I see more and more Blackhole exploit kit instances spreading these winlocks in DLL form.
Some pictures of winlocks found in the wild:
So what's new?
They can download files, so it now becomes necessary to monitor these packages as well.
They also create a new desktop for the winlock and load a fullscreen iexplore inside it.
Most of them are on the IP range 92.241.*
Version 1.2.2:
Check if the winlock is run by rundll32
Check whether AVP.EXE is among the running processes
CreateDesktopA/SwitchDesktop
Load notepad/explorer/iexplore
Disable taskmgr
Download payload
The payload is a password stealer, always in DLL format, which targets a lot of things.
Avast identifies some of these DLL winlocks as 'SmokeLoader', according to VirusTotal.
If you are looking for samples:
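The behaviours listed for version 1.2.2 (rundll32 host, AVP.EXE check, CreateDesktopA/SwitchDesktop, iexplore on the new desktop, taskmgr disabled, payload download from the 92.241.* range) are exactly what a sandbox API trace would show, so a small triage script can score them. The following is an added example, not code from the post or from the winlock; the trace format, the process/API names in the log and the 92.241.10.20 address are constructed for illustration (the address only stands in for the range named above), and the scoring rules are my own assumption about which combination is worth flagging.

```python
import ipaddress
import re

# Constructed, sandbox-style API trace (not a real log) modelled on the
# behaviours listed above for a DLL winlock run through rundll32.
SAMPLE_TRACE = """\
pid=1204 proc=rundll32.exe api=LoadLibraryA arg=C:\\Temp\\lock.dll
pid=1204 proc=rundll32.exe api=Process32Next arg=AVP.EXE
pid=1204 proc=rundll32.exe api=CreateDesktopA arg=lockscreen
pid=1204 proc=rundll32.exe api=SwitchDesktop arg=lockscreen
pid=1204 proc=rundll32.exe api=CreateProcessA arg=C:\\Program Files\\Internet Explorer\\iexplore.exe
pid=1204 proc=rundll32.exe api=RegSetValueExA arg=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr=1
pid=1204 proc=rundll32.exe api=URLDownloadToFileA arg=http://92.241.10.20/files/21
"""

LINE_RE = re.compile(r"pid=(\d+) proc=(\S+) api=(\S+) arg=(.*)")
# The 92.241.* range named in the post, as a network for membership tests.
C2_RANGE = ipaddress.ip_network("92.241.0.0/16")

INDICATORS = (
    "rundll32_host", "av_check", "desktop_switch", "browser_on_new_desktop",
    "taskmgr_disabled", "payload_download", "c2_range_hit",
)


def parse_trace(text):
    """Turn key=value trace lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, proc, api, arg = m.groups()
            events.append({"pid": int(pid), "proc": proc.lower(), "api": api, "arg": arg})
    return events


def host_in_c2_range(url):
    """True when the URL host is a literal IP inside C2_RANGE; hostnames are ignored."""
    m = re.match(r"https?://([^/:]+)", url)
    if not m:
        return False
    try:
        return ipaddress.ip_address(m.group(1)) in C2_RANGE
    except ValueError:
        return False


def analyze(events):
    """Map each winlock behaviour from the post to a boolean.

    Order matters for the desktop trick: SwitchDesktop only counts after a
    CreateDesktop call, and iexplore only counts once the switch has happened.
    """
    ind = {name: False for name in INDICATORS}
    created = switched = False
    for ev in events:
        api, arg = ev["api"], ev["arg"]
        if ev["proc"] == "rundll32.exe" and api.startswith("LoadLibrary") and arg.lower().endswith(".dll"):
            ind["rundll32_host"] = True
        if api.startswith("Process32") and arg.lower() == "avp.exe":
            ind["av_check"] = True
        if api.startswith("CreateDesktop"):
            created = True
        if api == "SwitchDesktop" and created:
            switched = True
            ind["desktop_switch"] = True
        if api.startswith("CreateProcess") and "iexplore.exe" in arg.lower() and switched:
            ind["browser_on_new_desktop"] = True
        if api.startswith("RegSetValueEx") and "disabletaskmgr=1" in arg.lower():
            ind["taskmgr_disabled"] = True
        if api.startswith("URLDownloadToFile"):
            ind["payload_download"] = True
            if host_in_c2_range(arg):
                ind["c2_range_hit"] = True
    return ind


def verdict(ind):
    """Flag as winlock when the desktop switch is combined with a lock-in behaviour."""
    lock_in = ind["browser_on_new_desktop"] or ind["taskmgr_disabled"]
    return "winlock" if ind["desktop_switch"] and lock_in else "unknown"


if __name__ == "__main__":
    result = analyze(parse_trace(SAMPLE_TRACE))
    for name, hit in result.items():
        print(f"{name:24} {'YES' if hit else 'no'}")
    print("verdict:", verdict(result))
```

The desktop switch on its own is not enough to call something a winlock (legitimate software creates desktops too), so the verdict requires it together with a lock-in behaviour; the download and range hits are kept as separate indicators because, as the post notes, the downloaded package is what carries the password stealer and deserves its own follow-up.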
188.138.28.175/files/21
188.138.28.175/files/20
188.138.28.175/files/19
In parallel, thanks to Malekal and Secubox Labs, more good team work.
can you contact me
i want to talk to you