website hxxp://tvv.seniorreversemortgagedfw.com (editor's note: we have changed the URL to hxxp so that users are not redirected), the browser is redirected to msn.com (!)
After the first GET request, as the researcher reports, the site redirects to a different site from which the malware (the Police Virus) is distributed. The URLs it redirects to are the following:
hxxp://mfdy.fiatalfadealer.com/reasonable-doubt/V6VtXawbKAwnRWpkHuVYGWwqUlcNZehSb3IKjsK8kV4Y4DncCfxpcgE7DjDf3ZjiYB/3WUsmZz9KLU_/Jb8MEIQg~~/NmMyN2RkYzJlZjRiZGRjYjM3MGE5OWQxOTJmOGZ/abuse-of-right.maff
or at
hxxp://htds.fiatalfaofwinterhaven.com/reasonable-doubt/V6VtXawbKAwnRWpkHuVYGWwqUlcNZehSb3IKjsK8kV4Y4DncCfxpcgE7DjDf3ZjiYB/3WUsmZz9KLU_/Jb8MEIQg~~/NmMyN2RkYzJlZjRiZGRjYjM3MGE5OWQxOTJmOGZ/abuse-of-right.maff
Both, as the researcher established in his web analysis, are hosted at the same IP address, specifically 217.172.185.150. The server is located in Germany at the following ISP:
A reverse-IP lookup of that address shows that it serves the following domains:
- mfdy.fiatalfadealer.com
- naistekas.delfi.ee
- www.lebanonfiles.com
- www.tweetprocesor.com
The researcher found that if he uses a proxy server in another country, the site adapts accordingly. So if he visits the site from Italy, it displays an Italian version of the malware page. If he visits it from the US, it displays an English version of the page. The paradox is that if he visits the page from a Chinese IP address, it displays the Microsoft website (www.msn.com)!!!!
Venturing a guess, we can say that THIS MAY be an indication of the origin of the perpetrators, who probably do not want to distribute the software to IP addresses in their own country (editor's note: China). Of course, this is a conjecture, since it cannot be proven from the data provided by the researcher and made available to us.
Immediate nationwide blocking of the IP addresses
We suggest that the Greek Internet Service Providers (ISPs) IMMEDIATELY block the IP addresses communicated by the researcher and listed in this article. They are used exclusively for spreading malicious software. We believe this should be done IMMEDIATELY in order to drastically limit the further spread of the malware, which has hit thousands of Greek users in the past. In Greece, also thanks to the relevant ongoing actions of the UN against the phenomenon, the spread has been reduced to a minimum. The malware's creators, however, try to use different servers each time in order to keep spreading it.
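As an added example (not part of the researcher's analysis or of the original article), the following Python script shows how a network defender could turn the indicators above (the three domains, the two redirect URLs and the shared IP 217.172.185.150) into a blocklist and then scan web-proxy logs for requests that touch that infrastructure. The defanged URLs are copied from this article; the log format and the log lines are constructed sample input, not real traffic, and the landing-page path pattern is derived from the two redirect URLs quoted above.

```python
"""Indicator handling for the Police Virus distribution infrastructure
described in the article. Added example; not the researcher's own tooling."""
import re
from urllib.parse import urlparse

# Indicators copied from the article, defanged exactly as printed there (hxxp).
ARTICLE_URLS = [
    "hxxp://tvv.seniorreversemortgagedfw.com",
    "hxxp://mfdy.fiatalfadealer.com/reasonable-doubt/V6VtXawbKAwnRWpkHuVYGWwqUlcNZehSb3IKjsK8kV4Y4DncCfxpcgE7DjDf3ZjiYB/3WUsmZz9KLU_/Jb8MEIQg~~/NmMyN2RkYzJlZjRiZGRjYjM3MGE5OWQxOTJmOGZ/abuse-of-right.maff",
    "hxxp://htds.fiatalfaofwinterhaven.com/reasonable-doubt/V6VtXawbKAwnRWpkHuVYGWwqUlcNZehSb3IKjsK8kV4Y4DncCfxpcgE7DjDf3ZjiYB/3WUsmZz9KLU_/Jb8MEIQg~~/NmMyN2RkYzJlZjRiZGRjYjM3MGE5OWQxOTJmOGZ/abuse-of-right.maff",
]
ARTICLE_IP = "217.172.185.150"

# Path shape shared by both redirect targets in the article (the random middle
# segment varies, the first and last segments do not).
LANDING_PATH = re.compile(r"/reasonable-doubt/.+/abuse-of-right\.maff$")

# Constructed proxy log format: timestamp client method url status
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def refang(url: str) -> str:
    """Undo the usual defanging conventions (hxxp, [.], [:]) so urlparse can read the URL."""
    return url.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. A simplification that is right for the .com
    names in the article but not for multi-label public suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def build_blocklist(urls, ip):
    """Collect exact hosts, their registered domains and the shared IP from defanged URLs."""
    hosts = {urlparse(refang(u)).hostname for u in urls}
    return {
        "hosts": hosts,
        "domains": {registered_domain(h) for h in hosts},
        "ips": {ip},
    }


def scan_proxy_log(lines, blocklist):
    """Return (line_number, client, reasons) for every request touching the indicators.

    A request is flagged on the exact host, on any subdomain of a listed domain,
    on the shared IP, or on the landing-page path pattern alone (which also
    catches the same payload served from a host not yet on the list)."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        parsed = urlparse(m["url"])
        host = parsed.hostname or ""
        reasons = []
        if host in blocklist["hosts"]:
            reasons.append("host")
        elif registered_domain(host) in blocklist["domains"]:
            reasons.append("domain")
        if host in blocklist["ips"]:
            reasons.append("ip")
        if LANDING_PATH.search(parsed.path):
            reasons.append("landing-path")
        if reasons:
            hits.append((n, m["client"], reasons))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
1368000000.123 10.0.0.5 GET http://tvv.seniorreversemortgagedfw.com/ 302
1368000001.456 10.0.0.5 GET http://mfdy.fiatalfadealer.com/reasonable-doubt/AbCd/abuse-of-right.maff 200
1368000002.789 10.0.0.7 GET http://www.example.org/index.html 200
1368000003.000 10.0.0.9 GET http://cdn.fiatalfaofwinterhaven.com/favicon.ico 404
1368000004.000 10.0.0.9 GET http://217.172.185.150/reasonable-doubt/xyz/abuse-of-right.maff 200
1368000005.000 10.0.0.9 GET http://www.msn.com/ 200
""".splitlines()

if __name__ == "__main__":
    blocklist = build_blocklist(ARTICLE_URLS, ARTICLE_IP)
    for n, client, reasons in scan_proxy_log(SAMPLE_LOG, blocklist):
        print(f"line {n}: client {client} matched {', '.join(reasons)}")
```

Two points follow from the article's own data. First, the reverse-IP lookup above shows unrelated sites (naistekas.delfi.ee, www.lebanonfiles.com) on the same address, so a bare IP block at ISP level also cuts off those sites; a domain-level block, or flagging the IP hits for review as this script does, avoids that side effect. Second, because the server changes its answer by visitor country and sends some visitors to msn.com, an analyst who reproduces the redirect check will see different results depending on where the proxy exits, which is why the script matches on the path pattern as well as on the hostnames.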
SecNews promotes, supports and publishes EXCLUSIVELY the efforts, research and studies of Greek researchers (anonymous or named) in the field of information systems security. In addition, as you will see in the research to be published in the coming weeks, we take a particular interest in specialized cases of cybercrime incident detection and reporting, as well as in analyses and investigations that lead to the identification of malicious actors, with the ultimate goal of protecting the wider community and Greek internet users.
We also hope for other similar efforts by researchers, which we will be happy to publish.
We are very grateful to Mr. Andreas Venieris for his timely, valid and detailed information.