Facebook "ImageGate" - Ransomware
New for 2017. There is an exploit happening on Facebook, LinkedIn and other social media sites where attempting to view a picture might prompt you to download it to view it. This file will end in .svg, .js or .hta. NO!!! It's not a picture! Never respond to download requests on Facebook! If you do accidentally download or save the image, DO NOT RUN IT. Clicking the Run button after the file is downloaded will execute malicious code locking you out of your personal data. Your personal photos, documents, spreadsheets, pdf files... poof. All gone.
We all download files. Most are OK and downloading things is how we get things we want onto our computers. But the unintentional downloads are where we need to be careful. How do you know you if you actually need to download something? Experience. Remember things you read like on my site. Any download coming off of Facebook should raise suspicions. To be safe, don't do it.
Here's how downloading files happen.
You click on a link and a download prompt comes up. Once the file is downloaded (usually to your Downloads folder), your browser lets you know it's downloaded and give you the option to run it: Internet Explorer will show you a "Run" option at the bottom of the screen. Firefox has the download arrow on the top left that shows you the file you just downloaded. Chrome's run command is at the bottom left.
Here's a safe test file if you wan to see what happens. This file that I'm linking to is an inert .js file that does nothing. I'm using this as an example of what to watch out for so you can see what it looks like when your computer is prompted to download a file from the Internet. Click HERE. Your browser will give an option to download the file. Once downloaded, your browser will give you the option to run it. If you bypass the option to run it by clicking Cancel, the small "x", going somewhere else or closing your browser, the file is still located in your Downloads folder which can be accessed using File Explorer. That's how downloading works. If you are prompted with this on Facebook or are on the Internet and are not expecting a file download prompt, cancel it.
But back to the malicious "image" files on FaceBook Messenger. Don't agree to download anything from Facebook. It's not worth the risk. Do not run these files if you downloaded them. In fact, you should get rid of them so they are not accidentally executed. Go to your Downloads folder and delete the contents. Use caution because the malicious file(s) will be in there and you do not want to run or open them. Delete everything in this folder unless you know what to look for and can selectively delete.
Always remember that Facebook should SHOW you things like images and embedded videos and you should not be required to agree to open an image in order to view it or download a codec in order to view a video.
Call me if in doubt.
Not malware but if you are gullible, these can cost you money. DO NOT CALL THE PHONE NUMBERS!!. This is a scam. Becoming very common, these fake warnings are typically encountered when someone clicks a link in FaceBook or similar and a full-page popup covers the screen. The design is meant to scare the user into calling a phone number to fix a critical system or security issue. This is a fake. Don't call the number or you will be inviting the devil into your computer. Sometimes these popups are persistent and can be difficult to close. Try Task Manager and close the web browser. Sometimes it's necessary to do a restart on the computer but be sure to do a proper restart and don't just hold the power button in.
Some browsers will remember the previous problem upon reopening and will ask if you want to reload the page(s) you were on last. Of course, you don't so say no.
Below are some example of these full size popups. Most resemble Blue Screens of Death (BSOD). Remember - the Internet doesn't warn us. It tries to trick us and generate revenue. Don't be fooled by these and once clear of the popup, don't go back to the place where it occurred.
See the section below called "Calls From Microsoft" for more details about the scam.
Another fake. Another attempt to trick the user into letting someone into their system who will want to charge money to "fix" it. It's a simple confidence scam where the scammer gains access to the owner's machine with their permission and once connected, they run a built-in password utility called syskey.exe and gives the machine a login password. They do it in front of your eyes but you won't know what it is because it's an unfamiliar utility even to most techs and they also do it very quickly. In less than 5 seconds they can lock a machine down:
The scam continues... once the victim suspects a scam, they hang up and the first time they restart the computer they will be locked out. Then they count on the victim hitting the redial button out of desperation and wiring over the demanded ransom money. This will probably be futile because it will be a different scammer on the line and that one won't know what the first one used as a password.
If you have been victim, do not restart or shutdown your computer, but DO disconnect it from your network by unplugging your Ethernet cable or powering down your modem and then CALL ME. The encryption can probably be reversed but if not, your data can be accessed, saved, and Windows reinstalled. Please do not pay these crooks the ransom.
This one is a recent threat with incidents showing up in my area in the fall of 2014. Symptoms include slow computer speeds, maxed-out CPU, and programs locking up. It seems to hog the local Internet gateway at the expense of other users' Internet speeds. Since regular virus and malware scanners don't detect it, many people may have this one and not know it. Reported delivery methods are by emailed attachments pretending to be a report from UPS, USPS, Fed Ex, etc. informing the potential victim of a missed delivery or late shipment.
Poweliks doesn't deposit a file, gives no false warnings, doesn't try to pose as a legitimate program and doesn't present itself in way that is common to past malware. It adds hidden code to the registry and causes existing Windows processes to surge while sending data packets to an IP address in country called Kazakhstan. What is being passed through this connection is unknown.
