The big, fake, Anonymous ransomware

Pierluigi Paganini November 04, 2012

Do you remember the case of the Anonymous OS proposed in recent months?

Who developed that OS and why?

It is difficult to say: maybe law enforcement, to track members of the collective, or someone else who wanted to benefit from the popularity of the group to exploit a large number of users.

A similar case has emerged recently: the Swiss security blog has revealed that it found ransomware currently circulating in the wild and infecting many Windows users.

The singular feature of the malware is that its authors have used the Anonymous name to spread the agent; the intent to discredit the collective is clear.

Attacks on the Anonymous brand are not new: recently a Twitter account named @FawkesSecurity posted a threat to bomb a government building, but Anonymous promptly denied it with the following post:

“Anonymous is not a terrorist organization. Anonymous does not use bombs. Anonymous does not condone violence in any way. Anonymous supports justice and universal equal rights. We support peaceful protest.”

Returning to the malware, it doesn't present any particular features: it is ransomware that, once it has infected the victim's machine, denies the owner access and demands a ransom paid to the malware's creator in order for the restriction to be removed.

The malware requests 100 € to restore access to the computer and return it to its original condition; authorship of the ransomware is attributed to Anonymous by the following message:

“We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us. Tango down!

Your computer has been hacked by the Anonymous Hackers Group and locked for the moment. All files have been encrypted. You need to pay a ransom of £100 within 24 hours to restore the computer back to normal. If the ransom is not paid on time all the contents of your computer will be deleted and all your personal information such as your name, address, D.O.B, etc. will be published online, after this has been done the processor, ram and motherboard will be fried. Any attempts to remove this virus will result in the consequences mentioned.”

It does not end here: the malware also threatens to delete files and to publish personal information online if the ransom is not paid within 24 hours.

Further false information is circulating about the malware: rumors claim that it is able to turn the computer into a bomb by overclocking the system.

The malware has a size of 47.0 KB, and 28 out of 44 antivirus products are currently able to detect and neutralize it, according to the VirusTotal report.

“The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.

The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.”


The malware is distributed using drive-by downloads and Blackhole exploit kits. Users must be careful about what they download, preferably using only legitimate sources; as usual, the primary suggestion is to keep the computer's security systems updated and operative.

Although the threat posed by the malware is considerably low, I prefer to analyze the phenomenon from a different perspective, trying to imagine who developed the agent.

I totally exclude any government or security agency: the malware is really too simple, and the idea of muddying the Anonymous brand in this way is very stupid. The case is totally different from the spread of the fake OS; I bet on a group of cyber criminals that has modified an instance of existing malware, shifting the blame onto the famous group of hacktivists.

Pierluigi Paganini
