tumblr hit counter

PandaLabs Blog Everything you need to know about Internet threats


PowerLocker, also called PrisonLocker, is a new family of ransomware which in addition to encrypting files on the victim’s computer (as with other such malware) threatens to block users’ computers until they pay a ransom (like the ‘Police virus’).

Although the idea of ​​combining the two techniques may have caused more than a few sleepless nights, in this case the malware is just a prototype. During its development, the malware creator has been posting on blogs and forums describing the progress and explaining the different techniques included in the code.

The malware creator’s message in pastebin

In this post for example, the creator describes how PowerLocker is a ransomware written in c/c++ which encrypts files on infected computers and locks the screen, asking for a ransom.

The malware encrypts the files, which is typical of this type of malware, using Blowfish as an encryption algorithm with a unique key for each encrypted file. It stores each unique key generated with an RSA-2048 public/private key algorithm, so only the holder of the private key can decrypt all the files.

Also, according to the creator, PowerLocker uses anti-debugging, anti-sandbox and anti-VM features as well as disabling tools like the task manager, registry editor or the command line window.

However, all the publicity surrounding PowerLocker that the creator has been generating across forums and blogs before releasing it, has led to his arrest in Florida, USA. Consequently, today there is no definitive version of this malware and there is no evidence that it is in-the-wild.

Nevertheless, we still feel it’s worth analyzing the current version of PowerLocker, as someone else could be in possession of the source code or even a later version.


PowerLocker analysis

The first thing PowerLocker does is to check whether two files with RSA keys are already created, and if not, it generates the public and private key in two files on the disk (pubkey.bin and privkey.bin).

Unlike other ransomware specimens, which use the Windows CrytoAPI service, PowerLocker uses the openssl library for generating keys and encrypting files.

Once it has the keys, PowerLocker runs a recursive search of directories looking for files to encrypt, excluding, not very effectively, files with any of the file names used by the malware: privkey.bin, pubkey.bin, countdown.txt, cryptedcount.txt. It also avoids $recycle.bin, .rans, .exe, .dll, .ini, .vxd or .drv files to prevent causing irreparable damage to the computer. The creator has however forgotten to exclude certain extensions corresponding to files which are delicate enough to affect the functionality of the system, such as .sys files. This means that any computer infected with PowerLocker would be unable to reboot.

Moreover, in this version it is possible to use a parameter to control whether the ransomware encrypts or decrypts files using the pubkey.bin and privkey.bin keys generated when it was first run.

This version does not include the screen lock feature described by the creator, although it displays a console with debug messages, names of the files to encrypt/decrypt, etc. and asks you to press a key before each encryption or decryption.



At present, there is only a half-finished version of PowerLocker which could practically be labelled harmless, and which lacks many of the most important features that the creator has described on the forums and blogs, such as anti-debugging, screen locking, etc.

Despite it not being fully functional we would recommend having a system for backing up critical files, not just to offer assurance in the event of hardware problems, but also to mitigate the damage of these types of malware infections.

Also bear in mind that if you don’t have a backup system and your system is infected, we certainly do not recommend paying the ransom, as this only serves to encourage the perpetrators of such crimes.

PowerLocker analysis performed by Javier Vicente

Post to Twitter

  • (1) Comment

Password stores… Candy for cyber-crooks?

I am sure than more than once you have used the same password for different websites. Imagine that one of those websites stores your password on their internal servers. You won’t have to squeeze your imagination for that as, unfortunately, that’s common practice. Now, imagine that those servers are attacked by a group of hackers who manage to get your password. The next thing those hackers will do is use your password to try to access your email account or any other websites you may have registered to and, in many cases, they will succeed.

You can stop imagining now, as that’s exactly what happened to Yahoo in reality a few weeks ago. In this case the stolen data was not obtained directly from Yahoo’s systems. Apparently, Yahoo realized that a number of their user IDs and passwords had been compromised, and after further research, it was discovered that the information had been obtained from a third-party database not linked to Yahoo.

Immediately, Yahoo reset the affected users’ passwords and used two-factor authentication for victims to re-secure their accounts.

