Ransomware that's better made than antivirus software
Posted on 17 Aug 2012 at 10:01
Steve Cassidy uncovers a beautifully designed piece of ransomware
I recently spent a whole afternoon removing one of the most beautifully crafted "ransomware" applications I think I’ve ever seen.
I’m not going to name it here, because I don’t want anyone falling prey to a Chinese whispers/broken telephone style of retelling in which someone decides I’m in favour of this “product” just because I said it’s well written. For the record, it’s my opinion that ransomware is a creeping, lurking horror, the technological equivalent of being mugged in a dark alley (in fact, not just mugged, but kidnapped).
The instance I had to deal with pretends to be a cleverly named replacement for various official components of the Windows security framework, and it doesn’t quite use the actual word "Microsoft" anywhere, which I suppose its authors feel will keep them from straying into the legal minefield.
That must be a false hope, though, since the other thing it does – with a rare degree of ease – is to completely nuke any running instance of the Microsoft Security Essentials antivirus package, and that’s likely to earn them the wrong kind of attention from Redmond’s lawyers sooner or later.
If there were a prize for ingenious malware, they’d probably win that too – this infection prevents you from getting to anywhere online that can be used to remove it, at least if you’re a regular user sitting at your ordinary Windows 7 PC. No web surfing, no entry into the Control Panel, no running the Malwarebytes scanner. The promise is that if you supply them with a credit card number, not only will you be kept safe from future infections – and therefore allowed onto the web again – but the infections they purport to have discovered while you were prevaricating will be removed too.
The tool goes on to do an excellent job of reporting the specifics of your machine and configuration: you can see all the services you’re running in a well-designed scrolling list, for example. If this thing weren’t malware, I’d say that it delivers a class-leading look and feel.
What puzzles and saddens me is that the professional way this evil infection performs its job is entirely out of proportion to the nature and career prospects of the average malware designer.
Unless you assume that this kind of credit card details harvesting exercise is capable of reaping several million dollars in profit, I just can’t see how this level of devotion to detail could possibly be cost-effective.
People who fall for this scam, and thereby expose their credit card detail to the copiers and scalpers who collect the results, are unlikely to be all that rich, while the crooks – way across the world and in different cultures – who buy these long lists of stolen personal data don’t pay that much for them. I’d like to think we could offer developers of this expertise and professionalism something approaching a proper job.
I encountered the result of this hostage-taking masterpiece within a small business, which was victim to its own cavalier and promiscuous download policy: an outfit so utterly blasé about the risks from unidentified or “free” software, yet at the same time dependent on certain badly behaved applications, which required admin access and free installation rights to be the rule rather than the exception on all its PCs.
I have in fact mentioned this particular crew here before, when discussing a distinctly laissez-faire attitude to downloading movies that appeared to affect – and infect – their accounts department. What I really needed in order to deal with these guys was a small and neat network control utility: something that would enable them to carry on operating, without having to convert years of data kept in fossil profiles to the far more controllable domain-based model.
... AOL, isn't it?
By mrmmm on 17 Aug 2012
Many of these developers are themselves "hostages". Forced to ply their trade under threat of violence to themselves or their families. They don't see much of the income, if any.
By CraigieDD on 17 Aug 2012
Other symptoms ...
If this is the same program I think it is, then if you see it again, check to see if it has ripped out the Windows firewall service. Only seen this so far on XP machines.
By Stephen_Ferns on 18 Aug 2012
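A defender's triage script for the symptoms the column and the last comment describe (Security Essentials killed, Control Panel and web access blocked, the Malwarebytes scanner unable to run, the firewall service removed). This is added here and is not code from the article or from any product it mentions; the service names, registry locations and executable names are assumed to be the usual mechanisms behind such symptoms, since the article does not say which this sample used.

```powershell
# Added triage script (not from the article). Run in an elevated PowerShell
# on the affected Windows 7 / XP box. All registry paths and service names
# below are ASSUMED common mechanisms for the symptoms described; adjust if
# the sample you meet uses something else.
$findings = @()

# 1. Microsoft Security Essentials runs as the service 'MsMpSvc' (assumed name).
$mse = Get-Service -Name 'MsMpSvc' -ErrorAction SilentlyContinue
if (-not $mse) { $findings += 'MSE service (MsMpSvc) is missing' }
elseif ($mse.Status -ne 'Running') { $findings += "MSE service is $($mse.Status)" }

# 2. Windows Firewall service ('MpsSvc') should exist and be running.
$fw = Get-Service -Name 'MpsSvc' -ErrorAction SilentlyContinue
if (-not $fw) { $findings += 'Windows Firewall service (MpsSvc) is missing' }
elseif ($fw.Status -ne 'Running') { $findings += "Firewall service is $($fw.Status)" }

# 3. Control Panel lockout via the Explorer policy value, per-user and per-machine.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $v = Get-ItemProperty -Path $key -Name 'NoControlPanel' -ErrorAction SilentlyContinue
    if ($v -and $v.NoControlPanel -eq 1) { $findings += "NoControlPanel=1 set in $hive" }
}

# 4. Web access broken by a forced proxy in the user's Internet Settings.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($p -and $p.ProxyEnable -eq 1) { $findings += "Proxy forced on: $($p.ProxyServer)" }

# 5. Scanner executables hijacked through an Image File Execution Options
#    'Debugger' entry (assumed executable names for Malwarebytes and MSE).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'mbam.exe', 'msseces.exe', 'MsMpEng.exe') {
    $d = Get-ItemProperty -Path (Join-Path $ifeo $exe) -Name 'Debugger' -ErrorAction SilentlyContinue
    if ($d) { $findings += "IFEO Debugger set for ${exe}: $($d.Debugger)" }
}

if ($findings.Count -eq 0) { 'No lockout indicators found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Each finding points at a setting to restore or a service to reinstall; a clean result does not prove the machine is clean, only that none of these particular mechanisms is in use.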