Webroot: this PC will self-destruct in ten seconds

According to Webroot, several new variants of existing malware families are taking a 'scorched earth' approach to infecting computers, rendering the PC unbootable once the malware has completed its appointed tasks.

This is not, says the IT security vendor, the same as 'hostageware', where the user is required to pay out a registration fee to keep their machine working, but something a lot more sinister.

"In some cases, the crashes we saw were the result of poor coding by the malware author. But increasingly it appears that this behaviour is deliberate, and occurs without warning," said Andrew Brandt, a senior security analyst with Webroot.

And, he added, this unfortunate trend appears to be getting worse, leaving a raft of perplexed, angry victims unable to use their computers in the wake of a malware infection.

In his security blog, Brandt says that the commands within malware capable of rendering infected machines inoperable were first documented in detail last year.

But, he explained, recent files added to at least two of Webroot's definitions – Trojan-Downloader-Tacticlol and Trojan-Backdoor-Zbot – indicate that someone has begun to use this functionality.

"Many, if not most of the Trojans we investigate turn an infected computer into a node on a botnet. A computer on a botnet becomes a usable, rentable, or sellable asset to the person who controls the botnet", he said.

"Bots can send spam, spread malware to other computers, engage in distributed denial-of-service attacks, serve as covert file storage areas, and a host of other undesirable activities", he added.

According to Brandt, the longer an infected PC remains infected and functional, the more the person or group controlling the botnet can do with it, and the more valuable it is. There is, he says, a financial disincentive for the botnet's controller to terminate nodes on the network.

Beyond, say, the first two minutes after infection, Zbot usually simply remains active, quietly logging any usernames and passwords the victim actually types into a web form, rather than those the browser fills in from its saved credentials.

But, he explained, most people instruct their applications and browsers to store usernames and passwords so they don't have to log into a website or application time and time again.

"It's just easier that way. There's a pretty severe case of diminishing returns from Zbots after the initial infection", he said.

Brandt went on to say that several of Webroot's threat research and advanced malware removal teams have speculated as to motives: Once Zbot has stolen the information it needs, these new variants may deliberately disable the PC as a distraction, making it more difficult for the victim to become aware that credentials were stolen and used until it's too late.

In the case of these destructive Zbot trojans, he adds, the system bluescreens soon after an infection. Because Zbot runs upon reboot, "PCs infected with this variant go into a spasmodic reboot cycle. Booting from another device, like a boot CD, can permit a victim to remove the Trojan components (if you know where to look) and get back to work quickly. Less technically savvy victims are not so lucky", he said.