In this case we are not talking about a company failing to secure its data but quite the opposite, and we should congratulate Yahoo for having been able to detect the attack and act swiftly to protect its users.

Unlike the Yahoo incident, an attack recently launched on Orange did affect one of the company’s websites. More specifically, the breached site was affected by a vulnerability that allowed the attackers to gain access to personal data from hundreds of thousands of customers, including names, mailing addresses and phone numbers.

Fortunately, it seems that Orange’s systems were configured in a way that prevented the customers’ passwords from being compromised, which limited the damage done to the more than 800,000 users affected by the attack. According to reports, the customers’ passwords and banking details were stored on a separate server which was not impacted by the breach

In any event, when it comes to protecting passwords from the eventuality of theft, the best policy is simply not to store them. If passwords are not stored, they can’t be stolen, can they? It sounds quite obvious, but not many people seem to apply this simple concept.

Now, the question is, if organizations don’t store users’ passwords, how can they validate users? Very simple. It would be enough to ‘salt’ the original password set by the user when signing up for the Web service, and apply a hash function to that ‘salted’ password. By salting the original password, what you actually do is generate a new, different password using a previously defined pattern (turn letters into numbers, change their order, etc). Next, the system applies the hash function to the alternate password and converts it into a complex string of symbols by means of an encryption algorithm. It is this ‘hashed’ form of the password which is stored in order to validate the user. From that moment on, every time the user types in a password, the system will apply the aforementioned pattern to it, calculate a hash value, and compare it to the hash stored in the password database. If they match, it means that the user has entered the correct password and access is permitted. As you can see, the entire process takes place without the need to store sensitive data such as passwords.

Another measure that should be implemented on a massive scale is the use of two-factor authentication. Even though it can be a pain at times, when applied, it makes compromising user accounts a lot more difficult. This is a system that financial institutions have been using for a long time, but which should also extend to other Web services as well.

Post to Twitter

  • (0) Comments

Android users under attack through malicious ads in Facebook

Cyber-criminals are always trying to attract people’s attention in order to carry out their crimes. So it should be no surprise that they have now found a combined way of using Facebook (the world’s largest social network), WhatsApp (the leading text messaging program for smartphones, recently bought by Facebook) and Android (the most popular operating system for mobile devices) to defraud users.

The group behind this attack uses advertising on Facebook to entice victims and trick them into installing their apps. When you access Facebook from your Android mobile device, you will see a ‘suggested post’ (Facebook’s subtle euphemism for an advertisement) advertising tools for WhatsApp:



As you can see, not only do they use the most popular platforms to attract users, they also appeal to the curiosity of users by offering the chance to spy on their contacts’ conversations. You can see how successful this is by looking at the number of ‘Likes’ and comments it has. Yet this is not the only lure they’ve used. Below you can see another suggested post promising an app that lets you hide your WhatsApp status:



Facebook offers targeted advertising for advertisers, i.e. you can specify which type of users you want to see your ads, where they appear (e.g. in the right-hand column), as suggested posts, etc. In this case it seems that the ad is only shown to Spanish Facebook users who are accessing the social network from an Android mobile device, because these are the types of victims that the cyber-crooks behind this scam are after. In fact you can see this here, as the screenshots are taken from a Spanish Facebook account through an Android mobile device. We also tried using the same account but from a PC, an iPad and an iPhone and in none of these cases were the ads displayed.

If you click on the image you can see here in any of the ads that we’ve shown, you’ll be redirected here:



As any Android user can tell, this is Google Play, specifically, a page for an app. It has the option to install it, and shows over one million downloads and a 3.5-star rating by users (out of 5). If you go down the screen you can see numerous positive comments, and the votes of over 35,000 users who have rated it:



However, a suspicious eye can see that not all the numbers add up:

- The app has a score of 4.5, yet the number of stars is 3.5


- You can see that the score is calculated on the basis of the votes from 35,239 users. Yet if you add up the number of votes that appear on the right, the total is 44,060 votes:


So how can this be happening in Google Play? As some of you may have guessed, this is happening because it is not Google Play. It is really a Web page designed to look like the Play Store, so users think they are in a trusted site. The browser address bar, as you can see in the screenshots here, is hidden at all times. If you click on the ‘Install’ button, a file called “whatsapp.apk” is downloaded.

