Ransomware Forces Survey on Victim

Friday, July 12, 2013 @ 04:07 PM gHale

There is now ransomware that locks computers and instructs victims to complete surveys in order to unlock the device, researchers said.

This could be the same malware that was advertising on underground forums.

Music App a Political Android Trojan
Android Master Key Open to Attack
Skype Android Vulnerability
Viber Android Security Bypass

It’s uncertain if the malware, identified by Symantec, Trojan.Shadowlock, is the same one advertised on the underground forums, but the technical details provided by the security firm match the ones from the hacker site ad.

When it infects a device, Shadowlock displays a popup box in which victims have to enter an unlock code. The unlock code will then appear after the victim completes a “quick offer.”

The popup window will not close and, while it’s running, users can’t launch the task manager, command prompt, the registry editor or other applications. The threat remains active even if the user restores the operating system to a previous restore point.

If the wrong unlock code enters three times, the computer restarts. Then 20 seconds after the restart, the popup box appears again. During the 20-second timeframe, users can execute any applications to try and neutralize the Trojan.

Shadowlock has several functions it does not utilize, such as BotKill() and EraseStartup(). It’s also capable of killing popular web browsers, disabling the Windows firewall, eject the CD tray, swap mouse buttons, and open Windows applications.

“Interestingly enough, a vast majority of these functions are never called in the code. Two possibilities come to mind. One is that the author may have found some code and added the survey scam on top of it. The other possibility is that the author may be testing the waters, so to speak,” Symantec researchers said.

“These functions (as well as others) may find themselves being used in a future variant,” they said.

Leave a Reply

You must be logged in to post a comment.