Ransomware that's better made than antivirus software
Posted on 17 Aug 2012 at 10:01
Steve Cassidy uncovers a beautifully designed piece of ransomware
I recently spent a whole afternoon removing one of the most beautifully crafted "ransomware" applications I think I’ve ever seen.
I’m not going to name it here, because I don’t want anyone falling prey to a Chinese whispers/broken telephone style of retelling in which someone decides I’m in favour of this “product” just because I said it’s well written. For the record, it’s my opinion that ransomware is a creeping, lurking horror, the technological equivalent of being mugged in a dark alley (in fact, not just mugged, but kidnapped).
The instance I had to deal with pretends to be a cleverly named replacement for various official components of the Windows security framework, and it doesn’t quite use the actual word "Microsoft" anywhere, which I suppose its authors feel will keep them from straying into the legal minefield.
That must be a false hope, though, since the other thing it does – with a rare degree of ease – is to completely nuke any running instance of the Microsoft Security Essentials antivirus package, and that’s likely to earn them the wrong kind of attention from Redmond’s lawyers sooner or later.
If there were a prize for ingenious malware, they’d probably win that too – this infection prevents you from getting to anywhere online that can be used to remove it, at least if you’re a regular user sitting at your ordinary Windows 7 PC. No web surfing, no entry into the Control Panel, no running the Malwarebytes scanner. The promise is that if you supply them with a credit card number, not only will you be kept safe from future infections – and therefore allowed onto the web again – but the infections they purport to have discovered while you were prevaricating will be removed too.
The tool goes on to do an excellent job of reporting the specifics of your machine and configuration: you can see all the services you’re running in a well-designed scrolling list, for example. If this thing weren’t malware, I’d say that it delivers a class-leading look and feel.
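The symptoms described above (Microsoft Security Essentials killed, the Control Panel and the web blocked) are the kind a support engineer can check for before touching anything else. The following health check is an added example, not the column's own tooling: it assumes Windows 7 with PowerShell 2.0 or later run from an elevated prompt, the standard service names MsMpSvc (Security Essentials) and MpsSvc (Windows Firewall), and, because the column does not say how the lock-outs are implemented, it looks for the common Explorer policy value and proxy settings as an assumption.

```powershell
# Added example: report lock-out symptoms on a Windows 7 PC.
# Assumptions: elevated PowerShell 2.0+, standard service names,
# and that lock-outs use the NoControlPanel policy or a proxy setting.
function Get-LockoutSymptoms {
    $findings = @()

    # 1. Security services the ransomware is said to kill. A missing
    #    service is a stronger signal than a stopped one.
    foreach ($name in 'MsMpSvc', 'MpsSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            $findings += "Service $name is not installed (removed?)"
        } elseif ($svc.Status -ne 'Running') {
            $findings += "Service $name is $($svc.Status)"
        }
    }

    # 2. Control Panel lock-out via the Explorer policy value NoControlPanel
    #    (assumed mechanism; checked per-user and machine-wide).
    $policyKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
                  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    foreach ($key in $policyKeys) {
        $p = Get-ItemProperty -Path $key -Name NoControlPanel -ErrorAction SilentlyContinue
        if ($p -and $p.NoControlPanel -eq 1) {
            $findings += "NoControlPanel=1 set under $key"
        }
    }

    # 3. Web lock-out: a proxy or PAC URL that was never configured by the
    #    business is worth a look (assumed mechanism; report for review).
    $inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    foreach ($v in 'ProxyServer', 'AutoConfigURL') {
        if ($inet.$v) { $findings += "$v is set to '$($inet.$v)'" }
    }

    return $findings
}

$results = Get-LockoutSymptoms
if ($results.Count -eq 0) {
    Write-Output 'No lock-out symptoms found.'
} else {
    Write-Output 'Possible lock-out symptoms:'
    $results | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from a clean administrative session (safe mode or a second local admin account) if the infected user session cannot launch anything.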
What puzzles and saddens me is that the professional way this evil infection performs its job is entirely out of proportion to the nature and career prospects of the average malware designer.
Unless you assume that this kind of credit card details harvesting exercise is capable of reaping several million dollars in profit, I just can’t see how this level of devotion to detail could possibly be cost-effective.
People who fall for this scam, and thereby expose their credit card details to the copiers and scalpers who collect the results, are unlikely to be all that rich, while the crooks – way across the world and in different cultures – who buy these long lists of stolen personal data don’t pay that much for them. I’d like to think we could offer developers of this expertise and professionalism something approaching a proper job.
I encountered the result of this hostage-taking masterpiece within a small business, which fell victim to its own cavalier and promiscuous download policy: an outfit so utterly blasé about the risks from unidentified or “free” software, yet at the same time dependent on certain badly behaved applications that required admin access and unrestricted installation rights to be the rule rather than the exception on all its PCs.
I have in fact mentioned this particular crew here before, when discussing a distinctly laissez-faire attitude to downloading movies that appeared to affect – and infect – their accounts department. What I really needed in order to deal with these guys was a small and neat network control utility: something that would enable them to carry on operating, without having to convert years of data kept in fossil profiles to the far more controllable domain-based model.
... AOL, isn't it?
By mrmmm on 17 Aug 2012
Many of these developers are themselves "hostages". Forced to ply their trade under threat of violence to themselves or their families. They don't see much of the income, if any.
By CraigieDD on 17 Aug 2012
Other symptoms ...
If this is the same program I think it is, then if you see it again, check to see if it has ripped out the Windows firewall service. Only seen this so far on XP machines.
By Stephen_Ferns on 18 Aug 2012