"Police e-Crime Unit" malware

Jamie123

I don't know if anyone here has seen this - it has to be one of the most interesting, clever and vile pieces of "ransomware" ever found, and I suspect has been very lucrative to the people who designed it. What it does is to lock your computer, replacing your desktop with a single window saying that "Illegal activity has been detected on your computer". It goes on to quote your location and IP address, list the sort of activity that has been detected, e.g. terrorism, illegal porn, illegal gambling, copyright infringement and the fictional offence of "negligent use of a computer" (by which they mean unwittingly allowing your PC to become part of a botnet).

Now here's the clever part: it goes on to tell you that you can avoid prosecution if within the next 24 hours you pay a £100 on-the-spot fine - for which you need to buy "UKASH" and enter the credit code into a textbox which they usefully provide. If you do this then they will unlock your computer and the whole episode will be forgotten.

Now this is obviously nonsense because:

(i) Remotely locking suspects' PCs would be a stupid way to fight e-crime. Given such a warning, any genuine e-criminal could just rip out his hard drive and throw it into the nearest incinerator, thus destroying the evidence.

(ii) If the authorities genuinely suspect someone is involved in terrorism don't you think they'll at least want to question them before letting them off with a £100 fine?

(iii) Although at first glance the window looks professionally designed (with the Metropolitan Police logo and the coats of arms of all the other UK police forces) if you look closely you see that the grammar is that of a 13-year-old and they can't even spell "pornography" right.

However, none of this is going to occur to the poor angst-ridden individual who has a guilty conscience about something he's seen or done on the Internet. "It's all been found out!" he wails. "I'll go to jail! I'll lose my job, my home, my marriage! It'll be in all the papers...my mother will die of shame! My wife and kids will leave me! I'll be a social pariah..." and then he notices the £100 get-out clause. Hope wells up within him. "Why don't I just pay and be done with it?" he asks. "Then no one will know!"

And that's how (or so I bet) the hackers who made this will be raking it in!

If this happens on your PC don't panic. There are plenty of websites with instructions on how to get your PC back (there is a video on it here: ) though obviously you will need another computer to get to it.

And the moral of this story is keep your antivirus software updated!

P.S. Another thought has just struck me - I wonder what message you get if you do pay the fine. I suspect something along the lines of "Thanks for the money Mr. Stupid!" but I'm not going to spend £100 to find out!


I was hit by the FBI one and had to roll back my system by a few days to get rid of it, as it was locked for hours. If it happens to anyone and they pay, understand that it takes them hours to collect, so if you fall victim to it and you pay out of fear, go to your PayPal account and add the number of the cash card and it will put the money into your PayPal account and they will not be able to collect the ransom.


the thing is, even if you do pay the fine (which you should never do with these), who says they'll ever unlock your computer again?

Just clean up your drive and move on. I've been hit twice with this one over "illegally downloaded music" even though I've never downloaded any music onto my computer. I usually buy the CD then rip it to my hard drive. That way the CD is my backup. Just pick a good restore point, set it with Windows, then use it when you need to lock out the virus. Oh, and put your router settings to public system. It makes it tougher for the viruses to get in.


Maybe clever and certainly vile, but it's basically the same old "someone you don't know shows up saying you need to give them money" deal. There's nothing interesting or new about preying on people's fears and ignorance.

Hey everybody on the planet - if someone you don't know shows up and says you owe them money, they might be scamming you. It doesn't matter if it's a popup pretending to be law enforcement, or the toner guy calling your office demanding payment for a printer you don't have, or a guy from Zimbabwe telling you that your $200 will get you millions, or your distant acquaintance who contacts you via Facebook to say they're trapped in Heathrow airport, or the guy you just hit in the parking lot demanding a hundred bucks or he'll sue, or an interesting job opportunity that requires you to "buy in", or the guy who saw your car ad and runs a consignment shop and is certain he can find a buyer for a thousand more than you're asking, or anything else. Think, humans - does whatever you're looking at involve taking money from you and putting it with them? Then it might be a scam.

No really.


I was hit by the FBI one and had to roll back my system by a few days to get rid of it, as it was locked for hours. If it happens to anyone and they pay, understand that it takes them hours to collect, so if you fall victim to it and you pay out of fear, go to your PayPal account and add the number of the cash card and it will put the money into your PayPal account and they will not be able to collect the ransom.

The original FBI virus exploited (as I recall) a Java loophole and was fairly easy to roll back (which is what I did the first time I got hit).

The second time, the code had "evolved" so that it overwrote and corrupted the directory and basic DOS files to the point that it COULD NOT be rolled back. Not in "safe mode", and not at the command level. Even if the malicious bastards had been paid, they couldn't have fixed the damage they'd done.

All of the major anti-virus/anti-malware suites were days/weeks/months behind a fix for the problem.

McAfee finally got a fix two weeks after I was hit the second time - and it involved (again, as I recall) an upgrade to Java rather than to the anti-virus suite.

The only solution was to do a complete rebuild/re-install of the Operating System.

When my roommate was hit a week later, he had to take the same steps.

Fortunately, when you do a re-install/clean install onto a system that already has a Windows OS, it gives you the choice of saving an archive image of the old OS.

I was able to crack into that to recover most of my data and files.

Lessons learned?

1) Hackers are scum.

2) Even reputable websites can give you viruses.

3) Even up to date anti-virus files are one-step behind the leading edge.

4) Backup your files.


5) Macs are awesome ;)

^^ This doesn't get infected with viruses often either. Viruses are for real computers only.

I've seen the e-crime malware and its variants multiple times. It's not a particularly advanced piece of malware; almost anyone can exploit the Java plugin nowadays and they usually exploit already known vulnerabilities. If you have it, unless you really need it I recommend you disable it; it's so full of holes that I doubt it'll ever be reasonably secured.

No, a real piece of malware is Flame and its predecessor Stuxnet. Suspected to have been created by Israel in conjunction with the USA to target Iran, it's considered to be the most complex malware ever found in the wild and the first real instance of cyber warfare. The most interesting part of it is just how many exploits (including zero-day exploits) of independent pieces of software/firmware it makes use of.

http://en.wikipedia.org/wiki/Flame_(malware)


Malware that hijacks your computer, prevents certain actions such as accessing the Internet while looking like authentic software has been on the rise lately.

My desktop has the issue: can't access the Internet. It demands I pay Microsoft money so the virus is removed. It's a scam, and I have to edit my registry and go through a big hassle just to remove the malware. Super annoying, but I have my laptop. :)


Try Malwarebytes Anti-Malware to remove the infection from your desktop. Load it onto a USB thumb drive, boot to safe mode, then run it. If that doesn't do it, post in the "Am I infected" forum on Bleeping Computer. This is where I go for help for almost any computer issue, including BSODs, malware, or anything else. Be patient, as it is all volunteer people, most of whom have regular jobs.

Bleeping Computer - Technical Support and Computer Help
