Friday, October 19, 2012

Grandpa would not be impressed…

My late maternal grandfather was an F.B.I. Special Agent from the 1940s to the late 1960s.

So I was bemused when a gentleman from the church brought me his wife’s XP laptop. When booted, it displayed an “official”-looking lock screen from the “FBI” (complete with FBI seal) saying that computer violations had been found and the computer had been locked by the FBI unless the user paid them a fine via the legitimate “MoneyPak” service.

It was just a run-of-the-mill Trojan drive-by infection crafted by scummy scammers.

It took the better part of a Monday night NFL football game to clean, but I was able to get things restored and back in service.

…and then updated all the third-party browser apps (Java, Flash, Shockwave, etc.) as well as the latest version of the installed AV/AM software.

Related: SOPA reincarnates to hold your computer hostage - ZDNet.

--Claus V.


FF Extension Guru said...

I have heard references to this 'ransomware' but this is the first I have heard of a specific one.

Claus said...

# FF Guru - yeah, likewise. It was interesting but this version wasn't particularly sophisticated. I didn't feel like adding the details of the takedown/cleanup this time as the links are pretty good. Basically I just off-line booted it with one of my WinPE sticks, tossed a few "off-line" AV/AM scanner tools at it. Let them deal with the bulk of the cleaning, then after it was in a usable state on the user's normal desktop account finished out with some minor cleanups with AutoRuns/ProcessExplorer and updated Java/Flash/etc.

Not hard work but the user was really freaked out and frustrated with it. I had earlier installed Firefox and Chrome on it for them when I last saw it, but they weren't keeping those browsers current and were just using IE with the way-old-and-vulnerable versions of Java/Flash that plugged into it.

A drive-by/click-jack nightmare waiting to happen.


-Claus V.
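The comment above describes finishing the cleanup with Autoruns, i.e. reviewing what is set to start with Windows and the user's logon. The script below is an added example, not part of the post or of Claus's procedure: a PowerShell 2.0-compatible review of the four standard Run/RunOnce registry keys and the per-user Startup folder, which are among the locations Autoruns enumerates. It flags entries whose image lives in a user-writable directory (Temp, AppData, the profile root) or no longer exists on disk; that "suspicious location" heuristic and the helper names are this example's own assumptions, and a flagged entry is only a prompt to look closer, not a verdict.

```powershell
# Added example (not from the post): an Autoruns-style review of the most
# common startup locations, written for PowerShell 2.0 and later.
# The registry keys and Startup folder are standard Windows locations;
# the "user-writable directory" heuristic is this example's own assumption.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories an ordinary user account can write to. A vendor-installed
# autorun normally lives under Program Files or the Windows directory.
# $env:LOCALAPPDATA is absent on XP, so empty entries are skipped below.
$userWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE)

function Get-ImagePath {
    param([string]$Command)
    # Pull the executable out of a command line such as
    #   "C:\path\app.exe" /arg   or   C:\path\app.exe /arg
    if ($Command -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $matches[1] }
    return $Command.Trim()
}

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($dir in $userWritable) {
        if ($dir -and $Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$findings = @()

# Registry autoruns: one value per entry, value data is the command line.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own metadata
        $image = Get-ImagePath -Command ([string]$prop.Value)
        $findings += New-Object PSObject -Property @{
            Location = $key
            Name     = $prop.Name
            Image    = $image
            Exists   = (Test-Path -LiteralPath $image)
            UserDir  = (Test-UserWritablePath -Path $image)
        }
    }
}

# Per-user Startup folder: anything here runs at logon for this account.
$startup = [Environment]::GetFolderPath('Startup')
if (Test-Path $startup) {
    Get-ChildItem -Path $startup -Force | ForEach-Object {
        $findings += New-Object PSObject -Property @{
            Location = $startup
            Name     = $_.Name
            Image    = $_.FullName
            Exists   = $true
            UserDir  = (Test-UserWritablePath -Path $_.FullName)
        }
    }
}

# Entries in user-writable or missing locations sort to the top for review.
$findings |
    Sort-Object -Property @{Expression='UserDir'; Descending=$true}, @{Expression='Exists'; Descending=$false} |
    Format-Table Location, Name, Image, Exists, UserDir -AutoSize
```

Run it from the account that was infected (HKCU is per-user) and then, if the machine was cleaned offline as in the comment, again after the first normal logon; an entry that survives the offline scan but points at a user-profile path or a file that no longer exists is the kind of leftover worth removing by hand in Autoruns.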