Security Week 7: Encryptor Dating and Spam Updates
Romance is also among malware authors. For example, a certain figure under the name iCoreX0812 lovingly named his encryption Trojan Annabelle - in honor of the damned doll, the star of two horror films of dubious artistic value. Like the movie character, the program is designed to terrify the victim, but it does not work out very well for her.The set of functions of the Trojan is very wide. Once on the computer, the malware first closes and blocks such dangerous programs as the task manager, MSConfig, Process Hacker, and popular web browsers. The ransomware registers itself in the autorun.inf files of the flash drives connected to the computer in order to spread to other devices through them. True, new versions of Windows do not support autorun. Yes, and under Windows XP Microsoft back in 2011 released a patch that disables this feature. So, apparently, Annabel is counting on those who have not been updated for more than 7 years. Apparently, therefore, Notepad, as well as other text editors, also fall under the lock - to make it harder to fix what the virus has done in autoruns.
Then the trojan encrypts the files, assigns them the extension .annabelle and reboots the computer. When the user enters the password for the account, instead of the usual desktop, he sees a splash screen with the image of a cursed doll and a ransom demand of 0.1 BTC. To the most curious, the author also offers "output" - a window with his copyright. The cryptographer, after all, is also intellectual property.
True, with all the reasonableness of the surroundings, Annabelle's encryption mechanism turned out to be so-so - a typical example of Stupid Ransomware with a static key. So the decryptors have already learned to decrypt .annabelle files. The author will have to do without bitcoins - they don’t pay much for art in our world. However, the money didn’t shine for him anyway: in the last paragraph of the ransom report, the author Annabelle admits that this is a demo version of the program, and there are no sites for paying ransom. However, he does not explain how to get the key, instead inviting his victims to chat in Discord. Lonely to him, apparently.
Update Adware Flash Shlayer ...
News
Everyone wants to earn. Therefore, where free, there sooner or later an advertisement appears. In light of this trend, a new OSX adware Trojan called Shlayer, distributed mainly through torrented websites, does not look like a sensation.
The attack method is as old as the world: visitors to compromised pages are offered to update the Adobe Flash Player, masking the pop-up window with a notification typical of the victim’s browser. The trick is designed, obviously, for the most inexperienced audience, because a warning pops up even in new versions of Chrome, which successfully cope with updates without user assistance.
But there is a highlight in the way of downloading the actual advertising programs: for this purpose, the malware uses signed shell scripts. In some versions - several pieces.
As a result, the victim's computer is understaffed by the OSX / MacOffers or OSX / Bundlore malware. Programs successfully bypass Gatekeeper thanks to a digital signature and delight you with selective spam. However, to avoid infection is incredibly simple - just do not download updates from anywhere, especially for Chrome. And if you suspect that you really do not have the latest version of Flash Player - download the update from the Adobe website.
Antiquities
Family "Armagedon"

Resident dangerous viruses. Affect .COM files (except COMMAND.COM) when they run. They are written to the beginning of the file. From 5.00 to 6.00 in the morning they are actively working with the serial port, apparently trying to make a phone call through a modem. Contain the text: “Armagedon the GREEK”. Use int 21h and int 8.
Disclaimer: This column reflects only the private opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not coincide. That's how lucky.