Malware Using SMS as a Tool and a Lure

A new “ransomware” threat described by Symantec uses SMS as part of the scheme. Meanwhile, according to F-Secure, the Waledac botnet is pushing fake programs that supposedly let you monitor other people’s SMS messages.

The ransomware threat is in Russian and identified by Symantec as Trojan.Ransomlock. The software locks up the system and demands a code from the user in order to unlock it. The window in which it presents this demand resembles vaguely the Windows activation screens, perhaps attempting to look legitimate in that way.

The demand states (the numbers here are just examples):

“To unlock you need to send an SMS with the text 4113558385 to the number 3649Enter the resulting code:Any attempt to reinstall the system may lead to loss of important information and computer damage“

Symantec did not test the actual SMS sequence. Probably the attackers receive money for each SMS sent to that number.

Instead, Symantec reverse-engineered the code generator and created a tool to generate codes. It should also be possible to remove Trojan.Ransomlock by booting off a separate operating system and removing the relevant files and registry keys.

After you enter the unlock code, the message goes away, but Windows could still be locked up. At this point you can use Ctrl-Alt-Del (which doesn’t work before you enter the code), log off and the log back in. The Trojan is gone at this point.

Symantec doesn’t say how the Trojan spreads; it may be that it was not found in the wild.

The second threat is new activity by the Waledac botnet, which has been around for some time and is thought to be related to the Storm worm. Recent reports indicate that Waledac is being spread, among other methods, by the Conficker botnet.

Waledac-pushing Websites (a list of many of which may be found in the F-Secure writeup) are now pushing a “30-day free trial” of a program that supposedly lets you monitor other people’s SMS messages. “Do you want to test your partner or just to read somebody’s SMS? This program is exactly what you need then!”

The Websites are in a classic “fast flux” network, meaning that they are actually hosted on zombie consumer ISP systems with quickly changing DNS entries pointing users to a large number of IP addresses.

It’s not clear what the executable pushed on these sites does, although it clearly does not let you read other people’s SMS messages because it can’t do that. Probably just another Trojan downloader.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.