Who is to blame and / or what to do for Dummies (about the “winlockers”)
Having accumulated some experience in helping “careless” and summarizing it, I decided to write a short review article on the problem of various SMS ransomware aka informers. An experienced IT employee is unlikely to find anything new in it, but most ordinary users are likely to find something useful or simply interesting for themselves in it.
We call it "Who is to blame and / or what to do for Dummies."
Pens playful ...
As practice shows, for most ordinary users, the fact that the system is infected does not cause any particular fears - everything seems to work somehow, the system slows down a little, and errors pop up from time to time, but on the whole it does not interfere with satisfying your modest everyday needs - communicate in social networks, listen to music and watch a movie. So taking care of some kind of protection does not seem so important. And at that time, a computer infected for days on end works for the benefit of DiDosers, spammers and other no less dishonorable comrades ...
Then, at some point, the attitude changes dramatically when the system is blocked, and even your relatives ask for unlocking. This is where the search for the guilty begins. And go find it - who admits to installing a “special codec” to watch a particular video or to visit another entertainment portal?
Viewing the history of visits helps to determine approximate sources of infection, but you will not expose the culprit before everyone's eyes. Alas, only a few are directly recognized. Although there are simply enough curious ones ...
Based on my experience of helping to get rid of the infection, I can say that approximately the next historical way of becoming blockers is being seen.
Not so long ago, when the banners (“winlocks” in the future) were quite simple and were just an add-on (BHO) for IE, the whole struggle with them was to disable this add-on. In principle, the problem was solved elementarily - a three-minute telephone consultation - and everyone is happy.
After a while, ransomware began to appear, blocking not only IE, but also other browsers, using, say, the same JS. The first trojans began to appear, which without an antivirus program, it was already almost impossible for an ordinary user to overcome, which was confirmed by a sad mumbling of the victims to the receiver.
And at that time, almost all programs still allowed themselves to be removed by means of code received via SMS. Moreover, SMSs were an order of magnitude less than at present.
But the phenomenon still did not lead users into indescribable horror, because only the browser was blocked. Closing it, you could forget about the "trouble" and continue to do what you love.
Later, the informers evolved and turned first from an annoying and interfering window hanging in the middle of the desktop into a real ogtung (the translation from it is nasty garbage extorting money), which blocked the entire desktop when the OS boots up, an attempt to start the task manager does nothing except for the appearance of a sad face on the user's face, and a blocked registry and "safe mode" finally put an end to an attempt to solve the problem on their own. And although tricks sometimes helped, such as repeatedly pressing the “shift”, or using “win + u” and then launching the required software through a browser, over time this trick also lost its relevance.
The blockers have grown from the category of “sticker” to the category of “super-limited account”. Soon, the developers of the informers became completely brutalized, and even the tricks with changing the extension in com, pif, cmd, bat types ceased to help to launch the software - livecd was no longer needed.
The climax was the informer, which received the widest distribution in December last year - uFast Download Manager.
How?
If the standard launch of the antivirus for some reason did not help (the pest is either not detected or the AV does not start at all), you have to use additional utilities.
The standard set for restoring a user’s system from under the most infected system is standard - here everyone knows AVZ, and no less popular HiJackThis, some programs from SysInternals that allow you to track the activity of various subsystems, as well as, of course, the anti-virus scanners like CureIt, AntiViral Toolkit , NOD32 and other lesser known.
It should be noted that to unlock the system, sometimes code generators (such as keygens for viruses) from manufacturers of antivirus software that create services that allow you to select codes to unlock the system can be useful, but recently they have lost their relevance in view of the fact that blockers cease to contain unlock function itself based on the received SMS code - they simply are not designed for this.
A couple of useful links are given below, they may come in handy:
The penultimate page even had a futuristic flash design to emphasize the importance and uniqueness of the project, I think.
It should also be noted that, sometimes on the forums there are algorithms for manual selection of code. Sometimes it helps, sometimes not. You have to try.
Some of the victims turn to their operator, who gives unlock codes, again, if the informer supports such a function.
Starting to search for a pest, first of all (after an unsuccessful scan by antivirus utilities, which I will not describe because of its simplicity), it is worth taking Oleg Zaitsev's AVZ. The program has truly wide capabilities. You can download it from the author’s website z-oleg.com .
AVZ allows you to detect malicious files and remove them from the system by analyzing the operation of files, and a large number of heuristic microprograms, a large signature database, neuroanalysers, troubleshooting programs, a large number of auxiliary routines are supported. Moreover, if the system has an advanced pest that does not allow you to run the program, then you can use the launch from the console with the key ag = y.
