Over 9,000 PCs In Australia Infected By TorrentLocker Ransomware 83
First time accepted submitter River Tam writes Cybercriminals behind the TorrentLocker malware may have earned as much as $585,000 over several months from 39,000 PC infections worldwide, of which over 9,000 were from Australia.
If you're a Windows user in Australia who's had their files encrypted by hackers after visiting a bogus Australia Post website, chances are you were infected by TorrentLocker and may have contributed to the tens of thousands of dollars likely to have come from Australia due to this digital shakedown racket.
Re:How? (Score:5, Informative)
I was wondering too, it's in the article "The main way that PCs become infected is by spam email that encourages the victim to open what appears to be a document but is in fact an executable file that will install the malware and encrypt the files. In other words, it relies on social engineering rather than exploiting an un-patched bug. In some cases, the malware is delivered within a .zip file while in others, the message contains a link to the .zip file."
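The infection path quoted above (a spam mail carrying a zip, the zip carrying an executable dressed up as a document) is exactly what a mail gateway can screen for before a user ever sees the attachment. The following is an added example for this thread, not code from the article or from anyone quoted here; the message, the zip and the `Parcel_Tracking_Info.pdf.exe` stub inside it are constructed for the demo (the stub only begins with the `MZ` bytes of a PE header and is not a real program). It flags executable extensions, a document extension hiding in front of the real one, and PE magic regardless of name, both on the attachment itself and on every member of an attached zip.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions Windows runs directly on double-click (assumed list, extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf"}
# Extensions a lure borrows to look like a document, e.g. "invoice.pdf.exe".
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def classify_name(name):
    """Reasons a filename alone looks like a disguised executable (empty list if none)."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return reasons
    ext = "." + parts[-1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
        if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
            reasons.append("double extension mimics a document")
    return reasons


def screen_bytes(name, data):
    """Name checks plus a content check: a PE file starts with 'MZ' whatever it is called."""
    reasons = classify_name(name)
    if data[:2] == b"MZ":
        reasons.append("PE header (MZ) regardless of name")
    return reasons


def screen_message(raw):
    """Return (attachment name, reason) pairs for every suspicious attachment or zip member."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        for reason in screen_bytes(name, payload):
            findings.append((name, reason))
        # Look inside zips: the lure in the article put the executable in one.
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for member in zf.infolist():
                    if member.is_dir():
                        continue
                    head = zf.open(member).read(2)
                    for reason in screen_bytes(member.filename, head):
                        findings.append((f"{name}:{member.filename}", reason))
    return findings


def build_sample():
    """Constructed lure mail: a 'parcel' message with a zip holding a fake .exe (stub, not a real PE)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Parcel_Tracking_Info.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.txt", b"Please open the attached file.")
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Your parcel could not be delivered"
    msg.set_content("Please see the attached tracking information.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="tracking.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for item, why in screen_message(build_sample()):
        print(f"{item}: {why}")
```

The zip itself passes the name check, which is why the member walk matters; a gateway that only looks at the outer attachment name sees `tracking.zip` and nothing else.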
Re:How? (Score:4, Interesting)
I've received dozens of these. All via hijacked SMTP hosts.
The interesting thing is that all are plain-text with the attachment. The attachment is only a few kilobytes long. No HTML, no javascript, nothing. Even more telling was that they came in batches of about 5. I'd start my day with about 5 in my inbox that all arrived within a few minutes of each other; all pretty-much the same. Then nothing all day until the next morning when the same thing happened.
They appear plausible, except the most recent one was "We noticed you haven't collected your tax refund of $few thousand." That's interesting because, in Australia, the ATO sends you a cheque or direct-deposits into your account for you. You don't collect anything. I've had parcel tracking ones, and all manner of other variations. There was one claiming to be a building approval. A "vehicle tax rebate" form. Then a "late fee" for something, etc.
A few years ago I would have expected them to contain some malicious HTML or javascript, to try and force the attachment to execute in Outlook. I guess these days most clueless n00bs are using web based mail, which would make that a little more difficult.
It's crap like this that makes me glad I gave my (technology) clueless mother a Linux machine with all the security bells and whistles enabled. I'm sure she got more than her share of these emails, which she can try to run to her heart's content. I'm even more sure that she is the reason I got them (forwarding my mails, or sending mails To: a hundred people).
Re: (Score:3)
> I've received dozens of these. All via hijacked SMTP hosts.
Any time I see one of these I examine the headers and invariably it is some end user desktop running off of a dynamic IP from some ISP.
Re: (Score:2)
I would guess that most of those that pay are corporations that actually need that data.
Re: (Score:2)
Most small businesses are incorporated.
Re: (Score:3)
And still, MS won't make opening something and running something distinctly different actions.
Re: (Score:1)
Sad, but true. All software has bugs. Some of them are in your browser.
(Windows does tend to have more (exploited) holes than most, 'tho)
Re:How? (Score:5, Insightful)
This malware relies on weakness in wetware rather than software. No general-purpose operating system can save you from PEBKAC issues, at most partially mitigate them. Unix-style execute bit rather than Windows' extensions reduces the number of vulnerable idiots by like 2-3 orders of magnitude, but you can bet that if the webpage kindly provides instructions, a good number of marks will still manage to get infected.
Re: (Score:2)
... except when your application(s) and OS hide file extensions making it difficult for people to see it's an "exe".
(But yes, people are dumb.)
Re:How? (Score:5, Interesting)
You don't need to hide the .exe extension. People will click on it anyway if they believe they have something to gain or something to lose.
Re: (Score:2)
Those require certain filesystem attributes to be set regardless of what the name on the file is.
On the other hand, if your OS and user shell and email application simply avoid the equivalent of "bash you-don't-know-where-I-came-from.zip", you easily avoid a lot of this nonsense.
You would never consider taking random things you find on the floor or street and putting them in your mouth, but that's exactly what some "modern" software does.
Re: (Score:2)
"You would never consider taking random things you find on the floor or street and putting them in your mouth"
You clearly don't have kids. Kids don't know better and are curious. Now extend that to every person who doesn't manage computers for a living or as part of their hobby. Interestingly, that includes almost everyone born before 1960 and after about 1995. The younger generation understands computers as little as the elderly - we've simplified the UI to the point that they're magic boxes to both
Re: (Score:2)
I don't think young people are *that* bad. When we were kids, only people that could understand the lower level operation of a computer could use one, because there was no "high level" interface, i.e. they were not user-friendly. Since modern computers are relatively friendly and they are more useful to your average person now (the web, social platforms, etc.), you have many more people from *all* generations using computers. There are probably more young people today that understand computers well at a
Re: (Score:3)
You missed out one bit, the critical part, the ability to get away with the crime, bitcoins seem to have found their true market, criminal enterprise. Interesting side note the same countries were targeted each time and a very unlikely set, it would seem the logical relationship between the perpetrators in each targeted location would be a family relationship. There really isn't all that much secrecy in bit coins like anything else digitally transmitted across the internet bit coins have a recognisable bi
Re: (Score:2)
The main attraction of Bitcoin is that it can't be shut down. Any kind of credit card payment system or Western Union can be shut down easily and then there is no way for them to collect the money.
Re: (Score:2)
Actually bitcoins can be quite readily shut down, they can simply be detected and filtered off the internet between points of transmission and either kept or destroyed. Likely to become a growing target of opportunity for corrupt ISP employees or management.
Re: (Score:2)
Very true. I was working in our office in Milan when two users PCs were hit.
Email avoided Barracuda mail firewall device, Sophos on two Exchange servers, Sophos on the endpoint and Outlook junk-email filters. It also came in through our Cisco firewall with an IDS module.
Email appeared to be a legit email from a logistics company in Italy (in Italian). Only three users out of 60 got the email, those that deal with the company. Two users opened the mail and the attachment.
So, one, it avoided a lot of checki
Re:How? (Score:5, Informative)
It's really just another form of Dancing Pigs [wikipedia.org] social engineering attack. You give the user a plausible reason for downloading and installing software, and you'll find users go out of their way to install it.
Doesn't matter the OS. And it can be anything - be it porn, a "private porn browser" or other such tool and any OS is vulnerable. (Yes, "private porn browser" - download now and browse your porn in privacy and even your wife won't find out...).
Not as such (Score:3)
Re: (Score:2)
So on Linux, this malware can install itself without asking for a password?
Humans are the weakest chain.... (Score:1)
The software pretends to be from the post office and asks a user to execute an executable that is thought to be some sort of package tracking program.
Since the logos and other stuff all match up with the real post office's stuff, many users are tricked into believing that it is indeed some legit executable.
As usual humans are the weakest link in the chain.
But someone should offer a big reward for cracking this type of ransomware to our more skilled and knowledgeable readers....
Re: (Score:1)
On Windows 8.1, using IE [non-Metro], just visiting a website using the default configuration for security settings, lets it display the drivers that are installed, with version numbers, which presumably could also be uploaded to the server, without needing further interaction with the user [after clicking a link to go to that page].
You might as well just have the web browser directly publish the vulnerabilities...
It's Over 9000! (Score:4, Funny)
Re: (Score:2)
OMG I was blind to miss that.
Re: (Score:2)
https://www.youtube.com/watch?... [youtube.com]
9000 (Score:2)
So, like half?
Re: (Score:1)
Except that if the victims do even the slightest research (say, oh, I don't know... a "Google" perhaps) and find that NO ONE is getting the key (or, conversely, that keys are being given for the ransom)... You think THAT might give the hackers incentive? Keeping the gravy train running? For the price of an emailed key, to keep those hundreds of thousands of dollars flowing in?
Fucking derp.
I can't believe people would fall for this! (Score:2)
Re:I can't believe people would fall for this! (Score:5, Funny)
Yeah, like I'm going to click on that link you posted! Can't fool me.
Backups solve much of the problem: (Score:5, Insightful)
As computer files become more valuable to ordinary people (rather than just IT geeks and businesses), backup plans become more important.
Most general users don't do this, but as the data becomes more damaging if it's lost, encrypted or maliciously destroyed, they may need some sort of solution.
Even a pretty sophisticated ransom-ware would have a hard time if you take an occasional backup and check it by restoring/reading the file on another machine.
Re: (Score:3, Interesting)
Word.
Posting Anon because I'm embarrassed, but our business got hit hard by a rootkit two weeks ago (not TorrentLocker). Proved damn near impossible to get rid of.
In the end we erased the physical desktops and rolled all the VM's back to our August DR backup. Fortunately all our work is done in VM's and we backed up data offsite religiously (with version histories).
So we had a shitty virus protection policy but were saved by good backups.
We now have WebRoot rolled out via group policy, firewalls, windows u
Re: (Score:1)
We got hit by this in a small way a few weeks ago, driveby download exploiting a Flash vulnerability for which a patch had been issued just the previous day but not rolled out. Not a huge impact on us, but Flash was just one day out of date and everything else was fully patched.
Backups are the only real defence though. Offline backups too, as it is perfectly possible for ransomware to encrypt mapped network drives, USB devices and even in theory some cloud backup service
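Two points from the backup posts above are worth seeing in code: a backup is only known-good once you have read it back and compared it to what you expected, and a ransomware run looks different from ordinary editing because nearly every file changes at once. This is an added example for the thread, not code from the article or from any poster; the directory tree, the file contents and the "encryption" (overwriting every file with random bytes while keeping names) are all constructed inside a temporary directory so it runs offline. It records a SHA-256 manifest at backup time, verifies a tree against it, and raises an alert when the fraction of changed or missing files crosses a threshold (the threshold of one half is an assumed value for the demo).

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root (taken at backup time)."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_manifest(root, manifest):
    """Compare a tree (a restored backup, or the live data) to the manifest it was taken from."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {"missing": missing, "changed": changed,
            "ok": len(manifest) - len(missing) - len(changed)}


def mass_change_alert(result, total, threshold=0.5):
    """Most of the tree changing between two checks is bulk encryption, not someone editing documents."""
    if total == 0:
        return False
    return (len(result["changed"]) + len(result["missing"])) / total >= threshold


def demo():
    """Constructed scenario: normal edit, then every file overwritten the way an encryptor would."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        sample = {"docs/a.txt": b"alpha", "docs/b.txt": b"beta", "img/c.bin": b"\x00\x01"}
        for name, body in sample.items():
            p = live / name
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body)
        manifest = build_manifest(live)          # what the backup job would store

        (live / "docs/a.txt").write_bytes(b"alpha v2")   # one ordinary edit
        normal = verify_against_manifest(live, manifest)

        for p in live.rglob("*"):                # simulated encryption: names kept, contents replaced
            if p.is_file():
                p.write_bytes(os.urandom(32))
        after = verify_against_manifest(live, manifest)

        return {"manifest_size": len(manifest), "normal": normal, "after": after,
                "normal_alert": mass_change_alert(normal, len(manifest)),
                "after_alert": mass_change_alert(after, len(manifest))}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The manifest has to live somewhere the malware cannot reach (the same offline media the posters recommend, or a separate host), otherwise it can be rewritten along with the files it describes; the same goes for the backup copy you verify against it.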
What kind of statement is this (Score:2)
They sure as hell know how to back up their stuff, and they've had a lot of practice.
Re: (Score:3)
In my experience: not really. They just have viruses and don't know it.
Most users still don't back up. They just don't think about it.
Re: (Score:2)
"How can you even say that."
It's been my observation over years of dealing with them.
Most people who use computers aren't the Slashdot crowd. They "kinda, sorta" know enough to be able to check their email, surf the web, or play some games.
Usually when they have a failure from malware, they've been infected (perhaps with other things as well) for some time. If they can even find the original system restore disk, they're way ahead of the game.
They get Cousin Jimmy (or one of their kids), cause he's g
Sandbox before browsing (Score:2, Interesting)
Re: (Score:3)
We install Sandboxie on all computers that are in for service. The benefits of using it are explained to the customer. A rogue website only takes over the sandboxed session. If infected, close the box, delete the contents and you're up and running again.
That's completely useless in this case as the malware fools the user into installing it. The user downloads a zip file containing an executable, so it's well outside the sandbox by that point.
Re: (Score:2)
I'm running a browser in a VM. Everything that happens happens inside the VM. Shit goes south, kill the VM, start it up again from a read only image. What malware?
Re:Sandbox before browsing (Score:5, Informative)
> I'm running a browser in a VM... What malware?
Your faith in the security of VM sandboxes is misplaced.
It is trivial to write a program which can detect if it is in a VM. And then, attack the hypervisor and escape the protected environment. As virtualization has become more common, such malware has gone from academic exercises to real-world exploits.
http://www.symantec.com/avcent... [symantec.com]
My favorite line:
With virtualization becoming more and more common
Re: (Score:1)
1) Run a VM on hardware.
2) Run a VM in the VM.
3) Move the first VM into the second VM.
4) Remove hardware.
What malware? This malware (Score:2)
Hopefully it's scaring people into having REAL backups that can't be corrupted without loading/attaching external media or deleting snapshots.
Re: (Score:2)
One would assume that had one taken the trouble to sandbox an operating environment to mitigate risk of data corruption by malware, one would also have made sure that no folder shares were available to that sandbox. Your argument is moot.
Re: (Score:2)
How do you attach documents to an email in a full-sandboxed world?
How do I receive a document by email, update it with my comments, and pass it along to the next reviewer?
A virus news (Score:2)
Why single out Australia? (Score:2)
Re: (Score:2)
Most people on Slashdot are from the US. Australians speak more or less the same language so we care more what happens to them.
Re:Why single out Australia? (Score:4, Interesting)
We care about you, too. Seriously - the support from other countries during the recent tragedy in Sydney is very much appreciated.
Company I work for got hit... (Score:5, Interesting)
Re:Company I work for got hit... (Score:4, Interesting)
Because anyone who has been in IT for any length of time knows McAfee is complete shit? Proxies trying to stop the spread of things distributed by sites that bust their ass to avoid being caught by a blocking proxy?
I.E. If you DEPEND on anything from a 'security' company like McAfee, Kaspersky, F-secure, whoever ... you've already failed. Those are backups that hopefully help to catch the things that the user didn't.
Your first and only REAL line of defense is the user and proper administration like only letting people access files they NEED to access.
I'm not sure that McAfee is that horribly bad (as opposed to being bad), but I suspect malware authors test against the latest versions of all the commercial anti-malware vendors to make sure they'll get through. The malware protection guys will catch up, so McCrappy can be useful against older malware, but no commercial product will stop the latest stuff.
Interesting note about cryptoviruses (Score:5, Informative)
One last note, in about 5%-10% of the cases I have worked on, I was able to recover files from VSS. Most of these variants attempt to disable VSS and delete the shadow copies, but they either are not successful or do it slowly. Yanking the drive from the running environment and looking at it with shadow explorer on a clean box can sometimes save some data. Here in the US Cryptorbit variants seem to be the most frequent I see (cryptodefense, cryptolocker, howdecrypt, etc). They have really exploded in the past month. A recent fake ADP email that was making it through spam filters was responsible for a lot. The linked site downloaded a zip containing an exe with an adobe pdf icon. If you have a suspect exe, see if it has been analyzed on malwr.com and you can get a good breakdown of its precise behavior.
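The post above says these variants try to disable VSS and delete the shadow copies, and that they sometimes do it slowly; that window is where process-creation logging earns its keep, because shadow-copy tampering is noisy and rarely legitimate on a workstation. The following is an added example, not from the article or the poster, that runs a few detection rules over constructed Sysmon-style process events (hosts, user names, paths and command lines are all made up; the fake parent executable name echoes the parcel-tracking lure discussed earlier). A parent process living under a user profile or Temp directory raises the severity, since that is what a freshly opened attachment looks like, while the same command from an installed backup agent is reported at a lower level for review rather than discarded.

```python
import re

# Constructed process-creation events in a Sysmon-like shape (all values made up for the demo).
SAMPLE_EVENTS = [
    {"host": "ws-14", "user": "CORP\\jsmith", "cmdline": "vssadmin list shadows",
     "parent": "C:\\Windows\\System32\\cmd.exe"},
    {"host": "ws-14", "user": "CORP\\jsmith", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet",
     "parent": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\Parcel_Tracking_Info.pdf.exe"},
    {"host": "ws-14", "user": "CORP\\jsmith", "cmdline": "wmic.exe shadowcopy delete",
     "parent": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\Parcel_Tracking_Info.pdf.exe"},
    {"host": "ws-14", "user": "CORP\\jsmith", "cmdline": "net stop vss",
     "parent": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\Parcel_Tracking_Info.pdf.exe"},
    {"host": "srv-02", "user": "NT AUTHORITY\\SYSTEM", "cmdline": "vssadmin delete shadows /for=D: /oldest",
     "parent": "C:\\Program Files\\BackupAgent\\agent.exe"},
]

# Rule name and a case-insensitive pattern over the command line. Listing shadows is not flagged.
RULES = [
    ("vss_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("vss_resize_storage", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("vss_service_stopped", re.compile(r"\bnet1?(\.exe)?\s+stop\s+vss\b", re.I)),
]

# Parent launched from a user-writable location: the footprint of an attachment that was just opened.
USER_WRITABLE_PARENT = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\|\\temp\\", re.I)


def detect(events):
    """Return one alert per (event, rule) match, with severity derived from the parent process path."""
    alerts = []
    for ev in events:
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                severity = "high" if USER_WRITABLE_PARENT.search(ev["parent"]) else "medium"
                alerts.append({"rule": name, "severity": severity, "host": ev["host"],
                               "user": ev["user"], "parent": ev["parent"], "cmdline": ev["cmdline"]})
    return alerts


def burst_hosts(alerts, min_rules=2):
    """Hosts where several different VSS rules fired: isolate first, then pull the drive for shadow-copy triage."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f'{a["severity"]:6} {a["host"]:7} {a["rule"]:24} parent={a["parent"]}')
    print("hosts to isolate:", burst_hosts(found))
```

The poster's recovery advice (pull the drive, read the shadow copies from a clean machine) only works if the copies still exist, so an alert on the first of these commands is worth far more than one that fires after the encryption note appears.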
Re: (Score:1)
Right now, I have a spam purporting to be from FedEx: "Dear Customer, Your parcel has arrived at December 12. Courier was unable to deliver the parcel to you. To receive your parcel, print this label and go to the nearest office. " with their logo and a "Get Shipment Label" button. I could see some people falling for it.
I also have an email suppo
Wording (Score:1)