The Zenis Ransomware Variant Goes the Extra Mile

Overview

Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer or files.  A subset of ransomware called crypto ransomware (or crypto virus) has seen a dramatic rise in use over the last few years.  Crypto ransomware’s modus operandi involves encrypting popular and common file types on a compromised system and then demanding a ransom from the user for a key that can then be used to decrypt the files.

In Q3 2017, according to Malwarebytes, a company was hit with ransomware every 40 seconds, an increase of 3x over Q1.  “While attacks against consumers are still more prevalent, this acceleration in attacks against businesses indicates criminals are developing targeted campaigns and setting their sights on bigger scores.”[1]

When a particular type of malware proves to be effective (and profitable), many variants inevitably arise.  A recently discovered ransomware variant named Zenis is one of the new breed.  Not only does Zenis encrypt files on a compromised system, it also disables the Windows repair and backup options and deletes shadow volume copies on the system.

Zenis is currently in the wild and the exact distribution method is unknown at this time.  Initial analysis suggests compromised Remote Desktop Services could be used.

Ransomware Behavior

After Zenis is installed on a target system, it performs the following steps:

  • Checks that its executable file name is “iis_agent32.exe”
  • Checks that an “Active” registry value exists at HKEY_CURRENT_USER\SOFTWARE\ZenisService
    • If both conditions are met, it creates a ransom note and proceeds with its next steps
  • Deletes shadow volume copies
  • Disables startup repair
  • Clears event logs
  • Terminates processes
    • sql
    • taskmgr
    • regedit
    • backup
  • Encrypts files
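
As an added example (not part of the original article and not taken from any Zenis analysis), the sketch below matches constructed process-creation records against the behaviours listed above and flags a host only when several of them appear together. The host names, record fields and command-line patterns are assumptions; the page itself names only the file name.

```python
import re
from collections import defaultdict

# One pattern per behaviour in the list above. Only the file name comes from
# the page; the command-line patterns are assumptions (built-in Windows tools
# commonly used for each action), since the page does not name the commands.
RULES = {
    "zenis_file_name": re.compile(r"(^|\\)iis_agent32\.exe\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\W+delete\s+shadows|wmic(\.exe)?\W.*shadowcopy\s+delete", re.I),
    "startup_repair_disabled": re.compile(
        r"bcdedit(\.exe)?\W.*recoveryenabled\s+no\b", re.I),
    "event_log_cleared": re.compile(r"wevtutil(\.exe)?\W+(cl|clear-log)\b", re.I),
}


def triage(events, threshold=2):
    """Map each host to its matched behaviours, keeping hosts with at least
    `threshold` distinct ones; a single match is often routine administration."""
    seen = defaultdict(set)
    for ev in events:
        text = f'{ev["image"]} {ev["cmd"]}'
        for name, pattern in RULES.items():
            if pattern.search(text):
                seen[ev["host"]].add(name)
    return {h: sorted(b) for h, b in seen.items() if len(b) >= threshold}


SYS32 = "C:\\Windows\\System32\\"
# Constructed sample records (not real telemetry): parsed process-creation
# events with host, image path and command line.
SAMPLE_EVENTS = [
    {"host": "ws-014", "image": "C:\\Users\\Public\\iis_agent32.exe", "cmd": "iis_agent32.exe"},
    {"host": "ws-014", "image": SYS32 + "vssadmin.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-014", "image": SYS32 + "bcdedit.exe", "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ws-014", "image": SYS32 + "wevtutil.exe", "cmd": "wevtutil.exe cl Application"},
    # An administrator pruning old shadow copies: one behaviour, below threshold.
    {"host": "srv-backup", "image": SYS32 + "vssadmin.exe", "cmd": "vssadmin delete shadows /for=D: /oldest"},
    {"host": "ws-020", "image": SYS32 + "vssadmin.exe", "cmd": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for host, behaviours in triage(SAMPLE_EVENTS).items():
        print(host, behaviours)
```

Requiring more than one behaviour per host keeps routine backup maintenance from alerting while the combination the article describes still does.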

Protect Yourself

Following good computing habits and using security software are important in protecting your systems from ransomware.  Some best practices are as follows:

  • Back up your system and store backup data off-site
  • Do not open attachments if you do not know who sent them.
  • After verifying that an attachment has come from a known source, scan the attachment
  • Make sure all Windows updates are installed as soon as they are released.  Also, make sure you update all programs, especially Java, Flash, and Adobe Reader.
  • Make sure you have security software installed that uses behavioral detection or whitelisting technology.
  • Use strong passwords and do not reuse passwords on multiple sites.

 

Additional guidance on hardening your system against ransomware can be found here:  https://www.bleepingcomputer.com/news/security/how-to-protect-and-harden-a-computer-against-ransomware/ .

 

[1] Barkly https://blog.barkly.com/ransomware-statistics-2017

 


Top 5 malware that kept researchers up at night

Which malicious code would be most frightening if sinister pieces of malware could rise from the dead on Halloween? Well, malware researchers spend all their time working with the creations of people who intend others harm, so you might expect they would be pretty immune to nervousness about the effects of malicious code. And it is true; a lot of us are very jaded about your average malware. Researchers certainly have a sense of the potential danger of the materials we are working with and are appropriately cautious, but there are some threats that are so scary that we will double or triple-check everything to make sure we cannot possibly let it loose somewhere accidentally.

While there is certainly other malware that has been more costly to fix or that spread much more widely, in terms of inconvenience or outright damage the following are the five malware that really give me the creeps:

1. CIH (aka Chernobyl)
CIH is the oldest of the malware on this list, and it was first discovered in 1998. This virus caused such pain for its victims that it was brought up in the news every year for ages, and almost every year it seemed to have a brand new nickname in the press, but the one that stuck was related to its particular payload. CIH would spread by hiding itself in “empty” spaces within innocent files, which made it very hard to clean – the size of those empty spaces varies a lot, so the virus code could be broken up in different ways, so it was hard to be sure that cleaning routines got every last bit of it out of a file. That could mean possibly manually replacing a lot of damaged executable files. Worse than that, if your system was still infected on April 26th (the anniversary of the Chernobyl disaster, which was speculated by some to be why the date was chosen) the virus was set to overwrite the first megabyte of the hard-drive, which made the computer hang or blue-screen. In some cases the virus would even flash the BIOS, which is to say it rendered the computer completely unusable by overwriting code on a chip attached to the motherboard that enables computers to turn on. This virus hit over a million computers worldwide, and stuck around for many years after the last variant was found.

2. ExploreZip
ExploreZip is a pretty old virus too, first discovered in 1999. This comes from back in the days when people started using the term “blended threat” to describe the increasingly popular tactic of worms spreading by using a variety of different mechanisms. This one spread both by replying to your unread email with a copy of itself, and by searching for network shares that it could silently copy itself to. Once it was executed, it showed an error message that seemed to indicate that you’d just run a corrupted ZIP file. So far, pretty mundane stuff. But in the background, this virus overwrote .DOC files and certain programming source files with zeroes, which meant the files were destroyed in a way that could not be undone without resorting to expensive data recovery techniques.

3. CryptoLocker
CryptoLocker is the newest threat on this list, having first been discovered in the last few months. It too causes changes to affected users’ files such that they may be beyond repair. This malware is considered ransomware, which means that it scrambles files from a list of different file-types, if the scammer is not paid $300 within a fixed time frame of a few days. That list of file-types it seeks is very extensive, so the odds are good that if you do not have a backup of your data files, they will soon be completely garbled. Sometimes with ransomware we will get lucky and there will be some sort of clue in the files or weakness in the encryption that will allow us to figure out how to decrypt the files. But as this uses asymmetric encryption (similar to the technique used by commercial products), without the attacker’s key the files cannot be retrieved.

4. Mebromi
Mebromi is a nasty beast that was discovered in 2011, which takes a tip from CIH in that it flashes the BIOS to store some of its code. This puts part of its code outside the confines of the hard disk, which means it is outside the reach of the usual software-based cleaning mechanisms. As this would mean monkeying with the motherboard, this is a process that would probably require a trip to a repair shop.

5. ZMist
You may have heard of polymorphic viruses, which are viruses that change the appearance of their code from one infection to the next so that they appear different enough to hopefully fool anti-malware scanners. The problem with this is that the code used to change itself is static, and can be used by scanners as a way to identify the virus. ZMist, which was discovered in 2002, was called a “metamorphic” virus because it took this idea to an even more complicated level. Rather than simply changing its appearance, it contained code to completely recompile itself from one infection to the next. This made it incredibly difficult to detect, with the technology that was available at the time.

These malware are all terribly unnerving in that they work hard to elude removal or create permanent damage on infected machines. But none of these threats managed to be truly undetectable, and most of them will not work at all on the latest versions of Windows.

The first two threats managed to become quite widespread, and they genuinely did cause a lot of damage. Because threats are now mostly financially motivated, it is generally not a good idea for them to announce their presence by causing a lot of damage on affected systems, as they are effectively killing their source of income. CryptoLocker is something of an exception to this rule, as some people are apparently paying to get their data back, but it is not truly damaging the files so much as rendering them unusable. But if you have backed up your data, this is merely an annoyance rather than a genuine problem.

The last two threats had researchers on tenterhooks for a while, as they could really have caused some major headaches or necessitated some changes in defensive technology, if malware authors had continued development of these strategies. But the thing is, malware authors looking for financial gain are not going to sink more of their time or money into development than they need to. Enough people are not employing good security practices that malware authors are able to make a considerable amount of money with much less complicated techniques.
Malware authors do not need to develop the most stealthy, armor-piercing creations imaginable to get what they want. But at the same time, this means you will not need bulletproof technology to defend yourself. For most people, practicing above average security hygiene–including good, up-to-date antivirus–is enough to evade most threats.

The post Scary Code: Top 5 malware that kept researchers up at night appeared first on We Live Security.
