Web Threat of the Day
A Web threat uses the Internet to facilitate cybercrime.

ISSUE NO. 8
The MonaRonaDona Extortion Scheme
March 17, 2008

This example of a recently discovered Web threat illustrates how authors use all means available when coming up with a convincing scam. Unlike the majority of malware that use several techniques to hide themselves, TROJ_MONAGRAY.A actually declares its presence to the computer user. Further analysis reveals that this declaration plays an important part in the MonaRonaDona con, the intention of which is to extort money from unsuspecting users.

The Threat Defined

Social engineering is frequently used by malware authors to trick users into performing certain actions such as clicking links, downloading files or visiting Web sites. If successful, the attack opens users’ systems, often resulting in theft of data, personal details and other sensitive and valuable information.

Earlier this month, a curious piece of malware that called itself “MonaRonaDona” came to our attention. The exact source of the malware remains unclear, but some security analysts surmise that this threat comes packaged with “system optimization tools” available for free on the Internet. However, our analysts are also inclined to believe that this threat arrives on computers that are already infected, specifically those that are already part of a botnet.

[Figure: Message box shown by TROJ_MONAGRAY.A after system reboot]

Upon execution, this threat stays inactive until the next system reboot. Once the computer is restarted, the user encounters a message box claiming that the computer has been infected by the MonaRonaDona virus and any strange behavior from the computer is due to this infection.

True enough, this threat exhibits disruptive payloads on the infected computer. It disables Task Manager to prevent users from terminating any malicious processes on the affected system. It also hides several program windows that have certain strings in their title bars, including “Registry Editor,” “Adobe,” and “Microsoft.” The said routine prevents users from accessing these applications.
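The two disruptive symptoms just described (Task Manager blocked, program windows with certain title strings hidden) are the kind of thing an analyst would want to confirm on a suspect machine before trusting any “removal tool” found online. The following PowerShell triage script is an added example and is not part of the Trend Micro write-up; it does not detect TROJ_MONAGRAY.A itself, only those two symptoms. It assumes, which the write-up does not state, that the Task Manager block is implemented through the standard DisableTaskMgr policy value; if the sample used a different mechanism, only the window enumeration would apply. The function names and the `$TitleMarkers` list are this example’s own.

```powershell
# Added triage example (not code from the Trend Micro write-up).
# Assumption not stated on the page: Task Manager is blocked via the
# DisableTaskMgr policy value. The title strings are the ones the write-up names.
$script:TitleMarkers = @('Registry Editor', 'Adobe', 'Microsoft')

# Minimal user32 bindings for walking top-level windows, including hidden ones.
Add-Type -TypeDefinition @"
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class Win32Win {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, IntPtr lParam);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder sb, int max);
    [DllImport("user32.dll")] public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint pid);
}
"@

function Test-TaskManagerPolicy {
    # Reports a DisableTaskMgr = 1 policy value in the per-user or machine hive.
    $paths = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($item -and $item.DisableTaskMgr -eq 1) {
            [PSCustomObject]@{ Symptom = 'TaskManagerDisabled'; Path = $path }
        }
    }
}

function Get-HiddenMarkedWindows {
    # Lists top-level windows that are hidden AND carry one of the marker strings
    # in their title, with the owning process, so the analyst sees what was hidden
    # and which process owns it.
    $script:hits = New-Object System.Collections.Generic.List[object]
    $callback = [Win32Win+EnumWindowsProc]{
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        $sb = New-Object System.Text.StringBuilder 512
        [void][Win32Win]::GetWindowText($hWnd, $sb, $sb.Capacity)
        $title = $sb.ToString()
        if ($title -and -not [Win32Win]::IsWindowVisible($hWnd)) {
            foreach ($marker in $script:TitleMarkers) {
                if ($title -like "*$marker*") {
                    [uint32]$procId = 0
                    [void][Win32Win]::GetWindowThreadProcessId($hWnd, [ref]$procId)
                    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
                    $script:hits.Add([PSCustomObject]@{
                        Symptom     = 'HiddenWindow'
                        Title       = $title
                        Marker      = $marker
                        ProcessId   = $procId
                        ProcessName = $proc.ProcessName
                    })
                    break
                }
            }
        }
        return $true   # keep enumerating
    }
    [void][Win32Win]::EnumWindows($callback, [IntPtr]::Zero)
    $script:hits
}

function Restore-TaskManager {
    # Remediation for the first symptom: clear the policy value so Task Manager opens again.
    foreach ($finding in Test-TaskManagerPolicy) {
        Remove-ItemProperty -Path $finding.Path -Name DisableTaskMgr -ErrorAction Stop
        Write-Output "Cleared DisableTaskMgr under $($finding.Path)"
    }
}

# Usage: run from an elevated prompt on the suspect machine.
Test-TaskManagerPolicy
Get-HiddenMarkedWindows | Format-Table -AutoSize
```

Treat both outputs as triage signals rather than verdicts: DisableTaskMgr can be set legitimately by Group Policy, and many well-behaved applications keep hidden helper windows whose titles contain “Microsoft,” so a hit is worth investigating only when it coincides with the reboot-time message box the write-up describes and with processes the user does not recognise.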

For many Internet-savvy users, the next logical step to rid their computers of this threat is by conducting an online search for a removal tool. When users type the search term “monaronadona” into a search engine, they may find several sites referring to software that claims to remove this specific threat.

Upon closer inspection, these sites seem to have been purposefully planted by the same malware authors as part of the MonaRonaDona attack. In one instance, the search result pointed to an “anonymous” blog post recommending an antivirus product called “Unigray.” Other search results even included a video and an advertising page for the same product. For a $40 fee, the said program offers to detect and clean MonaRonaDona along with other threats. However, although Unigray is indeed able to detect MonaRonaDona plus 679,871 other threats, it is really only able to remove MonaRonaDona.

1 of 2 – WEB THREAT OF THE DAY


User Risks and Exposure

Some reports have identified free online offerings such as downloadable system optimization tools as one way to get infected by this threat. Users, however, can also get this threat by being part of a botnet after having been infected by other malware.

That the attackers have crafted such a sophisticated social engineering ploy is very notable. Such thorough groundwork may trick many unsuspecting users into responding to this attack. Users may then further compromise themselves by placing trust in legitimate-looking Web sites that have actually been published as part of the scam.

The use of unique terms like “MonaRonaDona” is a trick intended to ensure that users search for the term when looking for a solution, with search results then displaying planted sites. Note, however, that as of this writing, the said sites are down and have been pushed from the top searches by legitimate security discussions surrounding this threat. Users should also watch out for a number of fake pages that refer to MonaRonaDona, including (but not limited to) articles that have been bookmarked via social bookmarking sites, videos, and even consumer reviews.

PC users who currently do not have Trend Micro protection should be very wary when looking for a solution to this threat in order to avoid being duped into paying malware authors for the fake antivirus program. At the time of writing, the majority of tracked infections are in North America.

Trend Micro Solutions and Recommendations

Trend Micro Web Threat Protection solutions provide a multi-layered, multiple threat defense against Web threats that take advantage of the interactive nature of the Internet—protecting the user’s information at the gateway, in the network, on the endpoint, and in the Internet cloud.

Another layer of defense is provided through Web Reputation technology, which identifies known malicious or dangerous Web sites and blocks users’ access based on domain reputation ratings. File Reputation technology assesses the integrity of files downloaded unknowingly onto computers. At the desktop level, the antivirus technology detects malware such as TROJ_MONAGRAY.A, as well as malware from the REGCLEAN and UNIGRAY families.

For technical information about this threat go to: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FMONAGRAY%2EA&VSect=T

This threat is discussed in the Trend Micro Malware blog here: http://blog.trendmicro.com/the-art-drama-and-sophistication-of-monaronadona/

This threat is not the first to use remarkably sophisticated social engineering techniques. Read up on recent ones at:
http://blog.trendmicro.com/spyware-removal-site-delivers-malware/
http://blog.trendmicro.com/secret-crush-on-facebook-reveals-its-true-self/

This threat is also discussed in detail here: http://blog.washingtonpost.com/securityfix/2008/03/the_411_on_the_monaronadona_ex.html