In this case, first the system starts AVZGuard (a driver that restricts the access of running applications to the system), which does not allow you to close the program (if the console does not start, you can try to create a bat-file). And then add the programs you need to trusted applications and continue to clean the system. Moreover, if a reboot is necessary to prevent re-infection, it is recommended not to unload AVZGuard, but to reboot with it. This technique helps to get rid of a lot of problems. And resetting various system locks helps get rid of the effects of pests. For example, a frequent victim is a network stack, the damage of which leads to disruption of the network. Using this utility, you can restore the integrity of the stack. (It should be noted that often you can restore it yourself, using the netsh winsock reset command. More details can be found here.support.microsoft.com/kb/817571 and here support.microsoft.com/kb/811259 ).
Under AVZ, there are already ready-made scripts (which the user can write himself) that help get rid of certain types of pests. By the way, on the virusinfo.info website, experts can also help with solving the problem after you provide them with a log collected after analyzing the system.
It should be noted a number of small, but extremely useful utilities from the company SysInternals, now purchased by Microsoft, without which it is extremely difficult to do, using the "manual" method of searching for pests.
Using the ProcessMonitor utility, you can use the convenient “Include Process from window” function, specify the element of interest on the screen (for example, a banner) and find the process on which it hangs. Then it can be analyzed using the secure AVZ file database and a potential intruder can be identified.
It also allows you to track changes in the file system and registry in real time.
Processes that affect network activity are also visible in real time.
With Autoruns and Sigcheck, you can verify digital signatures of files and sort them as safe.
An excellent scanner from Dr.Web in the beta version has acquired a special interface to counter programs that block the launch of anti-virus scanners themselves. First, it activates protected mode, then loads all other services. This is sometimes the most effective option.
Another well-known program HiJackThis allows you to find suspicious objects in startup, keys in the registry, and then delete them.
In addition, you can use a service such as www.hijackthis.de/en , where by downloading the log, you can get a beautiful report on the probable danger of a particular file or record.
And in order to finally make sure that the file is “unclean on hand”, the file can be downloaded at www.virustotal.com, where you will learn about the fame of the subject in especially "narrow" circles.
In any case, always after treatment / reinstalling, change the passwords stored on the computer. For they steal.
What to do?
When ensuring security, you always need to maintain a balance - to provide more or less reliable protection and at the same time not put the user in a straitjacket (although it would be necessary).
The safest option is to change the OS to a less traditional one. However, not everyone will be satisfied for a number of well-known reasons.
An effective antivirus with up-to-date databases, coupled with an updated OS - greatly increases the chances of not picking up anything, but as practice shows, this is not enough for users with long arms. They climb where necessary and not necessary, and at the same time they do not confess.
Various firewalls did not find the love of an ordinary user due to the need for constant monitoring. And since sometimes there is not enough knowledge to make decisions, even a user who uses a firewall either blocks the desired process, which often leads to network failure and disruption of programs, or vice versa - it allows malicious code. My favorite thing is to block everything and remove the program as “interfering" ...
Alas, most often it happens.
Of course, it is recommended to use a non-standard browser due to its inferiority and binding to the kernel of the system.
The weakest link is the gasket between the chair and the PC. That means to strengthen the link - the hands must be shortened (c) Popular wisdom.
One of the most effective measures is to restrict user rights in the system itself, but most often users are too lazy to spend time creating a separate account. And a number of programs refuse to install, configure, and just run under limited profiles.
In this case, the well-known utility DropMyRights will be useful, limiting the rights of the launched application.
It supports 3 access levels. The lower the rights, the lower the program’s capabilities. Say, for the same IE at the lowest, functions such as active-x are not available.
This method has proven itself in clients from the "high risk" group. And although some sites are not displayed correctly, but for the sake of security, this point can be neglected.
Alternatively, you can also use programs that make the system roll back after the session ends, but, as practice shows, they are not very suitable for home use.
And although in recent years there has been a sharp decline in the activity of winlockers, probably in the near future we should still expect new various modifications of various types of ransomware, and hence new epidemics. It is impossible to ensure complete security without pulling the user's hands behind his back, and until the user, taught by bitter experience, hears the advice of more experienced colleagues and treats his security with great attention, millions of infected computers will work to the detriment, and hundreds of millions of rubles will go into the pocket of virus writers.
Yes, and the problem must be solved, most likely, comprehensively:
Well, on your part, I am glad to listen to your wishes, criticism and just share your experience.
We call it "Who is to blame and / or what to do for Dummies."
Pens playful ...