Do you have it? Open Task Manager and look at the running processes. If you see multiple high-memory occurrences of dllhost.exe *32 with the COM Surrogate description or something similar with the *32 suffix, you might have it. Since we don't know what is being passed to or from the programmed IP addresses, it would be wise to shut down the computer until the code is removed.
Also known as "ad fraud" and "click fraud". The main symptom is a very slow computer and in Internet Explorer's history you might see a list of sites that you have not visited. Look at the Processes tab in Task Manager and check the running processes. If you see explorer.exe with a number higher than 100 K up to 2,000 K or five to ten processes with the same name using 20-100K each, you may have it.
This type of malware causes your computer go to marketing web sites behind your back with the goal of creating revenue where site owners get paid by advertisers when someone visits their sites. This type of malware can use up bandwidth as well as processing power. Since it easily slips by antivirus programs, you should check your running processes often.
CryptoLocker and other data-encrypting malware are the worst ones I've seen. These actually destroy your personal data like pictures and documents and offer to restore them after you pay a high ransom (hundreds) which may or may not work. Here is a printable handout.
The user gets tricked into running the installer by way of an Internet script-based tripwire loaded from an ad or more often from an enticing email attachment pretending to have a report from FedEx, UPS, USPS, PayPal, your ISP, the IRS, etc.. The installer file is activated, the single-file launcher application is placed in a hidden directory and the single-line instruction is added to the registry. Then it runs from inside and begins to encrypt certain file types. Encryption means your files are locked. The files this one goes after are your important personal data like office documents and pictures. Sometimes the files are encrypted and then your antivirus detects and removes the program. If this happens, you won't get an announcement or a way to pay ransom.
Protection: Suspect all
attached zip files and emailed web links. A zip file
attached to your email is the danger signal. Don't fall for the
What if you already have it?
If you get CryptoLocker or CTB-Locker and your files are worth the ransom it is requesting, the malware files(s) and associated registry entries holding part of the encryption key must not be removed until after the ransom has been paid and your files are decrypted. There are people who have reportedly paid the ransom and have had at least some of their data successfully unlocked.
Again... once tricked, the only way to regain access to locked data is to pay the ransom as instructed by the malware's splash screen:
Data Protection. An important general safeguard is keeping your data backed up and protecting it with the right method. I have a section about backing up data on my Computer Tips page but unless you know how CryptoLocker works and take extra precautions, your backed up data may not be safe from it. From what I have read from IT professionals and those who have experimented with this rattlesnake, the encryption path follows drive letters and encrypts common personal data files it finds on that path. Meaning if you use an external backup drive and it is connected to your computer using an assigned a drive letter or you have manually created a network share on another computer and mapped it using a drive letter, CryptoLocker can find the drive or shared folder and encrypt the data THERE as well.
To check if your external data is vulnerable, go to Computer (My Computer) and if your backup destination sits on the same page as your C: drive and has a drive letter (e.g. E:, F:) or is mapped with a drive letter, your data is not safe.
Here's an important thing to remember... if you have an automated backup program and it runs after your local files are encrypted, those backup files can be replaced with encrypted versions. So if you get CryptoLocker, immediately remove the connected destination drive you use for backups or disable your cloud-based backup until your computer is clean.
My recommendation is to use more secure data backup and storage options which include using Network Attached Storage (NAS) instead of a USB or firewire-connected external drive. If you have mapped network shares that are on host servers, remove the drive-letter maps and use UNC shortcuts (\\%host computer%\%network share%) instead. Of course burning your data to a recordable CD or DVD is safe, albeit outdated and cumbersome, just be sure to remove the disk from the tray if it is not finalized and closed by your disk-burning software.
My personal NAS choice is a Synology DS213j which is a dual-disk unit already configured for RAID 1 (mirrored). The NAS is connected to your router by Ethernet cable and is accessible by approved computers on your network. Note that these units do not normally come with hard drives - you typically add those yourself. The total cost of a NAS storage system is the enclosure plus the drives.
If you have a USB drive you are using for backups and replacing it is not feasible, physically disconnect it from your computer when it is not being accessed during backups.
It will describe a way to stay out of prison by entering a number from a pre-paid money card which can be bought at any store. Don't do it. Money cards are basically cash. You'll lose your money and your computer will still be "locked". Don't do the MoneyPak thing. Call me to remove this.
Not as prevalent these days but in the classic malware, the user landed on a web page, a script from an ad was triggered and the user was tricked into installing it on their own computer by clicking the OK button or the X on a script-generated popup. Below are some examples of these dangerous trip-wires:
click the OK or Cancel buttons or even the "X" -
these and similar pop-ups must be closed by using Task Manager.
Right-click on the clock in your tray and choose Task Manager.
