
Fake cop Trojan 'detects offensive materials' on PCs, demands money

Security firms are warning about a rash of police-themed ransomware attacks. The Reveton Trojan warns victims that illegal content has supposedly been detected on infected machines, displaying a message supposedly from local police agencies demanding payment to unlock machines. To unlock an infected machine, marks are invited …

COMMENTS

This topic is closed for new posts.
Megaphone

Easy to fix (a couple of months ago)

This hit me due to a website being infected, fix as follows:

1. Log into another account or into safe mode.

2. Search in the original user's Programs->Startup directory for an odd entry and delete it.

3. Search in the Users/<original user> directory tree for an executable of some type that has just appeared and delete it.

4. Reboot.

0
0
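The manual sweep in steps 2 and 3 above, turned into an added triage script (not code from the original post or from any vendor): it lists everything in a user's per-user Startup folder and every executable-type file under the profile tree that was written recently, newest first. It assumes the Windows Vista-and-later per-user Startup path under AppData\Roaming, a 48-hour window, and a list of "executable" extensions; all three are assumptions and adjustable. The profile root is passed in, so it can be pointed at a copied profile or a mounted disk rather than run on the infected machine.

```python
"""Triage a Windows user profile for freshly dropped executables and Startup entries.

Added example for the cleanup steps in the post above; not the original poster's code.
Assumptions: Vista+ per-user Startup folder location, a 48-hour "recent" window,
and the EXECUTABLE_SUFFIXES list below.
"""
import os
import time
from pathlib import Path

# File types Windows will run directly or hand to a script host (assumed list).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".dll", ".com", ".bat", ".cmd",
                       ".vbs", ".js", ".ps1", ".lnk"}

# Per-user Startup folder, relative to the profile root such as C:\Users\<name>
# (assumption: Vista-and-later layout).
STARTUP_RELATIVE = Path("AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup")


def list_startup_entries(profile_root):
    """Return every entry in the profile's Startup folder except desktop.ini.

    Anything here runs at logon, so every entry deserves a look, not just executables.
    """
    startup = Path(profile_root) / STARTUP_RELATIVE
    if not startup.is_dir():
        return []
    return sorted(str(p) for p in startup.iterdir()
                  if p.name.lower() != "desktop.ini")


def find_recent_executables(profile_root, max_age_hours=48, now=None):
    """Walk the profile tree and return (path, age_in_hours) for executable-type files
    whose last-write time falls inside max_age_hours, newest first.

    `now` can be injected so the result is reproducible in a test. Only mtime is used:
    on POSIX, ctime changes whenever metadata changes, so it is not a reliable
    "when did this appear" signal; on a live Windows box the creation time
    (st_ctime there) could be added as a second criterion.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_hours * 3600
    hits = []
    for dirpath, _dirnames, filenames in os.walk(profile_root):
        for name in filenames:
            if Path(name).suffix.lower() not in EXECUTABLE_SUFFIXES:
                continue
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue  # vanished or unreadable: skip rather than abort the sweep
            if st.st_mtime >= cutoff:
                hits.append((full, round((now - st.st_mtime) / 3600, 2)))
    hits.sort(key=lambda hit: hit[1])
    return hits


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    print("Startup folder entries:")
    for entry in list_startup_entries(root):
        print("  ", entry)
    print("Executable-type files written in the last 48 hours:")
    for path, age in find_recent_executables(root):
        print(f"  {age:7.2f}h  {path}")
```

Review the output by hand before deleting anything: a legitimately installed updater can show up here too, and the script only narrows the search the post describes.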
Silver badge

Re: Easy to fix (a couple of months ago)

next time replace 'http' in the address box of internet explorer with 'https' and you will be secure

0
17
Anonymous Coward

Re: Easy to fix (a couple of months ago)

It is trivially easy for any website to obtain an SSL certificate (even scammers) and they do nothing to prevent trojans. Not one thing!

1
0
Silver badge

Re: Easy to fix (a couple of months ago)

I know that obviously but pedofiles can't follow you down https links

0
11
Anonymous Coward

Re: Easy to fix (a couple of months ago)

I think I may have just experienced the shortest period of amazement ever.

The onset came when I read the instruction to delete the other user's files. "Wait, you can do that in Windows?". Then a few abstract factoids trickled in... Windows isn't really a multi-user OS, the underlying filesystem doesn't have any concept of file ownership and so on, and poof! it was over.

Now I'm just a bit embarrassed, though whether it's because I was actually surprised in the first place or because people still expect and trust Windows to be secure, I can't say. Probably a mix of both.

2
10
Bronze badge
Linux

Re: Easy to fix

Simples!

get rid of that shitty operating system called Windows, and use Linux.

TUX, because you are less likely to get "infected" surfing the web.

10
12
Bronze badge
FAIL

Re: delete the other user's files

Someone just had their epiphany!

You would have to be logged in as `root`, or using sudo to bring about that kind of damage under Linux.

Windblowze, the biggest FAIL the world has ever seen.

8
12
WTF?

Re: Easy to fix (a couple of months ago)

> next time replace 'http' in the address box of internet explorer with 'https' and you will be secure

There's really no hope for some people, is there?

8
0
FAIL

Re: Easy to fix (a couple of months ago)

You seem to be short of a few factoids. Windows does have file ownership*, and you cannot delete the files of other users unless the permissions allow. Therefore you will have to do a "run as administrator" on the tool you use to delete the files, just as you would have to sudo on Linux.

So now you can really be embarrassed.

* Note to the anal, this applies to NTFS only, which of course is the standard FS for Windows installs since Windows 2K.

13
0
Gold badge

Re: really embarrassed

Anyone willing to go public about how crappy Windows is when they don't even know about ACLs clearly has neither a sense of shame nor self-awareness.

They aren't going to be embarrassed.

8
0

Re: really embarrassed

Of course, using this little tool you can gain all the local admin access you need:

http://pogostick.net/~pnh/ntpasswd/

1
0
WTF?

Re: Easy to fix (a couple of months ago)

"It is trivially easy for any website to obtain an SSL certificate (even scammers) and they do nothing to prevent trojans. Not one thing!"

True that.

And if the malware writer responsible for this malware really is the same person behind the DNSchanger malware, he knows it, too. In fact, there was one variant of the DNSchanger malware that was code-signed with a digital signing certificate in the name of "Mistland Limited," so not even running only signed code will *necessarily* protect you.

In any event, the most common way to spread this and other malware is to hack legitimate, "reputable" sites and embed iFrames or hostile JavaScripts that then attempt to load various exploits from the malware domains. So whether or not you use https is not necessarily relevant; you may be visiting a site that you believe to be perfectly innocuous that you've used dozens of times before, or in some cases you may even be visiting a site that uses https but that's still been pwn3d.

0
0
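The injection pattern the post above describes (a legitimate site carrying an added iframe or script that pulls content from elsewhere) is what a defender's crawler or proxy would look for. The scanner below is an added example, not the poster's code or any product's: it parses page HTML with the standard library and flags iframes and scripts whose `src` points at a host other than the one the page was served from, plus iframes that are 1x1, hidden by inline style, or nested inside a hidden ancestor. The sample page and the hostnames in it (`www.example.com`, `evil-example.test`, `cdn.example.com`) are constructed for the example; the hidden-style patterns and the "third-party host" heuristic are assumptions that a real deployment would tune with an allow-list of known CDNs.

```python
"""Flag hidden or off-site iframes and scripts in fetched HTML.

Added example for the injected-iframe scenario in the post above; not the poster's code.
Assumes the page source and the serving hostname are already available
(e.g. from a crawler or a logging proxy). Sample HTML below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that never have a closing tag; they must not sit on the ancestor stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "param", "source", "track", "wbr"}

# Inline-style tricks commonly used to keep an injected element out of sight (assumed set).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)


def _dimension(value, default=100):
    """Parse a width/height attribute such as '1', '1px' or '100%'; unknown -> default."""
    if value is None:
        return default
    match = re.match(r"\s*(\d+)", value)
    return int(match.group(1)) if match else default


class InjectedContentScanner(HTMLParser):
    """Collect iframes and external scripts together with the reasons they look suspicious."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []
        self._open = []  # stack of (tag, is_hidden) so hidden ancestors are detected

    def _hidden_ancestor(self):
        return any(hidden for _, hidden in self._open)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style_hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag in ("iframe", "script"):
            self._inspect(tag, a, style_hidden)  # checked before it joins the stack
        if tag not in VOID_TAGS:
            self._open.append((tag, style_hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy, unbalanced markup.
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                del self._open[i:]
                break

    def _inspect(self, tag, a, style_hidden):
        src = a.get("src")
        if not src:
            return  # inline scripts and src-less frames are out of scope here
        reasons = []
        # A relative or protocol-relative src resolves against the page host.
        host = (urlparse(src).hostname or self.page_host).lower()
        if host != self.page_host:
            reasons.append("third-party host " + host)
        if tag == "iframe":
            if _dimension(a.get("width")) <= 1 or _dimension(a.get("height")) <= 1:
                reasons.append("tiny frame")
            if style_hidden:
                reasons.append("hidden by style")
            if self._hidden_ancestor():
                reasons.append("inside hidden ancestor")
        if reasons:
            self.findings.append({"tag": tag, "src": src, "reasons": reasons})


def scan_html(html, page_host):
    """Return a list of {tag, src, reasons} findings for the given page source."""
    scanner = InjectedContentScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: one legitimate frame, one legitimate local script, and three
# things a reviewer should look at.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="/widgets/weather" width="300" height="200"></iframe>
<iframe src="http://evil-example.test/x.php" width="1" height="1" style="visibility:hidden"></iframe>
<script src="https://cdn.example.com/jquery.js"></script>
<script src="/static/app.js"></script>
<div style="display:none"><iframe src="//evil-example.test/y"></iframe></div>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, "www.example.com"):
        print(finding["tag"], finding["src"], "->", ", ".join(finding["reasons"]))
```

A third-party script on its own is only a review item (CDNs and analytics look the same), which is why the script case carries a single reason while the iframe cases stack several; an HTTPS page carrying such a frame would be flagged just the same, which is the post's point that the padlock says nothing about the page's contents.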
Bronze badge
Boffin

Re: Easy to fix (a couple of months ago)

Depends on the configuration I guess. NTFS does support ACLs. Unfortunately, it's mostly in the domain of the power users.

I suspect this is due to the part where all created accounts are admin by default, it takes an additional 3 clicks to convert one account to luser level.

I always go through the hassle of creating a Limited User account and an Admin account, and only escalate to the Admin account if I want to install something I trust. Unfortunately, most simpletons not only have a single account that is admin and not protected by a password, but also have UAC disabled completely because they deem it a nuisance.

0
0
Silver badge
Joke

@Troll

No, no no... All wrong.

What you do is sue the hell out of your local police squad because the malware has pointed you to them. While this probably won't fix your PC it might get you rich (though I wouldn't bet on it).

0
0
Anonymous Coward

Politician tactics

And yet you've got MPs once again proposing shit like mandatory censorship of ALL UK ISPs and Mobile Phone operators as a means of supposedly protecting children from pornography *. (As usual, no mention of violent or any other non-sexual materials that could be equally unsuitable for children).

Given the reaction of many people to the trojan's claim of having found "offensive materials" on their computers, do MPs really think that adults won't be restricted by having to contact their ISPs and specifically request that the "porn be turned back on"?

They're just using the same technique as blackmailers in order to allow a "great wall" style blanket internet filter to be put in place (which, of course, can and will be extended and abused as was the case with RIPA, Extradition laws, Section 44 and just about everything else.)

* Yes, I am aware that the latest proposal is just a private members bill.

4
0

Re: Politician tactics

Awesome! Those are the exact words I'm going to use just to see what the reaction is:

Them: Hello Sir, how can I help

Me: I'd like you to turn my porn back on please!

3
0

Statistically, some recipients will have an illegal porn stash.

2
0
Paris Hilton

As opposed to a legal porn stash?

2
4
Bronze badge

I don't

live in Iran.

4
0
Anonymous Coward

Legal porn stash

Hot barrister-on-barrister action, volume III.34234234.2(a)!

0
0
Bronze badge
Headmaster

"Even when somebody is savvy enough to recognise the message is a fake, the malware's accusations of offensive materials having been discovered on the user's hard drive creates a chilling effect, which has likely prevented some folks from seeking outside help,"

That would suggest they haven't, in fact, recognised that the message is fake.

5
1
Silver badge
Linux

otoh if this trojan stops just one pedofile it will be worth it

2
15
Bronze badge

What have you got

against footcare implements.

25
0
Anonymous Coward

Got hit with this, too.

Was setting up a gaming PC and foolishly trusted Google to help me find patch files for out of circulation games I wanted to play again (KOTOR and KOTOR2, specifically). Got sent to an infected site and told I had illegal porn on my pc.

There was nothing on the PC save the OS, firewall and AV. I hadn't even gotten around to installing any of the games.

Decided to flatten the PC and reinstall from scratch as I just couldn't be bothered trying to clean it. Had it been my main PC, I'd have been tempted to fix it instead. Bottom line: I don't trust search engines to provide safe links, so I now use an old laptop to do my searches.

As for porn: Not all porn is illegal. A lot of what is classed as porn is quite legal and barely offensive even to the Mary Whitehouse brigade.

4
0
Silver badge

Payment?

So this purports to be "a message supposedly from local police agencies demanding payment to unlock machines". Just how likely is it, even in countries with dodgy police, that they would display a message on your computer asking for 100 EUR, to be paid with a funny card?

So often these scams seem to be so transparent that you'd have to be terminally thick to fall for them. Like the interminable phishing messages that come from a bank where nobody has any knowledge of English spelling, grammar or punctuation.

4
0
Windows

Re: you'd have to be terminally thick to fall for them

Luckily for the scammers, one thing of which there will never be a shortage, is terminally thick people. (Average person = pretty thick; ergo, 50% of population is more thick than that.)

Windows user icon, natch.

11
0

Re: Payment?

> messages that come from a bank where nobody has any knowledge of English spelling, grammar or punctuation.

Like the last letter I received from my business account manager?

Seriously, you would not believe the standards of some of Britain's biggest banking institutions.

The managers look about 15 as well. But that could be me getting old.

6
0
Anonymous Coward

Re: Payment?

> messages that come from [X] where nobody has any knowledge of English spelling, grammar or punctuation.

Sadly, I don't think that the lack of these is enough to always spell "scammer". I've had so many dealings with actual companies and "professionals" who have such a poor command of language (reading comprehension, as well as an ability to write sentences that make any kind of sense) that it's hard to believe they're actually native speakers, let alone that they (presumably) got through university and got qualified, hired, etc.

> The managers look about 15 as well. But that could be me getting old.

This makes me feel old too, like "born in the wrong century" kind of old.

1
0
Anonymous Coward

@ 15?

Well, not quite 15, but I have had a few managers who just scraped out of their teens.

I was only a few years older, so could not (and did not!) judge. But must be difficult managing at that age. Where is the experience you need when you need it? Plus both were banking/finance jobs too.

PS, anon, for obvious reasons.

0
0
Gold badge

Re: you'd have to be terminally thick to fall for them

Perhaps this piece of malware was written by a bank, trying to flush out customers who are "too stupid to be creditworthy". Perhaps when victims try to get the credit card payments reversed, they'll find that the bank will oblige on this occasion but wants the card back.

0
0
Joke

oh well

Least it's easier to reinstall your OS on your PC than it is to go to a STD clinic.

0
0
Anonymous Coward

Not to mention...

...that it's easier at that point to *replace* said dodgy OS with something a bit more secure than it is to, say, install a prosthetic replacement todger...

4
0
Silver badge

Re: oh well

I'll take your word on that

0
2
Bronze badge
Linux

Re: *replace* said dodgy OS with something a bit more secure

Hint: see icon.

5
8
Anonymous Coward

Linux?

I think that was the point of "replace dodgy OS with something a bit more secure"...

1
3
Anonymous Coward

Re: oh well

I see someone has not turned off their auto-update...

1
0
Anonymous Coward

Re: oh well

speaking as someone who has had to re-install the OS on PCs in an STD Clinic I can tell you that your statement is not *always* true.

0
0
Boffin

there was a simple but harmless trick years ago, where I'd create a webpage with a big title I SEE YOU and within a large iframe have the path something like /My Documents/My Pictures which would display the person's My Pictures folder on their screen

I'd post it on forums to people I didn't like and totally freak them out, they thinking I could see into their computers .. was especially effective against computer *experts* who would threaten to report me to "authorities"

such fun .. if I had the time I'd post the code, set the page up and test it again .. might still work seeing as iframes still work

5
0
Anonymous Coward

You are using...

Windows XP and Firefox...

.. Well, you've seen the real ones that point out the browser. It's a nice little trick.

0
0
Silver badge
FAIL

Best advice

I was given was to customise your Windows settings so that the nice blue bar at the top of the window was a different colour to standard (mine are greeny red)

Then when the scammer pops up a standard windows dialog box using default colours, it stood out like a sore thumb.

But it didn't help when the window said it had scanned 10 000 files on my C: drive and said I had 25 illegal files.

Which I found very odd

Since I was surfing using a Linux box.......

6
0
Pirate

Re: Best advice

I've got a hell of a lot more than 25 illegal files. Y'arrr.

0
0
Anonymous Coward

nice

I'll just sit and wait for the phone calls then....

Easy fix means some income this month

anon, because my customers read El Reg

0
0
Anonymous Coward

Got whacked by this one a while ago.

Knew something was up when I aborted an alert about untrusted Java and heard the drive grinding of Java firing up anyway. I now no longer have Java. And OpenOffice still works - didn't know that, or it would have gone long ago.

0
0
Anonymous Coward

ROFLMAO

Computer equivalent of the Darwin Awards methinks.

People dumb enough to PAY for the fix should have their broadband taken away.

On the flip side, something I'd like to see done is basic antivirus on the router itself.

Most home routers have USB these days and it's not exactly hard to write custom software which scans all incoming data for known scumbagware and if found blocks the page entirely.

Have it update from the antivirus servers automatically and also scan for attempted intrusion via Wifi and record the MAC addresses of machines attempting this.

0
0
Anonymous Coward

Re: ROFLMAO

so not only do you have the delay of the PC based AV scanning stuff that comes down off the web for 'known' scumbagware, you have the router slowing down all your net traffic while the *reactive* software scans everything. Meanwhile, the new scamware that your freshly updated AV knows nothing of oozes through at the speed of cold molasses.

Nice.

Which MAC address would you like me to tell my laptop to impersonate today? MAC address is *not* a unique identifier, and is so easy to spoof it's just not clever; if anyone approached me with such 'evidence' I'd laugh at them.

0
0

Scammers

So hard to tell difference between scammers and politicians. Wait...

0
0