

This is one member of an entire family of malware known as ransomware. The aim of those producing and spreading this ransomware is to intimidate and blackmail users whose PCs are infected and persuade or force them to pay for having the malware removed or neutralised. As a form of cybercrime it is crude, but often effective - often enough that the authors have gone to some lengths to customise this particular variety for different countries in Europe (so far, only a few examples from outside Europe have been seen).


The basic mechanism is simple enough. A PC is infected with a Trojan dropper by visiting an infected website. The actual infection can be the result of a "drive-by", where simply going to an infected webpage is enough to download the Trojan. Once on the PC, the code inserts a registry entry to make sure that it will be run every time the PC starts up, then displays a country-specific picture and a message (completely obscuring the desktop) and apparently locks the PC. The full details are in a paper by Trend Micro, which explains it better than I can.


Newer variants of this ransomware are said to have been modified to encrypt files and overwrite the MBR. If that is true, it confirms that the authors are actively developing it and intend to keep it going as long as possible.


One of the first articles to draw attention to this ransomware appeared last December in Microsoft's Malware Protection Center, when most of the infections were being reported from Germany (the Bundespolizei variant): malware-impersonates-the-police.aspx


Considering the wide distribution of scams such as this ransomware, it's clear that there's a lot of money at stake. That's why the bad guys invest in making their scams look more convincing for the unsuspecting user. This includes adapting social engineering techniques to the specifics of various countries and pretending to be the local authorities. Another point to remember is that a lot of malware is distributed nowadays through exploit kits such as Blackhole.


The note above about the Blackhole Exploit Kit is confirmed by a forum post, dated a fortnight before this article appeared, which said that


... Microsoft security essentials showed up 2 severe threats: - severe



Trojan/Win32/Reveton was the subject of another article in Malware Protection Center on April 18th: "Revenge of the Reveton". The malware infection is classed by Microsoft as Severe, and a description and removal guide can be found HERE. It is important to note that this infection is the intermediate variant that purports to be from the Metropolitan Police; later variants may require a different removal process.


Trojan:Win32/Reveton.A arrives as a DLL file with a random name. It creates a shortcut file to itself in the Windows startup folder; the shortcut file name is the same name as the DLL file but with the LNK extension.


When Windows starts, it executes the command associated with the shortcut, as follows:

rundll32.exe <path>\<file name>.dll, <random exported name>


Prevents the user from accessing the desktop

When run, Trojan:Win32/Reveton.A displays a full-screen webpage that covers all other windows, rendering the computer effectively unusable. The image is a fake warning pretending to be from a legitimate institution. It demands the payment of a supposed fine. However, even if the user pays, the computer is still left unusable.


Downloads and executes other malware

Trojan:Win32/Reveton.A downloads and executes other malware, detected as PWS:Win32/Reveton.A.
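
The Startup-folder persistence described above (a shortcut that runs rundll32.exe against a DLL with the same base name as the shortcut) can be checked for directly. The PowerShell below is an added example, not code from the original article or from Microsoft; the function name Test-StartupShortcut is hypothetical, and the script only reads and reports.

```powershell
# Added example: read-only audit of Startup-folder shortcuts.
# Test-StartupShortcut is a hypothetical helper name, not a built-in cmdlet.
function Test-StartupShortcut {
    param([string]$LnkPath, [string]$TargetPath, [string]$Arguments)

    # Only shortcuts that launch rundll32.exe are relevant here.
    if ([IO.Path]::GetFileName($TargetPath) -ine 'rundll32.exe') { return }

    # Expected argument shape: <path>\<file name>.dll, <exported name>
    if ($Arguments -match '^\s*"?(?<dll>.+?\.dll)"?\s*,\s*(?<export>\S+)') {
        $dll     = [Environment]::ExpandEnvironmentVariables($Matches['dll'])
        $export  = $Matches['export']
        $lnkBase = [IO.Path]::GetFileNameWithoutExtension($LnkPath)
        $dllBase = [IO.Path]::GetFileNameWithoutExtension($dll)
        $exists  = Test-Path -LiteralPath $dll
        # Signature status is context only; an unsigned DLL is not proof of malice.
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }

        [pscustomobject]@{
            Shortcut  = $LnkPath
            Dll       = $dll
            Export    = $export
            # Indicator from the description: the .lnk shares the DLL's base name.
            NameMatch = ($lnkBase -ieq $dllBase)
            DllExists = $exists
            Signature = $sig
        }
    }
}

# Per-user and all-users Startup folders.
$folders = 'Startup', 'CommonStartup' |
    ForEach-Object { [Environment]::GetFolderPath($_) } |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$shell = New-Object -ComObject WScript.Shell
$findings = foreach ($folder in $folders) {
    # -Force includes shortcuts marked hidden.
    foreach ($lnk in Get-ChildItem -LiteralPath $folder -Filter *.lnk -Force) {
        $sc = $shell.CreateShortcut($lnk.FullName)   # opens the existing .lnk for reading
        Test-StartupShortcut -LnkPath $lnk.FullName -TargetPath $sc.TargetPath -Arguments $sc.Arguments
    }
}

# Name-matching shortcuts first; every rundll32 shortcut is listed for review.
$findings | Sort-Object NameMatch -Descending | Format-List
```

A row with NameMatch set to True matches the pattern in the description; rows with NameMatch False are still worth a look, since few legitimate programs start a DLL through rundll32.exe from the Startup folder.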


What Microsoft calls PWS:Win32/Reveton.A is a refinement apparently added to this ransomware variant:

This threat is classified as a password-stealing trojan. Typically, a password stealing trojan installs a keystroke logger (commonly referred to as a keylogger) which records keystrokes and sends the recorded information to remote attackers. Some keyloggers monitor only keystrokes involved in specific types of web-based transactions. For example, a keylogger may include a component that monitors browser activity, only recording keystrokes when certain bank or ecommerce sites are accessed. Other types of password-stealing trojans include those that capture screenshots in an attempt to bypass graphic-based security measures.


The advice to anyone who has fallen victim to this version of the ransomware is the usual:


What to do if you think you have been a victim of a scam

If you suspect that you've responded to a phishing scam with personal or financial information, take these steps to minimize any damage.

  • Change the passwords or PINs on all your online accounts that you think might be compromised.
  • Place a fraud alert on your credit reports. Check with your bank or financial advisor if you're not sure how to do this.
  • Contact the bank or the online merchant directly. Do not follow the link in the fraudulent email message.
  • If you know of any accounts that were accessed or opened fraudulently, close those accounts.
  • Routinely review your bank and credit card statements monthly for unexplained charges or inquiries that you didn't initiate.



The whole subject of these "Police Trojans" has been investigated in depth by Trend Micro, who published their findings in a White Paper. The blog entry where the White Paper is discussed asserts that the same people are likely to be behind this as were responsible for a DNSChanger Trojan that had been sponsored by Rove Digital. That particular group was taken down last November when 8 Estonians were arrested, but the Police Trojans continue to be modified, enhanced and released - so there are others involved. There are clues within the source code, apparently, that point to Russian-speakers as being the authors of this malware (although such "clues" could be deliberately planted in order to mislead the investigators).


The Trend Micro blog is at ojan/


The DNSChanger Trojan is the same one that has recently been in the news: the FBI's Operation Ghost Click, which was the subject of a recent post in Security Awareness ("Did the FBI say we should check to see if computer is infected?")


The story of the takedown of Rove Digital and its criminal operations - spam, fake pharmaceuticals and malware - can be found at history


The White Paper

( rs/wp_police_trojan.pdf)

This analyses the operation and external communications of the Police Trojans in some detail. It also provides an explanation for the patchy detection rate by anti-virus programs, and the difficulty in keeping track of changes to the Trojans:

... there must be an affiliate download site where partners can download a ready-made Trojan using their own user names and the C&C server of the day already embedded. This also explains the very low detection rates across the board. Each Trojan is custom compiled with different configurations and applies two layers of packing and obfuscation on top. Given the rate at which the attackers are changing C&C servers, this recompilation must be happening very often that is why security companies are having a difficult time obtaining good detections.


The cybercrime activities of the authors of this ransomware are identified, showing that these are professional (or at least semi-professional) cybercrooks:

The gang spreading the ransomware discussed in this research paper does not seem to be a novice in committing cybercrime. In fact, we can relate the ransomware Trojan to several data-stealing campaigns involving ZeuS and CARBERP Trojans, TDSS rootkits, and FAKEAV malware dating back to 2010 and 2011. We can also relate the Police Trojan gang to a ZeuS Trojan campaign launched in mid-March of this year and a Gamarue worm.


.... The TDSS samples we have seen in Police Trojan attacks were also the DNS changers Rove Digital’s affiliate program used. As such, we believe that one or some of the gang members spreading the Police Trojans may also have been members of Rove Digital’s affiliate program in the past. This shows that the gang is certainly not new to cybercrime.


The probable source(s) of infection are set out at the end of the White Paper. The authors' conclusions about the websites that cause the infection should come as no surprise.


These malware programs tend to exploit known vulnerabilities in programs such as Java and Flash, for which updates are available but may not have been downloaded and applied. Some can exploit security weaknesses in Windows (most often XP); if the fixes for these issues by Microsoft are in the Optional download section (unlikely, but possible) then some users may not be aware of them.


To check whether your PC is missing any Windows or other Microsoft updates you should go to the Microsoft Update website (for which you must be using Internet Explorer; go to the Microsoft Download Center if you are using another browser such as Chrome or Firefox) or run Microsoft's MBSA, which scans for a number of security vulnerabilities in your OS and browser. For Adobe Flash, you can check whether you have the latest version here (different versions must be downloaded for IE and Firefox; Chrome should update its own sandboxed version automatically).




As a footnote to this piece, I note that there is a recent ransomware variant - purporting to be from West Yorkshire Police here in the UK - which has some extra features missing from earlier variants. Many files are encrypted - including .doc and .pdf - and are given a prefix of 'Locked' and a random 4-character suffix. A Russian AV vendor (Dr.Web) classifies this variant of the ransomware as "Trojan.Matsnu.1" and can decrypt the files, provided that they receive both an encrypted file and its unencrypted (pre-infection) version. This implies that the file has been backed up and so is available for comparison - which reinforces the message that files should be backed up regularly.