Recently, I talked at the VB2012 conference in Dallas about one of the recent developments in today’s threat landscape: the increasing prevalence of police ransomware. Earlier, Trend Micro published a white paper discussing this threat, titled The “Police Trojan”.

The idea behind ransomware is relatively simple: the cybercriminals block the user from accessing their own computer. This continues until the user pays the cybercriminals money to unlock their system. We first saw this type of threat in Russia back in 2005 to 2006.

More recently, we’ve seen this threat spread to other countries. Using geo-location, users are presented with a notice, supposedly from local police, that they have committed some crime, and that to unlock their PC they need to pay a “fine” of some sort.

As we looked into this threat, we found that it was, in some ways, similar to previous fake antivirus threats: multiple gangs produce their own variants, the social engineering is very good at getting users to pay up, and new versions are appearing all the time. Affiliate programs are also used to monetize this threat.

We found at least two groups of suspects that run separate affiliate programs. Each group targets different countries and uses locally available payment schemes. There are also differences in the Trojans themselves.

One of these groups uses server-side scripts to serve the appropriate images and scripts, depending on the user’s country.

A second group uses a different technique. Here, the images and scripts are embedded in base64-encoded PHP code, so they are never downloaded separately, as they might be in the first case.

In cases where the user’s country can’t be determined (or, perhaps, is not one targeted by the cybercriminals), a more “conventional” alert, similar to that used by FAKEAV attacks, is displayed.
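As an added illustration of the second group’s technique (this is example code written for this page, not from the original post or from any of the samples it describes), the following analyst script pulls base64 runs out of a suspect PHP file, decodes them and labels what they decode to, so a responder can inventory the embedded lock-screen images and scripts without executing the page. The PHP fragment and both payloads are constructed stand-ins.

```python
import base64
import re

# Constructed sample of the embedding technique: the lock-screen image and the
# page markup sit inside the PHP as base64 strings instead of being fetched
# separately. Both payloads are stand-ins built for this example.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PAGE = b"<html><body>Notice</body></html>"
SAMPLE_PHP = (
    "<?php\n"
    "$img = base64_decode('" + base64.b64encode(SAMPLE_PNG).decode() + "');\n"
    "$page = base64_decode('" + base64.b64encode(SAMPLE_PAGE).decode() + "');\n"
    "header('Content-Type: text/html'); echo $page; ?>\n"
)

# Runs of the base64 alphabet long enough to be a payload rather than an identifier.
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")

# Leading bytes of the image formats typically embedded this way.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]


def classify(data: bytes) -> str:
    """Best-effort label for a decoded blob, judged from its leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    head = data.lstrip().lower()
    if head.startswith((b"<html", b"<!doctype", b"<script", b"<?php")):
        return "markup"
    if all(b >= 0x20 or b in b"\r\n\t" for b in data):
        return "text"
    return "binary"


def extract_embedded(php_source: str) -> list:
    """Decode every base64 run in a PHP file and label it, without running the file."""
    found = []
    for m in B64_RE.finditer(php_source):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # right alphabet but bad length/padding: not a payload
            continue
        found.append({"offset": m.start(), "size": len(data),
                      "kind": classify(data), "data": data})
    return found
```

Each entry records where the blob sits in the source, its decoded size and type, which is usually enough to tell a localized lock screen from ordinary site assets before anyone opens the decoded files.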

How do cybercriminals get their money? Instead of using credit cards, victims are asked to purchase vouchers for electronic cash. Two providers, Ukash and paysafecard, are frequently used by cybercriminals. Both of these services are legitimate; however, the vouchers are like cash in that there is no record of them changing hands.

What happens is that cybercriminals take the vouchers they have gathered and sell them to various exchange sites for around 40-50% of the voucher’s face value. The exchanges, in turn, sell these to other users for up to 90% of their value.

This highlights how cybercriminals are trying out new schemes to replace old ones which may have become less effective. New cybercriminal groups arrive on the scene; new business models are created. It is up to the security industry to keep up in order to protect users.

For further details about these attacks, you may read the following blog posts:

• http://twitter.com/ComradeDanski n00bs@uc3

  affiliate programs constantly re-encrypt the binaries
  adverts redirect traffic to exploit kits
  >> use a linux machine to look at porn :)

• DJRiddle

  Do all you computer types just write these articles to intentionally make you out to seem overly verbose and at the same time not help at all? How do I get rid of the stinking virus?!!!!

• Louis

  great information. BUT how did it get past the firewall and MORE important how to fix?



© Copyright 2013 Trend Micro Inc. All rights reserved.