Ransomware that's better made than antivirus software
Posted on 17 Aug 2012 at 10:01
Steve Cassidy uncovers a beautifully designed piece of ransomware
I recently spent a whole afternoon removing one of the most beautifully crafted "ransomware" applications I think I’ve ever seen.
I’m not going to name it here, because I don’t want anyone falling prey to a Chinese whispers/broken telephone style of retelling in which someone decides I’m in favour of this “product” just because I said it’s well written. For the record, it’s my opinion that ransomware is a creeping, lurking horror, the technological equivalent of being mugged in a dark alley (in fact, not just mugged, but kidnapped).
The instance I had to deal with pretends to be a cleverly named replacement for various official components of the Windows security framework, and it doesn’t quite use the actual word "Microsoft" anywhere, which I suppose its authors feel will keep them from straying into the legal minefield.
That must be a false hope, though, since the other thing it does – with a rare degree of ease – is to completely nuke any running instance of the Microsoft Security Essentials antivirus package, and that’s likely to earn them the wrong kind of attention from Redmond’s lawyers sooner or later.
If there were a prize for ingenious malware, they’d probably win that too – this infection prevents you from getting to anywhere online that can be used to remove it, at least if you’re a regular user sitting at your ordinary Windows 7 PC. No web surfing, no entry into the Control Panel, no running the Malwarebytes scanner. The promise is that if you supply them with a credit card number, not only will you be kept safe from future infections – and therefore allowed onto the web again – but the infections they purport to have discovered while you were prevaricating will be removed too.
The tool goes on to do an excellent job of reporting the specifics of your machine and configuration: you can see all the services you’re running in a well-designed scrolling list, for example. If this thing weren’t malware, I’d say that it delivers a class-leading look and feel.
What puzzles and saddens me is that the professional way this evil infection performs its job is entirely out of proportion to the nature and career prospects of the average malware designer.
Unless you assume that this kind of credit card details harvesting exercise is capable of reaping several million dollars in profit, I just can’t see how this level of devotion to detail could possibly be cost-effective.
People who fall for this scam, and thereby expose their credit card details to the copiers and scalpers who collect the results, are unlikely to be all that rich, while the crooks – way across the world and in different cultures – who buy these long lists of stolen personal data don’t pay that much for them. I’d like to think we could offer developers of this expertise and professionalism something approaching a proper job.
I encountered the result of this hostage-taking masterpiece within a small business, which was victim to its own cavalier and promiscuous download policy: an outfit so utterly blasé about the risks from unidentified or “free” software, yet at the same time dependent on certain badly behaved applications, which required admin access and free installation rights to be the rule rather than the exception on all its PCs.
I have in fact mentioned this particular crew here before, when discussing a distinctly laissez-faire attitude to downloading movies that appeared to affect – and infect – their accounts department. What I really needed in order to deal with these guys was a small and neat network control utility: something that would enable them to carry on operating, without having to convert years of data kept in fossil profiles to the far more controllable domain-based model.
... AOL, isn't it?
By mrmmm on 17 Aug 2012
Many of these developers are themselves "hostages". Forced to ply their trade under threat of violence to themselves or their families. They don't see much of the income, if any.
By CraigieDD on 17 Aug 2012
Other symptoms ...
If this is the same program I think it is, then if you see it again, check to see if it has ripped out the Windows firewall service. Only seen this so far on XP machines.
By Stephen_Ferns on 18 Aug 2012