Blackmail virus returns with browser threat
Japanese Kenzero malware issues threat we should take seriously.
By John E. Dunn | Published: 13:44, 19 April 2010
This is a crafty one. It copies the embarrassing browsing history of its victims to a website and then demands a ransom of around £10 ($15) to take it down from public view.
It first finds its way on to PCs via a sexually explicit Japanese anime program downloaded illegally from the Winny file-sharing service, before going through a bogus install routine that asks the person for their name and (one assumes) address. It then scoops up the browser history before sending a message that adds to this presumed embarrassment the fact that the user has installed pirated software.
Assuming a user’s browser history is that embarrassing, ouch. Luckily, this is not malware that poses much of a threat to the average computer user, but it holds within it a warning of sorts.
Ransom malware (malware that steals or locks/encrypts data and demands money for its return) is one of the most obvious social engineering attacks imaginable, but since first appearing with Cryzip in 2006 there have been very few examples, and that's because the model has a small flaw. For the attack to be worth it, victims need a way of paying, and that's not always easy to set up.
Ideally, the criminals need an online account that can receive cash direct without an intermediary such as a credit card or bank, which might spot such transactions. Direct cash accounts (remember eGold) tend to have poor reputations and are often blocked by default. Even when not blocked, scams need to generate their profit quickly and this is tricky to do when accounts can be closed down within days.
A second reason is that criminals found an easier way to generate money from the alert-threat technique: scareware, where users are manipulated into buying bogus antivirus software by being told that their machine is infected with a non-existent virus. That has turned into a huge money-making industry because the user consents to installing rogue antivirus from apparently legitimate companies, so the payments are harder to spot and stop.
It seems plausible to me that the scareware industry could try out Kenzero-like techniques in the future. Rogue antivirus software captures enough data to identify real users, can easily steal browser or other data from a PC, and has a working means of taking the ransom that might not be quickly noticed.
An infected user could probably uninstall the rogue antivirus using genuine antivirus software, but what if the browsing history or other personal data such as emails had already been posted to a website? It's higher risk for the criminals because it will be noticed more quickly, and it would clearly fall foul of extortion and blackmail laws in most countries, but that wouldn't necessarily worry east European gangs.
Browser histories can be cleared after every session and file data can be encrypted, but the sort of people who use such features are probably not the sort the criminals are going after. The best defence is simply to have no embarrassing or personal data on a PC. So at least 10 percent of users have nothing to worry about then...
Perhaps last year's Vundo Trojan was a halfway house to this type of attack.