Two threats prey on SMS users, one as blackmail and the other as a trick to install malware.
A new "ransomware" threat described by Symantec
uses SMS as part of the scheme. Meanwhile, according to F-Secure, the Waledac botnet is pushing fake programs
that supposedly let you monitor other people's SMS messages.
The ransomware threat is in Russian and identified by Symantec as Trojan.Ransomlock
The software locks up the system and demands a code from the user in
order to unlock it. The window in which it presents this demand
resembles vaguely the Windows activation screens, perhaps attempting to
look legitimate in that way.
The demand states (the numbers here are just examples):
To unlock you need to send an SMS with the text 4113558385 to the number 3649
Enter the resulting code:
Any attempt to reinstall the system may lead to loss of important information and computer damage
Symantec did not test the actual SMS sequence. Probably the attackers receive money for each SMS sent to that number.
Instead, Symantec reverse-engineered the code generator and created a tool to generate codes
It should also be possible to remove Trojan.Ransomlock by booting off a
separate operating system and removing the relevant files and registry
After you enter the unlock code, the message goes away, but Windows
could still be locked up. At this point you can use Ctrl-Alt-Del (which
doesn't work before you enter the code), log off and the log back in.
The Trojan is gone at this point.
Symantec doesn't say how the Trojan spreads; it may be that it was not found in the wild.
The second threat is new activity by the Waledac botnet, which has
been around for some time and is thought to be related to the Storm
worm. Recent reports indicate that Waledac is being spread, among other
methods, by the Conficker botnet
Waledac-pushing Websites (a list of many of which may be found in the F-Secure writeup
are now pushing a "30-day free trial" of a program that supposedly lets
you monitor other people's SMS messages. "Do you want to test your
partner or just to read somebody's SMS? This program is exactly what
you need then!"
The Websites are in a classic "fast flux" network, meaning that they
are actually hosted on zombie consumer ISP systems with quickly
changing DNS entries pointing users to a large number of IP addresses.
It's not clear what the executable pushed on these sites does,
although it clearly does not let you read other people's SMS messages
because it can't do that. Probably just another Trojan downloader.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.