When it runs, this app displays the following screen:



Look carefully, and at the bottom of the screen below the ‘Continue’ button, there is a barely legible text which, if we zoom in a bit, you can see reads as follows:


In English:

Cost per SMS received €1.45

The use of this application is subject to the following terms and conditions: On subscribing to the service you will have access to periodically updated content and multimedia content for your phone. The service provider is MICAMOSA MON DE SERVEI. SLU. Tel 900844456. contacto@appclub.es. Cost of the subscription service €1.45 per minute. Subscription to 797025. UNSUBSCRIBE to 797025 to unsubscribe.

As with a case that we reported some days ago, it lists a series of conditions regarding subscription to a premium-rate SMS service. Yet by clicking ‘Continue’ the only (visible) thing that happens is that a Web page opens which does indeed contain tips about WhatsApp, although none of these are the kind of things advertised originally (where they claimed you could spy on contacts’ WhatsApp messages).

The danger however, lies in what you don’t see. First, it goes through the list of registered user accounts searching for the WhatsApp account in order to get the corresponding phone number. If WhatsApp is not installed or it fails to get the phone number, it uses an API to access system services in order to get this information.

It then randomly selects one of the following numbers:




It does this to select which of these three premium SMS services it will subscribe the user to. The text of the service terms and conditions (the illegible text that appears when you open the application and you can see the ‘Continue’ button) will depend on the specific service selected. In this text (depending on the number selected) you can see the names of these two companies:



It then installs an SMS receiver to manage inbound text messages. What is interesting is the technique used to prevent users from realizing they have received text messages from any of the three numbers mentioned above. If everything goes fine this SMS receiver will abort the communication process and the user will never see those SMS, but if something goes wrong it uses a witty technique to try going unnoticed: it turns on the device’s silent mode for a couple of seconds, so the user won’t listen the notification sound and then it mark the message in the inbox as read.

Although this SMS receiver has a higher priority than the operating system message controller, we have been running some tests and it looks like in the most recent Android version (4.4) it can’t take control and filter the incoming SMS, and it is in this moment when this plan B takes place. In previous Android versions this trick is not needed as it can block these SMS and delete them before they are shown in the device.

The app has an SMS counter, so when the first message arrives from the premium-rate SMS service, it reads it to obtain the necessary PIN number, and registers on the corresponding website to activate the premium-rate service.Another interesting thing we’ve come across is that it hides messages from the number 22365. It turns out that Orange sends a warning SMS to users who have activated this kind of premium services, and that SMS comes from the number 22365. The Trojan deletes this message so the user won’t know he has been subscribed to this premium service.

Going back to the ‘visible’ part of the app, after clicking ‘Continue’ you will see some supposed ‘tricks’ for WhatsAp:


As you can see in the complete list, there is absolutely nothing special about these, and they can’t reasonably be referred to as ‘tricks’:

  • How to tell if you’ve been blocked
  • How to block a contact
  • Change your status
  • Send much more than just messages
  • Change your profile image
  • Create shortcuts to chats
  • Use Enter to send messages
  • Make a backup of your chats
  • Save the pictures you’ve been sent
  • Change the chat background
  • Send someone the chat history

In fact all these ‘tricks’ are readily available from the page that hosts the apps and without having to subscribe to a premium-rate service. If you go to the main website, you can see that they are not only using WhatsApp as bait, but also any popular app or topic:


And the way they operate is identical. It takes you to an imitation of Google Play, where you can download the corresponding app, and which has the same hidden functions as described above:


If you look closely, you can see that they reuse some of the data from the first case we described (rating, downloads, and the number of votes) but the comments are customized in each case:


Finally, we want to remind users of Panda Mobile Security that the ‘Privacy Auditor’ feature can be used to check whether these apps are classified under the category ‘Cost money’ and if so they can be deleted from there. We also remind you that this does not mean that all apps that are in this category are malicious: any app with sufficient permissions to operate in the way we have described will be in this category. If you see an app you’ve installed and which shouldn’t have these permissions, delete it immediately.


