Security Protection – Harry Waldron MVP

Ransomware – Shadowlock Trojan requires users to fill out survey

Almost all ransomware attacks require the user to pay money to unlock the computer (unless, preferably, a removal tool from an AV vendor is used). With the new Shadowlock Trojan horse, users must instead fill out a survey to “unlock” their computer. The author also built in an Easter egg at the end of the process: it plays the musical tones from the movie Close Encounters of the Third Kind and opens the CD/DVD tray. Shadowlock is built on the advanced .NET Framework services and could evolve into a more malicious attack in the future.

http://www.symantec.com/connect/blogs/close-encounters-shadowlock-kind

http://www.symantec.com/security_response/writeup.jsp?docid=2013-070822-5627-99

QUOTE: In the vein of fake computer lockers everywhere, such as the Trojan.Ransomlock, Trojan.Fakeavlock, and Trojan.Winlock families, comes Trojan.Shadowlock. Unlike any of its predecessors, however, this malware “encourages” users to fill out an online survey instead of outright demanding an online payoff. Online surveys in general return very little money, but they do eventually add up in the long run. In this case, it turns out the malware author has a sense of humor and left in a certain Easter egg for reverse engineers to find. The Easter egg is a sound bite of the famous five-tone motif from the movie Close Encounters of the Third Kind.

After some time, Shadowlock finally reveals some of its capabilities. The threat can do several things, such as killing popular browsers (Firefox, Chrome, Internet Explorer, Safari, and Opera) and disabling certain system tools. It can also eat up any available disk space and disable the Windows firewall. It can even redirect users to websites with shocking content through the default Web browser. On a more playful note, the threat can also swap mouse buttons, open the CD tray, or launch basic OS apps like Calculator or MS Paint.

Interestingly enough, a vast majority of these functions are never called in the code. Two possibilities come to mind. One is that the author may have found some code and added the survey scam on top of it. The other possibility is that the author may be testing the waters, so to speak. These functions (as well as others) may find themselves being used in a future variant. At Symantec, we protect our customers by detecting this threat as Trojan.Dropper, Trojan Horse, or Trojan.Shadowlock. According to our telemetry, this threat is not widespread. Be advised however, if you see your CD tray opening and hear eerie theme music, you may be experiencing a close encounter of the Shadowlock kind.
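A defender's triage check for the persistent host changes the writeup lists (disabled Windows Firewall, swapped mouse buttons, exhausted disk space), as an added PowerShell example that is not from the original post or from Symantec. It assumes a Windows 8 / Server 2012 or later host with the NetSecurity module available, and the 5% free-space threshold is an assumed value.

```powershell
# Added triage example (not from the original post or Symantec): checks a Windows
# host for the persistent side effects the writeup attributes to Trojan.Shadowlock:
# disabled Windows Firewall profiles, swapped mouse buttons and exhausted disk space.
# Absence of findings does not prove a clean host; a finding is only a prompt to run
# an AV scan, not an identification of this specific threat.

function Test-ShadowlockSideEffects {
    [CmdletBinding()]
    param(
        # Free-space threshold (percent) below which a volume is flagged; assumed value
        [int]$MinFreePercent = 5
    )

    $findings = @()

    # 1. Windows Firewall disabled on any profile (Domain/Private/Public)
    $disabledProfiles = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
    foreach ($p in $disabledProfiles) {
        $findings += "Firewall profile '$($p.Name)' is disabled"
    }

    # 2. Mouse buttons swapped via the per-user setting (REG_SZ "1" when swapped)
    $mouse = Get-ItemProperty -Path 'HKCU:\Control Panel\Mouse' -Name SwapMouseButtons -ErrorAction SilentlyContinue
    if ($mouse -and $mouse.SwapMouseButtons -eq '1') {
        $findings += 'Primary/secondary mouse buttons are swapped (HKCU\Control Panel\Mouse\SwapMouseButtons = 1)'
    }

    # 3. Local fixed disks nearly full (DriveType 3 = local disk)
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
        if ($_.Size -gt 0) {
            $freePct = [math]::Round(100 * $_.FreeSpace / $_.Size, 1)
            if ($freePct -lt $MinFreePercent) {
                $findings += "Volume $($_.DeviceID) has only $freePct% free space"
            }
        }
    }

    # Return a structured result so the caller can log or alert on it
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Suspicious   = ($findings.Count -gt 0)
        Findings     = $findings
    }
}

Test-ShadowlockSideEffects | Format-List
```

Run it from an elevated PowerShell session so the firewall profile query succeeds; the Findings array is empty on a host showing none of the three changes.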
