0 Replies Latest reply on May 10, 2012 10:21 PM by Hayton

    Ransomware/Police Trojan - latest US/Canadian variant steals login data

    Hayton

      US Police Trojan picture.bmp

       

      Canadian SIS.jpg

       

      The Police Trojan continues to evolve, and the latest variant is now showing up in the US and Canada, complete with a suitable picture blocking the screen. Whether it encrypts files (as did the West Yorkshire Police variant) I don't yet know, but it has something new - the ransom demand is just the icing on the cake as far as the perpetrators are concerned. Even if you manage to get rid of that annoyance without paying them $100 your PC is likely to have been infected with the Citadel Trojan, a development/offshoot of the infamous Zeus banking trojan.

       

      If you've got the Citadel trojan, you have more than a slight problem. For a start, it's been modified to block your access to the places you need to go to to get the AV updates needed to remove it - McAfee, Microsoft, Malwarebytes and all the rest, presumably. I haven't seen the full list yet but it has over 650 URLs on it. You will be redirected or blocked if you try to access a site on that list. And this is done without modifying the Hosts file, which has long been a method favoured by redirection malware.

       

      More than that, you are now part of a bot network.

       

      Brian Krebs has found a small botnet, only 3400 strong, infected by the Citadel trojan, and among that number are several hundred McAfee customers (as well as hundreds from Norton, Microsoft et al - McAfee's not alone in missing the infection vector). If the bot controllers decide they want you to take part in, for instance, a DDOS attack or a spam-mailing campaign, you will take part - like it or not.

       

      And in addition, the Trojan will have installed a keylogger on your system, so your login names, passwords, bank and credit card details are being passed back to the bot controllers.

       

      If you are infected, and your current version of McAfee doesn't pick it up in a normal scan, and you can't get DAT updates or connect to anywhere on the web to download something to get uninfected, your best bet would be to get hold of one of the AV tools that allow you to boot from a CD or USB device that has the program preloaded on it. McAfee will let you have one of these if you call Support and ask them for it, and Microsoft has something called Windows Defender Offline (which I haven't tested yet). Either of those should allow you to get rid of Citadel. Once you've done so, you may need to run multiple scans with McAfee and other AV tools just to be sure all the traces of infection are gone; and then you will need to change all your account passwords, notify your bank (if you do online banking) and credit card provider(s), just in case; and hope that your identity has not been stolen and used to open accounts, order goods, run up debts, or anything else.

       

       

      Links to this story :

       

      http://blog.trendmicro.com/police-trojan-crosses-the-atlantic-now-targets-usa-an d-canada/

       

      http://www.trusteer.com/blog/fake-g-men-attack-hijacks-computers-ransom


      http://news.softpedia.com/news/Reveton-Ransomware-Poses-as-US-Department-of-Just ice-267230.shtml

       

      http://news.techworld.com/security/3355085/ransom-malware-merged-with-bank-troja n-in-new-attack/

       

      http://blogs.rsa.com/rsafarl/by-hook-and-by-crook-citadel-trojan-isolates-bots-f rom-av-and-security/

       

      http://krebsonsecurity.com/2012/05/at-the-crossroads-of-ethieves-and-cyberspies/


       

      Message was edited by: Hayton - new picture, more links - on 11/05/12 04:21:01 IST