ID: IRCNE2013051853
Date: 2013-05-22
The developers of the Reveton ransom malware may have added a new module that uses keylogging as a backup tactic in case the victim refuses to pay up, Microsoft has found.
Distributed using the Blackhole Exploit Kit, the malware starts out by throwing up a localised lock screen demanding money on bogus pretences, usually a standard police fine warning for a non-existent computer offence.
In the background, however, Reveton downloads a separate password-stealing component stitched in from an older piece of malware, which scours the system for a wide range of logins: FTP, gaming, email, IM, storage and any passwords stored in the browser are all targeted.
It’s not a hugely unexpected development, but it has one important implication: even if the user finds a way of uninstalling the ransom segment of the malware, that might not stop the keylogger, which will continue to work.
The innovation could be part opportunistic and part reaction to the increasing success of counter-measures against ransom malware as security vendors finally offer better protection and recovery.
What Microsoft’s research does reveal is that this particular variant of Blackhole was proving hugely effective in January 2013, around the time it started hitting the CVE-2013-0422 Java vulnerability, infecting hundreds of thousands of PCs.