
April 22nd, 2009

New ransomware locks PCs, demands premium SMS for removal

Posted by Dancho Danchev @ 1:30 pm

Categories: Anti Virus, Browsers, Hackers, Malware, Microsoft, Russia, Viruses and Worms

Tags: PC, Cybercriminal, Security, PandaLabs, Dr.Web, Ransomware, Text Messaging/SMS/MMS, Telephony, Search, Dancho Danchev

UPDATE: Another variant has been detected.

Following the recently uncovered hybrid scareware with elements of ransomware, and last year’s GPcode ransomware attacks, cybercriminals have once again demonstrated their interest in the concept of ransomware.

PandaLabs is reporting on a newly discovered ransomware variant which locks the affected user’s PC, and demands a premium SMS in order to deactivate it.

Trj/SMSlock.A doesn’t have any self-propagation functions and appears to arrive in the form of a typical fake codec that has been affecting users for over a week now. The message (in Russian) demands that the affected user send an SMS with the pseudo-unique number to the given number in order to receive a deactivation code. From a monetization perspective, the approach is pretty similar to the recent Trojan-SMS.Python.Flocker mobile malware which was transferring account credit, and mimicking the original functionality of the RedBrowser mobile malware which was automatically sending SMS messages to premium-rate numbers in 2006.

Just how dangerous is SMSlock.A? Compared to GPcode, it’s the work of less technically sophisticated people, making it fairly easy to bypass. Dr.Web has even released a generator for deactivation codes so that affected users don’t have to pay.

Ransomware is not a fad, that’s for sure. In fact, Trend Micro’s Annual Threat Report: Cybercriminals are Working Faster than Ever stated that ransomware attacks are prone to increase in a targeted fashion during Q2 of 2009. And whereas the current variants do not have self-propagation functions, their primary propagation vector remains the hundreds of currently active blackhat search engine optimization campaigns serving the ubiquitous fake codecs (Cybercriminals syndicating Google Trends keywords to serve malware; Massive comment spam attack on Digg.com leads to malware).

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He's been an active security blogger since 2007, and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.


  • Talkback
Maybe I overestimate the average person's intelligence  Michael Kelly | 04/22/09
It's not maybe, you do overestimate...  ThePrairiePrankster | 04/22/09
If they are really that stupid, they shouldn't be allowed near a PC  Lerianis | 04/22/09
RE: If they are really...  bfilipiak@... | 04/23/09
Or this....  ThePrairiePrankster | 04/23/09
Agreed!  ThePrairiePrankster | 04/23/09
Or...  eric_s@... | 04/23/09
Huh?  Mewshew | 04/22/09
Or, perhaps...  fairportfan | 04/23/09
LMAO!  ejhonda | 04/23/09
One of them was my Ma  ThePrairiePrankster | 04/23/09
I wouldn't be  Lerianis | 04/23/09
Small victories  ejhonda | 04/23/09
Or the intelligence of the good guys .....  Dr.C | 04/27/09
When I saw ransomware in the title...  kozmcrae | 04/22/09
RE: New ransomware locks PCs, demands premium SMS for removal  gertruded | 04/22/09
Because it's very, very securable  mechBgon | 04/22/09
Windows is very securable  Lerianis | 04/23/09
Consider using RunAs, or Vista  mechBgon | 04/23/09
A Well Disguised Troll  TheGooch1 | 04/28/09
Yep, It's Another Windows Hit  itanalyst2@... | 04/23/09
Get real  Lerianis | 04/23/09
Wake up  T1Oracle | 04/23/09
The problem *IS* the OS....  Rick S._z | 04/28/09
No But  TheGooch1 | 04/28/09
RE: New ransomware locks PCs, demands premium SMS for removal  athaki | 04/23/09
Wait a minute. I thought MS called this a feature nt  T1Oracle | 04/23/09
Where are Loverock, NoAxe, and Bott to defend MS?  nizuse | 04/23/09
loverock just got his third zdnet NIC  InAction Man | 04/23/09
RE: Where are ...  bfilipiak@... | 04/23/09
Linux has evolved.... but not far enough  Lerianis | 04/23/09
LMAO  T1Oracle | 04/23/09
Going backwards.  bfilipiak@... | 04/23/09
Valve stats, anyone?  mechBgon | 04/24/09
In The End The OS Doesn't Matter - It's the Apps  TheGooch1 | 04/28/09
humans are evolved  ljenux-23043766007667558234416105604265 | 10/28/09
RE: New ransomware locks PCs, demands premium SMS for removal  mobyprick@... | 04/23/09
Why is it...  library assistant | 04/23/09
Vista and Win 7 not affected  Qbt | 04/23/09
It affects a windows version still on sale. Windows IS windows  InAction Man | 04/23/09
I find it funny  NStalnecker | 04/23/09
Customer Used Backasswards Compatibility  mobyprick@... | 04/23/09
Yes, but given the flop Vista is and the flip Vista2 (aka Win7) will be,  HypnoToad | 04/26/09
You might find the file in Task Manager Processes  BALTHOR | 04/23/09
Good Shot!  mobyprick@... | 04/23/09
RE: New ransomware locks PCs, demands premium SMS for removal  phatkat | 04/23/09
MS APOLOGIST speaks. (NT)  Intellihence | 10/28/09
RE: New ransomware locks PCs, demands premium SMS for removal  UK_PJC | 04/25/09
Wouldn't it be cheaper just to buy a Mac?  HypnoToad | 04/26/09
RE: New ransomware locks PCs, demands premium SMS for removal  Steve KTG | 04/28/09
yes you keep using MS bloatware  ljenux-23043766007667558234416105604265 | 10/28/09
