TeslaCrypt Ransomware Arrives via Neutrino Exploit Kit

This post was written by Sriram P. and Varadharajan Krishnasamy.

TeslaCrypt is a ransomware family that encrypts files and extorts money from its victims to decrypt the files. Similar to other ransomware variants, TeslaCrypt propagates through a wide range of spam campaigns and is also downloaded with the help of other malware:

  • W97M/Downloader
  • JS/Nemucod
  • Angler exploit kit
  • Neutrino exploit kit
  • Generic downloaders

Last week, Intel Security observed a novel approach in downloading TeslaCrypt using the Neutrino exploit kit.

Like other exploit kits, Neutrino redirects users to a malicious landing page that hosts exploit files targeting various vulnerabilities. The redirector link may arrive via email as part of a spam campaign.

Once successful, the exploit kit delivers a Trojan downloader and executes it on the victim’s machine. The payload then starts generating random domain names and contacts a remote server with the following parameters.


The variable “_wv=” is assigned to the Base64 text string “ZW50ZXI=” which decodes to the command “enter.”

The server responds with a 404 error page. The response for the command “enter” is present in the comments section of the HTML page, which is again a Base64-encoded text (<!--c3VjY2Vzcw==-->) that decodes to the response “success.”


Upon receiving the success message, the malware sends a second request using the same cookie-auth browser agent, this time carrying encoded data.


The encoded data has the following format:

cmd&<GUID of Machine>&<Logged-in Username: System Name: Domain Name>&<Windows Version and Platform>&<AV product Info>&<Date and Time of Execution>

The compromised machine receives another 404 error page along with a download link that delivers a TeslaCrypt variant from the remote server.


The decoded comments section has the following format:

<random ldap timestamp>#<>#<>#LOADER hxxp://103.*****.148/*****.exe#
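As an added illustration (not McAfee's code), the following helper decodes the two Base64 channels described above: the `_wv` query parameter the downloader sends and the Base64 text hidden in an HTML comment of the server's 404 page, from which it extracts the LOADER URL. The sample request, reply, timestamp and payload URL are constructed for the example; only the `_wv=ZW50ZXI=` and `<!--c3VjY2Vzcw==-->` values come from the post.

```python
import base64
import re
from typing import List, Optional
from urllib.parse import unquote

# Added analyst helper (not McAfee code) for the exchange the post describes:
# the Base64 "_wv" command sent by the downloader, and the Base64 hidden in an
# HTML comment of the server's 404 page that carries the reply or LOADER URL.
COMMENT_RE = re.compile(r"<!--\s*([A-Za-z0-9+/=]+)\s*-->")
WV_RE = re.compile(r"[?&]_wv=([A-Za-z0-9+/=%]+)")

def _b64(text: str) -> Optional[str]:
    """Strict Base64 decode; None if the text is not valid Base64."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None

def decode_wv(request_line: str) -> Optional[str]:
    """Decoded '_wv' command from a request line or URL (e.g. 'enter'), or None."""
    m = WV_RE.search(request_line)
    return _b64(unquote(m.group(1))) if m else None

def decode_comments(html: str) -> List[str]:
    """Decode every HTML comment whose body is only Base64 (the C2 reply channel)."""
    decoded = (_b64(raw) for raw in COMMENT_RE.findall(html))
    return [d for d in decoded if d is not None]

def parse_loader(decoded: str) -> Optional[str]:
    """Payload URL from a decoded '<ts>#<>#<>#LOADER <url>#' reply, or None."""
    for field in decoded.split("#"):
        if field.startswith("LOADER "):
            return field[len("LOADER "):].strip()
    return None

def extract_loader_urls(html: str) -> List[str]:
    """All LOADER URLs hidden in a server reply (empty for a plain 404 page)."""
    urls = (parse_loader(d) for d in decode_comments(html))
    return [u for u in urls if u]

# Constructed sample traffic in the shapes the post documents (not a capture).
SAMPLE_REQUEST = "GET /?_wv=ZW50ZXI= HTTP/1.1"
SAMPLE_ENTER_REPLY = "<html><h1>404 Not Found</h1><!--c3VjY2Vzcw==--></html>"
_LOADER_TEXT = "131234567890000000#<>#<>#LOADER hxxp://192.0.2.10/payload.exe#"
SAMPLE_LOADER_REPLY = ("<html>404<!--" + base64.b64encode(_LOADER_TEXT.encode()).decode()
                       + "--></html>")
```

Run over proxy logs, a 404 body whose only comment is valid Base64 is itself a useful indicator, even before the LOADER string appears.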

After successful execution, TeslaCrypt encrypts files in the victim’s machine and demands money to decrypt them.

We have seen the following domain names associated with this malware:

  • nutqauytva100azxd.com
  • nutqauytva11azxd.com
  • nutqauytva513xyzf11zzzzz0.com
  • nutr3inomiranda1.com
  • nutqauytva9azxd.com

These domains are already flagged by McAfee SiteAdvisor as malicious.


How to prevent this infection:

  • In spite of the availability of patches for known vulnerabilities such as CVE-2015-2419, CVE-2015-7645, and others, this exploit kit still targets these weaknesses. Intel Security recommends users install the latest patches for Internet Explorer, Adobe Flash, etc.
  • We advise all users to be extra careful when opening unsolicited emails and clicking unknown links.
  • We strongly advise all users to block the preceding domain names.

Intel Security products detect these TeslaCrypt variants as “Ransom-Tescrypt!<Partial hash>.”


The post TeslaCrypt Ransomware Arrives via Neutrino Exploit Kit appeared first on McAfee.

HostGator’s Dangerous Misrepresentation of the Security Value of An SSL Certificate

While working on a client’s website hosted with HostGator recently we noticed this odd ad in their cPanel account:

Install An SSL!, Stop Evil-Doers!, ADD SSL Today!

SSL is a protocol, so it isn’t something that you would install. It seemed like they were probably referring to installing an SSL certificate, which has a decidedly non-superhuman ability to stop evil-doers. Clicking the image took us to this page, where they were selling SSL certificates, but again they referred to SSL in a strange fashion:

Why get an SSL certificate?

An SSL reduces your risk by keeping sensitive data collected on your website safe. The data is encrypted and backed by a warranty worth up to $1.75M.

Having HTTPS in the address bar and displaying a seal of trust increases customer confidence in your website and drives more sales.

It seems like they are marketing something they don’t really understand on a basic level, which leads to the aspect we find more troubling than their odd phrasing: the claim that SSL keeps sensitive data collected on your website safe. To understand why, it helps to first have a basic understanding of what SSL is. SSL is a series of protocols for transferring data from one location to another in encrypted form. An SSL certificate is used to verify that the SSL connection is in fact being made to the website you intend to connect to.

SSL should protect against someone gaining access to data while it is being transmitted from a customer’s computer to a website, but that is where SSL’s role ends. Once the data is decrypted on the website’s end, its safety relies on the website being otherwise secure. If someone were to believe that getting an SSL certificate is going to keep the data safe, they would be less likely to take the other measures they need to keep that sensitive data secure (which isn’t an insignificant issue these days).

On top of all of this you can get an equivalent SSL certificate from other providers for significantly less money.

Big-name sites hit by rash of malicious ads spreading crypto ransomware [Updated]

Image caption: If you're a gamer (or anyone else), this is not a screen you want to see. (credit: Bromium Labs)

Mainstream websites, including those published by The New York Times, the BBC, MSN, and AOL, are falling victim to a new rash of malicious ads that attempt to surreptitiously install crypto ransomware and other malware on the computers of unsuspecting visitors, security firms warned.

The tainted ads may have exposed tens of thousands of people over the past 24 hours alone, according to a blog post published Monday by Trend Micro. The new campaign started last week when "Angler," a toolkit that sells exploits for Adobe Flash, Microsoft Silverlight, and other widely used Internet software, started pushing laced banner ads through a compromised ad network.

According to a separate blog post from Trustwave's SpiderLabs group, one JSON-based file being served in the ads has more than 12,000 lines of heavily obfuscated code. When researchers deciphered the code, they discovered it enumerated a long list of security products and tools it avoided in an attempt to remain undetected.
