The Scariest Type of Malware – Ransomware

Of all the types of malware, this one scares me the most.

Ransomware – malicious software that locks, and usually encrypts, the files on the victim’s computer. The victim is then told that the only way to get access back is to pay a ransom fee to whoever operates the malware. Basically, ALL your files get locked up, and someone else has the key.

The Attack

On my other computer, I was catching up on celebrity gossip and streaming TV from a sketchy Eastern European site when this page took over my browser.

1 – informs me all my files have been encrypted
2 – shows my IP address, which didn’t pinpoint my exact physical location but was pretty close
3 – ransomware often uses this popular ‘police’ theme to give the illusion of authenticity and heighten fear
4 – a scary countdown timer; I have 24 hours to pay the ransom

The Defence

Ransomware usually gets in when you click a bad link (on social media, on a website or in an email), open a malicious email attachment, or sometimes just visit a compromised site that pushes the download at you.

Closer investigation reveals this is mostly scareware. The English is poor, I’m on a Mac not a PC, the “Internet Police Department”, uh-huh, and child p0rn, pfft, as if; I don’t even really like kids.

Plus, 24 hours have passed, and my computer is fine.

Notice though, I said “my other computer“.

Because I would never visit those sites on my work computer. Which is why, had this actually happened, my solution would have been to wipe the entire laptop; it wouldn’t matter, there’s nothing on it. The opposite of this computer.

Keep your anti-virus software updated, your firewall on, and be careful what you click.

The Fix

It’s up to you whether you pay the ransom. Bear in mind that paying doesn’t guarantee you get a working key, and it funds the next campaign.

F-Secure has removal instructions, as does Norton. Or take your computer to your trusted IT repair place.

Regularly back up your files, and keep at least one copy offline or disconnected: ransomware will happily encrypt a backup drive that is plugged in at the time.


The Flashback Trojan is Turning Macs into Zombies

It’s here – the largest EVER Mac trojan has arrived. It’s called Flashback, it’s huge, and if you are running Mac OS X 10.6 (Snow Leopard), which ships with Java, you may be affected.

600,000 Macs around the world have been compromised. By any measure, that is a giant botnet.

A botnet: think of it as your computer having been turned into a zombie under someone else’s control. Gather together enough zombies and you have a botnet army. Scariest of all: you likely wouldn’t even realize you’ve been affected.

What you need to do:

FIRST – check to see if you are vulnerable. Flashback gets in through the Java web plug-in, so if you are running Mac OS X 10.6 (Snow Leopard), which ships with Java, you might be. If you are running Mac OS X 10.7 (Lion), which does not include Java unless you installed it yourself, you are likely okay.

SECOND – Let’s check to see if your machine is infected. We’re going to use Terminal to do that, your Mac’s command-line interface.

Open ‘Terminal’.

Don’t be scared if you’ve never used Terminal. You’re going to feel a bit like a hacker, fun!

But – don’t screw around in here, stay focused; a couple of wrong keystrokes can change things you do not want changed.

Now you’re looking at a window like this:

Copy and paste this line into Terminal, then hit ‘enter’:

defaults read /Applications/Safari.app/Contents/Info LSEnvironment

NOT AFFECTED: if it returns this line:

The domain/default pair of (/Applications/Safari.app/Contents/Info, LSEnvironment) does not exist

That’s what you want: “does not exist”.

AFFECTED: if it returns anything else, typically an entry naming DYLD_INSERT_LIBRARIES, which is how Flashback loads itself into Safari. If infected, click here for the remedy. F-Secure is an antivirus and computer security company in Finland. You’re going to download a Java update from Apple here.
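If you would rather not eyeball the Terminal output, here is the same check wrapped in a small script. This is an added example, not code from the original post or from F-Secure. It assumes two things: that the user-level file ~/.MacOSX/environment.plist (key DYLD_INSERT_LIBRARIES) is the other location the same F-Secure guidance looks at, which the post does not mention; and that `defaults read` prints a “does not exist” message when a key is absent and the stored value when it is present. On anything other than a Mac it simply reports that it cannot run.

```shell
#!/bin/sh
# Added example, not from the original post or F-Secure: runs the Flashback
# Terminal check and interprets the result instead of leaving it to the reader.
#
# Assumptions (not stated in the post):
#  - ~/.MacOSX/environment.plist, key DYLD_INSERT_LIBRARIES, is the user-level
#    location the same F-Secure guidance also checks.
#  - `defaults read DOMAIN KEY` prints "... does not exist" (to stderr) when the
#    key is absent, and prints the stored value when it is present.

# classify_defaults_output OUTPUT
# Prints "clean" when defaults reported the key as absent, otherwise "suspect".
# Anything unexpected (including empty output) is treated as suspect on purpose.
classify_defaults_output() {
    case "$1" in
        *"does not exist"*) echo clean ;;
        *)                  echo suspect ;;
    esac
}

# check_key DOMAIN KEY
# Returns 0 for clean, 1 for suspect, 2 when the check could not run here
# (for example on a machine without the macOS `defaults` tool).
check_key() {
    domain=$1
    key=$2
    if ! command -v defaults >/dev/null 2>&1; then
        echo "skip: 'defaults' not found, this check only runs on macOS"
        return 2
    fi
    # stderr is merged because the "does not exist" message is printed there.
    out=$(defaults read "$domain" "$key" 2>&1)
    verdict=$(classify_defaults_output "$out")
    printf '%s %s: %s\n' "$domain" "$key" "$verdict"
    if [ "$verdict" = suspect ]; then
        # Flashback loaded itself via DYLD_INSERT_LIBRARIES; the value printed
        # here is the library path you would hand to the removal instructions.
        printf '  value: %s\n' "$out"
        return 1
    fi
    return 0
}

# flashback_check: runs both locations and prints one overall verdict.
flashback_check() {
    suspect=0
    check_key /Applications/Safari.app/Contents/Info LSEnvironment
    rc=$?
    [ "$rc" -eq 1 ] && suspect=1
    check_key "$HOME/.MacOSX/environment" DYLD_INSERT_LIBRARIES
    rc=$?
    [ "$rc" -eq 1 ] && suspect=1
    if [ "$suspect" -eq 1 ]; then
        echo "AFFECTED: follow the removal instructions and install Apple's Java update."
    else
        echo "NOT AFFECTED by this check (a clean result here is not a guarantee)."
    fi
    return "$suspect"
}

flashback_check
```

Save it as flashback-check.sh and run `sh flashback-check.sh` in Terminal. A clean result only means these two known hiding spots are empty; it is not proof the machine is clean, so keep the Java update and the Golden Rule below regardless.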

Remember the golden rule to avoid problems:

The Golden Rule: If you installed it, update it.

 

We Mac users have enjoyed relatively virus- and malware-free living until now. I blogged about it last year over on KeriBlog; click here for why that’s no longer the case.

Further Reading:

Gizmodo

The Register

The Internet Storm Center

UPDATE – April 13 2012

Yesterday, Apple released a fix for the Flashback trojan.

To install it: go to the Apple menu in the top left corner, choose “Software Update”, and say yes to installing the Java update that looks like this:

Apple’s official release page is here. I’ve copied some of the text below and bolded the important parts.

This Java security update removes the most common variants of the Flashback malware.

This update also configures the Java web plug-in to disable the automatic execution of Java applets. Users may re-enable automatic execution of Java applets using the Java Preferences application. If the Java web plug-in detects that no applets have been run for an extended period of time it will again disable Java applets.

I suggested the other day that it is good security practice to make sure your computer is NOT set up to “automatically open downloaded files”. Good idea to do that now. Snow Leopard users might have to do this manually.

Remember, nothing is ever 100% with this stuff. Always err on the side of caution.