
Ransomware: Extortion via the Internet

Ransomware got its start in 1989. Back then, it was relatively ineffective. That's changing, which is bad news for us.


One of my neighbors recently experienced ransomware first hand. Up until then, he had no idea it existed. Because of that, it seems important to revisit extortion malware, explain exactly what it is, and how to avoid it.

Ransomware made its debut with a trojan called PC Cyborg, the brainchild of Dr. Joseph Popp. The extortion begins with a vulnerable computer becoming infected. Once settled in, the malware hides all folders and encrypts the file names on the C: drive. Next, a dialog box opens, proclaiming that the victim needs to send PC Cyborg Corporation $189 US because a software license has expired.

Until the ransom is paid and the malware's changes are reversed, the victim has a non-working computer. Thankfully, the doctor's trojan had a weakness: it encrypted the file names using symmetric cryptography, so the key needed to undo the encryption had to ship with the malware itself. Once experts had a chance to analyze the malcode and the encrypted tables, it became simple to reverse the encryption and determine who created the ransomware.

It seems the doctor felt he was doing something worthwhile (he was eventually declared mentally unfit). At his trial, he mentioned that the ransom money was to be used for AIDS research.

Public key and Cryptovirology

In 1996, two researchers, Adam Young and Moti Yung, fixed Dr. Popp's oversight, explaining how in their paper Cryptovirology: Extortion-Based Security Threats and Countermeasures (PDF). I believe that paper is also where the term cryptovirology was coined.

Young and Yung figured out how to use public-key cryptography in ransomware, making recovery of the decryption key by reverse engineering virtually impossible. The crypto-virus encrypts the victim's files using the malware writer's public key. The extortion comes into play when the victim is asked to pay a ransom in order to obtain the private key needed to decrypt the files.

How it works

Young and Yung call this type of ransomware crypto-viral extortion, and give the following definition:

"Crypto-viral extortion, which uses public key cryptography, is a denial of resources attack. It is a three-round protocol that is carried out by an attacker against a victim. The attack is carried out via a crypto-virus that uses a hybrid cryptosystem to encrypt host data while deleting or overwriting the original data in the process."

The three-round protocol is interesting. It consists of the following:

  • Crypto-virus is installed: Using any number of techniques, usually drive-by dropper platforms, the crypto-virus gets installed on vulnerable computers. When the virus activates, it creates a symmetric key and an initialization vector (IV). The crypto-virus proceeds to encrypt data files using the symmetric key and IV, after which it concatenates the IV with the symmetric key. Finally, the concatenated string is encrypted using the malware author's public key. With everything now in place, the crypto-virus pops open a window explaining the ransom demands to the victim.
  • Victim's response: If the victim decides to pay the ransom, there are several ways that can happen; we will look at those in a bit. The victim also has to send the encrypted concatenated string to the cybercriminal.
  • Attacker's response: The extortionist then decrypts the string using the private key, which discloses the symmetric key and IV. Finally, both are sent back to the victim, who uses them to decrypt the data files.
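
The three rounds above, modelled on an in-memory buffer as an added example (this is not code from Young and Yung's paper or from this article): AES in CTR mode stands in for the symmetric cipher and RSA-OAEP for the public-key wrapping, and the names round1, round3, decrypt, VictimState and the constructed sample text are my own assumptions. It deliberately never touches files. The point worth seeing is the negative one from the "How it works" discussion: after round 1 the infected host holds only the ciphertext, the wrapped IV||key blob and the public key, and round3 with any private key other than the author's fails outright, which is why analysing a captured sample alone cannot recover the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

const (
	ivLen  = aes.BlockSize // 16-byte IV for AES-CTR
	keyLen = 32            // AES-256 key
)

// VictimState is everything round 1 leaves on the infected host: the
// symmetric ciphertext and the IV||key blob sealed with the author's
// public key. The plaintext key is not retained anywhere on the host.
type VictimState struct {
	Ciphertext []byte
	WrappedKey []byte // RSA-OAEP(IV || key)
}

// ctrXOR applies the AES-CTR keystream to in; CTR is symmetric, so the
// same function serves both encryption and decryption.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// round1 models the crypto-virus step on an in-memory buffer: generate a
// fresh key and IV, encrypt, concatenate IV||key, seal the blob with the
// author's public key. Only the sealed blob and ciphertext are returned.
func round1(pub *rsa.PublicKey, plaintext []byte) (VictimState, error) {
	key := make([]byte, keyLen)
	iv := make([]byte, ivLen)
	if _, err := rand.Read(key); err != nil {
		return VictimState{}, err
	}
	if _, err := rand.Read(iv); err != nil {
		return VictimState{}, err
	}
	ct, err := ctrXOR(key, iv, plaintext)
	if err != nil {
		return VictimState{}, err
	}
	blob := append(append([]byte{}, iv...), key...)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, blob, nil)
	if err != nil {
		return VictimState{}, err
	}
	return VictimState{Ciphertext: ct, WrappedKey: wrapped}, nil
}

// round3 is the extortionist's side: only the holder of the matching
// private key can open the blob sent in round 2 and recover IV and key.
// With any other private key, OAEP decryption returns an error rather
// than garbage, which is the property the victim is stuck with.
func round3(priv *rsa.PrivateKey, wrapped []byte) (iv, key []byte, err error) {
	blob, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
	if err != nil {
		return nil, nil, err
	}
	if len(blob) != ivLen+keyLen {
		return nil, nil, errors.New("wrapped blob has unexpected length")
	}
	return blob[:ivLen], blob[ivLen:], nil
}

// decrypt is what the victim runs once the IV and key arrive.
func decrypt(iv, key, ct []byte) ([]byte, error) {
	return ctrXOR(key, iv, ct)
}

func main() {
	author, err := rsa.GenerateKey(rand.Reader, 2048) // the extortionist's key pair
	if err != nil {
		panic(err)
	}
	// Constructed sample data standing in for the victim's files.
	sample := []byte("constructed sample document: quarterly figures, not real data")
	st, err := round1(&author.PublicKey, sample)
	if err != nil {
		panic(err)
	}
	// An analyst holding only the host's contents and some other private key gets nowhere.
	other, _ := rsa.GenerateKey(rand.Reader, 2048)
	if _, _, err := round3(other, st.WrappedKey); err != nil {
		fmt.Println("unwrap without the author's private key: failed, as expected")
	}
	iv, key, err := round3(author, st.WrappedKey)
	if err != nil {
		panic(err)
	}
	pt, _ := decrypt(iv, key, st.Ciphertext)
	fmt.Println("round trip with the author's key restores plaintext:", bytes.Equal(pt, sample))
}
```

The check an analyst actually cares about is the failed unwrap with the wrong private key: it is the same failure a victim hits, and it is what moves recovery from "reverse the sample" (the PC Cyborg case) to "obtain a key that never lived on the host".
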

Covering their tracks

On their Web site, Young and Yung talk about the effort cybercriminals go through to protect themselves. They store the public and private keys on a smart card and do not personally know the bit representation of the private key:

"Ideally, the smart card will implement two-factor security: something the virus author knows (a PIN number) and something the virus writer has (the smart card that contains the private key). Also, the card will ideally be immune to differential power analysis, timing attacks, etc. to prevent the virus author from ever learning the bits of the private key."

The Web site goes on to explain why the extortionists do this:

"In the U.S. the virus author cannot be forced to bear witness against himself or herself (Fifth Amendment) and so the PIN can remain confidential. The purpose of this setup phase is to limit the effectiveness of seizing and analyzing the smart card under subpoena or warrant (competent evidence)."

Payment techniques

In the past, ransomware has not been the malware of choice. That's because cybercriminals are concerned about the money trail sending ransom funds creates. I mentioned earlier that many approaches have been tried. Here are some of them:

  • Trojan.Ransom-A declares that it will destroy one data file every 30 minutes unless $10.99 US is sent to a specified account via Western Union.
  • Trojan.Archiveus is a bit more creative. The ransom note declares that the decryption password will be sent if the victim purchases something from a specified Web site, typically in Russia.
  • Win32.Ransom uses a novel way to obtain ransom money. The crypto-virus blocks Internet access until the victim sends a premium SMS message. This approach is becoming the favored payment method.

Example

To help understand the entire process, let's look at what many consider cutting-edge ransomware. F-Secure just released information about Trojan:W32/DatCrypt. Here's how it works.

The trojan makes its way onto the victim's computer. Once there, it gives the illusion that data files such as Office documents, music, audio, and video are corrupt, as shown in the following slide (courtesy of F-Secure):

In reality, the files have been encrypted by the trojan. The next message opened by DatCrypt tells the victim to download specified file repair software. Notice how the window created by the malware appears to be a message from the Security Center (courtesy of F-Secure):

What is actually downloaded is Rogue:W32/DatDoc, malware that gives the appearance of fixing the problem. But only one file can be fixed with the free version (courtesy of F-Secure):

The attackers are trying to lull the victim into thinking the software actually works. They hope the victim will spend $89.95 US for the registered version. In reality, victims are paying ransom to get their own files back.

Solution

There is no magic formula for avoiding crypto-viral extortion; it's just malware looking for vulnerable computers to exploit. Keeping the operating system and application software up to date, along with a decent anti-virus application, will offer protection. Also, keeping current backups of all important data is a good idea, just in case.

Final thoughts

Ransomware is making a resurgence. Hard-to-trace Internet payment methods are emboldening cybercriminals.

Two thoughts immediately come to mind. Once the extortionist has the money, why send back the decryption information? Also, what proof does the victim have that the whole process won't start over again?

cbellur

It may be that the Mac is too small of a market, but as a recent Mac user, I also notice they are constantly pushing security fixes and updates -- far more often than on PCs. In either event, these ransom viruses seem to affect PC losers, uh, I mean users anyway.

Ocie3

Quote: [i]"Once the extortionist has the money, why send back the decryption information? Also, what proof does the victim have that the whole process won't start over again?" (italicization added)[/i] Two good questions. The ransomware is the most vicious of the two types (those that encrypt data files and those that don't, but masquerade as anti-malware). There is no particular reason for the perpetrator(s) to send the key that is needed to decrypt the files. Doing that probably increases the risk that they can be traced. OTOH, the key is probably obtained from a web site that is created by the criminal(s). It is easy and not that expensive to register new domains, and as easy to remove web sites as it is to create a simple one that serves the purpose. When the victim visits the web site to obtain the key, then their computer can be compromised by other malware while the ransomware is removed to lessen the likelihood that a copy of it will be given to a malware researcher. When extortionware infects a "consumer" computer, it usually masquerades as anti-malware while it searches all storage media available for PII and credit-card numbers, bank account numbers, etc. The malware also often installs a "backdoor" and perhaps a keylogger. Then it enlists the computer in a botnet. If and when someone does pay the ransom, sometimes by using a credit card (yes, some people really do believe what the anti-malware "rogue" or "fake" is telling them), then the malware goes away until the "license" expires. .... I think that answers the second question. :-( Thank you, Michael, for an interesting and informative article, with some interesting links. The criminals just keep on redeveloping their malware to be yet more effective, don't they?

Deadly Ernest

Since this is the sort of attack that will push people to accepting something like the MS proposed Trusted Computing set up, I wonder if these people are MS fronts or, at the least, encouraged by MS. edit to add -- NB: For those who don't get this message, even if it is just a touch 'tongue in cheek' with a mild humour slant, check out -- http://en.wikipedia.org/wiki/Trusted_Computing and start worrying about privacy etc.

Photogenic Memory

Hello Michael, I had a similar experience in the home this week! My mother infected herself with a bad piece of software called Malware Defense. She's not very computer savvy and has a hard time telling what suspicious internet sites look like. It's not the first time she's gotten herself into hot water with stuff like this. What can I say? She's your typical user. They just want things to work and when they don't they click everything to try to make it happen. Suffice to say, a nagging pop-up came up and she clicked yes to get off the screen. Bad move. It dropped its payload. Anyways, to stay on track, the program was called Malware Defense. You can google for it or see it here: http://www.2-spyware.com/remove-malware-defense.html The mentioned article's removal instructions were not helpful in the least. The program must have evolved. Some of the files were not visible or have been changed with the times. Malware Defense turned off her McAfee internet suite and totally disabled Malwarebytes malware and rootkit remover. All links even at the executable level were seemingly inoperative. It kept asking to purchase it online over and over and over again! Annoying. The PC also ran slowly. I felt totally stuck. To make matters worse, she doesn't have a backup. It's bad timing. I was going to purchase her a solution that week. Anyways, the program kept spewing balloons that kept saying she was infected with all these different trojans such as: ackdoor.Win32.Agent.ich, Rootkit.Win32.Agent.pp, Trojan.Dropper, Virus.Win32.Gpcode.ak, Email-Worm.Win32.NetSky.q, Net-Worm.Win32.Mytob.t and others. At first I got caught up in chasing these trojans and viruses through directories and registry entries, realizing the hard way I was being led in the wrong direction. I then decided to attack the program directly to see if there was a remover for itself. There had to be one right? Right!

I found this: http://www.myantispyware.com/2009/12/20/how-to-remove-malware-defense-uninstall-instructions/ I found the above site that recommended I use it to remove it. The program ran very quickly then required a reboot. Her PC came up normally and McAfee and Malwarebytes were now usable. I launched MBAM and this is what it found:

Malwarebytes' Anti-Malware 1.44
Database version: 3540
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/11/2010 8:41:38 AM
mbam-log-2010-01-11 (08-41-38).txt

Scan type: Quick Scan
Objects scanned: 117027
Time elapsed: 7 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\settdebugx.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malware defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Margot\Local Settings\Temp\settdebugx.exe (Rogue.Installer) -> Delete on reboot.
C:\WINDOWS\system32\H8SRTljltnnrrsa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTqparggwykt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTumuwntfmxr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTyxjixjcmtu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margot\Local Settings\Temp\H8SRT5329.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margot\Local Settings\Temp\Installer.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Margot\Local Settings\Temp\wscsvc32.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Margot\Local Settings\Temporary Internet Files\pse_350_enu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\h8srtkrl32mainweq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\H8SRTodchriqtom.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.

It removed these files and needed a reboot to remove the rest out of memory. Afterwards, I updated her virus scanner and the PC came up clean. Whew! I even ran CCleaner just in case to prune her registry for anything left over. I was lucky but felt so dumb. It took me an hour and 45 minutes to figure it out. Working that night and coming home that morning to do this didn't help either. I hope this will help you. Thank you for your articles. I had used your advice from before and had renamed MBAM's installation files to throw off any rootkits. I think it helped. Thank you and have a good morning. P.S. You can learn more on the TDSSKiller application here: http://support.kaspersky.com/viruses/solutions?qid=208280684

dayen

I am with Deadly Ernest: kill them if they cause enough economic harm or corrupted data, thereby causing the death of one or more persons. Can I afford to lose my data? No. Do I backup? Yes. Do I check my backup? Yes. Do I find bad ones too often? Thank you for helping us with info that we need. I work at GM; in the day when even the Tech didn't know what a virus was, we were down 3 days at $6000.00 a minute. It's not just getting the systems up, it's getting everything rolling again; it can be huge downtime, some plants were down 2 weeks.

andiestwo5

I will copy this and send and give to all my customers. Thank you very much, love your site. Andrew

denny1960

What about Steady State? Will it be able to restore your computer if this crap encrypts your files?

aikimark

I think the Russian mob should consider offering their services to extract the necessary information from the attacker and then kill them. Sure, this would cost more, but it would be a real deterrent for anyone considering this. Fighting crime with criminals.

ben.rattigan

What is great about this is as I read this article the sponsored links to the right are all very similar offerings which are likely to be ransomware. Is it paranoid to wonder where all these viruses come from in the first place? Don't the likes of ESET, Symantec, McAfee and so on make a lot of money from selling AV products?

dcmccunn

A friend called me yesterday with his computer locked-up with a request to pay $89 for software called "Antivirus Live". So watch out for this one...very difficult to remove.

windowsmt60

This may be redundant to other posts, so forgive me for not reading through all of them. But it seems to me that flavors of this are more prevalent without encryption techniques. There are many Malware applications that are designed to deny access to the internet unless you click on their links to purchase the software (such as the dreaded PC Doctor). I have worked on many PCs that have become infected with various trojans that claim "You have 29 infections, click here to remove" or some nonsense that wants you to spend $20 to $90 on something that simply removes the trojan to begin with.

DMambo

It's a great idea to position your malware as an MS Windows solution to someone else's malware. The first time a user called me with this one, I really assumed that it was an XP warning. It took a little bit of research to clear it up. The whole time I was working on it I was cursing the bast@rds who developed it, and simultaneously admiring their imaginative work. Fortunately, I found MalwareBytes AntiMalware to fix it. A great free product IMO.

Neon Samurai

It's one of those little things that grates on me at times. An Apple *is* a Personal Computer just like any other PC class hardware platform. I do also like that Apple pushes out patches when ready rather than when a day a month comes around. My grief is with the vulnerabilities they claim don't exist (for PR reasons) and the frequency with which some updates come out to push new marketing features rather than improve the software, as iTunes is a great example of. MS is also guilty of the PR need to pretend vulnerabilities don't exist though, so I'm not suggesting either is an angel. Debian puts them both to shame in terms of updates. OpenBSD puts all of them to shame though too. For me it's not about the number of attempts invited by market share. It's about the success rate of those attempts against each platform and the rate at which updates for discovered vulnerabilities become available.

RU_Trustified

They are better financed than defenders, and some say they pay 6 figure salaries to top programmers who they recruit. They run like a business. But some say they are saving their most insidious attacks. Why would they expose them when there are so many easy ways in right now?

Michael Kassner

Glad you got it back. One thing you may want to try if it happens again: rename MBAM; it's so popular the bad guys search for it on computers.

Michael Kassner

Let me know if there is anything else that TechRepublic can help with.

Michael Kassner

I am not following you. Are you referring to MS SteadyState?

Ocie3

Don't post comments after you have drunk too much vodka!! :-)

coderancher

However, when it infected a non-administrator user account, it did not seem to affect the administrator account. So logging on as administrator, I was able to update MBAM and run a full scan and remove it. You must use the full scan. The quick scan did not catch it.

Michael Kassner

A special greet to another MN type. It's now on my list.

ezrydr84

AV 2009, AV2010, etc. etc., are IMO all ransomware...

Michael Kassner

My point was that this approach is becoming more prevalent, because experts are more successful at fixing the malware you describe. Cybercriminals as usual then take it to the next level, which is ransomware.

d_g_l_s

Malwarebytes first I would think so as to stop the actual program from running. But this is good news for some who want their crucial data back.

d_g_l_s

Malwarebytes gets this one out. On one occasion I had only one recourse to get a foothold on the PC. I had to use an external program, Sysinternals' Process Explorer, to first be shut down as a running process (could not even bring up Task Manager). Then I was able to run Malwarebytes. Sometimes ya have to be a bit creative and keep it simple fighting back with more intelligence than the beast you're fighting!

Michael Kassner

Something I wonder about. Still, the flip side is why wait? Why miss an opportunity if it will afford more profit?

denny1960

MS SteadyState is supposed to restore the computer to a saved state when it's rebooted. Would this work if the hard drive had been encrypted by any of these ransomware programs?

d_g_l_s

One client called me after they had already paid for AV2010 and was going to try to get the credit card company to refund him.

Viperfriends12

All my geek techies need to remember, we are fairly smart at knowing our computers; like a car, we can spot something not quite right and investigate (except my wife). I have been battling this crap for years and it's getting worse. Remember, malware and ransomware is targeted to the under average user. Case in point: go to yahoo.com, do a search for "tigerdirect", on the first page towards the bottom look at the header and then look at the address, "buy a computer"; the address is igerdirect.com. I will leave it up for 5 more minutes then eradicate it. Sometimes I wish I could reach through the routers and hops to the one behind the computer on this mess and choke it. Surf safe..... Viper12

Ocie3

Sysinternals Process Explorer does not always succeed when it attempts to shut-down a process (such as Firefox when, for some unknown reason it was consuming 100% of the CPU until I finally used the hardware reboot button, for the first time in about five years, I think).

bernalillo

I like Malwarebytes but it does not catch everything. No scanner I have found does. I have a standard stash of four: Malwarebytes (usually run 1st as it is fastest), Spybot, Ad-Aware and SUPERAntiSpyware. I run each one until they do not detect any more problems, then I uninstall them before I install the next. This is a slow process but it's the only way I have found where I can reliably clean all the malware off a machine. Occasionally I have even had to run others live MS Live.

ezrydr84

should have listened to my mother and been a plumber...

Ocie3

Here and there I have read allegations that the "botnet herders" often endeavor to seize control of the botnet controlled by another "herder". In practice, the attack and seizure is actually carried out by a "gang" (team) that is created for the purpose. After they succeed, the newly-seized botnet is either turned over to the control of a herder who manages one or more other botnets, or sometimes the newly-seized botnet can be merged with another existing botnet. It may be true that "up and coming scam artists" might be threatening insofar as they might be potentially disruptive of the operations of existing organizations. But they are not necessarily attacked, and may be recruited to join an existing gang instead. The truly "awesomely destructive programs" are probably reserved for the biggest and most profitable targets. When they succeed, you and I are not likely to hear about it unless the organization that has been victimized cannot prevent, sooner or later, the "heist" from being publicized.

Neon Samurai

Malware that detected and removed competitive malware then re-enabled the AV while updating it with the latest signatures less the malware's own seems to have started long ago. Destroying the host system isn't beneficial to the business but protecting that host from competitive malware will be. ;)

Photogenic Memory

This type of crime is sophisticated and takes lots of work, planning, and time to implement successfully. An impulsive criminal goes for the goodies right then and there. There's minimal thought about the covering tracks and getting away. And also there's virtually no thought about NOT "shitting where you eat". These types tend to get caught easily for the most obvious reasons like showing off about it or bragging. I think those with long term goals see it for what it is and move on to the next sophisticated scam they can pull off. They base their previous success analytically and improve upon it. They're in it for the long haul. Just like legitimate services; the product doesn't have to be perfect but has to be self sustaining with as minimal over-head if possible. I guess it's on par with creating a portfolio of investment options. As long as the profits continue to come in which ever way they do; it's all good?! I'm sure in their own universe; they see up and coming scam artists as threatening and attack each other by doing what they do best. Sabotaging each others software. It might be the reason why you don't see as many awesomely destructive programs unleashed on the majority of the net. It's bad for business and brings too much attention. This is my opinion.

JCitizen

The steady state would blow the operating system attempts at modification away, but the data files on another drive might still be encrypted! It would make an interesting experiment, but there are still questions on just how far the reach is, by these malware, off the root system partition/boot drive. I do know that with Faronics Deepfreeze, there has never been a problem on the boot drive, however, you can't save files on that drive either. Newer versions may have file space, I don't know.

Michael Kassner

But, I think SteadyState is focused on the OS files and will not deal with data files.

Michael Kassner

Do you use Firefox? If so check out my article: http://blogs.techrepublic.com.com/10things/?p=1160 There are add-ons that check Web-site black lists and warn users about them. Your example may have been flagged. In fact, you should visit those sites and tell them what you found. They will add it to the list if it's not there. Thanks for pointing it out.

specialfx63

Just checked it out, myself...It just goes to show that none of us can simply surf without due caution, and a keen eye for any possible trickery.

Ocie3

both Sunbelt VIPRE and Malwarebyte's Antimalware. Of course, I never run one while the other is also loaded. I use Malwarebyte's about once a week, and/or sometimes use F-Secure Online Scanner or Panda Online Scanner, but VIPRE is the one that ordinarily guards and scans my computer system. Since you mention it: in my opinion, the name "VIPRE Antivirus + Antispyware" is unfortunate, because it also scans for some rootkits that it can detect and identify, and it can remove many "rogue anti-malware" programs that are extortionware. That is why I personally refer to it, and to many other programs like it, as "anti-malware", because they are not just "anti-virus" and/or "anti-spyware". However, hardly any one of them attempts to find and identify absolutely all kinds of the "malware" that has been discovered. Note that some anti-malware programs do not scan e-mail packets and attachments. Very few attempt to find and identify keystroke loggers. Nonetheless, there are [i]plenty[/i] of "one package security solutions" but, whatever their merits, they are ordinarily licensed only to enterprises and are too expensive for most individuals. That said, our discussion is beginning to wander off-topic, and I would rather not attempt to discuss and compare the features of any particular anti-malware programs in this venue. Doing that is not the same thing as suggesting or recommending a particular program (or a blog) as a source of aid and/or of information when someone is confronted with a [i]specific[/i] extortionware intruder or with a [i]specific[/i] ransomware program.

d_g_l_s

this one but how does it compare to Malwarebytes for overall effect? Just wondering why it is billed as an antimalware program when it is actually called Vipre Antivirus Antispyware? Have not used it. It's not free and I'm not sure if I'm willing to use it until I know for sure it works well in the broad sense, especially when ones such as Malwarebytes work and have a proven track record. Want to know your thoughts and experience on this.

Ocie3

the TechNibble web site is an interesting place. I might register for the forum(s), especially since I prefer to install or remove hardware -- and configure it, etc. -- myself. Other "non-vendor" forums that can help you out especially when you're looking for malware or trying to get rid of it: Major Geeks Spyware Beware Bleeping Computer GMER My Netwatchman Audit My PC (good info, but be careful)

d_g_l_s

has just informed me that they support a program called rkill to stop the malware and allow programs to remove the malware. It comes in .exe, .com, .scr and .pif extensions in case the malware blocks any one of these kinds. Have not yet tried this but they highly recommend it so will be looking into this.

Ocie3

has a lot of useful utilities, and I did not mean to imply that Process Explorer should not be used to attack malware -- just to say that it might not work as we would like. Sysinternals Autoruns and Rootkit Revealer can be useful, too, as well as Hijack This. In my experience, Hijack This and CCleaner are useful mainly for removing "unnecessary" software such as "too many toolbars" and what-have-you so that you can determine whether the problems that you are observing are actually caused by the ordinary software that your computer is running, or perhaps by malware instead. But, of course, I am assuming that the malware wants to be undiscovered and you have to find out what is causing the incidents that you encounter. Ransomware and other extortionware wants to be able to do its nasty work before, of course, revealing itself by demanding payment of money or other acts that will benefit the malefactor. At that point, you have to figure out how to get rid of the intruder and remedy its effects, irrespective of whether you pay the ransom. I must admit that I have not personally encountered that situation, only an unidentifiable rootkit.

d_g_l_s

on this as I would not necessarily advise that Sysinternals Process Explorer should be the tool to use. I guess I should have added more to my thoughts, as I meant that since it worked, this approach should be considered as another tool in the attempt to get stubborn malware. Other such programs such as CCleaner could be used to do this operation. The problem arose when Task Manager could not be called to action. Any further thoughts on this would be great!

JCitizen

I'm not so sure it is just Intel tech that makes that possible; AMD CPUs should work just as well. The feature you talk about was mostly a feature of the x64 operating system, the way I understood it; however I still have some to learn about Win 7. My Vista system seems literally invulnerable to 32 bit malware. However, just in case, I now have 64 bit capable AV. Alwil is ahead of the curve on this. Oh! And did I say? Avast uses GMER tech for rootkit detection.

Ocie3

will almost certainly be 64-bit. Reportedly, the Intel CPU, in conjunction with Windows 7, will not allow a kernel-mode driver to be installed. So there will not be an "invisible" file or process, unless it is entirely outside of any formatted partition. Even there, though, some software can find it.

bernalillo

I haven't used it much as it takes more work, but it certainly has its place, especially with rootkits being hard for the others to find or remove.

bernalillo

Just because one isn't doesn't mean the next won't be.

Ocie3

just looks for rootkits, as far as I can see from examining the web site. Extortionware or ransomware is not in their purview.

Michael Kassner

If you get a really bad one, you may want to try GMER.

fransoph

Dr. Rich-and-Powerful has a clogged drain and calls a plumber. The plumber comes out and announces it will cost $1000 to fix it, and it will take an hour. The doc exclaims, "wait -- I'm a very famous brain surgeon, and I don't make $1000 an hour". Plumber thinks a second and says, "you know, come to think of it, I didn't make that much when I was a brain surgeon either".
