If you need to deliver or store confidential documents over the Internet, placing them inside a password-protected, self-extracting ‘archive’ is one of the best ways to keep out prying eyes. Many users will be familiar with archives in the form of ‘zip’ files and programs like WinZip (others, such as 7-Zip and WinRAR, perform a similar function). An archive allows you to save multiple documents inside a single file and to compress the overall file size. Importantly, if you password-protect the archive, you also encrypt its contents, so they are unreadable by any third party that intercepts the file. The archive can only be opened by the intended recipients – the people to whom you have supplied the correct password. Choose a good password and it will be years, if ever, before anyone unauthorized can decrypt your files.
It might come as a surprise, but malware authors use this precise technique for the same reasons. Like you, they don’t want their files to be read by any third party apart from the intended recipient. In their case, the third party is a static antivirus scanner on an email gateway, a public file-hosting service or a user’s machine, and the intended recipient is the victim of the malware scam.
Although malware inside a password-protected archive cannot be detected by a static AV scanner, this doesn’t guarantee the attack will succeed. Encryption only grants the malware safe passage across the Internet and (the author hopes) onto the victim’s machine. Once the malware starts to run, the real-time detection provided by most popular security software will neutralize the threat. Of course, this relies on the end user actually having an AV installed – and that gap is precisely what the malware author is counting on.
There will always be a percentage of home and business users who do not have real-time antivirus running. Malware authors don’t expect every copy of their malware to score a hit, but by distributing it in such massive volumes they know it will succeed in a significant number of cases.
We recently spotted malware using this exact approach:
Looks like the author expressed himself in the file properties:
A simple Google search for “MrFreeCrypt” returns Russian language results for a “New generation of cryptors”:
CryptService!!! Новое поколение крипторов. Online 24/7 fud 0/44. гарантия от 24 часов. ICQ: 6*******7 jabber: mrfreecrypt@j****r.ru
Translation: CryptService!!! New generation of cryptors. Online 24/7, FUD, 0/44 detections. Guarantee from 24 hours. ICQ: 6*******7 jabber: mrfreecrypt@j****r.ru
We can’t state for sure that it’s the same person, but it seems quite a coincidence.
The file itself is a ‘7-zip’ self-extracting archive with two files inside:
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------
2012-10-21 10:54:14 ....A          107           95  stub.vbs
2012-10-24 16:15:24 ....A       113359        61353  sfx.exe
------------------- ----- ------------ ------------  ------------------
                                113466        61448  2 files, 0 folders
“stub.vbs” is a simple Visual Basic Script which runs “sfx.exe” with the following command line parameter:
Set WshShell = WScript.CreateObject("WScript.Shell")
' Launch the inner RAR SFX, handing it the decryption password via the -p switch
WshShell.Run "sfx.exe -pfdhtu578h4j45nh49856856hyg"
“sfx.exe” is another self-extracting archive with only one executable inside – the actual malware component:
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------
2012-10-25 00:15:16 ....A        20480        11712  input.exe
------------------- ----- ------------ ------------  ------------------
                                 20480        11712  1 files, 0 folders
Rather than 7-Zip, “sfx.exe” is a different type of self-extracting archive, a ‘RAR’ SFX. This RAR archive is also password-protected and encrypted. The interesting part is that the RAR SFX stub accepts the decryption password as the command-line switch “-p”, and “stub.vbs” supplies the password in exactly that way. So far the chain looks like this:
[7-zip SFX] → stub.vbs → password → [RAR+password SFX] → malware
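One defensive consequence of this chain: the password is sitting in plain text in the outer script, so a gateway scanner that unpacks the 7-Zip layer can read it back out and decrypt the RAR layer itself. The following is an added example (not code from the original post) that pulls the target and password out of a stub like the one above; the sample stub is constructed to mirror the two-line script shown on the page.

```python
import re

# Constructed sample reproducing the two-line stub.vbs described above (the
# password is the one quoted on the page; the text is re-typed, not a live sample).
STUB_VBS = '''Set WshShell = WScript.CreateObject("WScript.Shell")
WshShell.Run "sfx.exe -pfdhtu578h4j45nh49856856hyg"
'''

# A WScript.Shell .Run/.Exec call with a string-literal command. VBScript doubles
# embedded quotes, so the literal body is any run of non-quote chars or "" pairs.
_CALL_RE = re.compile(r'\.(?:Run|Exec)\s*\(?\s*"((?:[^"\r\n]|"")*)"', re.IGNORECASE)
# RAR/7-Zip style -p<password> switch: attached (-pSECRET) or quoted (-p"two words").
_PW_RE = re.compile(r'(?<!\S)-p(?:"([^"]*)"|(\S+))')

def extract_sfx_passwords(vbs_source):
    """Return (target, password) for every Run/Exec call that passes -p<password>.

    A gateway scanner can feed the recovered password to its archive unpacker and
    scan the inner payload statically instead of giving up on the encrypted RAR.
    """
    found = []
    for call in _CALL_RE.finditer(vbs_source):
        cmd = call.group(1).replace('""', '"')      # undo VBScript quote doubling
        pw = _PW_RE.search(cmd)
        if not pw:
            continue
        target = cmd.split()[0].strip('"')           # first token is the launched file
        found.append((target, pw.group(1) if pw.group(1) is not None else pw.group(2)))
    return found

if __name__ == "__main__":
    for target, password in extract_sfx_passwords(STUB_VBS):
        print(f"{target} is unpacked with password {password!r}")
```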
As mentioned earlier, this does not mean the malware will ultimately succeed. As soon as the payload is executed on the local file system, it becomes subject to detection by real-time antivirus scanners. However, the trick works fine against static scanners on cloud storage services, user-initiated ‘on-demand’ scans and the static scanners on email gateways. This becomes more alarming when you consider that it will therefore avoid detection by major mail providers such as Yahoo, Google, Hotmail and others. Because of this, users must take care to protect themselves. First and foremost, install an antivirus program from a reputable vendor. Secondly, don’t open attachments on mail you weren’t expecting, on mail from people you don’t know, or on mail that looks suspicious or spam-like.
The actual malware component is “FBI” ransomware.
It installs itself as an auto-run application via the following registry value:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GoogleChrome"="C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\RarSFX0\\input.exe"
It protects itself from removal by disabling “Safe Mode” and “Safe Mode with Networking” by deleting the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\*
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\*
It then blocks user input and displays a fake ‘lock screen’ that tries to extort money from the victim. The screen informs the victim that their computer has been locked by the FBI for suspected misuse and that they must pay a fine within 48 hours to unlock it.
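The two registry artefacts above (an auto-run value launching a payload from a RarSFX temp folder under a misleading name, and SafeBoot branches stripped of their subkeys) are easy to check for in a registry export. The following added example is not from the original post; it runs a minimal .reg parser over a constructed export that reproduces both artefacts and flags them.

```python
import re

# Constructed .reg export reproducing the two artefacts described above: the
# "GoogleChrome" Run value pointing into a RarSFX temp folder, and SafeBoot
# branches left without any subkeys. A clean system carries many SafeBoot subkeys.
INFECTED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GoogleChrome"="C:\\DOCUME~1\\User\\LOCALS~1\\Temp\\RarSFX0\\input.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
'''

RUN_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
SAFEBOOT = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot'
_KEY_RE = re.compile(r'^\[(.+)\]\s*$')
_STR_VAL_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$')   # string values only
# Payload launched straight out of a RAR SFX extraction folder under %TEMP%.
_TEMP_SFX_RE = re.compile(r'\\Temp\\RarSFX\d*\\', re.IGNORECASE)

def parse_reg(text):
    """Minimal .reg parser: {key path: {value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        val = _STR_VAL_RE.match(line)
        if val and current is not None:
            keys[current][val.group(1)] = val.group(2).replace('\\\\', '\\')
    return keys

def find_indicators(reg_text):
    """Flag Run entries launched from a RarSFX temp folder and emptied SafeBoot branches."""
    keys = parse_reg(reg_text)
    run_hits = [(name, data) for name, data in keys.get(RUN_KEY, {}).items()
                if _TEMP_SFX_RE.search(data)]
    emptied = [branch for branch in ('Minimal', 'Network')
               if f'{SAFEBOOT}\\{branch}' in keys
               and not any(k.startswith(f'{SAFEBOOT}\\{branch}\\') for k in keys)]
    return {'run_from_temp_sfx': run_hits, 'safeboot_branches_emptied': emptied}
```

On a live Windows host the same export is produced with `reg export` of the two keys; the parser deliberately ignores non-string value types.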