Post to Twitter

  • (2) Comments

New malware attack through Google Play

Update 17/02/2014:

All 4 apps have been removed from Google Play. These are the SHA1 hashes belonging to the 4 apps in case any security researchers need them:







Our Panda Mobile Security research team has found a new threat that has infected at least 300,000 people, although that number could be 4 times higher: 1,200,000. All of those malicious apps are downloadable from Google Play:









How is it possible that malicious apps are allowed here? Well, it is not the first time that all kind of malware has been able to go through the different filters and being published. However, I think this is a different case and it might stay in Google Play for long… first let me tell you how it works and how it steals your money.

Let’s take one of them, “Dietas para reducir el abdomen”. Once you install the application, you open it and it will start loading:


Afterwards it will show the following screen:


When you click on “Siguiente” (next) it will offer you to access one of the diets:


Hard to see the cross in the upper-right side of the screen… they want to make sure we click on “Entrar” (Enter). When you click on it a new message will be shown on top of the last screen:


Basically they are asking you to accept (“Aceptar”) the terms of service to be able to see the content. But look again at the picture: behind this message it is still the previous screen, however there is a “minor” difference, look at the green button “Entrar”, below there is a small text, completely unreadable, that wasn’t there before. Let’s zoom the image a bit:


These are the terms of service you are accepting if you click on “Aceptar”, where they say you will be subscribed to a service to obtain contents for your mobile phone. Of course that is completely unreadable in its original size.

Once you accept the terms of service and click on enter (“Entrar”) 2 different things happen:

  • The user will see a number of advices to reduce his abdomen.
  • Without the user knowledge the app will get the phone number of the device, will go to a website and will register it to a premium SMS service. This service require a confirmation to be activated, which means it sends a SMS to that number with a PIN code, which have to be entered back to end the process and start changing you money. This app waits for that specific message, once it arrives it intercepts its arrival, parses it, takes the PIN number and confirm your interest in the service. Then it removes it, no notification is shown in the terminal and the SMS is not shown anywhere. Again, all this is done without the user knowledge.

It is worth mentioning how the telephone number is “acquired”. The usual way for an app to do it is to take this number from the SIM card -there is a function in the Operating System to do that- however due to security issues there are a number of providers that do not store the number there as a safety measure. To circumvent this what this app does is to “steal” it from one of the most popular mobile apps in the world: WhatsApp. As you probably remember, once you open WhatsApp for the first time you are asked for you mobile phone number. The popular messaging app uses this number, among other things, as an identifier to synchronize with WhatsApp:


According to Google Play this app has between 50,000 and 100,000 downloads. The other ones I mentioned do exactly the same. If we add the downloads of all 4 apps, there are between 300,000 and 1,200,000 downloads of all of them. 2 were published in December 2013 and the other 2 in January 2014, so that number of downloads is pretty impressive. Taking a look at the comments made by some users, a number of them are installing it because they are given tokens / credits in some games by installing these fraudulent apps.

They charge a lot of money for this premium SMS services, if we make a conservative estimate of 20$ charged by terminal, we are talking of a huge scam that could be somewhere between 6 and 24 million dollars!

PandaPanda Mobile Security detects this threat, but that is not a big deal: tomorrow we could find hundreds of apps with the same behavior that would not be detected by any antivirus product. Then, what can we do to protect ourselves? If you are a user of Panda Mobile Security, you will know we have “Privacy Auditor” functionality. If you go there, any app with permissions to behave in this malicious and dangerous way will be flagged as “Cost Money” and you can remove it from there. It does not mean that all applications listed there are malicious, you can see how Facebook or WhatApp are there and I wouldn’t call them malicious. Any application with enough permissions to perform the tricks described here will be in this category: if you see an app that you have installed and should not have those permissions remove it right away:


And whatever security solution you use –if any- please always read the permissions needed to install each application and if among them it is the one letting the app read your SMS and connect to Internet and it is not really needed, do not install it.

As I said earlier they might stay in Google Play for long, as a matter of fact users accept the terms of service, so they might have a legal defense at some level. However not enough to avoid Panda Mobile Security detecting and removing it, that’s for sure.

