
Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

New ransomware attack blocks Internet access

By | November 30, 2009, 9:32am PST

Summary: Once a machine is infected, a message is posted in Russian demanding a ransom under the guise of activating the uFast Download Manager application.

Security researchers have stumbled upon a new piece of ransomware that blocks an infected computer from accessing the Internet until a fee is paid via SMS (text message).

[ SEE: Blackmail ransomware returns with 1024-bit encryption key ]

According to CA researcher Zarestel Ferrer, the ransomware file is bundled with a program called uFast Download Manager. Once a machine is infected, a message is posted in Russian (see image above) demanding a ransom under the guise of activating the uFast Download Manager application.

Here is a rough English translation:

Internet access is blocked due to violation of the
license agreement schedules of uFast Download Manager
You must activate your copy

Get a registration code by sending an SMS with the following
code fw0004199 to number 7122

In response you will receive an activation message.

Enter the activation message received from the SMS response  ________

CA is offering an activation code generator for this particular ransomware variant.


Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.



If the EULA says the software demands payment then the user has no option but pay.
Not true
jdbukis@... 30th Nov 2009
Kaspersky and McAfee were both taken to court over removal of adware which worked on the same basis.
They were allowed to remove the adware under the good Samaritan clause, meaning they can remove software deemed of a malicious nature if the end user finds it so.
Does it delete half of the file?
LOL, and I thought only ISPs blocked your network access
if you were infected.
Several possible explanations
AzuMao 30th Nov 2009
1.
It only blocks the user from using the Internet,
not itself.

2.
It isn't a virus. It is a trojan horse.

3.
It spreads through physical media.

4.
As soon as the user enters the code, it resumes
spreading.
Not a virus at all
Kualinar 30th Nov 2009
That piece of shitware is not a virus but a trojan.

It masquerades as a download manager, but disables your internet access until you pay a ransom. That part is surely NOT advertised when you download your copy, and surely not when you install it.

It's passed along as a supposedly useful application from a download page or some similar path, like P2P networks.

A Trojan is defined by its delivery mechanism, i.e. how it gets on a machine.

A virus is defined by what it does once it gets there.

Therefore lots of 'Trojans' could also accurately be described as 'Viruses'.

Similarly most 'Worms' would also be considered viruses from a technical perspective, as they actively embed themselves within a host (virus) in addition to automatically propagating across networks (worm).
Virus vs Trojan vs Worm
fish7170 30th Nov 2009
I think mew-shew addresses an interesting point about classifying and labelling malware accurately. And there is some disagreement and confusion about what is what. I'm not the definitive expert, just another systems support type working in a multi-vendor environment. When I explain to my customers the differences I say a "virus" is a platform specific (often) computer program which takes advantage of an application feature or an operating system feature to elevate its own operating permissions above the user sitting at the keyboard to effect changes (often negative) that the user themselves can't undo because the user has "lower" permissions than the virus which generally tries to elevate itself to administrator, domain administrator, root, or system permissions. A virus often hides, on Windows systems anyway, in the ADS (alternate data stream - the file behind the file you can see, sorta) of the NTFS file system for instance, making it double-difficult to even find the virus parts. Whereas I tell my customers a Trojan is a computer program which often simply listens for patterns (spyware) at the same permissions level as the user, then uses what's already available on the user's system (smtp, web, etc) to relay specific data patterns (soc sec #s, credit card numbers, etc) back to its home base. And further describe Worms to my customers as a kind of virus at the network layer which takes advantage of gaps in network and port protocols to move from system to system. And of course the "best" type of malware leverages all three to infect, listen/send, and propagate.
Virus vs Trojan vs Worm
bkfriesen 1st Dec 2009
Well said.
...it is not uncommon that the word virus is used to encompass all forms of malware (viruses, worms, and trojans).
Not really misleading...
Mew-shew 2nd Dec 2009
...as most people are not aware of the proper technical definitions and 'virus' is a widely accepted colloquial term. Most people will not care what the difference is between virus/spyware/adware, they just want it off their machine.

As for the definitions, while the description above is interesting, the definitions provided are far too specific.

Virus = application/code that actively embeds itself within a host system without the permission of the user.

Trojan = application/code that is delivered to a host by "piggy-backing" another process/download that the user may have believed was legitimate.

Worm = application/code that actively propagates across networks.

