Ransomware that's better made than antivirus software
Posted on 17 Aug 2012 at 10:01
Steve Cassidy uncovers a beautifully designed piece of ransomware
I recently spent a whole afternoon removing one of the most beautifully crafted "ransomware" applications I think I’ve ever seen.
I’m not going to name it here, because I don’t want anyone falling prey to a Chinese whispers/broken telephone style of retelling in which someone decides I’m in favour of this “product” just because I said it’s well written. For the record, it’s my opinion that ransomware is a creeping, lurking horror, the technological equivalent of being mugged in a dark alley (in fact, not just mugged, but kidnapped).
The instance I had to deal with pretends to be a cleverly named replacement for various official components of the Windows security framework, and it doesn’t quite use the actual word "Microsoft" anywhere, which I suppose its authors feel will keep them from straying into the legal minefield.
That must be a false hope, though, since the other thing it does – with a rare degree of ease – is to completely nuke any running instance of the Microsoft Security Essentials antivirus package, and that’s likely to earn them the wrong kind of attention from Redmond’s lawyers sooner or later.
If there were a prize for ingenious malware, they’d probably win that too – this infection prevents you from getting to anywhere online that can be used to remove it, at least if you’re a regular user sitting at your ordinary Windows 7 PC. No web surfing, no entry into the Control Panel, no running the Malwarebytes scanner. The promise is that if you supply them with a credit card number, not only will you be kept safe from future infections – and therefore allowed onto the web again – but the infections they purport to have discovered while you were prevaricating will be removed too.
The tool goes on to do an excellent job of reporting the specifics of your machine and configuration: you can see all the services you’re running in a well-designed scrolling list, for example. If this thing weren’t malware, I’d say that it delivers a class-leading look and feel.
What puzzles and saddens me is that the professional way this evil infection performs its job is entirely out of proportion to the nature and career prospects of the average malware designer.
Unless you assume that this kind of credit-card-details harvesting exercise is capable of reaping several million dollars in profit, I just can’t see how this level of devotion to detail could possibly be cost-effective.
People who fall for this scam, and thereby expose their credit card details to the copiers and scalpers who collect the results, are unlikely to be all that rich, while the crooks – way across the world and in different cultures – who buy these long lists of stolen personal data don’t pay that much for them. I’d like to think we could offer developers of this expertise and professionalism something approaching a proper job.
I encountered the result of this hostage-taking masterpiece within a small business, which was victim to its own cavalier and promiscuous download policy: an outfit so utterly blasé about the risks from unidentified or “free” software, yet at the same time dependent on certain badly behaved applications, which required admin access and free installation rights to be the rule rather than the exception on all its PCs.
I have in fact mentioned this particular crew here before, when discussing a distinctly laissez-faire attitude to downloading movies that appeared to affect – and infect – their accounts department. What I really needed in order to deal with these guys was a small and neat network control utility: something that would enable them to carry on operating, without having to convert years of data kept in fossil profiles to the far more controllable domain-based model.
... AOL, isn't it?
By mrmmm on 17 Aug 2012
Many of these developers are themselves "hostages". Forced to ply their trade under threat of violence to themselves or their families. They don't see much of the income, if any.
By CraigieDD on 17 Aug 2012
Other symptoms ...
If this is the same program I think it is, then if you see it again, check to see if it has ripped out the Windows firewall service. Only seen this so far on XP machines.
By Stephen_Ferns on 18 Aug 2012