Internet hit by wave of ransom malware

Wave of 'pay up or else' ransomware detected

Criminals re-used an attack from 2008 to hit the internet with a huge wave of ransomware in recent weeks, a security company has reported.

In the space of only two days, 8 and 9 February, the HTML/Goldun.AXT campaign detected by Fortinet accounted for more than half the total malware detected for February, which gives some indication of its unusual scale.

The attack itself takes the form of a spam email with an attachment, report.zip, which, if opened, automatically downloads a rogue anti-virus product called Security Tool. It is also being distributed through manipulated search engine optimisation (SEO) on Google and other search providers.
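The delivery vector described above (a spam message whose zipped attachment carries an executable) is the kind of thing a mail gateway can flag before a user ever opens it. The following is an added example, not code from the article or from Fortinet: it builds a constructed sample message with a report.zip attachment using Python's standard library, then triages it by unpacking any ZIP attachment in memory and reporting members whose extension marks them as executable. The sender and recipient addresses and the archive contents are invented for the example; the "MZ" bytes are a placeholder, not the campaign's payload.

```python
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# File types that should never arrive inside a "report" archive from a stranger.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def build_sample_message(malicious: bool) -> bytes:
    """Build a constructed sample email carrying a report.zip attachment.

    The archive content is a dummy placeholder, not the real campaign payload.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("report.exe", b"MZ" + b"\x00" * 64)  # fake PE header only
        else:
            zf.writestr("report.txt", b"Quarterly figures attached.")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"   # constructed address
    msg["To"] = "user@example.invalid"        # constructed address
    msg["Subject"] = "Your report"
    msg.set_content("Please see the attached report.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="report.zip")
    return msg.as_bytes()


def triage_message(raw: bytes) -> list[str]:
    """Return 'attachment:member' for every executable found inside a ZIP attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        # Inspect the bytes, not the declared MIME type; senders can lie about the latter.
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            for info in zf.infolist():
                # splitext keeps only the final extension, so "report.pdf.exe" is still caught.
                ext = os.path.splitext(info.filename)[1].lower()
                if ext in EXECUTABLE_EXT:
                    findings.append(f"{name}:{info.filename}")
    return findings


if __name__ == "__main__":
    for label, flag in (("malicious", True), ("benign", False)):
        print(label, triage_message(build_sample_message(flag)))
```

The check deliberately ignores the attachment's declared content type and looks at the archive's member names instead, which is where the dangerous part of a "report.zip" lure actually lives; a production filter would also want to handle nested archives and password-protected ZIPs, which this example does not open.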

Such scams have been common on the internet for more than a year, but this particular one features a more recently-evolved sting in the tail. The product doesn't just ask the infected user to buy a useless licence in the mode of scareware, it locks applications and data on the PC, offering access only when a payment has been made through the single functioning application left, Internet Explorer.

What's new, then, is that old-style scareware has turned into a default ransom-oriented approach. The former assumes that users won't know they are being scammed, while the latter assumes they will but won't know what to do about it.

The technique is slowly becoming more common — see the Vundo attack of a year ago — but what is also different is the size of this attack, one of the largest ever seen by Fortinet for a single malware campaign.

Fortinet notes that Security Tool is really a reheat of an old campaign from November 2008, which pushed the notorious rogue antivirus product Total Security as a way of infecting users with a keylogging Trojan.

"This is a great example of how tried and true attack techniques/social engineering can be recycled into future attacks," says Fortinet's analysis.

According to Fortinet, the 'engine' pushing the spike in ransom-based malware is believed to be the highly resilient Cutwail/Pushdo botnet, the same spam and DDoS system behind a number of campaigns in the last three years, including the recent pestering of the PayPal and Twitter sites.

Comments
ugh!

To Dave Lane: You cannot be serious, Windows is "popular" because it was on most machines when it was launched, and as the industries needed computers Windows was the default option, so over time you learn to love/use something the more you use it. If Linux was released as a full public option with a sexy looking GUI and functionality it would almost be at a 50% market share. I know Linux is good, Windows is better though, not because of it but because of what it can do over Linux for your average user. Linux needs to catch up in the driver/software/hardware support game; being open source this should be easy. You really need to keep the fan boy comments away from these types of situations and move on, the great debate has been well outplayed..... the only beneficial reason for Linux is to boot into one of its USB OS systems to remove any harmful software from a Windows infected drive.

Don't forget that Linux and Mac have had viruses and various wares and kits designed for them. Linux is not attacked much because it does not come from a money hungry corp such as Microsoft and is all about being open with its users, so no need to attack a company like that.... plus Windows is used in so many areas and numbers that the attack is more beneficial. Think of them as E-Protestors and bored script kiddies.


To Anonymous, there is no need for CW to contain information on removal of this scareware. Many of the security vendors will take care of this, and also the thousands of forums and posts from googling the exact software. However, as this has been detected, most vendors would have updated their definitions to include this outdated software entry, so you will be protected.


Posted by RC at 8:56:04 on March 9, 2010


ugh!

Thanks for your response RC,

I just thought I'd point out, for the non-technical user, a key piece of information that the article fails to mention: this only affects MS Windows. Do you dispute that? You don't actually seem to dispute my point at all. I will, however, dispute your point about malware for Linux. I've been running it for 15 years, and support businesses running it for almost that long. There has never been a Linux virus in the wild - neither I nor anyone in the Linux community I know of has *ever* heard of a virus, much less been afflicted by one.

Most websites are hosted on Linux servers (far more than Windows-based servers), which means that on the Internet, Linux *is* more popular than Windows, and yet they're not victimised nearly as much. Yes, there are exploits for Linux-based servers, but there aren't botnets of millions of Linux machines. The world's biggest computers are the many Windows botnets. It's a real problem, and Linux isn't prone to it.
Posted by Dave Lane at 11:22:37 on March 9, 2010


ugh!

Agree, it only affects Windows, but this very fact that the article does not state is evidence enough that people think of Windows as the only user OS and that Linux is not really used by the general population, indirectly of course.

However, the articles in future will need to mention it, with all the netbooks running Linux versions.

Yes, most hosting vendors use Linux, be it web services, cloud, gaming servers etc. However, I believe the article is more pointing to the end user area of home and business PC users, rather than knowledgeable IT people running the show.

That is strange that you have never encountered a Linux virus. I myself have seen an infected Linux machine; although it did no harm, it played around with settings (I believe it was a joke kind of toolkit) but yes, very rare. However, there are some people out there who write for Linux; these types of people just want to annoy every PC user, Windows or Linux.

Thanks
Posted by RC at 12:17:08 on March 10, 2010


It's Windows-Only

It's funny how this sort of article never actually comes out and says it: This virus/trojan (and just about all of the hundreds of thousands of malware out there) is Windows-only. That is, if you run something other than Windows, you're not at risk. And before someone says "it's only because Windows is so popular..." well, it's not. Windows has a) a very unsavvy (on the whole) user base, and b) Microsoft have often sacrificed basic security principles for the sake of perceived "user friendliness"... sadly, this combination has led to Windows being *anybody's*.

Luckily, for Microsoft, they've found that people happily pay more for the security extras... last I heard, it was the fastest growing part of the Windows software industry.
Posted by Dave Lane at 8:13:48 on March 9, 2010


And if it happens to us?

Could you advise us what we should do to get out of this, or point to where we might find that information, please? This article lacks that useful piece of information. Thanks.
Posted by Anonymous at 10:27:48 on March 8, 2010
