![\"Ransomware](\"http:\/\/www.goodjobsucking.com\/wp-content\/uploads\/2012\/10\/extortionware.jpg\" "\\"FBI")
<\/a>This ransomware screen appeared over pretty much everything<\/p><\/div>\n
Recently, I stayed in a hotel where the first thing I did was poke through some of my history, looking for an article I’d been reading before — which I located, and about a paragraph in, my screen was entirely replaced with a (fake) FBI warning and a demand to pay a “release fee” of $200 to regain control of my computer.\u00a0 This was accompanied by the hotel’s IP address, and a display window that was apparently supposed to turn on the PC’s camera and show me in my underwear.<\/p>\n
This is known as the “FBI Green Dot Moneypak” scam, or the “FBI Moneypak Virus,” which actually covers a large family of extortionware — which is essentially a monetizing payload, like this scam, plus a way to deliver it to your computer.\u00a0 In my case, the delivery mechanism appears to be a Java exploit, triggered by either a malicious ad from a site I’d visited before (at home we use a proxy that strips out suspicious ads, so it’s possible it had been there before, but my PC wasn’t actually infected until I visited the same site from the hotel.)<\/p>\n
In my case, the infection was completely missed by malware scanners, which seemed to think that my PC was perfectly fine, and even ad hoc scanners proved relatively useless — even a few which claimed to be able to detect and remove this (detection is free, removal requires payment) were blissfully unaware that the infection had taken place.\u00a0 Googling wasn’t a lot of help either, since I was either directed to sites with generic instructions to run whatever scanner they were hocking (none of which worked) or long lists of registry keys to check, none of which appeared to exist on my system.\u00a0 So it was either hiding itself well, or too recent to be picked up by scan-based systems.<\/p>\n
At any rate, since it was Windows 7, I was able to “switch user” to an Administrator account, and I since I hadn’t received a request to escalate permissions, chances were relatively good it hadn’t inserted itself too deeply into my OS.\u00a0 I found two suspicious binaries — suspicious, because they weren’t where binaries typically go:\u00a0 in c:\\ProgramData was “lsass.exe” and in c:\\Users\\username\\AppData\\Local\\Temp was “ctfmon.exe.”\u00a0 Both of these are legitimate Windows binaries that would be run — lsass.exe, for example, is the Local Security Authority Subsystem Service, a legitimate version pretty much needs to be running or the system will restart, and ctfmon.exe activates the language bar.\u00a0 Since I generally have that turned off, this is pretty suspicious, but even more suspicious is the location<\/em> of these files.\u00a0 Deleting them in safe mode (from an alternative account) cleared the infection, returning control of my PC.\u00a0 The PC complained about not being able to find a few files it wanted to run on startup, but I considered that a good sign.<\/p>\n Meanwhile, I went back to my browser to examine the source of the infection, and surely enough, a Java plugin was enabled — and since it’s the only<\/em> thing enabled, it’s pretty obvious that this was the source of the problem.<\/p>\n If you haven’t done so already, I’d recommend disabling your Java plugins (virtually no Internet site uses it any more) and any other plugins which you don’t actually need.\u00a0 If you do use Flash, which is relatively hard to avoid, at least make sure it’s up to date.\u00a0 Note that updating the version of Flash doesn’t necessarily update the plugin version, so check from within your browser, not just by looking at versions in the Control Panel.<\/p>\n Mozilla has a handy URL that actually works across browsers:<\/p>\n https:\/\/www.mozilla.org\/en-US\/plugincheck\/<\/a><\/p>\n <\/p>\n","protected":false},"excerpt":{"rendered":" Safety on the internet — that is, protecting your computer from malware — used to be as simple as not downloading and running dodgy executable code.\u00a0 Sure, some people were tricked, either via emails from “friends” or popups trying really hard to convince them to run a local binary. Websites \u2026 Continue reading