Slashdot Mirror


New Malware Simulates Hard Drive Failure

An anonymous reader writes "A nasty strain of malware goes beyond mere sensational alerts; it makes it seem the user's hard drive is failing. It moves files from All Users and the current Windows user's profile into a temporary location, making it appear as though problems with the hard drive are causing files to disappear. It also disables a user's ability to change wallpaper images and sets registry keys to hide certain icons — giving the impression that programs are going missing as well. Of course, it's all done in an attempt to get people to buy the software that will fix it."

39 of 294 comments

  1. Hey buddy! by MrEricSir · · Score: 4, Funny

    Nice computer you got there. Would be a shame if anything were to happen to it. My buddy Vinny here, he sells "protection" against these kinds of problems. You pay every week, and there ain't gonna be no problems, capiche?

    --
    There's no -1 for "I don't get it."
    1. Re:Hey buddy! by R3d+M3rcury · · Score: 2

      This reminds me of a funny trick to play on somebody from back in my mainframe days...

      Create a directory with the same name as the home directory inside the user's home directory. Set a login script to place the user into that directory.

      So they try to get to their files and there's nothing there. Everything looks normal. Usually, someone with half-a-clue can figure it out pretty quickly, but it does provide that brief moment of terror that gets the blood pumping in the morning.

    2. Re:Hey buddy! by ozmanjusri · · Score: 5, Funny

      what do you mean "Windows"?

      "Windows" is a computer operating system used by many people, most often without the owner's permission.

      --
      "I've got more toys than Teruhisa Kitahara."
    3. Re:Hey buddy! by Anonymous Coward · · Score: 3, Funny

      That reminds me of a trick I used to play back in my mainframe days too. I'd just delete everything a user had in their directory. Man, you should have seen the look on their faces. I'll never forget the feeling of power I experienced either....

    4. Re:Hey buddy! by PCM2 · · Score: 3, Interesting

      Actually I think the word you both are looking for is "straw man."

      --
      Breakfast served all day!
    5. Re:Hey buddy! by MstrFool · · Score: 2

      There was a prank going around the Gateway 2000 tech centers that I found quite amusing. Do a screenshot of the desktop, set it as the background, then move the icons to a folder. I found it really showed the clued from the clueless. Quite a few techs called for someone to fix their system. And no, I wasn't the one doing it, though I was the one to fix it many times.

      --
      Question reality.
    6. Re:Hey buddy! by Oligonicella · · Score: 2

      I never understood nor looked on with anything other than raw hate, fucking around with another person's work or personal machine. You're deciding for your personal, shallow jollies that someone else's property and time have no value other than to amuse you. Do that to mine and there will be definite and unavoidable physical violence. I will even get fired to do it.

  2. The Game of Catchup by MightyMartian · · Score: 4, Insightful

    Had this one get on one of the computers I administer. Managed to poison the profile and for a brief while I thought the files had been deleted. Of course, I got the inevitable "isn't your AV and anti-malware software up to date", to which I responded "As much as can be, the user is relied upon not to be a simpering moron who clicks on every possible link."

    Oh, and by the way, Microsoft, your fucking browser still sucks and is still atrociously insecure. Shape up, Redmond.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
    1. Re:The Game of Catchup by The+Dawn+Of+Time · · Score: 3, Insightful

      "it's like a computer, only useless."

    2. Re:The Game of Catchup by gad_zuki! · · Score: 3, Insightful

      >Oh, and by the way, Microsoft, your fucking browser still sucks and is still atrociously insecure. Shape up, Redmond.

      Really? Care to point to some statistics showing me big holes in IE9 that are actively used by malware?

      Not much out there. Oh, there's no shortage of Java, Flash, and Adobe Reader holes, and according to stats lifted from crimepacks those are the ones used.

      I just looked at the stats on my website. 90% of those users have Java installed. How many of those are the latest version? Maybe 50%. Most of the Flash installs are not the latest version. Who knows what version of Reader they have.

      Plugin security is a nightmare right now. Blame Sun and Adobe for not having autoupdaters like Chrome does for Flash. Joe User has no idea what he's doing with a computer. Blaming MS isn't really helping him.

    3. Re:The Game of Catchup by mrnobo1024 · · Score: 3, Informative

      That's all well and good in a corporate environment, but do you really expect every home user to have his own personal IT department?

