Fake cop Trojan 'detects offensive materials' on PCs, demands money

Security firms are warning about a rash of police-themed ransomware attacks. The Reveton Trojan warns victims that illegal content has supposedly been detected on infected machines, displaying a message supposedly from local police agencies demanding payment to unlock machines. To unlock an infected machine, marks are invited …

COMMENTS

This topic is closed for new posts.
  1. Trollslayer
    Megaphone

    Easy to fix (a couple of months ago)

    This hit me due to a website being infected, fix as follows:

    1. Log into another account or into safe mode.

    2. Search in the original user's Programs->Startup directory for an odd entry and delete it.

    3. Search in the Users/<original user> directory tree for an executable of some kind that has just appeared and delete it.

    4. Reboot.
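    The manual sweep in the post above (Startup folder, then the profile tree for a freshly appeared executable) can be scripted. This added example is not Trollslayer's code or from the article: it walks a profile directory for executable-looking files modified in the last day and lists the per-user Startup folder; the profile it builds is a constructed stand-in, and the list of "executable" extensions is an assumption.

```python
import os
import time
import tempfile
from pathlib import Path

# Extensions treated as "an executable of some kind" (assumption for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".dll"}

def recent_executables(root, max_age_days=1.0, exts=EXECUTABLE_EXTS):
    """Walk a profile directory and return root-relative paths of executable-looking
    files modified within the last `max_age_days`; long-standing files are ignored."""
    root, cutoff, hits = Path(root), time.time() - max_age_days * 86400, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in exts:
                continue
            try:
                mtime = p.stat().st_mtime
            except OSError:
                continue  # vanished or unreadable: skip, don't abort the sweep
            if mtime > cutoff:
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)

def startup_entries(startup_dir):
    """Everything in a per-user Startup folder; a clean profile usually has none."""
    d = Path(startup_dir)
    return sorted(p.name for p in d.iterdir()) if d.is_dir() else []

def build_demo_profile():
    """Constructed stand-in for C:\\Users\\<user>: month-old benign files plus a
    freshly dropped executable in Temp and a Startup shortcut to launch it."""
    root = Path(tempfile.mkdtemp(prefix="profile_"))
    startup = root / "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    startup.mkdir(parents=True)
    (root / "Documents").mkdir()
    (root / "AppData/Local/Temp").mkdir(parents=True)
    month_ago = time.time() - 30 * 86400
    for rel in ("Documents/notes.txt", "Documents/old_tool.exe"):
        f = root / rel
        f.write_bytes(b"benign")
        os.utime(f, (month_ago, month_ago))  # pre-existing: must not be flagged
    (root / "AppData/Local/Temp/0.1234.exe").write_bytes(b"MZ constructed sample")
    (startup / "0.1234.lnk").write_bytes(b"constructed shortcut")
    return root, startup

if __name__ == "__main__":
    root, startup = build_demo_profile()
    print(recent_executables(root), startup_entries(startup))
```

    Run it from a second account or safe mode against the affected profile's path; anything it lists is a candidate to inspect, not proof of infection.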

    1. NomNomNom

      Re: Easy to fix (a couple of months ago)

      next time replace 'http' in the address box of internet explorer with 'https' and you will be secure

      1. Anonymous Coward

        Re: Easy to fix (a couple of months ago)

        It is trivially easy for any website to obtain an SSL certificate (even scammers) and they do nothing to prevent trojans. Not one thing!

        1. NomNomNom

          Re: Easy to fix (a couple of months ago)

          I know that, obviously, but paedophiles can't follow you down https links.

        2. Franklin
          WTF?

          Re: Easy to fix (a couple of months ago)

          "It is trivially easy for any website to obtain an SSL certificate (even scammers) and they do nothing to prevent trojans. Not one thing!"

          True that.

          And if the malware writer responsible for this malware really is the same person behind the DNSchanger malware, he knows it, too. In fact, there was one variant of the DNSchanger malware that was code-signed with a digital signing certificate in the name of "Mistland Limited," so not even running only signed code will *necessarily* protect you.

          In any event, the most common way to spread this and other malware is to hack legitimate, "reputable" sites and embed iFrames or hostile JavaScripts that then attempt to load various exploits from the malware domains. So whether or not you use https is not necessarily relevant; you may be visiting a site that you believe to be perfectly innocuous that you've used dozens of times before, or in some cases you may even be visiting a site that uses https but that's still been pwn3d.
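          Franklin's point about compromised "reputable" sites carrying injected iframes suggests a defender-side check. This added example is not from the thread or the article: a small Python scanner that flags iframes in saved HTML which are hidden (tiny, display:none, pushed off-screen) or which load content from a host other than the page's own. The sample page and the `.invalid` domain in it are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _tiny(value):
    """True for width/height of 0 or 1 (with or without 'px')."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1

def _hidden(attrs):
    """Heuristics for a frame the visitor is not meant to see."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or _tiny(attrs.get("width")) or _tiny(attrs.get("height"))
            or re.search(r"(left|top):-\d{3,}", style) is not None)

def suspicious_iframes(html, page_host):
    """Return (src, reasons) for each iframe that is hidden or pulls content
    from a host other than the page's own."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for a in parser.iframes:
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host != page_host.lower():
            reasons.append("third-party host " + host)
        if _hidden(a):
            reasons.append("hidden or near-zero size")
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed page: a legitimate widget, an injected 1x1 hidden frame pointing at a
# placeholder domain, and an off-screen frame on the site's own host.
SAMPLE_HTML = """<html><body><h1>Shop</h1>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://malware-host.invalid/load.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="/help" style="position:absolute;left:-5000px"></iframe>
</body></html>"""
```

          Calling `suspicious_iframes(SAMPLE_HTML, "www.example.com")` reports the two hidden frames and leaves the visible same-host widget alone; a third-party hit on a page that normally has none is the signal worth chasing.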

      2. Anonymous Coward
        WTF?

        Re: Easy to fix (a couple of months ago)

        > next time replace 'http' in the address box of internet explorer with 'https' and you will be secure

        There's really no hope for some people, is there?

    2. Anonymous Coward

      Re: Easy to fix (a couple of months ago)

      I think I may have just experienced the shortest period of amazement ever.

      The onset came when I read the instruction to delete the other user's files. "Wait, you can do that in Windows?" Then a few abstract factoids trickled in... Windows isn't really a multi-user OS, the underlying filesystem doesn't have any concept of file ownership and so on, and poof! It was over.

      Now I'm just a bit embarrassed, though whether it's because I was actually surprised in the first place or because people still expect and trust Windows to be secure, I can't say. Probably a mix of both.

      1. Fatman
        FAIL

        Re: delete the other user's files

        Someone just had their epiphany!

        You would have to be logged in as `root`, or using sudo to bring about that kind of damage under Linux.

        Windblowze, the biggest FAIL the world has ever seen.

      2. BlinkenLights
        FAIL

        Re: Easy to fix (a couple of months ago)

        You seem to be short of a few factoids. Windows does have file ownership*, and you cannot delete the files of other users unless the permissions allow. Therefore you will have to do a "run as administrator" on the tool you use to delete the files, just as you would have to sudo on Linux.

        So now you can really be embarrassed.

        * Note to the anal, this applies to NTFS only, which of course is the standard FS for Windows installs since Windows 2K.

        1. Ken Hagan Gold badge

          Re: really embarrassed

          Anyone willing to go public about how crappy Windows is when they don't even know about ACLs clearly has neither a sense of shame nor self-awareness.

          They aren't going to be embarrassed.

          1. Anonymous C0ward

            Re: really embarrassed

            Of course, using this little tool you can gain all the local admin access you need:

            http://pogostick.net/~pnh/ntpasswd/

      3. RAMChYLD
        Boffin

        Re: Easy to fix (a couple of months ago)

        Depends on the configuration I guess. NTFS does support ACLs. Unfortunately, it's mostly in the domain of the power users.

        I suspect this is due to the part where all created accounts are admin by default; it takes an additional 3 clicks to convert one account to luser level.

        I always go through the hassle of creating a Limited User account and an Admin account, and only escalate to the Admin account if I want to install something I trust. Unfortunately, most simpletons not only have a single account that is admin and not protected by a password, but also have UAC disabled completely because they deem it a nuisance.

    3. Fatman
      Linux

      Re: Easy to fix

      Simples!

      Get rid of that shitty operating system called Windows, and use Linux.

      TUX, because you are less likely to get "infected" surfing the web.

    4. Anonymous Coward
      Joke

      @Troll

      No, no no... All wrong.

      What you do is sue the hell out of your local police squad because the malware has pointed you to them. While this probably won't fix your PC it might get you rich (though I wouldn't bet on it).

  2. Anonymous Coward

    Politician tactics

    And yet you've got MPs once again proposing shit like mandatory censorship of ALL UK ISPs and Mobile Phone operators as a means of supposedly protecting children from pornography *. (As usual, no mention of violent or any other non-sexual materials that could be equally unsuitable for children).

    Given the reaction of many people to the trojan's claim of having found "offensive materials" on their computers, do MPs really think that adults won't be restricted by having to contact their ISPs and specifically requesting that the "porn be turned back on".

    They're just using the same technique as blackmailers in order to allow a "great wall" style blanket internet filter to be put in place (which, of course, can and will be extended and abused as was the case with RIPA, Extradition laws, Section 44 and just about everything else.)

    * Yes, I am aware that the latest proposal is just a private members bill.

    1. Ben Tasker

      Re: Politician tactics

      Awesome! Those are the exact words I'm going to use just to see what the reaction is;

      Them: Hello Sir, how can I help

      Me: I'd like you to turn my porn back on, please!

  3. Anonymous John

    Statistically, some recipients will have an illegal porn stash.

    1. Gordon Fecyk
      Paris Hilton

      As opposed to a legal porn stash?

      1. Francis Boyle Silver badge

        I don't

        live in Iran.

      2. Anonymous Coward

        Legal porn stash

        Hot barrister-on-barrister action, volume III.34234234.2(a)!

  4. mark 63 Silver badge
    Headmaster

    "Even when somebody is savvy enough to recognise the message is a fake, the malware's accusations of offensive materials having been discovered on the user's hard drive creates a chilling effect, which has likely prevented some folks from seeking outside help,"

    That would suggest they haven't, in fact, recognised that the message is fake.

  5. NomNomNom
    Linux

    OTOH, if this trojan stops just one paedophile it will be worth it.

    1. Francis Boyle Silver badge

      What have you got

      against footcare implements.

  6. Anonymous Coward

    Got hit with this, too.

    Was setting up a gaming PC and foolishly trusted Google to help me find patch files for out of circulation games I wanted to play again (KOTOR and KOTOR2, specifically). Got sent to an infected site and told I had illegal porn on my pc.

    There was nothing on the PC save the OS, firewall and AV. I hadn't even gotten around to installing any of the games.

    Decided to flatten the PC and reinstall from scratch as I just couldn't be bothered trying to clean it. Had it been my main PC, I'd have been tempted to fix it instead. Bottom line: I don't trust search engines to provide safe links, so I now use an old laptop to do my searches.

    As for porn: Not all porn is illegal. A lot of what is classed as porn is quite legal and barely offensive even to the Mary Whitehouse brigade.

  7. Kubla Cant

    Payment?

    So this purports to be "a message supposedly from local police agencies demanding payment to unlock machines". Just how likely is it, even in countries with dodgy police, that they would display a message on your computer asking for 100 EUR, to be paid with a funny card?

    So often these scams seem to be so transparent that you'd have to be terminally thick to fall for them. Like the interminable phishing messages that come from a bank where nobody has any knowledge of English spelling, grammar or punctuation.

    1. Jimbo 6
      Windows

      Re: you'd have to be terminally thick to fall for them

      Luckily for the scammers, one thing of which there will never be a shortage, is terminally thick people. (Average person = pretty thick; ergo, 50% of population is more thick than that.)

      Windows user icon, natch.

      1. Ken Hagan Gold badge

        Re: you'd have to be terminally thick to fall for them

        Perhaps this piece of malware was written by a bank, trying to flush out customers who are "too stupid to be creditworthy". Perhaps when victims try to get the credit card payments reversed, they'll find that the bank will oblige on this occasion but wants the card back.

    2. Chicken Marengo

      Re: Payment?

      ---messages that come from a bank where nobody has any knowledge of English spelling, grammar or punctuation.

      Like the last letter I received from my business account manager?

      Seriously, you would not believe the standards of some of Britain's biggest banking institutions.

      The managers look about 15 as well. But that could be me getting old.

      1. Anonymous Coward

        Re: Payment?

        > messages that come from [X] where nobody has any knowledge of English spelling, grammar or punctuation.

        Sadly, I don't think that the lack of these is enough to always spell "scammer". I've had so many dealings with actual companies and "professionals" who have such a poor command of language (reading comprehension, as well as an ability to write sentences that make any kind of sense) that it's hard to believe they're actually native speakers, let alone that they (presumably) got through university and got qualified, hired, etc.

        > The managers look about 15 as well. But that could be me getting old.

        This makes me feel old too, like "born in the wrong century" kind of old.

        1. Anonymous Coward

          @ 15?

          Well, not quite 15, but I have had a few managers who had just scraped out of their teens.

          I was only a few years older, so could not (and did not!) judge. But must be difficult managing at that age. Where is the experience you need when you need it? Plus both were banking/finance jobs too.

          PS, anon, for obvious reasons.

  8. Anonymous Coward
    Joke

    oh well

    Least it's easier to reinstall your OS on your PC than it is to go to a STD clinic.

    1. Anonymous Coward

      Not to mention...

      ...that it's easier at that point to *replace* said dodgy OS with something a bit more secure than it is to, say, install a prosthetic replacement todger...

      1. Fatman
        Linux

        Re: *replace* said dodgy OS with something a bit more secure

        Hint: see icon.

        1. Anonymous Coward

          Linux?

          I think that was the point of "replace dodgy OS with something a bit more secure"...

    2. NomNomNom

      Re: oh well

      I'll take your word on that

    3. Anonymous Coward

      Re: oh well

      I see someone has not turned off their auto-update...

    4. Anonymous Coward

      Re: oh well

      speaking as someone who has had to re-install the OS on PCs in an STD Clinic I can tell you that your statement is not *always* true.

  9. 0_Flybert_0
    Boffin

    There was a simple but harmless trick years ago, where I'd create a webpage with a big title I SEE YOU and within a large iframe have the path something like /My Documents/My Pictures, which would display the person's My Pictures folder on their screen.

    I'd post it on forums to people I didn't like and totally freak them out, them thinking I could see into their computers. It was especially effective against computer *experts* who would threaten to report me to "authorities".

    Such fun. If I had the time I'd post the code, set the page up and test it again. It might still work, seeing as iframes still work.

    1. Anonymous Coward

      You are using...

      Windows XP and Firefox...

      .. Well, you've seen the real ones that point out the browser. It's a nice little trick.

  10. Boris the Cockroach Silver badge
    FAIL

    Best advice

    I was given was to customise your Windows settings so that the nice blue bar at the top of the window is a different colour to standard (mine are greeny red).

    Then when the scammer pops up a standard Windows dialog box using default colours, it stands out like a sore thumb.

    But it didn't help when the window said it had scanned 10 000 files on my C: drive and said I had 25 illegal files.

    Which I found very odd

    Since I was surfing using a Linux box.......

    1. Anonymous C0ward
      Pirate

      Re: Best advice

      I've got a hell of a lot more than 25 illegal files. Y'arrr.

  11. Anonymous Coward

    nice

    I'll just sit and wait for the phone calls then....

    Easy fix means some income this month

    anon, because my customers read El Reg

  12. Anonymous Coward

    Got whacked by this one a while ago.

    Knew something was up when I aborted an alert about untrusted Java and heard the drive grinding of Java firing up anyway. I now no longer have Java. And OpenOffice still works - didn't know that, or it would have gone long ago.

  13. Anonymous Coward

    ROFLMAO

    Computer equivalent of the Darwin Awards methinks.

    People dumb enough to PAY for the fix should have their broadband taken away.

    On the flip side, something I'd like to see done is basic antivirus on the router itself.

    Most home routers have USB these days and it's not exactly hard to write custom software which scans all incoming data for known scumbagware and, if found, blocks the page entirely.

    Have it update from the antivirus servers automatically and also scan for attempted intrusion via Wifi and record the MAC addresses of machines attempting this.

    1. Anonymous Coward

      Re: ROFLMAO

      So not only do you have the delay of the PC-based AV scanning stuff that comes down off the web for 'known' scumbagware, you have the router slowing down all your net traffic while the *reactive* software scans everything. Meanwhile, the new scamware that your freshly updated AV knows nothing of oozes through at the speed of cold molasses.

      Nice.

      Which MAC address would you like me to tell my laptop to impersonate today? A MAC address is *not* a unique identifier; it is so easy to spoof that it's just not clever, and if anyone approached me with such 'evidence' I'd laugh at them.

  14. nexsphil

    Scammers

    So hard to tell the difference between scammers and politicians. Wait...
