Reveton Malware Rears its Ugly Head with All New Tricks

Reveton, a widespread form of malware which infects users' computers and demands a "fine" be paid after fooling them into thinking they've broken the law, has reappeared on underground markets in an all-new form, according to a report released by the anti-virus company Avast Security.

You'll remember that back in May of this year, we reported on the 45 percent increase in usage that Reveton had enjoyed in 2013 alone. While most major anti-virus outfits have since devised ways to prevent the virus from doing any further damage, hackers have now altered the code to evade even the most advanced detection methods and snake its way back into our machines.

Originally, Reveton used drive-by-download techniques to latch onto legitimate websites in order to fool ordinary users into accepting files from a site they believed to be trustworthy. Now, by incorporating password-stealing programs into its source code, Reveton has morphed into a veritable Swiss Army knife of malware toolkits, giving those who subscribe to its service a range of effective attack vectors that can easily fool most detection methods into letting it reach a user's most valuable files and folders unimpeded.

The new additions that give Reveton its new capabilities include a password sniffer known as Pony Stealer, which can pluck and decrypt stored passwords for FTP, VPN and email clients, web browsers and instant messaging programs.

Photo: Avast

Pony Stealer is also capable of looting digital currencies straight off an infected machine, stealing Bitcoin and Dogecoin from encrypted wallets by sniffing out the hashed passwords that a victim might use to access their funds, while the malware lies in wait for the opportune moment to strike.

"The latest generation of Reveton, the infamous 'police' lock screen/ransomware, targets new black market business. The authors upped the ante of the despised malware from a LockScreen-only version to a dangerously powerful password and credentials stealer by adding the last version of Pony Stealer. This addition affects more than 110 applications and turns your computer into a botnet client.

Reveton also steals passwords from 5 crypto currency wallets. The banking module targets 17 German banks and depends on geolocation. In all cases, Reveton contains a link to download an additional password stealer. The most common infection is via the well-known exploit kits, FiestaEK, NuclearEK, SweetOrangeEK, etc."

Although Reveton on its own is threatening enough, it's the inclusion of Pony Stealer and its associated modules that ramps this whole issue up to 11.

Because it is able to automatically scan through hundreds of well-known accounts linked to banking websites, messaging clients, and even online poker wallets, an entire computer can essentially be stripped of its financial data within minutes of the initial infection, making this one of the most dastardly, yet effective, botnets we've seen to date.

The malware affects all major web browsers, including Chrome, Firefox, Opera, Internet Explorer, and Safari, and as of this article, no major security company has come forward with a fix that would prevent the program from automatically initiating an illicit download onto unsuspecting users' devices.