As practice shows, for most ordinary users, the fact that the system is infected does not cause any particular fears - everything seems to work somehow, the system slows down a little, and errors pop up from time to time, but on the whole it does not interfere with satisfying your modest everyday needs - communicate in social networks, listen to music and watch a movie. So taking care of some kind of protection does not seem so important. And at that time, a computer infected for days on end works for the benefit of DiDosers, spammers and other no less dishonorable comrades ...
Then, at some point, the attitude changes dramatically when the system is blocked, and even your relatives ask for unlocking. This is where the search for the guilty begins. And go find it - who admits to installing a “special codec” to watch a particular video or to visit another entertainment portal?
Viewing the history of visits helps to determine approximate sources of infection, but you will not expose the culprit before everyone's eyes. Alas, only a few are directly recognized. Although there are simply enough curious ones ...
Based on my experience of helping to get rid of the infection, I can say that approximately the next historical way of becoming blockers is being seen.
Not so long ago, when the banners (“winlocks” in the future) were quite simple and were just an add-on (BHO) for IE, the whole struggle with them was to disable this add-on. In principle, the problem was solved elementarily - a three-minute telephone consultation - and everyone is happy.
After a while, ransomware began to appear, blocking not only IE, but also other browsers, using, say, the same JS. The first trojans began to appear, which without an antivirus program, it was already almost impossible for an ordinary user to overcome, which was confirmed by a sad mumbling of the victims to the receiver.
And at that time, almost all programs still allowed themselves to be removed by means of code received via SMS. Moreover, SMSs were an order of magnitude less than at present.
But the phenomenon still did not lead users into indescribable horror, because only the browser was blocked. Closing it, you could forget about the "trouble" and continue to do what you love.
Later, the informers evolved and turned first from an annoying and interfering window hanging in the middle of the desktop into a real ogtung (the translation from it is nasty garbage extorting money), which blocked the entire desktop when the OS boots up, an attempt to start the task manager does nothing except for the appearance of a sad face on the user's face, and a blocked registry and "safe mode" finally put an end to an attempt to solve the problem on their own. And although tricks sometimes helped, such as repeatedly pressing the “shift”, or using “win + u” and then launching the required software through a browser, over time this trick also lost its relevance.
The blockers have grown from the category of “sticker” to the category of “super-limited account”. Soon, the developers of the informers became completely brutalized, and even the tricks with changing the extension in com, pif, cmd, bat types ceased to help to launch the software - livecd was no longer needed.
The climax was the informer, which received the widest distribution in December last year - uFast Download Manager.
How?
If the standard launch of the antivirus for some reason did not help (the pest is either not detected or the AV does not start at all), you have to use additional utilities.
The standard set for restoring a user’s system from under the most infected system is standard - here everyone knows AVZ, and no less popular HiJackThis, some programs from SysInternals that allow you to track the activity of various subsystems, as well as, of course, the anti-virus scanners like CureIt, AntiViral Toolkit , NOD32 and other lesser known.
It should be noted that to unlock the system, sometimes code generators (such as keygens for viruses) from manufacturers of antivirus software that create services that allow you to select codes to unlock the system can be useful, but recently they have lost their relevance in view of the fact that blockers cease to contain unlock function itself based on the received SMS code - they simply are not designed for this.
A couple of useful links are given below, they may come in handy:
- support.kaspersky.ru/viruses/deblocker - a release from Kaspersky.
- esetnod32.ru/support/winlock.php - Nod32
- www.drweb.com/unlocker - the same from Dr. Web.
- www.drweb.com/unlocker/mobile - and a mobile version of the service.
- virusinfo.info/deblocker - deactivation from Virusinfo.
The penultimate page even had a futuristic flash design to emphasize the importance and uniqueness of the project, I think.
It should also be noted that, sometimes on the forums there are algorithms for manual selection of code. Sometimes it helps, sometimes not. You have to try.
Some of the victims turn to their operator, who gives unlock codes, again, if the informer supports such a function.
Starting to search for a pest, first of all (after an unsuccessful scan by antivirus utilities, which I will not describe because of its simplicity), it is worth taking Oleg Zaitsev's AVZ. The program has truly wide capabilities. You can download it from the author’s website z-oleg.com .
AVZ allows you to detect malicious files and remove them from the system by analyzing the operation of files, and a large number of heuristic microprograms, a large signature database, neuroanalysers, troubleshooting programs, a large number of auxiliary routines are supported. Moreover, if the system has an advanced pest that does not allow you to run the program, then you can use the launch from the console with the key ag = y.