Therefore trojans are often viruses. Worms are also commonly viruses.
@Mew-shew
AzuMao 2nd Dec 2009
No. Not everything the user doesn't want is a
virus.
It is only a virus if it automatically infects
other files (replicates).
@AzuMao - Did you even read my post?
Mew-shew Updated - 3rd Dec 2009
Where did I say everything the user doesn't want is a virus?

I said that the typical users consider any nuisance/malicious app/code to be a "virus". It's an accepted colloquial term. Do you understand this now that I've repeated myself? Read it again, really... slowly... and it might sink in.

Your definition of virus is very simplistic. It's not necessarily as simple as infecting other executables you know, have a look at the 'Vectors & hosts' section here: http://en.wikipedia.org/wiki/Computer_virus

The wiki terminology should be simple enough for you to comprehend if you read it slow enough. Probably best to go over it a few times to let it really sink in.
It says that a virus is something that infects
files but that many users call anything they don't
like a virus.
..so explain to me again, why is it illegal to inflict retroactive abortions on these bastards???
LOL!
John Zern 30th Nov 2009
Never heard it called that.
The reason that..
AzuMao 30th Nov 2009
..it's illegal to kill someone for sneezing on you
(which is really all it takes to crash Windows; a
sneeze).
...more commonly known as a "postnatal abortion". I've been advocating the process for years. happy

It sounds like these guys are prime candidates. Then again, there is the postesticular abortion...
Ya..
AzuMao 1st Dec 2009
..killing somebody is only called abortion if they
aren't born yet. And postnatal = after birth, so
he's referring to "murder".
re retroactive
andypiesse@... 30th Nov 2009
It is only illegal if you can identify their father
These clowns are born of parthenogenesis
NickNielsen 30th Nov 2009
No father.
You mean like Jesus?
AzuMao 1st Dec 2009
Cool, I guess that makes it fine to kill them huh?


Damn those silly little clowns hacking Windows
again. I'm glad none of them are professional
hackers, or they might actually hack a *nix
system!
Say's you..
ess@... 1st Dec 2009
"I'm glad none of them are professional
hackers, or they might actually hack a *nix
system!"

Who says they aren't and who says they haven't.

Suggest it might be time for a reality check dude.
NickNielsen does.
AzuMao 1st Dec 2009
He says they're just clowns.

Suggest you read the thread before replying dude.
hey dude
LinuxFlamer 2nd Dec 2009
Suggest you get a brain before posting dude
Hey LinuxFlamer
AzuMao 2nd Dec 2009
Suggest you get a sense of humor.
They do have a father...
phatkat 1st Dec 2009
Satan.
Using the term "clown" also demeans all good clowns that make us happy through comic acts. These people should be called scum of the earth.
Agreed.
AzuMao 1st Dec 2009
Clown is so overused as a derogatory nowadays.
It's getting boring. Just call them what they are.
Retroactive Abortion Is NOT Necessary!
arcebus@... 1st Dec 2009
The "pill after" will do as well.
I'd suggest one of Cal .454 Casull.
And now guess where I think it should be placed---
Ya
AzuMao 1st Dec 2009
Great idea.

Let's just kill everyone who gets alleged to be
a hacker.

"Salem hacker trials" what a great ring!


Be right back, I'm going to go hide virus source
code on the computers of everyone I want dead.
That'll teach 'em.
hacker is not the proper term.
satovey@... 2nd Dec 2009
Hackers hack into machines to find vulnerabilities in order to fix and patch those vulnerabilities.

To deceptively install software on a person's computer that unlawfully blocks their internet access is a crack and said actions were performed by one or more 'crackers'.

While both individuals fall under the broad term of programmer, the general term for a programmer is one who writes a program that people can and will use without damaging the system.

Your idea of putting virus code on people's machines would not work as we would use hackers to determine whether or not the individual could have written the code or not.

A hacker helps heal systems, a cracker cracks systems in order to cause a crash or other harm like blocking internet access.

ST
Actually the term is neutral.
AzuMao 2nd Dec 2009
Whether you're breaking into a system to do bad,
or to do good, you are a hacker.

And, according to most people, should be burned at
the stake, or burned at the stake, respectively.
Well maybe they will join us ( the ones who use Linux ) And not worry about their computers getting taken over . .
I don't worry about it now.
John Zern 30th Nov 2009
with my Windows machine.

If Linux is that good, why are you worried?
Who is worried?
apostate 30th Nov 2009
And what are you talking about? I think it safe to say it DOES NOT work on Linux, only Windows OSes. I could go grab the file and look to be sure, but it sounds like a Windows .EXE. So how exactly did you turn this around so that Linux users should be "worried" when it is only your patently inferior OS that is at risk?

