A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #30840  by kurt2121
 Tue Sep 12, 2017 3:31 am
Hi

I'm trying to learn about this ransomware that doesn't encrypt anything on your drive, but is posting things (internet history) publicly, similar to this kenzero malware I was reading about.

Does anybody know of any other examples of this kind of malware? Is it a popular method for cyber criminals?
 #30844  by constantine1090
 Mon Sep 18, 2017 11:42 am
Below is from the Symantec website

Severity: High
This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.
Description
This signature monitors Infostealer.Kenzero Activity over HTTP.
Additional Information
Infostealer.Kenzero is a Trojan horse that attempts to steal information from the compromised computer and sends it to a web site that can be publicly viewed.

The malicious file typically arrives as an installation file for certain computer games.

When the Trojan is executed, it takes a screenshot of the desktop and saves it as the following:
%Systemdrive%\[RANDOM LETTERS]\[RANDOM LETTERS].bmp

Then the Trojan converts the saved .bmp file to a JPEG file and saves it as the following:
%SystemDrive%\[RANDOM LETTERS]\[RANDOM LETTERS].jpg

Next it sends the screenshot to the following FTP site:
[ftp://]ftp96.heteml.jp/web/img/us[REMOVED]


It connects to the following URLs to obtain the global IP address and the host name of the infected machine:

* [http://]cplayer.dreamhosters.com/getho[REMOVED]
* [http://]checkip.dyndns.org[REMOVED]


Then, it displays a form and requests the user to fill it with the following information:

* first name
* family name
* email address
* password
* first name in game
* family name in game
* gender
* birth date
* company name
* telephone number
* zip code
* address

It also steals the following information from the compromised machine:

* computer name
* domain name
* OS type
* time
* clipboard

Then the Trojan sends the stolen information to the following URL:
[http://]p3p.jp/en[REMOVED]/


When the Trojan exits, it displays the following URL with the gathered information using the default browser:
[http://]p3p.jp/entry/user/[RANDOM [REMOVED]

Kenzero dates back to 2009.
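The Symantec description above is a sequence of host artefacts (a .bmp and a .jpg under a random directory on the system drive) followed by connections to a fixed set of hosts. The script below is an added example, not code from the post or from Symantec, that turns that description into a small triage rule: it matches file and network events against the hostnames quoted above and reports whether the whole chain (both staged images plus an FTP connection to the drop site) was seen. The event format (`{"kind": "file", ...}` / `{"kind": "net", ...}`), the sample events, and the decision to accept digits as well as letters in the random directory name are assumptions for the example, not anything Symantec states.

```python
import re
from dataclasses import dataclass, field

# Network indicators taken from the Symantec description quoted above
# (hostnames only; the truncated URL paths are not reconstructed).
KENZERO_HOSTS = {
    "ftp96.heteml.jp": "FTP drop site for the screenshot",
    "cplayer.dreamhosters.com": "external IP / host name lookup",
    "checkip.dyndns.org": "external IP lookup",
    "p3p.jp": "upload of the form data and public listing",
}

# %SystemDrive%\[RANDOM]\[RANDOM].bmp, then the same location as .jpg.
# Symantec says "random letters"; digits are accepted too (assumption) so
# that a generator drawing from [A-Za-z0-9] still matches.
STAGING_PATH = re.compile(
    r"^[A-Za-z]:\\([A-Za-z0-9]+)\\([A-Za-z0-9]+)\.(bmp|jpg)$", re.IGNORECASE
)


@dataclass
class Finding:
    rule: str
    evidence: str
    meta: dict = field(default_factory=dict)


def check_file_event(path):
    """Flag a .bmp/.jpg sitting in a single random-named directory under the drive root."""
    m = STAGING_PATH.match(path)
    if not m:
        return None
    return Finding("kenzero.staging_file", path,
                   {"dir": m.group(1).lower(), "ext": m.group(3).lower()})


def check_net_event(host, port):
    """Flag a connection to one of the hosts named in the writeup (or a subdomain of one)."""
    h = host.lower().rstrip(".")
    for known, role in KENZERO_HOSTS.items():
        if h == known or h.endswith("." + known):
            return Finding("kenzero.known_host", f"{host}:{port}",
                           {"host": known, "port": int(port), "role": role})
    return None


def triage(events):
    """events: dicts shaped {"kind": "file", "path": ...} or
    {"kind": "net", "host": ..., "port": ...} (an assumed minimal log format,
    not any product's schema). Returns the list of matched findings."""
    findings = []
    for ev in events:
        if ev["kind"] == "file":
            f = check_file_event(ev["path"])
        elif ev["kind"] == "net":
            f = check_net_event(ev["host"], ev["port"])
        else:
            f = None
        if f is not None:
            findings.append(f)
    return findings


def chain_observed(findings):
    """True when the whole sequence is present: a .bmp and a .jpg staged in the
    same random directory, plus an FTP (port 21) connection to the drop host."""
    staged = {}
    ftp_to_drop = False
    for f in findings:
        if f.rule == "kenzero.staging_file":
            staged.setdefault(f.meta["dir"], set()).add(f.meta["ext"])
        elif f.rule == "kenzero.known_host":
            if f.meta["host"] == "ftp96.heteml.jp" and f.meta["port"] == 21:
                ftp_to_drop = True
    return ftp_to_drop and any({"bmp", "jpg"} <= exts for exts in staged.values())


# Constructed sample events (not a real capture), in the order the writeup describes.
SAMPLE_EVENTS = [
    {"kind": "file", "path": r"C:\aB3xZ9q\pQ7rS1t.bmp"},
    {"kind": "file", "path": r"C:\aB3xZ9q\pQ7rS1t.jpg"},
    {"kind": "net", "host": "ftp96.heteml.jp", "port": 21},
    {"kind": "net", "host": "checkip.dyndns.org", "port": 80},
    {"kind": "file", "path": r"C:\Windows\Temp\setup.log"},  # benign, ignored
    {"kind": "net", "host": "www.example.com", "port": 443},  # benign, ignored
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f.rule, f.evidence, f.meta)
    print("full Kenzero chain observed:", chain_observed(found))
```

The path rule alone is noisy (any image dropped one directory below the drive root matches), which is why `chain_observed` only fires when the image staging and the FTP connection to the drop host appear together; the IP-check hosts are reported but are not required, since legitimate software uses them too.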
 #30845  by Xylitol
 Mon Sep 18, 2017 8:04 pm
kenzero in attachment.
Code:
ftp96.heteml.jp - 157.7.188.228
157.7.188.228:21 	RESPONSE 	220 157.7.188.228 FTP server ready
157.7.188.228:21 	COMMAND 	USER p3p
157.7.188.228:21 	RESPONSE 	331 Password required for p3p
157.7.188.228:21 	COMMAND 	PASS sameru
157.7.188.228:21 	RESPONSE 	530 Login incorrect.
The Japanese version of the Symantec signature DB even has screenshots: https://www.symantec.com/ja/jp/security ... 99&tabid=2
about the sample:
Code:
C:\Users\KENZO\Documents\Visual Studio 2008\Projects\PasswordTrap\PasswordTrap\obj\Debug\Setup.pdb
MSIL, drive letter hardcoded inside, buggy code and terrible programming everywhere.
Not worth looking at, just an infostealer that takes/sends a screenshot via FTP and counts on social engineering for the rest.
Getting rid of it seems as easy as Ctrl+F; also no startup persistence, and it self-removes.
The random sub looks like recycled code from a password generator:
Code:
private static string strPasswordChar_A = "abcdefghijlkmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

// Same behaviour as the decompiled version, which concatenated thirty
// one-character Substring() calls in a single nested expression.
public static string GetRandom()
{
    // Seeded from the wall clock, so two calls within the same tick return the same string.
    Random random = new Random((int) (DateTime.Now.Ticks % 0x7fffffffL));
    var sb = new System.Text.StringBuilder(30);
    for (int i = 0; i < 30; i++)
        sb.Append(strPasswordChar_A[random.Next(strPasswordChar_A.Length)]);
    return sb.ToString();
}
'ip retrieving' is in a module and the rest is in the main form; it looks more like an assembly of various pieces of code than anything else.
It doesn't steal internet history, and no, it's not a popular thing; usually they just say that to scare the user and sometimes display a random URL you browsed to convince you.
Most of the time the tactic is just about pedo and fake police charges; ransomware nowadays doesn't even care about that, it just encrypts anything it can and asks for cash for recovery.
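The FTP capture Xylitol posted is informative on its own: the credential travels in clear text, and the 530 reply shows the drop account no longer accepts it. As an added example (not code from the post), the parser below reads a transcript in that same `<peer> COMMAND|RESPONSE <text>` layout and reduces it to what an analyst or a network detection would record: which account was used, that a cleartext PASS was sent (the fact, not the secret), and whether the login succeeded. The transcript embedded here is constructed to mirror the posted one; the line format is inferred from it.

```python
import re

# Constructed transcript in the same layout as the capture quoted in the post
# (a "host - ip" header line, then "<ip>:<port> <tab> COMMAND|RESPONSE <tab> <text>").
SAMPLE_TRANSCRIPT = """\
ftp96.heteml.jp - 157.7.188.228
157.7.188.228:21 \tRESPONSE \t220 157.7.188.228 FTP server ready
157.7.188.228:21 \tCOMMAND \tUSER p3p
157.7.188.228:21 \tRESPONSE \t331 Password required for p3p
157.7.188.228:21 \tCOMMAND \tPASS sameru
157.7.188.228:21 \tRESPONSE \t530 Login incorrect.
"""

# One transcript line: peer address, direction, free text. Anything else is skipped.
LINE = re.compile(r"^(?P<peer>[\d.]+:\d+)\s+(?P<dir>COMMAND|RESPONSE)\s+(?P<text>.*)$")


def parse_transcript(text):
    """Yield (peer, direction, text) for every well-formed line; header and junk lines are dropped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m.group("peer"), m.group("dir"), m.group("text").strip()


def summarize_login(text):
    """Reduce an FTP login exchange to the facts worth logging.

    Returns a dict with the peer, the USER name, whether a PASS command was seen
    in the clear (the password itself is deliberately not kept), the last numeric
    reply code, and login_ok (True on 230, False on 530, None if neither was seen).
    """
    summary = {"peer": None, "user": None, "password_in_clear": False,
               "last_code": None, "login_ok": None}
    for peer, direction, body in parse_transcript(text):
        summary["peer"] = peer
        if direction == "COMMAND":
            verb, _, arg = body.partition(" ")
            if verb.upper() == "USER":
                summary["user"] = arg
            elif verb.upper() == "PASS":
                summary["password_in_clear"] = True
        else:
            code = body[:3]
            if code.isdigit():
                summary["last_code"] = int(code)
                if code == "230":
                    summary["login_ok"] = True
                elif code == "530":
                    summary["login_ok"] = False
    return summary


def exfil_channel_dead(summary):
    """True when the drop account rejected the embedded credential, i.e. the
    screenshot upload path was already broken at capture time."""
    return summary["login_ok"] is False


if __name__ == "__main__":
    s = summarize_login(SAMPLE_TRANSCRIPT)
    print(s)
    print("FTP drop site rejects the sample's credential:", exfil_channel_dead(s))
```

Because the whole exchange is unencrypted FTP, the same USER/PASS pair is visible to any network sensor on the path, which is what makes an infostealer of this kind easy to spot from traffic alone; the 530 at the end is also why the uploaded screenshots in the sample's own flow never reach the site.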
 #30846  by kurt2121
 Tue Sep 19, 2017 2:38 am
constantine1090 wrote: Below is from the Symantec website [...]
Thanks.

So do you believe this was the first of its kind? (To use internet history as a form of blackmail?) I'm trying to find other examples but can't seem to. Additionally, is that p3p.jp site still working? I'm kinda tempted to check it out but I'm afraid I'll get some virus or something.
 #30847  by kurt2121
 Tue Sep 19, 2017 2:46 am
Xylitol wrote: kenzero in attachment. [...]
Thanks!
ransomware nowadays doesn't even care about that
Yeah, it definitely seems like encryption is the main method now. Do you recall any others that claimed to steal and post internet history for blackmailing, maybe back a few years? This kenzero is the only one I can find. (and it didn't even do what I thought it did lol)