Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Scareware meets ransomware: "Buy our fake product and we'll decrypt the files"

By Dancho Danchev | March 26, 2009, 7:16am PDT

A newly circulating piece of scareware called File Fix Professional 2009 (FileFix Pro 2009) has the potential to change the way spreaders of rogue security software optimize their revenue in the future: rather than merely scaring the victim with fake scan results, it encrypts critical business files and demands a $50 purchase of the fake product for the decryption.

This hybrid ransomware is strongly reminiscent of the targeted GPCode campaigns of June 2008, where the malware authors' tactic was undermined by their failure to securely wipe the original files after writing the encrypted copies: the deleted originals could be recovered with ordinary undelete tools, without paying the authors anything.

Thankfully, FileFix Pro 2009's encryption is anything but unbreakable, and several vendors have already released free decryption tools. Upon execution, FileFix Pro 2009 attempts to encrypt files with the following extensions:

- doc, xls, ppt, pdf, jpg, jpeg, png, mp3, wma, mdb, pst, docx, docm, dotx, dotm, xlsx, xlsm, xltx, xltm, xlsb, xlam, pptx, pptm, potx, potm, ppam, ppsx, ppsm
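The two technical points above, that the trojan goes after a fixed list of extensions and that a sloppy operator (GPCode's unwiped originals) leaves the data recoverable, can be turned into a small triage script. What follows is an added example written for this post; it is not FileFix Pro 2009 code and not one of the FireEye or Symantec decryptors, and it knows nothing about the trojan's real cipher or output format. It assumes, hypothetically, that an encrypted file no longer begins with its format's standard signature, and it stands in for the cipher with a single-byte XOR so the sample directory and the fake disk image can be built offline. The extension list is the one from the post; the signatures are the standard leading bytes of those formats (MP3 has no fixed header, so it is reported as unverifiable rather than guessed at).

```python
"""Triage helpers for a FileFix-Pro-style file-encrypting scareware.
Added example for this post: not FileFix Pro 2009 code, not a vendor
decryptor. Uses only the extension list from the post and the standard
leading bytes of those formats; XOR "cipher", sample tree and disk image
are constructed for the demo."""
import os
import tempfile

# Extensions the post says FileFix Pro 2009 tries to encrypt.
TARGET_EXTENSIONS = {
    "doc", "xls", "ppt", "pdf", "jpg", "jpeg", "png", "mp3", "wma", "mdb",
    "pst", "docx", "docm", "dotx", "dotm", "xlsx", "xlsm", "xltx", "xltm",
    "xlsb", "xlam", "pptx", "pptm", "potx", "potm", "ppam", "ppsx", "ppsm",
}
OOXML = {"docx", "docm", "dotx", "dotm", "xlsx", "xlsm", "xltx", "xltm",
         "xlsb", "xlam", "pptx", "pptm", "potx", "potm", "ppam", "ppsx", "ppsm"}

# Standard signatures: kind -> (leading bytes, extensions). MP3 has no fixed
# header (the ID3 tag is optional), so mp3 files come back "unverifiable".
MAGIC = {
    "ole2": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", {"doc", "xls", "ppt"}),
    "zip": (b"PK\x03\x04", OOXML),
    "pdf": (b"%PDF", {"pdf"}),
    "jpeg": (b"\xFF\xD8\xFF", {"jpg", "jpeg"}),
    "png": (b"\x89PNG\r\n\x1a\n", {"png"}),
    "asf": (b"\x30\x26\xB2\x75\x8E\x66\xCF\x11\xA6\xD9\x00\xAA\x00\x62\xCE\x6C", {"wma"}),
    "jet": (b"\x00\x01\x00\x00Standard Jet DB", {"mdb"}),
    "pst": (b"!BDN", {"pst"}),
}
TRAILER = {"pdf": b"%%EOF", "jpeg": b"\xFF\xD9"}  # where a carved file ends

def classify(path):
    """ignored / unverifiable / intact / suspect, judged by the file header."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    if ext not in TARGET_EXTENSIONS:
        return "ignored"
    sigs = [magic for magic, exts in MAGIC.values() if ext in exts]
    if not sigs:
        return "unverifiable"
    with open(path, "rb") as fh:
        head = fh.read(32)
    return "intact" if any(head.startswith(s) for s in sigs) else "suspect"

def triage(root):
    """Classification of every targeted file under root, keyed by '/'-path."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            status = classify(path)
            if status != "ignored":
                result[os.path.relpath(path, root).replace(os.sep, "/")] = status
    return result

def carve(image):
    """Sorted (offset, kind) of every known signature in a raw image: this is
    how originals a trojan deleted but never wiped are found again."""
    hits = []
    for kind, (magic, _) in MAGIC.items():
        start = 0
        while (i := image.find(magic, start)) >= 0:
            hits.append((i, kind))
            start = i + 1
    return sorted(hits)

def extract(image, offset, kind):
    """Bytes of one carved file, cut at its trailer; None if not recoverable."""
    trailer = TRAILER.get(kind)
    end = image.find(trailer, offset) if trailer else -1
    return None if end < 0 else image[offset:end + len(trailer)]

# Constructed sample files (minimal but correctly-headed).
PDF_SAMPLE = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF"
JPEG_SAMPLE = b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00" + b"\x00" * 20 + b"\xFF\xD9"
DOCX_SAMPLE = b"PK\x03\x04" + b"\x00" * 26 + b"[Content_Types].xml"
MP3_SAMPLE = b"ID3\x03\x00" + b"\x00" * 20

def scramble(data, key=0x5A):
    """Stand-in for the trojan's unspecified weak cipher: single-byte XOR."""
    return bytes(b ^ key for b in data)

# Fake raw disk image: untouched PDF, its XOR'd copy, filler, then a JPEG.
SAMPLE_IMAGE = b"\x00" * 16 + PDF_SAMPLE + scramble(PDF_SAMPLE) + b"\xAA" * 8 + JPEG_SAMPLE

def build_sample_tree():
    """Write a small victim directory into a temp dir; returns its root."""
    root = tempfile.mkdtemp(prefix="filefix-triage-")
    os.mkdir(os.path.join(root, "docs"))
    files = {
        "docs/invoice.pdf": PDF_SAMPLE,              # untouched
        "docs/report.pdf": scramble(PDF_SAMPLE),     # "encrypted"
        "docs/slides.pptx": scramble(DOCX_SAMPLE),   # "encrypted"
        "photo.jpg": JPEG_SAMPLE,                    # untouched
        "song.mp3": MP3_SAMPLE,                      # targeted but unverifiable
        "notes.txt": b"plain text",                  # not targeted
    }
    for rel, data in files.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root
```

Run `triage(build_sample_tree())` to see the two scrambled files come back as "suspect" while the untouched ones are "intact", and `carve(SAMPLE_IMAGE)` to see that only the unscrambled PDF and the JPEG are found in the fake image. A header mismatch is a triage hint, not proof: a .doc that is really RTF, or an OOXML file renamed to .xls, will be flagged too, so confirm before acting, and leave the encrypted files untouched so the vendor decryptors have something to work on.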

A logical question remains: why introduce a ransomware motive into a business model that has already proven highly successful, earning cybercriminals thousands of dollars daily? Is it the economic slowdown eating into their revenues, or plain profit optimization? I'd go for the second, and in particular a rather logical move given all the media attention rogue security software has started receiving.

From the emphasis on visual social engineering to the traffic acquisition tactics, it is the affiliate networks that set the standards by which participants in the network operate. If this tactic goes mainstream, the first affiliate network to implement it on a large scale will be able to steal market share from competing networks, thanks to the improved payout rates the ransomware motive brings. So far, that does not seem to be the case.

FireEye Labs, Symantec and third-party researchers have already released free decryption tools for FileFix Pro 2009 that affected parties can take advantage of. Before running any of them, copy the encrypted files elsewhere first, so that a failed or partial decryption can be retried against an intact copy.

Biography

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He has been an active security blogger since 2007 and maintains a popular security blog sharing real-time threat intelligence data with the rest of the community on a daily basis. More details on Dancho Danchev's current and past professional affiliations can be found in his LinkedIn profile. You can also follow him on Twitter.
Comments (49)
As soon as I read this I looked over at my wife and said "God I'm glad we left Windows!" The more I read of this crap the happier I am I switched.
http://blog.fireeye.com/research/2009/03/a-new-method-to-monetize-scareware.html
So don't drop your guard just yet.

The death of one diminishes us all. I don't praise one OS over another, as all human-built systems are inherently flawed. Remember, while you're pointing at something/one there are 3 fingers pointing back at yourself.

My wife can get by on Ubuntu, I can not.

Since there aren't enough users to be profitable for malware scumbags, you may be less of a target. But you have less compatibility with popular programs and must settle for substitutes, dual boot, or do without.

Anytime anyone tries to warn us about some evil, fanbois from all sides start crawling out of the woodwork going "SEE SEE SEE". At least you didn't attack the messenger.
0 Votes
Followed your link and I don't see where it says this was done on a linux machine. The relevant quote appears to be: "Below you can see the webpage for the "fix", FileFixPro.com... which they clearly did not QA on FireFox 3 under Linux." I followed links from that page and they all seemed to be about Windows and Microsoft Office files. I may have missed what you were referring to. Could you provide quote from web site or a link to elsewhere which describes its actions on Linux with Firefox or any other browser?
0 Votes
No he didn't!
InAction Man 26th Mar 2009
Failed at reading comprehension?
0 Votes
Shocker your link says nothing about Linux
devlin_X Updated - 27th Mar 2009
Nice try!



" Since there's not enough users of to be profitable for malware scumbags. You may be less of a target. But you have less compatibility with popular programs and must settle for substitutes, dual boot, or do without."

Can your Windows machine run Linux apps? Can it run Mac apps? I think your point is worthless. I can however run most Windows apps thanks to utilities such as Wine, Cedega, Win4Lin and others. What cross-platform utility do you have to make use of Linux apps? hmmmm.... didn't think so. I will say though, the open source community has made nice inroads in the world of Windows.... Who needs proprietary software?

http://osswin.sourceforge.net/
0 Votes
Duh?!?
LeeC Updated - 27th Mar 2009
Why would you want to run shareware-quality Linux apps on a Windows machine, for God's sake?

I don't know where you people get the idea that people want Linux apps, or most open source software for that matter. It's 90% crapware and nobody except the amateurs on this site want it.

I'll take paid for software over crapware-apps any day of the week.

Oh, and maybe those in Linux-denial mode could explain what OS shell that person in the link used to get the Windows desktop looking like that. My Windows taskbar certainly doesn't look like it (in either XP or Vista), but when I used Linux, it looked much more like that. 4 virtual desktop areas, looks like Linux to me.

Or aren't you clued up enough to recognise GUI details? Or maybe you are and that's the whole point?
0 Votes
Of course...
fairportfan 27th Mar 2009
...it was a Linux machine. He said so.

Probably he was using the Linux machine to investigate it because he could download the Trojan without worrying it might actually do some damage.

As to paid-for software being better than free/open-source - I assume you'd buy a Lincoln Town Car over a Mercury Marquis, because it costs more and therefore must be better. (Clue: Town Car and Marquis are just a Ford Crown Vic with fancier trim and doodahs.)
0 Votes
Shareware quality apps?
Snooki_smoosh_smoosh 14th Sep 2009
That is a bunch of bunk.

You can continue on paying your huge premiums for software if you wish, and paying the tax every time a new upgrade comes out. Open Office open source and love it. Truecrypt love it. Gimp, Aptana, XMind, Password Safe, Firefox, Thunderbird, Virtualbox, and more. In fact all of these I have listed are Windows compatible as well.

I am not going to go into a pissing match over what is good for industry or not, as every industry is different. The fact is, whether you are running Windows, Apple, or a *nix or BSD kernel, each can be equally productive. Having flame wars over it is not productive. Several Disney Pixar movies were made and produced using Linux. Many of the MINOS researchers run Linux; others use Windows and Apple.

Sorry, but I don't think that there is a one size fits all. And the ability to run an app on a given platform lies with the dev. Any software written for Windows could be written to run just as well and identically on other platforms, and vice versa.

So the Flame war is artificially created.
0 Votes
Will somebody PLEASE write a virus for *nix / Mac so we can quit hearing this kind of crap from fanboiz
0 Votes
Here.
kozmcrae 27th Mar 2009
http://www.geekzone.co.nz/foobar/6229

Do it yourself, it's easy.
0 Votes
They already have them...
dayjm 30th Mar 2009
The issue is trying to find them for *nix.

Mac's can easily get a few that are floating around right now.

The main issue is social engineering the end-user to install them with root privileges.
0 Votes
...this wouldn't be such a problem.
0 Votes
Backup
lynnguist@... 26th Mar 2009
yes, yes, yes
People do have a choice. They can avoid this problem entirely if they want. If they choose to expose themselves to software abuse it is their choice and we must respect that.
0 Votes
RE: Scareware meets ransomware:
Loverock Davidson 26th Mar 2009
DOA. The user would need to get infected first, Microsoft Windows prompts you if you want to run any file before actually opening them. Plus the fix is already out. Malware writers waste their time on Windows as its security has proven to beat them every time.
0 Votes
Well for users who understand the security
Been_Done_Before 26th Mar 2009
I spent two hours this Sunday fixing a friend's computer after he "somehow" installed Antivirus 2009, which then installed a plethora of other crap.
0 Votes
Hence the reason...
Dave32265 27th Mar 2009
the UAC is useless.
0 Votes
UAC is unsafe.
jamsoftgamedev@... 31st Mar 2009
People will click Yes anyways. If a site tells them they are getting free emoticons, they believe they are getting free emoticons.

In Linux, even when the user accepts it, it doesn't do anything, because it does not have the privileges. Besides, it's hard to convince a Linux newbie to run it under root, since he probably won't even know how to get there. Security by obscurity might not be good, but at least better than the Windows protections.
0 Votes
Right...
Timpraetor 26th Mar 2009
That's why this isn't a problem.

I believe that Dancho's point is that the malware authors are getting ever more crafty in their approaches to parting a fool and his money.
0 Votes
RE: Scareware meets ransomware:
RyuDarragh 7th Mar 2011
@Loverock Davidson: Uhm, it's the scripting/java tools built into most browsers (and the Chrome "sandbox" was already broken out of not once, but twice, using these) that allows most infections of scareware/ransomware. I've seen far too many of such on all kinds of machines. If third party tools/helpers/plugins allow a macro/script language to run and create/DL files on the users machine, such will be exploited.
0 Votes
No problem here.
kozmcrae 26th Mar 2009
I use Vista so I'm totally immune from all that malware intended for Linux. That is the target, isn't it?
0 Votes
Close, but ...
Timpraetor 26th Mar 2009
The article isn't about who's exposed, but that the malware authors are getting even more creative.

0 Votes
RE:No problem here.
richdave 26th Mar 2009
Not intended for Linux! Everything I have looked at shows it is Windows specific. invmgr@... is wrong! I don't think that he really read the page he linked to. I asked him to clarify, to provide some kind of unambiguous reference to Linux being a targeted platform but I don't expect that he will be able to do so.
0 Votes
Actually...
kozmcrae 26th Mar 2009
I was making a reference to the fact that the target of all this malware is never mentioned. That's very strange. It would be like writing an article about the Holocaust and never identifying the victims. We are suffering a digital holocaust but these authors rarely mention who the victims are. So according to Dancho Danchev people who use an operating system made by Microsoft need not worry. They're not the target. Isn't that right Dancho?
0 Votes
RE:Actually...
richdave 26th Mar 2009
>>>...I was making a reference to the fact that the target of all this malware is never mentioned...

Reference seems unnecessarily obtuse and oblique.
0 Votes
Re: No problem here
LeeC 27th Mar 2009
Then identify the OS in the screenshots posted on that linked page?

Tell me the add ins to give you a quadrant based virtual desktop (a la Linux) in a Windows environment. You can clearly see that on the taskbar. Prove people wrong by stating what apps can create that taskbar display on a Windows desktop.

Just because Linux is never mentioned, doesn't mean that the screenshots aren't clearly identifiable.

Reading a page involves more than looking at the words, try reading the pictures too.
0 Votes
You are so silly. Could you please explain
InAction Man Updated - 27th Mar 2009
what a "quadrant based virtual desktop (a la Linux)" is?

Did he?

When you're showing malware you can't use a compromised system, you must use something secure and reliable, so the author chose Linux, of course!
0 Votes
Just wishful thinking...
Dave32265 27th Mar 2009
on his part. Glad I stepped away from windows a long time ago.
0 Votes
RE: Scareware meets ransomware:
RyuDarragh 7th Mar 2011
@InAction Man: Quadrant based refers to the small square of numbers where one (the 1 position) has the FireFox logo. This looks like a flavor of Debian installation as I see both KCalc and Root and Buddy on there in the quicklaunch and those are common in Debian installations.
0 Votes
RE: Scareware meets ransomware: RICO
jhorowitz@... 26th Mar 2009
By any reasonable judgement, all these malware programs are nothing but extortion, which is a federal felony. And these malware companies could easily fall under the organized crime, or RICO, statutes. And they all have a US (albeit unwitting) partner in their criminal enterprises: VISA and MasterCard. Attaching VISA and MasterCard to a RICO investigation would stop these corrupt businesses in their tracks, as the credit card companies would then move extremely quickly to disable their merchant accounts and they would no longer be able to collect money from their victims.
It puzzles me why the Feds have not moved already in this direction.
0 Votes
Most probably they are located in Russia or the Ukraine and thus above American law.
0 Votes
Wherever they are,
arcebus@... 27th Mar 2009
if there's money flowing, there's information where it goes.
We don't need another discussion about "see, my gnagna-OS is bigger than yours and if you don't believe me my little sister will come over and beat your xss up".
What we need is gallows and scaffold for the "authors" of such "business plans".
See, when you try to act on the info you gathered it will be too late. Those guys will be somewhere else and the money will be flowing to new accounts.

They move so fast, that you will have to make a few changes in the banking system to be able to get them.
0 Votes
You have no clue about merchant accounts...
Marty R. Milette 30th Mar 2009
I hate to break it to you -- but it is difficult to impossible for someone outside a 'western' country to even GET a credit card merchant account.

PERIOD.

I'm a Canadian, living in Russia, but despite having a perfect credit and PayPal record for the past 20 years -- not only is there not a snowball's chance in hell of GETTING a merchant account -- if I so much as even DARE to LOG IN to my Canadian PayPal account from Russia -- they'll block it instantly and it will take MONTHS to get it unblocked.

The truth is that the credit card companies make BILLIONS from processing these transactions -- and MOST of the money happily ends up in US bank accounts.

Don't believe it - do your own research. For example, according to Spamhaus (http://www.spamhaus.org/statistics/countries.lasso) The USA is the NUMBER ONE source of SPAM on the entire planet. As of today, for "Number of Current Known Spam Issues" they are listed as having 1,548 -- which is 320% more than China, and almost 500% that of Russia.

Interestingly enough, the UK is listed in 4th place -- another western country capable of easily processing credit cards -- but with a lot more checks and balances than the USA.

I suspect Russia and China are only so high because they have western partners -- able to process the credit cards for them.

Again -- we need to point the finger of blame squarely where it belongs -- to the people PROCESSING and RECEIVING the MONEY.
0 Votes
Visa and MC are "witting" partners
terry flores Updated - 30th Mar 2009
and the reason that ransomware, kiddie porn and identity theft are so lucrative on the internet. They look the other way when all that illicit money is flowing through their network. The merchant banks are the ones left holding the bag on most of the scams, or left with the task of figuring out who is a law-abiding merchant and who is gangster scum.

Sadly, the laws are written to protect the credit card companies and the banks, not the consumer. The Feds do try to track some of the money going for "high-profile" crimes like kiddie porn, but they could care less about unsexy crimes like ransomware and plain old fraud, since they don't get the headlines.

And since the Feds are quite willing to let a paltry few billion dollars per year go to malware writers and identity thieves, it's a profitable business that will continue to thrive.
0 Votes
RE: Scareware meets ransomware:
PhotoLeon1935 26th Mar 2009
I refused to pay the ransom and could not find help. Norton and Mcafee did not have a solution. I had to reformat and re install everything. I had to add a system and removable drives and spent many thousands of dollars to recover. It confirmed my suspicions that virus removal companies plant their own garden. It is an evil I have to live with. Who can you trust?
just browse the comments posted in these forums and you will find the answer spread all over the place.
0 Votes
With his luck...
MGP2 26th Mar 2009
he'll read Lovey's first. happy
0 Votes
Good one!
InAction Man 26th Mar 2009
That in fact is a serious risk. He is on a losing streak and an encounter with loverock's drivel would only make things even worse.
0 Votes
You're Right! Most of them ARE offshore.
jhorowitz@... 26th Mar 2009
You're right. They are nearly always somewhere like Russia or Pakistan. But, in order to collect money from American credit cards, they have to use the VISA/MasterCard network HERE. And VISA and MasterCard (and Discover and American Express) can easily block those merchant account numbers from the networks. Thus by NOT blocking those merchant accounts, and also TAKING MONEY for the transactions through their interchange fees, they are effectively a party to these organized crime activities. Hence my RICO suggestion.
0 Votes
It's not that simple!
InAction Man 26th Mar 2009
Or it would have already been done. Establishing all the links and producing the necessary proof is often too difficult, and those crooks move so fast that when you go to get them they are not there any more.
0 Votes
Worth a read, and how professionals do security reporting (note ZDNet, George Ou and others).

"Red Hat® Enterprise Linux® 4 was released on February 15th, 2005. This report takes a look at the state of security for the first four years from release. We look at key metrics, specific vulnerabilities, and the most common ways users were affected by security issues. We will show some best practices that could have been used to minimise the impact of the issues, and also take a look at how the included security innovations helped."
http://magazine.redhat.com/2009/03/10/risk-report-four-years-of-red-hat-enterprise-linux-4/
0 Votes
RE: Scareware meets ransomware:
atari8bit@... 27th Mar 2009
All free scans do nothing to FIX what's wrong. All they want is $29.95 or more for the program.

In the last 2 days I have had 2000 spams at gmail and I've won so much stuff, it's funny. That's how people get in trouble. Win a Motherboard and your bank account gets tapped for $600.

This just shows how creative the jerks are and how they think of new ways to get your money.
0 Votes
Easy to stop, but nobody wants to...
Marty R. Milette 27th Mar 2009
This product and every other product sold by spam could be stopped in its tracks very simply -- just FOLLOW THE MONEY.

When you buy anything with a credit card -- it goes to the merchant's account -- all you need do is block that bank account -- problem solved.

The trouble is that nobody WANTS to stop the sale of these bogus products because the banks and credit cards make BILLIONS doing it.

Interestingly enough -- what you'd also find is that the vast majority of this money heads straight into US bank accounts -- because people in countries like Russia, China, etc. simply CANNOT GET merchant accounts...
0 Votes
GO FOR THE MONEY!!!!!
theteamtec Updated - 27th Mar 2009
I have been shouting this from the rooftops for YEARS! It only makes logical sense! People can spoof IP addresses, hijack web servers and maintain a level of anonymity, BUT the goal is to get money in their grubby little hands and there is ALWAYS a trail.

If the IRS can squeeze the Swiss bankers to divulge secret account info, then the Justice department should be able to do something similar with regards to these high-risk merchant providers that process the transactions for these jerks. Imagine the cost to society in lost productivity and having to hire people to remove this crap off of their systems.

I think perhaps the lobbyists from Best Buy might be blocking legislation to go after malware vendors in an effort to protect the primary function of the Geek Squad wink

Matt Fleming
StealthVue.com
0 Votes
RE: Scareware meets ransomware:
Bilmekanikeren 30th Mar 2009
ROFLMAO
0 Votes
It's called security.
jamsoftgamedev@... 31st Mar 2009
In Linux, there is something called security. In fact, you can't destroy your system without logging in as root first, or sudo'ing yourself (Linux, contrary to Windows, does NOT encourage use of an administrator account).

Also, there is a HUGE user AND programmer base behind Linux. Any vulnerability gets patched up by them before Microsoft can even say "oh ****, there's an exploit".

The advantage of Linux is that the developer team is WAY bigger, and things are fixed a lot faster.

And of course I will still get the reply "that's because no viruses have been made for Linux". Well, about 80% of the webservers in the world are running some sort of Unix or Linux. Webservers being really powerful machines, and being able to take down websites easily, you would expect a virus already being written for it, no? In fact, there ARE *nix viruses, they simply cannot do damage due to the superior security system that *nix uses.
0 Votes
RE: Scareware meets ransomware:
birumut Updated - 3rd May 2011
Well done! Thank you very much for professional templates and community edition
seslisohbet seslichat
