Ransomware that's better made than antivirus software
Posted on 17 Aug 2012 at 10:01
Steve Cassidy uncovers a beautifully designed piece of ransomware
I recently spent a whole afternoon removing one of the most beautifully crafted "ransomware" applications I think I’ve ever seen.
I’m not going to name it here, because I don’t want anyone falling prey to a Chinese whispers/broken telephone style of retelling in which someone decides I’m in favour of this “product” just because I said it’s well written. For the record, it’s my opinion that ransomware is a creeping, lurking horror, the technological equivalent of being mugged in a dark alley (in fact, not just mugged, but kidnapped).
The instance I had to deal with pretends to be a cleverly named replacement for various official components of the Windows security framework, and it doesn’t quite use the actual word "Microsoft" anywhere, which I suppose its authors feel will keep them from straying into the legal minefield.
That must be a false hope, though, since the other thing it does – with a rare degree of ease – is to completely nuke any running instance of the Microsoft Security Essentials antivirus package, and that’s likely to earn them the wrong kind of attention from Redmond’s lawyers sooner or later.
If there were a prize for ingenious malware, they’d probably win that too – this infection prevents you from getting to anywhere online that can be used to remove it
If there were a prize for ingenious malware, they’d probably win that too – this infection prevents you from getting to anywhere online that can be used to remove it, at least if you’re a regular user sitting at your ordinary Windows 7 PC. No web surfing, no entry into the Control Panel, no running the Malwarebytes scanner. The promise is that if you supply them with a credit card number, not only will you be kept safe from future infections – and therefore allowed onto the web again – but the infections they purport to have discovered while you were prevaricating will be removed too.
The tool goes on to do an excellent job of reporting the specifics of your machine and configuration: you can see all the services you’re running in a well-designed scrolling list, for example. If this thing weren’t malware, I’d say that it delivers a class-leading look and feel.
What puzzles and saddens me is that the professional way this evil infection performs its job is entirely out of proportion to the nature and career prospects of the average malware designer.
Unless you assume that this kind of credit card details harvesting exercise is capable of reaping several million dollars in profit, I just can’t see how this level of devotion to detail could possibly be cost-effective.
People who fall for this scam, and thereby expose their credit card detail to the copiers and scalpers who collect the results, are unlikely to be all that rich, while the crooks – way across the world and in different cultures – who buy these long lists of stolen personal data don’t pay that much for them. I’d like to think we could offer developers of this expertise and professionalism something approaching a proper job.
I encountered the result of this hostage-taking masterpiece within a small business, which was victim to its own cavalier and promiscuous download policy: an outfit so utterly blasé about the risks from unidentified or “free” software, yet at the same time dependent on certain badly behaved applications, which required admin access and free installation rights to be the rule rather than the exception on all its PCs.
I have in fact mentioned this particular crew here before, when discussing a distinctly laissez-faire attitude to downloading movies that appeared to affect – and infect – their accounts department. What I really needed in order to deal with these guys was a small and neat network control utility: something that would enable them to carry on operating, without having to convert years of data kept in fossil profiles to the far more controllable domain-based model.
... AOL, isn't it?
By mrmmm on 17 Aug 2012
Many of these developers are themselves "hostages". Forced to ply their trade under threat of violence to themselves or their families. They don't see much of the income, if any.
By CraigieDD on 17 Aug 2012
Other symptoms ...
If this is the same program I think it is, then if you see it again, check to see if it has ripped out the Windows firewall service. Only seen this so far on XP machines
By Stephen_Ferns on 18 Aug 2012
- How to sell more ebooks on Amazon
- 10 ways to make your business more secure
- Top five VoIP mistakes
- How to add in-app purchasing to an iPhone, Android or Windows app
- Remote-control ransomware: TeamViewer and software hardball
- Why laptops with serial ports matter to the Internet of Things
- Make your mobile battery last longer
- Small steps into handling Big Data
- Nexus 5: does it really run stock Android?
- How to get broadband to a garden office
- How to check your identity hasn’t been sold to the hackers
- Tim Cook: this is how much TV has changed since the 70s
- Westminster wins the .London battle
- 20 years of PC Pro: from deep pan pizza to virtualisation
- Five reasons why the Apple Watch leaves me cold
- Apple Watch, iPhone 6 and 6 Plus: Tim Cook's Apple back with a bang?
- BT Home Hub 5: how to get maximum speed
- 20 years of PC Pro: one-star reviews (including "the worst tablet we've ever seen")
- 20 years of PC Pro: our best covers
- Why we've closed the PC Pro forums
- Microsoft set to make more job cuts
- Is Peter Pan panto tickets email genuine? Oh no, it isn't
- Intel triples Xeon E5 chip performance, adds DDR4
- Patch Tuesday targets critical IE flaw
- Microsoft refuses to hand over customer emails
- Microsoft yanks Windows 8.1 update after crash reports
- Microsoft backtracks on blocking out-of-date Java
- Gartner: time to start planning your Windows 7 upgrade
- Still on IE8? You've got 18 months to upgrade
- Who's buying Chromebooks? American schools