Ransomware posing as Microsoft
Posted on 09/6/11 by Luis Corrons
We’ve found yet another piece of malware, this time a ransomware designed to take some of your money. Once you get infected (it can arrive in a number of different ways, most likely via spam messages and P2P), your computer is restarted. What for? Well, the malware installs itself to run every time your computer is started. And at the very beginning, just after you log in, it will show you the following screen:
With my English and Spanish knowledge I was able to understand what it was saying in German, but I translated it just in case. The threat is clear: your Microsoft Windows authenticity could not be verified and you need to have it fixed, which is just a 100€ payment. They give you the payment instructions and, before saying goodbye, they let you know that in case you don’t pay you’ll lose access to the computer and all your data, and that the district attorney’s office already has your IP address and you’ll be prosecuted if you fail to pay the 100€ within 48 hours.
Well, that would scare anyone that doesn’t know this is a ransomware attack. When you go to the website announced in the previous screen, this is what you get:
Once you enter the code given in the first screen, you are redirected to another web page where you can fill in all your data so they can charge you 100€… to start with. Once you have sent them your data, they tell you you’ll get an activation code within 24 hours, once they have confirmed that your credit card is working. Well, for all of you who wouldn’t like to pay anything to these bastards, this is the code you can use to deactivate it:
QRT5T5FJQE53BGXT9HHJW53YT
After doing that, your computer will be restarted, and the registry key created by this malware (detected as Ransom.AN) will be removed, as well as the malware file.
'Scareware' is the latest trick to fool you
Christi Coffman/For the Times-Standard
As if the Internet wasn't enough of an obstacle course anyway -- what with popup windows, spam, and online scams -- there's always another kind of malicious software to worry about. The latest and not-so-greatest of these is called “scareware,” named for how it gets your attention by scaring the daylights out of you.
Have you ever been surfing the Web, when all of a sudden you get a notice saying you've got viruses on your computer? These are not always your friendly antivirus program trying to alert you to a problem. Scammers can create popup windows that look like regular Windows alerts, but are actually malicious ads. If it doesn't look like your normal antivirus program, beware! And we'll go over some things to look for, even if it does.
First, it helps to understand what these scam artists are trying to accomplish. Whereas the viruses we're used to are usually designed with your simple annoyance and frustration in mind, scareware is generally geared toward financial gain. The fictional “warnings” you see are intended to scare you into purchasing their software, which will either do nothing for you, or actually create new system problems. In some cases, you can end up with malware that hijacks your computer until you pay for their software (aptly referred to as “ransomware”). Recognizing these as potentially harmful ads, and not offers to “fix” your computer, is key -- and avoiding them completely is your best bet.
How can you tell if virus alerts are legitimate or malicious? It can be tough, but first make sure you have your own antivirus software and familiarize yourself with how it works. Know its name, logo, and color scheme so you can spot anything out of the ordinary. Learn to recognize when and where this program's notices appear on your screen, and when it suggests that you run a scan. The better you know your software, the better you can spot a fake.
If you're browsing online and find yourself with a window that claims you have a virus, “critical issue,” or other system problem, make sure you recognize the program name. Reputable antivirus software is installed and maintained on your system, and won't suddenly appear out of a random Web page. Try to check where this notice is coming from. If it's an Internet Explorer or Firefox window (or whatever your Web browsing software may be), that means it sprouted out of a Web page. Legitimate software programs will have their own distinct windows, which will show up separately on your taskbar. Real Windows warnings won't show up in a browser window -- if you receive a supposed system warning that does, treat it with skepticism.
You may get to the point where you know what you're looking at is an ad for illegitimate antivirus software, but the only option you have is “OK” (or “Cancel”). Don't be fooled: Usually, you can hit the “X” button in the upper right corner of this window to close it. Most of the time those “OK” buttons aren't real, anyway - they're just ad images made to look like a standard Windows alert. In fact, that's frequently how scammers trick you into clicking on their ads. It's not always a popup window, but sometimes a normally-placed advertisement that happens to look like a Windows alert.
You are not necessarily bound to come across this kind of thing in your everyday Internet travels. If you're not online frequently and only visit reputable Web sites, you run a pretty low risk of ever being confronted by one of these false virus warnings. Scareware, and malware in general, usually lurks on the lesser-known sites. While you may think you're always in the safe zones, you'd be surprised where you end up when you start “Googling” things. Don't trust all of your search results as legitimate sites! Just like you can't believe everything you read on the Internet, you can't trust every Web site to be safe.
As time goes on, scammers get craftier. While you're much more likely to encounter malware on sites about pirated software, pornography, or how to build bombs in your garage, you should still take everyday sites with a grain of salt until you know they're trustworthy.
Finally, if it's too late for any of these tips, be careful of how you go about fixing the problem. There are a plethora of different software sites out there that claim to uninstall your malware, but these can be just as sketchy as the original scam. If you're unsure where to turn, make sure you have (and keep updated) a reputable antivirus program like Norton or McAfee. It may even be worth your while (and cash) to hire a professional, considering how much more damage you could do by installing more questionable software.
Christi Coffman is a marketing assistant with Coast Central Credit Union, specializing in Web design. She is a member of the Redwood Technology Consortium -- www.redwoodtech.org.
2 Nov. 2008
Critical News: Security Patch
Please listen up! You don't want to miss this important announcement!
Last Thursday (October 23, 2008), Microsoft released a critical Windows security patch, which is something they haven’t done since April 2007. And of course, it quickly started raising eyebrows in the technology community. The security patch fixes a vulnerability that allows a remote program to be run in Windows without any authentication. A worm that uses the hole in the Windows security to take over a computer has already been released on the Internet.
According to security experts, the worm, named “Gimmiv,” locates the security hole on a computer and executes a program that steals passwords. The code for the worm was released on a popular hacking Web site, which leads many to believe that the exploit will be modified and different versions of Gimmiv will be released on the Web.
On Friday (October 24, 2008), Symantec and McAfee, Inc. stated that they had only seen a small amount of attacks based on the exploit. However, Symantec said they discovered a 25 percent increase in network scans for computers that contain the vulnerability, which suggests the amount of attacks on this security hole may increase.
Windows 2000, XP, Vista and Server 2003 are all affected by this new vulnerability and it's recommended that users of those operating systems turn on their Automatic Updates so that they can receive the security patch. (To do that, go to Start, Control Panel, Security Center, Automatic Updates). Stay safe out there!
3 Sept 2008
Latest Phishing Scams
Fake FedEx Email Borne Malware Alert
Over the last 24 hours we have seen a large influx of a new email-borne malware campaign claiming to be a notification of non-delivery from FedEx.
The email claims that you sent a package on July 25, but that because the recipient's address was not correct when it was shipped, it has not been delivered. It then asks the user to print out a copy of the attached invoice (a .zip file which contains malware) and to collect the package at the FedEx Office (the office address is not given, which should be one clear indicator that something is fishy about the email).
Sample subject lines that we have seen in our Threat Operations Center include:
You Have A Package!!!
Tracking N <fake tracking number>
Volumes have been pretty high: we have seen over 21M of these fakes hit our systems within the last 24 hours, accounting for about 80% of all of the email-borne malware that we have seen over that same period.
It's times like this that we are reminded that although many of the large-scale malware campaigns we now see are hosted on infected web sites, static malware distributed over email is still an active, viable tactic employed by cyber criminals.
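A gateway-side triage rule for the campaign described above, written as an added example (not code from the alert's authors): it parses a raw message and flags the indicators the alert lists, namely a FedEx display name on a non-FedEx sender domain, the two observed subject lines, the non-delivery story pointing at an attached "invoice", and a .zip attachment. The sample message, the sender domain and the two-indicator threshold are constructed assumptions.

```python
import re
from email import message_from_string, policy

# Subject lines observed in the campaign (quoted from the alert above).
SUBJECT_PATTERNS = [re.compile(r"you have a package", re.I),
                    re.compile(r"^\s*tracking n", re.I)]
BRAND_DOMAIN = "fedex.com"   # domain the lure impersonates
THRESHOLD = 2                # assumption: two independent indicators flag a message


def lure_indicators(raw: str) -> list[str]:
    """Return the campaign indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    sender = msg.get("From", "")
    addr = sender.split("<")[-1].rstrip(">").strip().lower()
    domain = addr.rsplit("@", 1)[-1]
    # Display name claims the brand, but the address is not under its domain.
    if "fedex" in sender.lower() and domain != BRAND_DOMAIN \
            and not domain.endswith("." + BRAND_DOMAIN):
        hits.append(f"claims FedEx but sent from {domain}")
    subject = msg.get("Subject", "")
    if any(p.search(subject) for p in SUBJECT_PATTERNS):
        hits.append(f"campaign subject line: {subject!r}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(".zip"):
            hits.append(f"zip attachment presented as a document: {name}")
        elif part.get_content_type() == "text/plain":
            body = " ".join(part.get_content().lower().split())
            if "not been delivered" in body and "invoice" in body:
                hits.append("non-delivery story pointing at the attached invoice")
    return hits


def is_fedex_lure(raw: str) -> bool:
    return len(lure_indicators(raw)) >= THRESHOLD


# Constructed sample modelled on the alert; the attachment bytes are a placeholder.
SAMPLE = """\
From: FedEx Customer Service <notice@mailer.example.net>
To: victim@example.org
Subject: You Have A Package!!!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

We could not deliver the package you sent on July 25 because the
recipient's address was not correct. The package has not
been delivered. Please print out the attached invoice and collect
the package at the FedEx Office.
--b1
Content-Type: application/zip; name="invoice_8831.zip"
Content-Disposition: attachment; filename="invoice_8831.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
```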
July 15, 2008
Trojans Still Dominate
Early last week (on July 7, 2008 to be exact), the Panda Security company released their report on malware for the second quarter of 2008. As you may recall, for the first part of 2008, Trojans made the top of the list and it looks like they have dominated once again. The Panda report showed that Trojans made up 63 percent of all new malicious codes found on computers and coming in second was adware with 22.40 percent. If that strikes your interest, keep reading for even more shocking news!
The Panda company said that banker Trojans and other specific types of worms seemed to be the most infectious. First of all, banker Trojans are considered to be the most dangerous type of infection in circulation as we speak. The most prevalent banker Trojans go by the names of Sinowal, Banbra and Bancos. Others with less activity (but are still dangerous) include Dumador, SpyForms, Bandiv, PowerGrabber, Bankpatch, Briz, Snatch and Nuklus.
Like I said before, worms were also high on the list with 13.5 percent. Yes, Trojans are the most dangerous type of malware, but worms work in a way where one strain is responsible for thousands of infections. A few worms were found to have infected several computers, including Bagle.RP, Puce.E and Bagle.SP. Of course, there are several types of malware floating around these days, but at least you now have a few names to go by. Just giving you all a heads up. Stay safe out there, my friends!
Courtesy of Worldstart.com
July 10, 2009
Urban Legends
What -- Exactly -- are Urban Legends? Urban legends are stories that are either funny and/or contain horrifying content that may or may not be true. They spread quickly, and often have many different variants.
Most urban legends are false -- but some are true.
Email urban legends and email hoaxes (which are what we focus on here) usually tell recipients to forward the email to everyone they know. In fact, that's one of the tell-tale signs that you have a false urban legend or hoax!
June 21, 2008
New Ransomware on the Loose
I'm sorry to be the one to break this to you, but I have some bad news on the security front today. Do you remember a few months ago when I wrote about ransomware? Ransomware is basically a virus that takes over your computer and demands you to pay the creator of the virus for a code that will bring your data back. Most of the time, viruses like that are more bark than bite. They're usually fixed rather quickly by antivirus companies that figure out the codes needed to unlock your data. Well, at least that was the case up until now.
Just last week, researchers at Kaspersky found a new ransomware virus that is on the loose and is very dangerous. The virus is called Gpcode.ak and it's a type of ransomware that has no fix as of yet. Gpcode.ak will infect your computer and encrypt all of your personal files with a 1024-bit key. Kaspersky has said that it would take a supercomputer to figure out the code for this one.
People who are infected with Gpcode.ak will see a screen that says something like this: “Your files are encrypted with a RSA-1024 algorithm. To recover your files, you need to buy our decryptor. To buy our decrypting tool, contact us at ********@yahoo.com."
As I mentioned above, there is currently no fix for this virus, but if your computer becomes infected with it, you can help! Kaspersky is asking for anyone infected with the virus to contact them immediately. That way, they can use your experience to try and find a solution for this nasty virus.
Now, if you become infected, Kaspersky is asking you to do the following:
Contact the Kaspersky Lab using another computer connected to the Internet. Do not restart or power down the potentially infected machine.
E-mail Kaspersky at stopgpcode@kaspersky.com with the following information included:
- Date and time of infection.
- Everything done on the computer in the five minutes before the machine was infected, including programs executed and Web sites visited.
The Kaspersky Lab will then try to recover any encrypted data.
Kaspersky analysts are continuing to analyze the virus code in search of a way to decrypt the files without having the private key. Until a solution is found, it's recommended that your anti-malware programs are set to their maximum security and that extra care is taken while browsing the Internet and reading your e-mail. Until next time, stay safe out there, my friends!
Courtesy of Worldstart.com