    4. Re:The Game of Catchup by 19thNervousBreakdown · · Score: 2

      Anything I want to use less than two weeks from now.

      --
      <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
    5. Re:The Game of Catchup by MobileTatsu-NJG · · Score: 3, Informative

      > This is why the only solution is a GNU/Linux solution..

      I'd love to see your MRI scan while you tell people this.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    6. Re:The Game of Catchup by Attila+Dimedici · · Score: 3, Insightful

      Except that Windows does not have anything like the Ubuntu Software center, or whatever the repository is called in other distributions.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    7. Re:The Game of Catchup by Bacon+Bits · · Score: 4, Funny

      My relatives certainly seem to think they do.

      --
      The road to tyranny has always been paved with claims of necessity.
    8. Re:The Game of Catchup by Attila+Dimedici · · Score: 2

      That is certainly a possibility. However, the repository model does certainly provide for much greater security, especially when it contains such a large range of free software as most current Linux distributions. Considering that the Apple IOS app store model is the same sort of distribution model it seems likely that it scales.

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    9. Re:The Game of Catchup by hairyfeet · · Score: 4, Insightful

      You forgot the third part...spend endless hours on the forums cursing because "update foo broke my (insert device) drivers!". Seriously someone needs to hunt down Torvalds and give that sucker a good ass kicking.

      It is 2011 and he still acts like it is 1992 and the kernel is his personal playtoy. Every single decent OS, OSX, Windows, Solaris, BSD, hell even OS/2, has had driver level ABIs for a decade or more, yet Torvalds still refuses to allow this simple fix to keep from borking everything when he gets an itch to fuck with shit.

      So I'm sorry but as a retailer that step three makes it so I'm unable to sell machines with your OS, or support your OS after the sale. The annual forum hunts just suck too much of my already limited time. Fix that and the whole "software tied to which kernel you're using" mess and then I'll be happy to help your OS grow in numbers, but as it is now it is better to stick with Windows, even if the occasional user stupidity manages to get through the AV (usually because they tell the AV to allow it because the malware promises them some reward for doing so) than to have the guaranteed breakdown every six damned months for the life of the machine thanks to Torvalds and his kernel fucking.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    10. Re:The Game of Catchup by Ihmhi · · Score: 2

      Here's what works for me. "If I were a plumber, I sure as hell wouldn't unplug your toilet for free. That's my livelihood, and the only person who gets a blank check in my business is my mom."

    11. Re:The Game of Catchup by inflex · · Score: 2

      Agreed. Even if the ABI over time supports less and less of the available functionality at least it's -something- that's stable. The fact that linux does have as many drivers as it does is testament to the persistence of the masochists out there. I appreciate what Linus is trying to avoid but at the same time we're getting to the point where the kernel needs to offer an olive branch to people who have more to do in their lives than just update their driver code every time the kernel twists and turns.

    12. Re:The Game of Catchup by RobbieThe1st · · Score: 2

      Ah, but there's a few problems with that:
      1. No universal package. So, you can guess deb and be right for that 50 percent(at best) of the Linux using population, but still... You've halved the number of potentially infectable systems.
      2. Some distributions don't have such a GUI method; Debian for example. Which limits your malware's influence even further.
      3. Gdebi, at least, comes up with a big red warning if you try to install an unverified package, which should provide /some/ security.

      4. Any multi-user system, corporate install or geek-installed system will probably not allow sudo or root access to our luser's account, meaning that such an install won't work. The previous idea of a downloaded executable is more likely, as it could run using user permission.

      I just think it'd be a lot harder than it would be on Windows or Mac, because on Linux everyone's used to using the repos for installing everything - Install by doubleclick isn't going to be done by accident.

    13. Re:The Game of Catchup by hairyfeet · · Score: 3, Insightful

      Thank you! You are the FIRST one that hasn't screamed and reached for the pitchfork, even though as I pointed out every single other OS with any numbers at all has had this "feature" (which I wouldn't call a feature, just common sense design) for over a decade. The only answer you usually get is a link to the religious rant against ABIs, where the writer goes so far as to call those that don't hand the developers ALL of their code "leeches" and hopes that Torvalds breaks their drivers often even when that bones the very users Linux so desperately needs.

