Browsers and Ransoms 

Jul 25, 2009 12:15 AM

We have already written about threats that can encrypt files or lock victims out of their computers in order to extract a ransom. Today I want to talk about yet another similar threat. It uses scare or nuisance tactics—similar to rogue antivirus programs—in an attempt to demand ransom from its victims.

Once infected with Trojan.Ransompage, a victim’s browser will display a persistent inline ad on every page that the victim visits. The ad will cover part of the original Web page, as shown below.

The ad will stay on the screen even if the page is scrolled:

This ad is written in Russian and states that in order to remove the ad (and to gain access to a porn site) the victim must send a premium-rate text message to the number provided. The victim will then receive a code to remove the ad.

Rough translation:

“If you installed an advertising module has been, but you have chosen to unsubscribe, you send the MC to short number specified below. Code allows you to remove the received news ticker.
1 Informer removed automatically after 30 days.
2 Free porn video archives.
3 Technical support service.

To remove the informer, send SMS message with text [5-digit number] to number [4-digit number].
Enter the code, received in response, MC”

Obviously this is a very annoying ad, and the victim may just decide to use a different browser. The malware author thought of this too (see below) and actually targets the following three browsers:

Internet Explorer

So switching to another targeted browser will not necessarily solve the problem. (Actually the code that the attacker uses is not compatible with the latest version of Firefox, so there is one easy escape at the moment.)

Similar to Trojan.Ransomlock and Trojan.Ransomcrypt, this Trojan attempts to make money by utilizing a premium-rate telephone number. The premise is that the victim will become so frustrated or embarrassed by the ad that they will succumb to the pressure and send the SMS text message. This threat is also interesting from a technical point of view, so I will follow up with more details in another posting.