Post to Twitter

  • (27) Comments

How to Steal Credit Cards from Half a Country’s Population

Korea Credit Bureau (KCB), a credit rating company, has been stolen 105.8 million accounts that included credit card details, full name, telephones, home addresses and even passport numbers. Each Korean has an average of 5 credit cards (highest in the world!) which would mean that at least 21 million of Korean citizens have seen how all their personal details have been stolen. For a country with less that 50 million inhabitants, this means that a 42% has been a victim, although the real figure has to be way higher as not every victim will have had all his credit cards compromised. Probably at this point it would be easier to ask in South Korea  who has not been a victim in this single data theft incident.

Unlike the Target incident we related in this blog, this time no malware was used in order to access the data. The thief worked for KCB –ironically enough, in the anti-fraud department-  and during 11 months he just copied all the information and sold the data. If the data had been properly encrypted the data theft damage would have been limited, although it looks like this was not the case. Being able to steal information during 11 months also points to a lack of data access control and supervision.

There are also some preventive measures that could have been taken: it is true that the person involved in this incident was part of the anti-fraud department, and as such it is likely that he had access to the stolen data. What could have been done? Well, as stated earlier, data encryption can help here, although it is true that at some point this person could have had information to decrypt  it. Limiting the amount of information that can be accessed to might also help against such big data thefts: if you can only access a limited number of data base entries at a time -let’s say 10- this person would have needed to repeat the same operation 10 million times. Not only that, you can also limit the amount of information read during a period of time, or even better, set some alarms linked to some complex rules that send a warning when something unusual is going on. This is something that most banks have already in place and helps them to detect fraud and identity theft cases.

On a separate case, in Germany, the Federal Office for Information Security (BSI) has warned that email accounts belonging to 16 million people have been compromised. It looks like this time a botnet was behind the attack, which means that probably computers belonging to users whose email accounts have been compromised could as well be part of a botnet controlled by cybercriminals.

BSI has created a website to find out if a particular email account is among the victims. If you are among those affected,  there are high chances that your computer is infected with some malware, so feel free to use our Panda Cloud Cleaner free tool to scan and remove any malware lying around.

Post to Twitter

  • (0) Comments

Neymar used as bait to install malware

During the last hours we have detected spam messages containing fake news about the Brazilian football player Neymar da Silva Santos, actually playing at F.C. Barcelona. Neymar has been in the media during the last days for a number of reasons: one due to certain irregularities when he signed up for F.C. Barcelona, and in fact this has had already some serious consequences, such as the resignation of the president of F.C. Barcelona. The other hot topic has been the supposed break up with his Brazilian model girlfriend, Bruna Marquezine, although both of them have claimed that it is not true.

This last topic is the one used as bait, as the fraudulent email message has the following subject: “Mostra tudo Video intimo de Neymar e Bruna Marquezine!!” (private video of Neymar and Bruna Marquezine showing all!!) and it contains a link to download the video. The downloaded file name is Video_Intimo.zip, once opened it contains a file called Video_Intimo.cpl.

When run, this file tries to open a web site that says that it is under maintenance  anf the video cannot be played. Meanwhile in the background it is connecting to different URLs to download and install malware. So far the downloaded malware is a banking Trojan designed to steal credentials from Brazilian banks’ customers.

Two different files are downloaded, it is also created a registry entry to ensure it is executed every time the computer is started. To go unnoticed this entry uses the name “GForce Update Monitor” and malware copies itseld with a random name inside a folder called GForceCmp. GForce has been chosen as it is a reference to the well known graphic cards from Nvidia, and due to this many users can recognize the name and think it is harmless. However, far from that it is able to capture everything we type in the computer and also takes screenshots when we are using Internet Explorer.

All this malware is detected as Trj/Banker.LDW.

Post to Twitter

  • (1) Comment

How to avoid becoming a ‘Target’

There is some more information about Target’s data breach we reported last month and how it happened. According to information leaked to Brian Krebs, a web server would have been compromised, and from there a Trojan would have been distributed to Point of Sale (POS) terminals.

This malware is specifically designed to work in POS and steal credit card information directly from RAM memory, as soon as a credit card is swiped. Cybercriminals were entering Target’s network periodically to gather stolen information from the different POS.

