
Browsers and Ransoms

Created: 25 Jul 2009 04:15:04 GMT • Updated: 23 Jan 2014 18:33:48 GMT
Fred Gutierrez

We have already written about threats that can encrypt files or lock victims out of their computers in order to extract a ransom. Today I want to talk about yet another similar threat. It uses scare or nuisance tactics—similar to rogue antivirus programs—in an attempt to demand ransom from its victims.

Once infected with Trojan.Ransompage, a victim’s browser will display a persistent inline ad on every page that the victim visits. The ad will cover part of the original Web page, as shown below.

[Screenshot: the ad covering part of a Web page]

The ad will stay on the screen even if the page is scrolled:

[Screenshot: the ad remaining on screen after the page is scrolled]

This ad is written in Russian and states that in order to remove the ad (and to gain access to a porn site) the victim must send a premium-rate text message to the number provided, after which the user will receive a code to remove the ad.

[Screenshot: the Russian-language ad text]

Rough translation:

“If you installed an advertising module has been, but you have chosen to unsubscribe, you send the MC to short number specified below. Code allows you to remove the received news ticker.
1 Informer removed automatically after 30 days.
2 Free porn video archives.
3 Technical support service.

To remove the informer, send SMS message with text [5-digit number] to number [4-digit number].
Enter the code, received in response, MC”

Obviously this is a very annoying ad, and the victim may just decide to use a different browser. The malware author thought of this too (see below) and actually targets the following three browsers:

Internet Explorer
Firefox
Opera


So switching to another targeted browser will not necessarily solve the problem. (Actually the code that the attacker uses is not compatible with the latest version of Firefox, so there is one easy escape at the moment.)


Similar to Trojan.Ransomlock and Trojan.Ransomcrypt, this Trojan attempts to make money by utilizing a premium rate telephone number. The premise is that the victim will become so frustrated or embarrassed by the ad that they will succumb to the pressure and send the SMS text message. This threat is also interesting from a technical point of view, so I will follow up with more details in another posting.