In this case, first the system starts AVZGuard (a driver that restricts the access of running applications to the system), which does not allow you to close the program (if the console does not start, you can try to create a bat-file). And then add the programs you need to trusted applications and continue to clean the system. Moreover, if a reboot is necessary to prevent re-infection, it is recommended not to unload AVZGuard, but to reboot with it. This technique helps to get rid of a lot of problems. And resetting various system locks helps get rid of the effects of pests. For example, a frequent victim is a network stack, the damage of which leads to disruption of the network. Using this utility, you can restore the integrity of the stack. (It should be noted that often you can restore it yourself, using the netsh winsock reset command. More details can be found here.support.microsoft.com/kb/817571 and here support.microsoft.com/kb/811259 ).
Under AVZ, there are already ready-made scripts (which the user can write himself) that help get rid of certain types of pests. By the way, on the virusinfo.info website, experts can also help with solving the problem after you provide them with a log collected after analyzing the system.
It should be noted a number of small, but extremely useful utilities from the company SysInternals, now purchased by Microsoft, without which it is extremely difficult to do, using the "manual" method of searching for pests.
Using the ProcessMonitor utility, you can use the convenient “Include Process from window” function, specify the element of interest on the screen (for example, a banner) and find the process on which it hangs. Then it can be analyzed using the secure AVZ file database and a potential intruder can be identified.
It also allows you to track changes in the file system and registry in real time.
Processes that affect network activity are also visible in real time.
With Autoruns and Sigcheck, you can verify digital signatures of files and sort them as safe.
An excellent scanner from Dr.Web in the beta version has acquired a special interface to counter programs that block the launch of anti-virus scanners themselves. First, it activates protected mode, then loads all other services. This is sometimes the most effective option.
Another well-known program HiJackThis allows you to find suspicious objects in startup, keys in the registry, and then delete them.
In addition, you can use a service such as www.hijackthis.de/en , where by downloading the log, you can get a beautiful report on the probable danger of a particular file or record.
And in order to finally make sure that the file is “unclean on hand”, the file can be downloaded at www.virustotal.com, where you will learn about the fame of the subject in especially "narrow" circles.
In any case, always after treatment / reinstalling, change the passwords stored on the computer. For they steal.
What to do?
When ensuring security, you always need to maintain a balance - to provide more or less reliable protection and at the same time not put the user in a straitjacket (although it would be necessary).
The safest option is to change the OS to a less traditional one. However, not everyone will be satisfied for a number of well-known reasons.
An effective antivirus with up-to-date databases, coupled with an updated OS - greatly increases the chances of not picking up anything, but as practice shows, this is not enough for users with long arms. They climb where necessary and not necessary, and at the same time they do not confess.
Various firewalls did not find the love of an ordinary user due to the need for constant monitoring. And since sometimes there is not enough knowledge to make decisions, even a user who uses a firewall either blocks the desired process, which often leads to network failure and disruption of programs, or vice versa - it allows malicious code. My favorite thing is to block everything and remove the program as “interfering" ...
Alas, most often it happens.
Of course, it is recommended to use a non-standard browser due to its inferiority and binding to the kernel of the system.
The weakest link is the gasket between the chair and the PC. That means to strengthen the link - the hands must be shortened (c) Popular wisdom.
One of the most effective measures is to restrict user rights in the system itself, but most often users are too lazy to spend time creating a separate account. And a number of programs refuse to install, configure, and just run under limited profiles.
In this case, the well-known utility DropMyRights will be useful, limiting the rights of the launched application.
It supports 3 access levels. The lower the rights, the lower the program’s capabilities. Say, for the same IE at the lowest, functions such as active-x are not available.
This method has proven itself in clients from the "high risk" group. And although some sites are not displayed correctly, but for the sake of security, this point can be neglected.
Alternatively, you can also use programs that make the system roll back after the session ends, but, as practice shows, they are not very suitable for home use.
And although in recent years there has been a sharp decline in the activity of winlockers, probably in the near future we should still expect new various modifications of various types of ransomware, and hence new epidemics. It is impossible to ensure complete security without pulling the user's hands behind his back, and until the user, taught by bitter experience, hears the advice of more experienced colleagues and treats his security with great attention, millions of infected computers will work to the detriment, and hundreds of millions of rubles will go into the pocket of virus writers.
Yes, and the problem must be solved, most likely, comprehensively:
- AV software developers to improve their products;
- Users to be more educated and less "curious";
- Providers to deploy services to make the network more secure;
- Aggregators complicate the procedure for registering numbers for all kinds of crooks;
- And the security authorities should take more concrete measures for fraudsters and conduct explanatory moral and cultural conversations with them, so that they change their minds and no longer repair undesirable matters ...
Well, on your part, I am glad to listen to your wishes, criticism and just share your experience.