How can companies protect themselves against this kind of attacks? Antivirus are obviously not the solution, we are talking about targeted attacks where the malware has been specially designed to avoid the installed antivirus detection as a starter.

As POS are usually closed platforms, people could think a good solution would be a whitelisting solution. This type of programs are designed to only allow certain applications to be executed on a computer, and in fact this could be a valid approach to certain kind of attacks: for example, an insider attack where an employee tries to infect a POS installing some malicious software in it. However, that solution does not cover all the holes. Many times malicious applications are installed exploiting vulnerabilities, and this kind of installations are not detected necessarily by whitelisting software.

POS are a really appealing target, and cybercriminals will try to sneak in. It is not a matter of luck, eventually they will give it a try, and to be protected you need a solution that covers different aspects of the POS and is able to:

-          Restrict execution of software: only allowed programs will be allowed to run.

-          Identify vulnerable applications: warn about outdated software.

-          Enforce behavior of trusted processes: in case a vulnerability in a trusted process is exploited.

-          Traceability:  In case an incident takes place, tools to facilitate all necessary information to answer the 4 basic questions: since when the intrusion has happened, which users have been affected, what data have been accessed and what have they done with them, and how and where the attackers were coming from.

documented recorded information that allows to find the source of the attack.

These are not all the security measures that can be taken, but at least these four points should be mandatory.

Post to Twitter

  • (0) Comments

Credit Card Data Theft, More and More Frequent in Stores

Last December 18th, the well known American retailer Target Corp informed that hackers had stolen data from 40 million credit cards of customers who had bought on their stores during the first days of the Christmas shopping season, from November 27th to December 15th. These cards are now being sold in the black market to be cloned and used for fraudulent shopping or for money withdrawal.

The company has not yet specified how the hackers carried out the attack, they are actually investigating it with the US Secret Service, although it is believed that their point of sale terminals have been compromised. This kind of attack is on the rise lately and has become a great concern for worldwide authorities.

The largest known data theft to date, of 130 million credit cards, was perpetrated against a payment processing company, Heartland, in 2009. Next one in size was the one suffered by the discount retailer TJ Maxx, who was stolen 94 million customer’s data. A similar and recent case is the one done to Barnes&Noble, when in October last year had its POS terminals compromised. Data theft is becoming more common and many large companies are being attacked, like Sony Online Entertainment (PSN), Ubisoft, Facebook, LinkedIn and eHarmony.

One hypothesis that is being heard about the Target theft is that the cyber criminals had infected the software installed on the POS terminals on their physical stores. To date, the attack has not affected their online store. Another hypothesis is the installation of information recording devices on the terminals, although it is very unlikely to steal data from so many millions of cards, from almost 1800 stores across the US, from an attack of this sort. Installing a physical device in several dozens of stores, at the same time, would imply an unheard of logistic capability from these cyber criminals.

A more plausible theory, at least for us, is that this attack could have been perpetrated by installing a malicious software which stole the data of the credit cards swiped through the stores terminals. This is a similar attack to the one in Barnes&Noble, where one of the Keypads of 63 stores were compromised to obtain the information from the card and pin number entered by the customers. The company was forced to disassemble and analyze 7000 of those Keypads from their stores.

It is believed as well that the attack could have been carried out form the inside, since some knowledge about Target’s internal network and terminals is needed to perform such a breach. One first terminal would have been infected by someone inside the company, or by an employee deceived with social engineering techniques. Once that terminal had been infected, the malware would have propagated through the stores network.

It is also possible that the malicious software, once in the internal network of the stores, had exploited some vulnerability in order to get access the servers where cards or transactions related information is stored. This would be similar to the Heartland case where 130 millions of data were stolen. The attack was carried out installing bugging programs on Fortune 500 companies’ corporate networks, and those programs intercepted credit cards transactions and transferred the information to servers in different countries. This attack run undetected from 2006 to the beginning of 2008.

To avoid this kind of attacks and data thefts is essential to have a complete protection against malware, active and updated on real time, properly installed in all the terminals and endpoints of the company.

Post to Twitter

  • (4) Comments

Predictions for 2014

2014 is less than one month away, what better time to ask ourselves about the top security trends to watch for in the coming year.

