Trusteer has now discovered a new variant. Using the Citadel malware platform – itself a descendant of the Zeus trojan – the new malware is called Reveton and claims to have come from the US Department of Justice. It locks the computer and displays a warning screen claiming that the IP address of the computer has been detected accessing child pornography sites. A fine of $100 is payable. It advises how the payment should be made in order to unlock the computer.
Statistically, this claim is possibly true; almost certainly it isn’t. But the threat works on several levels. Modern users are sufficiently literate to know that IP monitoring is not infallible, so this must clearly be a mistake. They are also aware that law enforcement is becoming increasingly aggressive in its internet policing. The easiest solution is to simply pay the ‘fine’ and make it all go away. It is, comments David Harley, a senior research fellow at ESET, “Effective social engineering in the short term, because law enforcement agencies tend to be very hard-line on pedophilia-related offenses, understandably, and no-one wants to stand in front of that juggernaut.”
Needless to say, it doesn’t just go away. “Citadel continues to operate on the compromised machine on its own,” writes Trusteer. “Therefore it can be used by fraudsters to commit online banking and credit card fraud by enabling the platform’s man-in-the-browser, key-logging and other malicious techniques.”
The best solution is not to get infected in the first place. The malware is delivered by drive-by downloading. “The attack begins with the victim being lured to a drive-by download website,” writes Trusteer. “Here a dropper installs the Citadel malware on the target machine which retrieves the ransomware DLL from its command and control server.”
But once infected, the user should never succumb and pay the fine, but should instead seek professional help. Unfortunately, the whole ransomware issue has not been helped by some rather lazy media reporting. F-Secure, in a separate blog, notes that the ANI newswire published a story on 24 April claiming a “scam is believed to come from Scotland Yard’s specialist cyber crime officers, the Police Central Crime Unit, The Telegraph reports.” The Telegraph did not report that. But because ANI is a news service rather than a traditional publisher in its own right, the claim was picked up by other publishers (including Yahoo News) and given wide circulation, reinforcing the possibility that ransomware might just be genuine police activity.
| Mikko Hyponen, Chief Research Officer, F-Secure, comments: |
| For the end user, the easy solution is backups. Make sure you always have up-to-date backups of your system. If you get hit by one of these ransom trojans and you have good backups, you have no problem. Just clean the system, restore your data and carry on. |