Malware Using SMS as a Tool and a Lure

By Larry Seltzer  |  Posted 2009-04-17 Print this article Print

Two threats prey on SMS users, one as blackmail and the other as a trick to install malware.

A new "ransomware" threat described by Symantec uses SMS as part of the scheme. Meanwhile, according to F-Secure, the Waledac botnet is pushing fake programs that supposedly let you monitor other people's SMS messages.

The ransomware threat is in Russian and identified by Symantec as Trojan.Ransomlock. The software locks up the system and demands a code from the user in order to unlock it. The window in which it presents this demand resembles vaguely the Windows activation screens, perhaps attempting to look legitimate in that way.

The demand states (the numbers here are just examples):

To unlock you need to send an SMS with the text 4113558385 to the number 3649

Enter the resulting code:

Any attempt to reinstall the system may lead to loss of important information and computer damage
Symantec did not test the actual SMS sequence. Probably the attackers receive money for each SMS sent to that number.

Instead, Symantec reverse-engineered the code generator and created a tool to generate codes. It should also be possible to remove Trojan.Ransomlock by booting off a separate operating system and removing the relevant files and registry keys.

After you enter the unlock code, the message goes away, but Windows could still be locked up. At this point you can use Ctrl-Alt-Del (which doesn't work before you enter the code), log off and the log back in. The Trojan is gone at this point.

Symantec doesn't say how the Trojan spreads; it may be that it was not found in the wild.

The second threat is new activity by the Waledac botnet, which has been around for some time and is thought to be related to the Storm worm. Recent reports indicate that Waledac is being spread, among other methods, by the Conficker botnet.

Waledac-pushing Websites (a list of many of which may be found in the F-Secure writeup) are now pushing a "30-day free trial" of a program that supposedly lets you monitor other people's SMS messages. "Do you want to test your partner or just to read somebody's SMS? This program is exactly what you need then!"

The Websites are in a classic "fast flux" network, meaning that they are actually hosted on zombie consumer ISP systems with quickly changing DNS entries pointing users to a large number of IP addresses.

It's not clear what the executable pushed on these sites does, although it clearly does not let you read other people's SMS messages because it can't do that. Probably just another Trojan downloader.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel