All the latest UK technology news, reviews and analysis

Malwarebytes uncovers AV-dodging ransomware in Java exploit kit

18 Mar 2013
security risk management

Security firm Malwarebytes has discovered new ransomware being spread by the Neutrino exploit kit, targeting Java with a fake Skype file.

Malwarebytes security researchers Jerome Segura and Joshua Cannell reported discovering Neutrino on Monday, warning the ransomware can bypass all major antivirus products.

"Malwarebytes identified a ransomware Trojan, part of the Urausy family, which was being spread by a new Exploit Kit dubbed Neutrino. This ransomware sample evaded AV detection for almost a day and uses several levels of encryption to hide its payload," Segura told V3.

"The Exploit Kit itself was discovered in the wild by security researcher
Kafeine and it uses two recent Java vulnerabilities and a trick to bypass
the security warnings to execute silently."

The exploit kit is designed to target security flaws in Oracle's Java version 7 update 11 platform.

"In plain English, malicious applets can run without any warnings or user interaction. Following exploitation, a malware binary is downloaded by the Java process," explained Cannell.

"This practice is becoming more and more common these days as it makes detection by looking at traffic packets more difficult.

"The file is swiftly decrypted by the Java applet which in turns launches it. Upon execution the binary connects to a remote server and downloads the ransomware interface directly onto the victim's machine."

Ransomware typically locks a user's machine and then demands that the user pays for access to be restored.

Numerous forms of the malware have been spotted in the wild masquerading as messages from legitimate companies and law enforcement agencies.

The Neutrino attack pretends to be a legitimate Skype file to gain access to a user's machine.

"Analysis reveals the ransomware binary to be a skype.dat variant that's commonly seen in the wild. It's called this because the ransomware renames itself to "skype.dat" and is placed in the folder, along with a configuration file called "skype.ini," said Cannell.

"The skype.dat ransomware has nothing to do with the legitimate Skype program that millions of people use for VoIP communication."

The exploit kit's discovery comes amid widespread warnings within the security community that criminal's use of ransomware is growing.

At the end of 2012 security firm Symantec issued a report suggesting ransomware scams are now earning criminals as much as $33,000 a day.

  • Comment  
  • Tweet  
  • Google plus  
  • Facebook  
  • LinkedIn  
  • Stumble Upon  
Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

View Alastair's Google+ profile

More on Security
What do you think?
blog comments powered by Disqus

Tech gifts for Christmas 2014

Is a new tablet on your wish list this festive season, or have they become yesterday’s fad?

Popular Threads

Powered by Disqus
iPhone 6 is available in silver gold and space grey

iPhone 6 video review

The best iOS handset to date

Updating your subscription status Loading

Get the latest news (daily or weekly) direct to your inbox with V3 newsletters.

newsletter sign-up button

Getting started with virtualisation

Virtualisation can help you reduce costs, improve application availability, and simplify IT
management. However, getting started can be challenging


Converting big data and analytics insights into results

Successful leaders are infusing analytics throughout their organisations to drive smarter decisions, enable faster actions and optimise outcomes

Desktop Support EMEA

The MediaMath IT team is current seeking a Desktop Support...

Head of IT Security

As the primary technical expert in IT Security within...

.Net Developer - VB, C#, MVC, SQL, jQuery.

.Net Developer required for Bristol-based (Keynsham...

Cisco CCNA/CCNP Voice Engineer | Cisco Gold Partner

Cisco CCNA/CCNP Voice Engineer The Role: The...
To send to more than one email address, simply separate each address with a comma.