Copyright © WWW: AV-School.com
Republication of materials is permitted only with the verbal or written permission of the site Administration!
Trojan-Ransom
Published: 13 January 2010, 14:15
Users increasingly complain that their computers are blocked by malware. Why is the popularity of the Trojan-Ransom family constantly growing?
I first learned about Trojans designed to block the PC when I analysed Trojan.Win32.Restarter.b. Once launched, it swaps the mouse buttons and displays a fake form over all other windows, constantly grabbing the input focus:
[Screenshot] Where should I send the money?
The user was given a few minutes to enter a password. If the correct password was not entered, the Trojan rebooted the system. It also blocked the normal system shutdown. To make sure it was launched automatically every time the system booted, the Trojan added a link to its executable file in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"IceBomb"="<path to the original Trojan file>"
The correct code in the analysed sample was 4242625. The malicious program could be removed simply by deleting its original file (provided, of course, that the user knew where it was located).
Strictly speaking, this is not a Trojan-Ransom, because it is unclear where the money should be sent. But creating conditions under which the Trojan cannot be ignored is an indispensable attribute of modern Trojan-Ransoms, as is the possibility (often imaginary) of recovering the system not by removing the Trojan but by performing the required actions.
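As an added example (not code from the original article), the following Python audit parses an exported copy of the HKLM Run key and flags the kind of persistence entry described above, by the value name the article reports and by executables that live outside the usual program directories; the sample .reg export, the `updater` entry and all paths in it are constructed placeholders, not real indicators.

```python
"""Offline audit of the HKLM Run key persistence described in the article.
Parses a Windows .reg export instead of the live registry; the sample export
and every path in it are constructed placeholders, not real indicators."""
import re
from typing import Dict, List

RUN_KEY = r"[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]"

# Directories from which legitimate autostart entries are normally expected to run.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")

# Value name used by the analysed Trojan.Win32.Restarter.b sample (from the article).
KNOWN_BAD_NAMES = {"icebomb"}

# Constructed .reg export (hypothetical paths, not real indicators).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Example AV\\tray.exe"
"IceBomb"="C:\\Documents and Settings\\user\\icebomb.exe"
"updater"="C:\\Documents and Settings\\All Users\\svc.exe"
'''

def parse_run_values(reg_text: str) -> Dict[str, str]:
    """Return {value_name: command} for the HKLM Run key of a .reg export."""
    values: Dict[str, str] = {}
    in_run = False
    for line in reg_text.splitlines():
        if line.startswith("["):  # a new key section starts
            in_run = line.strip().lower() == RUN_KEY.lower()
            continue
        if not in_run:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line.strip())
        if m:
            # .reg exports escape each backslash in string data as \\.
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values

def suspicious_run_entries(reg_text: str) -> List[str]:
    """Flag entries by known bad value name or by a path outside trusted dirs."""
    flagged: List[str] = []
    for name, cmd in parse_run_values(reg_text).items():
        exe = cmd.strip('"').lower()
        if name.lower() in KNOWN_BAD_NAMES or not exe.startswith(TRUSTED_PREFIXES):
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_REG))  # ['IceBomb', 'updater']
```

A flagged entry is a lead for inspection, not proof of infection: legitimate software installed per-user also runs from profile directories, so the path heuristic should be tuned to the environment.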
A few months ago I came across the modern Trojan-Ransom.Win32.BlueScreen.a, which blocked the system more thoroughly:
[Screenshot] How much is this SMS?
The translated text reads as follows:
The device driver is not licensed. Send an SMS containing the text adn9 2 to the number 6008, and the driver will be activated. Note the space between adn9 and 2. You will then receive an SMS with the driver activation code.
In this case the system was blocked completely. The user again has to enter a code, but this time it is obvious what to do to obtain it.
Another example of a malicious program that blocks the OS is the Trojan-Dropper.Win32.Blocker family. Some modifications come with a timer that counts down the time remaining to unlock.
Translation:
Windows is blocked. To unlock it, you need to send an SMS with the following text t7580620000 to the number 3649.
Enter the received code.
For unlocking you have...
Why are these malicious programs so popular?
Firstly, the cyber criminal gets money from the victims immediately (direct monetization). It does not matter much whether there are a lot of infected PCs or only a few, because the criminal can earn money even from a single user of an infected computer. A botnet, by contrast, must be grown to a size that would interest buyers before it generates income, and that takes time, during which the anti-virus companies can release protection against the spreading threat.
Secondly, the user cannot ignore the fact of infection. A PC that cannot be used is far more convincing than the ephemeral possibility of falling victim to the theft of e-mail or ICQ passwords. Clearly, the aims of the creators of Trojan-Spyware and Trojan-Ransom differ, but for users the presence of an unknown process in the system or an unwanted banner on every page in the Internet browser is merely unpleasant: it still allows them to continue working on the computer. Often, even knowing that the computer is infected, the user does nothing to clean the system. Botnet creators can only dream of such user behaviour, but for a cyber criminal practising blackmail or offering a fake anti-virus service such behaviour means failure.
[Screenshot] Typical false threat of a fake anti-virus.
Thirdly, there is the simplicity of the proposed solution. Mobile phones have become an integral part of our lives, and services provided by mobile operators often involve payment by SMS. It is usual and convenient: you do not need to download anything, open a virtual account or transfer money via a bank card. You simply send an SMS and your problem is solved. Compare this with a fake anti-virus. The user is told: "Your computer is infected! Our antivirus will solve your problem!" Then it turns out that these fakes never offer trial versions of their products, the program costs fifty dollars, and not all payment systems are accepted. Agreed, sending an SMS is easier.
Fourthly, there is guilt. It is no secret that many people use unlicensed software, and the cyber criminals exploit this. However, the effect is not so obvious, because the users at whom the malicious program is aimed may not understand such details as software licensing, while users who do understand them are unlikely to fall for the bait.
Fifthly, users often find flaws in the Trojan programs and write about them on forums. Messages with advice on how to combat a malicious program designed to block the system appear fairly quickly. First someone discovers that the Trojan does not block the system message that appears when the "Shift" key is pressed repeatedly. Then it becomes clear that the hot keys for the accessibility menu, such as the screen magnifier, are not blocked either. But the malware writers read all these messages, and in the next versions of their malicious programs they close off these ways of fighting back.
As a result, such SMS-ransoms have become very popular. Currently, the most effective way to kill such malicious programs is to use various LiveCDs or to boot from a flash drive. You can download a bootable Rescue Disk with Kaspersky Anti-Virus from the following link:
http://dnl-eu10.kaspersky-labs.com/devbuilds/RescueDisk/kav_rescue_2008.iso
Dmytro Krasylnikov, Alexander Adamov, "Design and Test Lab", Ltd., 2009, specially for www.av-school.com
Article from blog: Marina
URL: http://av-school.com/article/a-24.html