Wednesday, May 27, 2009

3rd SMS Ransomware Variant Offered for Sale

The concept of ransomware is clearly making a comeback. During the past two months, scareware met the ransomware business model in the form of File Fix Professional 2009 and FakeAlert-CO or System Security, followed by two separate SMS-based ransomware variants, Trj/SMSlock.A and a modified version of it.

The very latest one is once again offered for sale, with a social engineering theme attempting to trick the infected user into believing that as of the 1st of May Microsoft is launching a new anti-piracy initiative, and that unless a $1 SMS is sent in order to receive the deactivation code back, their copy of Windows will remain locked.

Key features:
- Support for Windows 98/Vista
- Blocks the entire desktop
- Blocks system key combinations that could be used to remove it
- Copies itself to the system folder (the file is almost impossible to find)
- Can be added to startup
- Launches the blocking system before the desktop appears upon reboot
- Blocks all windows including the Task Manager
- Upon entering the secret code, the ransomware is removed from the system folder and autorun

A custom-made version with the customer's own SMS data costs $10, each new (undetected) copy costs $5, and the complete source code is available for $50 from the same vendor.

From a "visual social engineering" perspective, the one that makes scareware what it is as a product -- a product which would not have scaled so fast without the distribution channel in the form of web site compromises and blackhat SEO in the first place -- the latest SMS ransomware variant lacks any significant visual features that can compete with, for instance, the DIY fake Windows XP activation trojan and its 2.0 version.

With the emerging localization-on-demand services offering translations of phishing, spam and malware campaigns into popular international languages, it won't take long before SMS ransomware starts targeting English-speaking users in addition to the Russian-speaking ones it is hardcoded for at the moment.