Wow.
Because
AzuMao 30th Nov 2009
If all the windozers switch to Linux, thousands of
horrible programmers will be out of their poorly
earned jobs.
Don't forget, too
NickNielsen 30th Nov 2009
All those clueless users will still be clueless, no matter what operating system they use.
Exactly. So it would be very very bad.
AzuMao Updated - 1st Dec 2009
Although it is easy for malware to trash a
Windows system, it is hard for the users
themselves to actually do anything. But most OSs
based on UNIX-like kernels are very easy to
change by the user, so their computers would all
get hosed even faster than with Windows.

This, in addition to the job losses of all the
incompetent programmers MS has given jobs, makes
it a very bad idea! The economy would
suffer greatly as a result.
And given the numbers of vulnerabilities on Linux compared to Windows 7, I'd say at that point we'd all be well and truly screwed.

I honestly think a lot of the current Linux fanboy crowd would just ship if Linux went truly mainstream, i.e. gained the majority market share. It just wouldn't retain the same counter-culture coolness that these posers value so highly (Linux professionals excluded).
Mainstream OS
fish7170 Updated - 30th Nov 2009
I only partly agree with the common Mainstream OS argument which minimizes the differences between Windows and Linux-type and BSD-type (Mac and non-Mac). Viruses are found more on Windows because the OS architecture has gaps which both allow programs to elevate themselves above the users and also hide using features and gaps built right in to Windows. But on Linux and BSD it's technically possible but not likely and not at all trivial to elevate permissions, in part because both have been "network aware" and "multi-user" aware since before Windows was even invented. Linux and BSD are also open source operating systems, so when vulnerabilities are seen they can be fixed by literally anyone in the world who can read and program and submit a fix. (PS - can you name even one Linux or BSD virus?) Whereas vendor-owned OSes have to kind of get around to prioritizing fixes with one hand while continuing to grab money with the other. And as long as customers keep buying, the vendor is encouraged to think they're doing a good enough job even if, when compared to its OS peers, they aren't doing near as well on security (although they win on games hands down).

Where are the Linux and BSD viruses? Where are the programs on either which can elevate their own permissions and hide? There aren't any. Both have vulnerabilities and anyone can be tricked into installing a program (effectively giving a program your user permissions) by simply misrepresenting or lying.

And if you want to talk popular, take a look at the netcraft site and see how many hosting providers -- providers of server solutions which host multi-user websites like the one you're using now -- and see who uses what. It's primarily Linux and BSD.

On a related note, Windows can be hardened to an extent but why it doesn't come that way is a serious stumper. And further, why Windows doesn't simply adopt a more mature multi-user operating system under the covers (like Apple did with BSD) I again don't quite understand. MS is still one of the richest companies in the world so it has the resources and they certainly could if only they wanted to. Perhaps it's that one-handed problem?
re: Mainstream OS
Badgered 1st Dec 2009
Linux and BSD are also open source operating systems so when vulnerabilities are seen they can be fixed by literally anyone in the world who can read and program and submit a fix.

Sure they can, but even so a vulnerability went unnoticed for 8 years. Assuming Linux and BSD had the widespread marketshare that Windows has... I have little faith it would be any better.

(PS - can you name even one Linux or BSD virus?)

Nope. But they would bother why again? Their purpose is to make money.
re:Mainstream OS
mb06bps 1st Dec 2009
One of the best stated arguments I've ever read. Start a column...it might be worth reading vs. this other crap.

Thanks.
Re: Badgered
AzuMao 1st Dec 2009
There's more than one factor to security.

You should also take into account how serious
the vulnerability is, and whether many people
know about it.


If it requires direct hardware access to
exploit, it doesn't matter if it exists for a
hundred years.

If it's a denial of service at worst, and gets
fixed as soon as it's discovered, it doesn't
matter.

So please give the whole story; what could your
8-year-old vulnerability do? And how long did it
take to be fixed once it was known?
Location?...
JCitizen 1st Dec 2009
You say where are the linux viruses? I assume you mean location, so here goes!

http://www.sophos.com/blogs/sophoslabs/v/post/1748

This is just one link; I don't want to bomb you with hyperlinks running out our ears.
We're all gonna die!
Sophos FUDware
Wintel BSOD 1st Dec 2009
Written by an anti-virus company to boost sales.

lol...
Always the response...(nt)
JCitizen 1st Dec 2009
.