Click the Application tab and "End Task" the pop-up and the web pages
that appear in this list.
Computer viruses are so named because they operate similarly to the viruses that invade our own bodies. A computer virus is caught by exposure and then replicates itself. It spreads internally within the system, spreads to other computers, and it even mutates. Viruses are usually created with the goals of random malicious damage and also maybe to give its creator some satisfaction and notoriety among his peers. Most viruses are written to spread automatically and take on lives of their own.
But malware as discussed here refers to programs that were written to cause specific changes to a computer's software and settings. This type of malicious software installs behind the user's anti-virus, takes advantage of the way Windows operates and alters critical key areas that greatly reduce a computer's functionality to the point of being unusable.
The end-goal of most of today's common malware seems to be to force the user to a web site that promises a removal tool in exchange for a fee. For this reason, these types of malicious programs have also been called ransom-ware.
Once the initial trip-wire has been clicked on, an animated pop-up window posing as a virus scanner loads onto the screen. Examples:
The type of pop-ups above are meant to trick the user into believing that an official virus scan is taking place and that the scan is detecting a large list of viruses, Trojans, and other nasties. These pop-up scanners are fakes as well as the list of infections that it shows that it has found. Common names that these things use includes Antivirus 2010, Antivirus 2011, SecurityTool, Win 7 Security 2012, AV Security 2012, XP Home Security 2012, etc..
Once infected with this type of malware, the user's Internet connection is sometimes cut off or altered where only certain sites can be accessed - it might open your web browser to strange-looking search sites or blank pages but it usually makes a site available where a credit card or bank account number can be entered to pay for a "cure". The desktop wallpaper might be changed to have a scary message and as long as the malware is on the user's system, the random pop-up warnings and fake scans will continue.
Other damages brought forth in a full-blown infection causes programs to not open, prevents the user's real anti-virus from loading, sprinkles distasteful icons on the desktop, and the system will slow to a crawl as random pop-ups repeat themselves. With a certain malware family, the fake scanner and its message load immediately at boot-up and Windows fails to load.
Recent infections cause the disappearance of the Windows Security Center service and will hijack web searches to land on other rigged and potentially dangerous "search sites".
There are a few malware types that hide files and shortcuts. Your Desktop, the Programs list and User Documents directories will seem to be empty. Careful with this one.
My malware removal technique is unique and was developed and perfected during countless and successful removals for customers. It begins with identifying the family of the active malware and proceeds from there where I take actions in a certain order based on the malware type and damages present. After my manual removal/repair, I perform system scans to be sure all remnants, hidden and dormant files from the present and past infections are gone and obscure settings are restored.
Removal attempts by random methods can make the problem worse. As long as no one has tried to remove an infection with the wrong method, my expert removal and damage reversal technique never fails - I know how malware enters, where it goes, how it operates, where its trigger files reside, how to remove it, and how to reverse its damages.
Kitchen-sink approaches using random automated cleaners to remove malware can be destructive and will rarely detect and repair all the varied damages/changes that malware can do to Windows systems. The Windows utility called System Restore should not be used against malware. Invasive cures like ComboFix and SmitFraud Removal are rarely necessary - their use has unnecessary risks and they are not often successful on today's modern malware.
Again - removal attempts performed by the inexperienced can make the problem much worse and can make the repair process more difficult, time-consuming, and sometimes even prohibitive.
If you take your computer to most repair centers for malware/virus removal, the common solution is to reinstall Windows. This will be a costly service and will definitely remove the infection but it will also remove everything else - you will needlessly lose your user-installed programs and customization settings. They will also charge extra to back up your irreplaceable user data.
Reinstalling Windows is
rarely necessary as a solution for viruses and malware. My removal
method is effective, safe, thorough and complete. After I remove
the malware and reverse the damages, I then check, tweak and tune the system to make it run
faster than it did before the infection.
The price I charge for malware removal is included in the house call or drop-off rate. On a reasonably-fast machine, the removal, damage detection/reversal, 2nd opinion scanning procedure and system tune-up will last about 1-1½ hours and if scheduled and brought to my shop, it can usually be done for the basic drop-off fee usually while you wait. Of course malware can be removed onsite at your residence or business for the applicable one-hour house-call rate.
machines when stacked with CPU-taxing applications run painfully slow -
thus slowing down the repair/scanning process considerably. An
additional fee of $30 per half hour may apply to onsite malware repair
on very slow machines. If your machine was really slow before the
infection, the removal process will be slow as well. You'll
already know if you own such a machine and you may want to consider a
Windows reinstall as the best solution.
Since I am very familiar with the mechanics of malware and know how these things operate, I also know how they are best prevented. After my malware removal process, I will explain how the malware got on your system, uninstall the anti-virus that didn't work, and will install my favorite user-friendly, lean-running anti-virus application at no additional charge.
© Copyright 2016 A-Tec Computer