Malware Creation: OK, this won’t sound too original but it is a safe bet to say that malware creation will hit a new record high in 2014. Actually, such was the case in 2013, 2012, etc. Most new malware will be variants of known malware conveniently modified to bypass security products.

Vulnerabilities: Security holes in Java have been responsible for most infections detected throughout 2013, and this is not likely to change during 2014. The fact that Java is installed on billions of computers and is apparently affected by countless security flaws has made it a favorite target of cyber-criminals. There is no exploit kit on the market worthy of that name that doesn’t exploit a set of Java vulnerabilities.

Social Engineering: Social engineering is a field that gives cyber-crooks freedom to show their creativity. After vulnerabilities, the second most frequent cause of computer infections is… users themselves, who many times fall into the trap set by cyber-criminals. Despite many scams propagate via email, most of them occur on social networking sites, a meeting place where users share information, but also the perfect place for malware to spread.

Mobile Malware: Android will continue to be the number one mobile target for cyber-crooks in 2014, and the coming year will set a new record for the number of threats targeting this platform.

Ransomware: In addition to banking Trojans and bots, ransomware will be one of the most pervasive threats in 2014. Get ready for new waves of malware asking victims to pay a  ransom to unlock their computers, access their files (CryptoLocker), remove supposed threats (fake antivirus software), or even pay a ‘fine’ for supposed illegal activities (Police Virus). Ransomware allows criminals to obtain money directly from users, and so we can expect it to soar and extend to other types of devices, like smartphones, for example.

Corporate Security: As malware attacks become increasingly aggressive (look at CryptoLocker for example) and the number of targeted attacks suffered by companies rises, there will be a demand for extra-tight security measures that go beyond the protection provided by a “traditional” antivirus. Traditional perimeter solutions are still a necessity, but they have become obsolete in some of the new scenarios companies have to face: users who bring their own devices to work and connect them to the corporate network… Not to mention the espionage operations conducted by governments themselves (NSA, etc.). It is for all these reasons that new solutions will be released capable of responding to these needs and offering protection levels that ensure data security and integrity much more effectively.

Internet of Things: The number of objects and devices connected to the Internet is ever-increasing, and will continue to do so. IP cameras, TVs, multimedia players are now an integral part of the Internet, and often share a characteristic that sets them apart from other devices such as laptops, smartphones or tablets: Users rarely update them. As a result, they are extremely vulnerable to security flaw exploits, and so we are likely to see attacks that target these devices as well.

Post to Twitter

  • (9) Comments

FakeAV + Ransomware = Windows Expert Console

During the last months we have been talking mainly about police virus infections, and more recently about CryptoLocker, the new major ransomware family. However that doesn’t mean that our good “old friends” known as FakeAV aren’t around. Fake antivirus have been infecting users for years and they have not disappeared,  although it is true they are not as prevalent as they were in the past. This week we have seen a rise in FakeAV attacks using a new aggressive ransom-like approach.

The malicious file uses the following icon:

windows expert icono

Usually it gets in the computer under the name “cleaner.exe”, although we have seen it using different names. As soon as it is executed, it appears a screen where it shows the installation of a program called “Windows Expert Console”:

windows expert 1

It only takes a few seconds, and before user is able to react it restarts the computer. Once restarted the following screen will show up and we won’t be able to do anything:

windows expert_eng

If you try to get back to the desktop or run any application, you won’t be allowed. The only thing you can do is to click on that “Remove All” button, and that will take you to a different window in order to buy a license of this FakeAV. It costs $99.

At the same time we found this malware, we detected another variant, this one is less aggressive (it does not block your computer) although they share the same interface, the only difference is the name, this new one is called VirusBuster, the same as the historical antivirus company that closed last year. In this case you get this kind of warnings to make the user pay the license fee:


As we mentioned, both programs share the same interface, and they are in 4 different languages (English, Spanish, German and French), in the following animated GIF you can see how they look like:

virusbuster-windows expert

In case you have been infected with any of these, you can use our free malware removal tool Panda Cloud Cleaner.

Post to Twitter

  • (5) Comments
  • Become a fan!

    Panda Security on Facebook
  • Blogroll

  • Categories