Security Advisor

Popular Ransomware Adds Ability To Steal Victims' Passwords

The infamous Trojan that's rolled up into widely used exploit kits is getting a new trick.

Microsoft is warning that the Reveton Trojan, a nasty piece of ransomware that locks users out of their computers until they pay the attackers to unlock them, has now added the ability to scan for and snag all your passwords.

According to Microsoft, the new capability was added so that even if antivirus does its job and removes the Trojan before the victim gives in to the extortion racket, the attackers' time and effort aren't wasted: they at least walk away with your passwords, which can be used to drain funds from you in a different way.

"Once an exploit kit installs Reveton on a system, the ransomware will start contacting its command and control (C&C) server," wrote Microsoft's Stefan Sellmer in a TechNet blog post. It then downloads details tied to the system's external IP address, such as the Internet provider, city and country.

While the Trojan ships that information off, it is also installing and running the DLL that locks the screen until payment is received, along with a password-stealing component that hides in memory.

The password grabber works in the background, lifting credentials from file downloader lists, e-mail clients, chat logs and remote-access applications, and it even reaches saved browser passwords held in protected storage.

Even with its original creator behind bars, the Trojan keeps finding new ways to terrorize infected victims, thanks to additions like this and to its inclusion in popular exploit kits such as Blacole and Cool Exploit Kit.

Microsoft points out that earlier this year, once a popular Java exploit was dropped into the kits that also included Reveton, more than 100,000 systems were being infected daily. Since then, the infection rate has dropped, but it's still able to snare thousands of new victims on a daily basis.

To avoid infection, Microsoft prescribes the usual dosage of smart Internet browsing and software updating.

"Our advice is, before you become a victim of the Reveton infection, spend a few minutes to eliminate possible infection vectors by updating software components which are targeted by drive-by-downloads," said Sellmer. "You should install all the relevant Microsoft security updates and update browser plug-ins like Java and Flash Player."

And if you suspect you have been infected, the first point of action (before even trying to remove the Trojan) is to change all your passwords, and to do so from a separate machine you know to be clean: any password typed on the infected system is simply one more for the stealer to collect.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
