Ransom Ware [message #73284] |
Sat, 14 July 2012 16:43 |
|
gofar99
Messages: 1955 Registered: May 2010 Location: Southern Arizona
|
Illuminati (5th Degree) |
|
|
Hi Everyone, Just a had a new experience. Two days ago my pc was hijacked by ransom ware. What happens is an intruder encrypts some key files and makes it so it looks like a hard drive failure. Nothing will work except the message they post saying they can fix it and where to send money. No files are actually erased, just everything is encrypted and not accessible. So what happens if you send the money.... my guess is they fix it for a while and then screw you again and oh by the way, now have a link to an account that you sent money from. There are programs to get rid of the infection, but they can't un-encrypt the files.
It had been several years and lots of junk was in the pc so I did a clean rebuild. Fortunately nearly anything I cared about was already off loaded. Very few things were lost in the process. But have you any idea how many updates there are to windows XP Pro? (I use it on this pc to run programs that won't run in win 7 - or at least don't like to run under a virtual disk). There were 169 updates. Fix some and then there were fixes to the fixes. Gads.
BTW the site to "fix" the PC showed up as www.file-recovery-software.com and the money would go to OnPay, INC (US). If you see that site pop up you are screwed.
Good Listening
Bruce
|
|
|
|
|
|
|
|
|
Re: Ransom Ware [message #73328 is a reply to message #73319] |
Thu, 19 July 2012 22:13 |
Thermionic
Messages: 208 Registered: May 2009
|
Master |
|
|
Bruce, what you got hit with was a rootkit. They were an epidemic a few years back when I serviced computers, that I had to deal with continuously. They're insidious beasts that practically no big-name commercial anti-virus programs can stop completely once they've sunk their fangs in.
In geek-speak, the 'root' in rootkit means the base drive, administrator account, directory, etc on a computer. The 'kit' part refers to their 'installation kit', normally a fake anti-malware scanner. The kit exploits the normal operational functions within a web browser, that unfortunately also double as security vulnerabilities in the hands of those with less-than-sterling morals. Those who take the bait and buy the "fix" are not only out 75 bucks immediately, but thieves immoral enough to write the rootkit in the first place now have possession of their credit card number. And, your computer gets even more malware downloaded and installed in the process.
There are two main categories of rootkit, which are user-mode and kernel-mode.
Windows is configured with 'heirarchical protection domains', which are a mechanism meant to protect the OS from catastrophic failure if a few non-critical files are corrupted or deleted, such as in the cases of malware infestation or minor hard drive damage. Protection domains can be thought of as four concentric rings, which are numbered 3, 2, 1, and 0 from outermost to innermost.
Windows guest accounts reside in Ring 3, and of course have no privileges to change settings or access certain files. Regular user accounts reside in Ring 2, and have limited privileges. Administrator accounts reside in Ring 1, and can do anything except modify or delete protected system files. Finally, Ring 0 is the Windows operating system's core, called the 'kernel'.
The user-mode rootkit installs itself in the outer rings (the 'Windows user' rings, hence the name), and therefore can't really totally trash your computer; it just makes you THINK it has. It blocks all your legitimate anti-virus/spyware programs from opening, and pretty much every other piece of software on your computer as well, including the web browser. The ensuing panic causes many to fork over their credit card number, which unlocks your computer but leaves it running slower than a drunk pig because of all the spyware it has installed. Generally, these user-mode kits aren't too hard to get rid of in Windows Safe Mode, if you know which software to use and how to use it. You often have to manually restore a few settings it has changed, but it's usually nothing major. So often, a user-mode 'kit's bark is worse than its bite.
On the other hand, a kernel-mode 'kit installs itself in the actual Windows kernel. These babies therefore have unfettered access to ANY file on the hard drive, and can change or delete any file or registry key, without restriction. They're also nearly impossible to detect with anti-rootkit software, much less remove. When one of these takes up residence at 1 Windows Drive, Apartment C:\, you can pretty much figure that formatting your drive and starting over with a fresh, new copy of Windows is your only recourse for complete relief.
In short, when a user-mode 'kit moves in, you can run it out of the house with the appropriate weapons, and effect do-it-yourself repairs to fix the damage to the carpet and walls. But when a kernel-mode 'kit moves in, YOU must leave the house and burn it behind you to kill the rootkit, then build a new house from the ground up.
Thermionic
|
|
|
Re: Ransom Ware [message #73329 is a reply to message #73328] |
Thu, 19 July 2012 22:22 |
|
Wayne Parham
Messages: 18793 Registered: January 2001
|
Illuminati (33rd Degree) |
|
|
I've been running a program called "UnHackMe" for about five years now. I got a copy after first encountering rootkits, and I have had several occasions where it has saved a computer, and one time where it brought one back from the dead.
It's a sort of clunky looking program, but it works well. It was obviously written by Russians, and at first that may make you suspicious, but it is good software.
If it is installed on a system with a rootkit, it will shut everything down, not even giving a screen for several minutes. The program authors were bad about not giving feedback in that case - because you think you've totally hosed the computer when it happens. But after what seems an eternity, it awakens from its slumber to run the install program. It has eradicated the rootkit and started putting things back together again.
In most cases, when installed on a healthy PC, you won't really notice anything from it. Except when new updates are installed, in which case the next time you boot the computer, it will annoyingly tell you about everything that has changed and ask you to confirm it or roll it back. It's a long process to single-step through, but it does ensure that only what you want gets in. And it helps you identify whether those cryptic processes are valid or not, by showing you what the service is trying to do, and who wrote it. It even gives an estimate of whether or not it is legitimate. It even suggests some places to look up the questionable process, if you are really unsure about a newly installed process.
|
|
|
|