Wednesday, September 2, 2009

The Fear Factor

Study of a new genre of Malware called “Scareware”

Depending on their characteristics, Malware can be broadly classified into various types. Most of us are probably aware of terms like Virus, Trojan, Spyware and Adware. However, on the basis of certain behavioural traits, further classification of these broad types is possible. For example, based on their cloaking and stealth mechanisms, certain Malware are identified as Rootkits, while others are called Rogue Anti-Spyware because they pass themselves off as Anti-Spyware applications. The purpose of this article is to make people aware of a new genre of Malware called “Scareware”.

With the focus of Malware authors changing, of late there has been an explosion of a new breed of more financially motivated threats called “Scareware”. A “Scareware” is a kind of Malware designed to trick victims, using various scare mechanisms, into buying, downloading or installing fake, useless or potentially malicious files. This is perhaps a very bookish definition of what we actually mean by the word “Scareware”, and in recent times it is no longer sufficient to describe these threats properly. To understand them in a better and simpler way, we will look at some of the most common Scareware available today. We will also see the various tricks and scare tactics these Malware use to lure, intimidate or trick unsuspecting users into their traps.

Rogue Anti-Spyware –

Rogue Anti-Spyware applications have plagued the internet. They are part of a very well thought out and well planned attack. Also called Rogue Security Software, these are applications that pretend to be legitimate security applications. They use various kinds of tricks to make the user believe in their legitimacy. From the names given to these applications to their look and feel, the Malware authors make sure that the average user surfing the internet will believe it to be something useful for getting rid of unwanted files and Malware from the system. Little does the user know that the software being relied upon is in reality a specific kind of Malware in itself.

They display colourful advertisements for AntiSpyware applications that are anything but legitimate, and instigate the user to download these Rogue applications. At times, though, they don’t even need the user’s intervention to get onto the system: the download can begin automatically without the user’s knowledge. This is called a “Drive-by download”. Drive-by downloads can happen by visiting an infected website, viewing a specially crafted e-mail message or even clicking a deceptive popup window. There are numerous ways in which Malware authors try to lure users into downloading or installing this Rogue Security Software: compromising vulnerable websites and injecting malicious code into them, social engineering unsuspecting users into clicking and downloading things people would usually ignore, and using scare tactics by displaying exaggerated security risks. It’s all part of the evil plan to get you infected and extort money.

The scare mechanisms used by this so-called “Scareware” are proving to be an effective way to squeeze out money. To understand the nature of these threats in more detail, we have to look further into the actual tricks and tactics involved. Let us take a closer look at some of these scare tactics now:

While surfing, we may encounter a sudden popup that imitates a “Warning!!” or a “System Error!!”. It might display a fake alert or a fake Malware infection warning. The popup may further offer a free download of the actual application for the user to clean the ‘so called’ infected files.

[screenshots omitted]

These applications can even install a BHO (Browser Helper Object) that reproduces Internet Explorer’s alert messages with great accuracy. We tend to trust alerts or messages that seem to be coming from the operating system or some trusted application, and most of the time this judgment is based on visual confirmation of the alert shown. The purpose is simply to make the user panic and do what these alerts say.

[screenshots omitted]

The above methods are very effective because they can deceive even the most tech-savvy users. Below is a screenshot of a fake popup window that imitates the ‘Windows XP Help and Support Center’ very closely.

[screenshot omitted]

These Malware can imitate the alerts of some of the most reliable applications or services and take advantage of their goodwill and reputation.

[screenshot omitted]

From fake IE alerts to Microsoft Windows messages, from Google’s interface to an operating system’s crash window, they will try everything to put the user into a state of panic. In the figure below, you can see that these applications will even try to scare the unsuspecting user by recreating the dreaded BSOD (Blue Screen of Death). They show fake BSOD screens or fake Windows loading screens telling the user that an unregistered version of the application has been detected and must be upgraded to the full version. These techniques get better with every generation of these fake applications.

[screenshots omitted]

If you look closely, you will see that all of this Rogue Security Software makes sure the user is told that the application is recommended for the smooth working of the system, that it needs upgrading, and that the full version must be purchased for that. If you are aware of these tricks they may appear funny, but to a normal unsuspecting user this is very scary and very convincing.

One of the worst things about a Rogue AntiSpyware is that it will bombard the system with continuous popups, sometimes even when the system is not connected online. Along with the popups, it may also continuously show fake warnings or system errors.

[screenshot omitted]

These warnings and errors are mainly exaggerated and display non-existent threat lists.

[screenshot omitted]

The aim is to make the user panic and force them to pay for the full version of the perhaps non-existent software. Clicking “Remove all threats now” shows the “Registration” window for purchasing the full version of this software.

[screenshot omitted]

This is nothing more than a scam, and whatever the methodology of infection may be, the ultimate intention is to scare the user and force them to purchase the product.

Ransomware –

If Rogue Security Software only tricks you into coughing up money, there are Malware that FORCE you to pay up. Recently there have been quite a few instances of a kind of Malware that extorts ransom money from victims. A new term, “Ransomware”, was devised for this class of Malware that actually forces victims to pay out ransom or protection money.

Like any other Malware, these also infect the computer, but then do something unbelievable: they block access to the computer or encrypt the user’s data and give the user a deadline to pay the ransom. There are known instances of “Ransomware” in the wild; Trojan.Ransomlock, Trojan.Randsom, Trojan.Ransomcrypt etc. are known to be lurking out there. Let us look into some of these threats:

When Trojan.Ransomlock.B infects the system, it locks the desktop and displays a greyed-out screen. Refer to the screenshot below:

[screenshot omitted]

A translation of the text from Russian to English is given below:

Windows Blocked

For unlocking you need to

Send Text: #win1 t5680

To the number: 6008

The cost of communications is about 60 EUR.

In the reply message you will get a registration code, which should be put in the text box. To activate your copy of Microsoft Windows you have 3 hours from the time of the lock; otherwise, the system files of your computer will automatically be deleted, and all data on it destroyed. Attempting to reinstall the system can lead to data loss.

The Malware has the unlock key hard-coded inside it. There is apparently no easy way to stop the process associated with this Malware, because it disables Task Manager.

Furthermore, there are also known “Ransomware” in the wild that go beyond locking the desktop: they encrypt specific files on the system and force the user to pay up. When Trojan.Ransomcrypt infects a system, it encrypts files with the following extensions:

.doc, .jpg, .rar, .zip, .txt, .rtf, .jpeg, .html, .7z, .htm, .php, .eml, .3gp

It encrypts every file with one of the above extensions that it finds on the system, adds a .vscrypt extension to the encrypted copy and deletes the original file. Once all the files are encrypted, it changes the desktop wallpaper to the picture below and restarts the computer.
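The replace-and-delete behaviour described above can be spotted from file-system activity alone, without knowing anything about the cipher used. The following Python is an added example written for this article, not code from the original post or from any vendor. It assumes a simple stream of create/delete events (the `FileEvent` record, the event format and the constructed sample log are this example’s own assumptions, not anything the Malware produces) and raises an alert when a burst of targeted files is replaced by `.vscrypt` copies within a short window, while a single such rename, or a `.vscrypt` file whose original was never deleted, is left alone.

```python
# Added example (not from the original post): flag the Trojan.Ransomcrypt-style
# pattern "targeted file replaced by a .vscrypt copy, original deleted" when it
# happens in bulk. Event records and the sample log below are constructed.
from collections import defaultdict
from dataclasses import dataclass
import os

# Extensions the post lists as targeted by Trojan.Ransomcrypt.
TARGET_EXTS = {".doc", ".jpg", ".rar", ".zip", ".txt", ".rtf", ".jpeg",
               ".html", ".7z", ".htm", ".php", ".eml", ".3gp"}
ENCRYPTED_SUFFIX = ".vscrypt"


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds since an arbitrary epoch (assumed event format)
    action: str    # "create" or "delete"
    path: str


def _original_for(path):
    """Return the original file path if `path` looks like an encrypted copy of a
    targeted file (e.g. report.doc.vscrypt -> report.doc), otherwise None."""
    if not path.endswith(ENCRYPTED_SUFFIX):
        return None
    original = path[:-len(ENCRYPTED_SUFFIX)]
    return original if os.path.splitext(original)[1].lower() in TARGET_EXTS else None


def find_replacements(events, max_gap=5.0):
    """Pair each .vscrypt create with a delete of its original within max_gap seconds.
    Returns a list of (original_path, encrypted_path, create_ts)."""
    deletes = defaultdict(list)
    for e in events:
        if e.action == "delete":
            deletes[e.path].append(e.ts)
    pairs = []
    for e in events:
        if e.action != "create":
            continue
        original = _original_for(e.path)
        if original is None:
            continue
        if any(abs(t - e.ts) <= max_gap for t in deletes.get(original, ())):
            pairs.append((original, e.path, e.ts))
    return pairs


def detect_burst(events, window=60.0, threshold=5, max_gap=5.0):
    """Return (alert, count): alert is True when at least `threshold` replacements
    fall inside any `window`-second span; count is the densest span found."""
    times = sorted(ts for _, _, ts in find_replacements(events, max_gap))
    best, start = 0, 0
    for end in range(len(times)):          # sliding window over sorted timestamps
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best >= threshold, best


def _sample_events():
    """Constructed log: a little benign noise followed by a burst of replacements."""
    evs = [
        FileEvent(0.0, "delete", r"C:\Users\a\setup.exe"),          # not a targeted type
        FileEvent(1.0, "create", r"C:\Users\a\notes.txt.vscrypt"),  # original never deleted
    ]
    names = ["report.doc", "photo.jpg", "backup.zip", "memo.rtf",
             "index.html", "mail.eml", "clip.3gp", "archive.7z"]
    for i, name in enumerate(names):
        base = r"C:\Users\a\docs" + "\\" + name
        t = 100.0 + i * 2.0
        evs.append(FileEvent(t, "create", base + ENCRYPTED_SUFFIX))
        evs.append(FileEvent(t + 0.5, "delete", base))
    return evs


# Constructed inputs: one bulk encryption run and one isolated replacement.
SAMPLE_EVENTS = _sample_events()
BENIGN_EVENTS = [
    FileEvent(10.0, "create", r"C:\Users\a\letter.doc.vscrypt"),
    FileEvent(10.2, "delete", r"C:\Users\a\letter.doc"),
    FileEvent(12.0, "create", r"C:\Users\a\new.txt"),
]

if __name__ == "__main__":
    print("burst log:", detect_burst(SAMPLE_EVENTS))   # (True, 8)
    print("benign log:", detect_burst(BENIGN_EVENTS))  # (False, 1)
```

The window and threshold are deliberately conservative: a user renaming one file by hand looks identical to a single replacement, so only the rate of replacements, not any one event, carries the signal.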

[screenshot omitted]

Similarly, Trojan.Ransomlock displays a message (translated from Russian to English):

To unlock you need to send an SMS with the text
[RANDOM NUMBERS]
To the number
3649
Enter the resulting code:
[TEXT BOX]
Any attempt to reinstall the system may lead to loss of important information and computer damage

[screenshot omitted]

The threat executes every time the computer is started, even in safe mode.

Trojan.Randsom.A blocks access to the compromised computer and issues a ransom demand. It displays a dialog box with the following messages:

"Deleted files are going to be saved into a hidden directory and replaced during uninstallation."
"(1) files are being deleted every 30 minutes"

It then locks the desktop with the screen below, which carries two pornographic images:

[screenshot omitted]

Text from the locked screen:

-----
environment loaded
windows locked
Listen up xxxxxxxxx
is this computer valuable. it better not be.
is this a business computer. it better not be.
do you keep important company records or files on this computer. you'd better hope not.
because there are files scattered all over it tucked away in
invisible hidden folders undetectable by antivirus software
the only way to remove them and this message is by a CIDN: number
This X.aip will load every time you start windows scattering more and more copies of itself until your computer is fried to a pulp. Until then you may even notice other programs missing critical files.
How to remove it?
Simple: You must receive a CIDN: number from Western Union
go to Western union, fill out the grey form labeled "SwiftPay" pay $10.99 as your customer access number enter "4 8 7 0 9 3 0 1 0 1 3 0 8 6 9 7"
you may sign any name, i.e John Doe and wait for a receipt from the clerk. Look on the top right-hand corner of the receipt for a number that starts with CIDN: i.e CIDN: 203-093-1903 comeback to this computer an enter your CIDN number. The uninstall process will begin.
Note: if you don't pay exactly $10.99 you will generate an invalid CIDN number and be forced to start all over.
If you have a valid CIDN: Number and have problems uninstalling send a request to
unlock3713@yahoo.com
I will research the problem and if applicable send an alternate CIDN: universal key by email.
-----

Worms such as Trojan.Gpcode brought the biggest change to the world of “Ransomware”, as it uses the RSA encryption algorithm with a 1024-bit key, making it impossible to crack without the author’s key. The malware author is the only party that knows the needed private decryption key. As part of the attack, an email address is supplied through a ReadMe.txt or Attention.txt file, which users are supposed to contact to request the release of their files after paying a ransom of $100-200.

Some files are coded.
To buy decoder mail: [user]@yahoo.com
with subject: PGPcoder 000000000032

[screenshot omitted]

Archiveus, Krotten, Cryzip, and MayArchive began using more sophisticated RSA encryption schemes with ever-increasing key sizes, large enough to make cracking them computationally infeasible. More sophisticated “Ransomware” may hybrid-encrypt the victim’s plaintext with a random symmetric key and a fixed public key.