      Look Linux guys, I'm a small town computer retailer the kind of guy you want on your side because MSFT doesn't give us any breaks (I use System Builders and OEM) and I actually care about my customers and want them to have a safe and happy computing experience. Linux would mean less costs, so I would be able to sell for lower prices or offer better hardware, it would be a win for me AND my customers!

      But I simply cannot in good conscience offer your OS, when even with 20+ years of computing experience I often bash my head against the wall fighting the damned thing! An update should never break drivers okay? And certainly not when you are cranking out said updates on a 6 month schedule. At that pace just as you get the thing finally running stable here it comes! yet another week or two spent scouring the web looking for "fixes" that involve huge messes of CLI that must be typed PERFECTLY or they cause havoc. Do you HONESTLY think I can offer that to my customers? People who just want to use a PC, not get an education in Linux forums and Bash commands?

      And before anybody says LTS let me say that LTS is a really bad joke, because as long as software is tied to which kernel you are using LTS is simply a codeword for "can't use any new software" and the fact that software is actually tied to which kernel you have just shows the madness that is the kernel situation!

      I want Linux to succeed, I really really do. I have written articles pointing out what needs to change for small businesses and retailers to embrace Linux, and I remember the days of OS/2 and GEM and Commodore and how nice it was to actually have plenty of choice. But the current situation in Linux on the desktop is like a bad joke, with broken drivers, constantly shifting internals, user programs tied to which kernel you are using, dependency hell like the old days of Win9X, and to top it all Torvalds constantly making major changes which breaks programs and drivers left and right without a care in the world, like the kernel is his personal plaything and not the center of a multibillion dollar OS with millions depending on it.

      So please Linux users, demand change. Demand Torvalds give a functional ABI or step down so someone else can give you what everyone else has had for over a decade, demand that while CLI still be optional that all software be usable without it, demand stability and the ability to keep software past an update, and demand that the 6 month update insanity be replaced with a more reasonable 3 or 5 year schedule, with plenty of beta testing before being handed to the masses. Because there are plenty of guys like me that would be happy to line our shelves with your OS, but as it is now just keeping the machines functional past updates would be a full time job. It is 2011, not 1991, and this is simply inexcusable.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    14. Re:The Game of Catchup by snemarch · · Score: 2

      People are quick to slam IE, but in fact most malware goes in through Flash, Java or Acrobat Reader. Internet Explorer certainly isn't perfect, but security-wise it's come a long way; IE8 or IE9 combined with Vista/Win7 on proper UAC'ed accounts is actually pretty decent these days, and the sandboxing helps a fair amount against exploits for the aforementioned three pieces of crapware.

      That said, I run FireFox even though it's technically less secure - I prefer the higher HTML standards compliance and addons.

      --
      Coffee-driven development.
    15. Re:The Game of Catchup by Attila+Dimedici · · Score: 2

      No, MS Update is nothing like the Ubuntu Software center (or the software repositories on other distros). You cannot get software from Windows Update.
      You apparently misunderstand my point. I am not saying that Ubuntu (or Linux in any form) is the end all and be all. My point is that the original poster had a point. The Linux model of software repositories of safe, free software for just about every conceivable purpose means that if I want software to do something that isn't important enough to spend money on it I don't have to search the web and risk that the software I find is malware (or contains malware).

      --
      The truth is that all men having power ought to be mistrusted. James Madison
    16. Re:The Game of Catchup by h4rr4r · · Score: 3, Interesting

      Which drivers?
      Name some specifics, you troll.

      Also 1 in 14 downloads on windows is malware, that is sure going to be breaking machines more than every 6 months.

      Windows will be usable when it has lsof, can replace in use files, and in general starts acting like a multi-user OS.

    17. Re:The Game of Catchup by h4rr4r · · Score: 2

      My IT dept is happy to do such a thing. You just have to sign a little form that lets you know under that setup no troubleshooting nor assistance can be given and the only support in case of issues is to reimage the machine. In reality support is given, but not to the degree a regular user gets and if you lose data TFB.

    18. Re:The Game of Catchup by jimicus · · Score: 2

      Windows actually has most of the features necessary to make it a lot more secure. The problem is that very few people use them (hell, many people don't even know they exist) because of the inconvenience such features would incur. To make life easier, Microsoft even released a tool for XP and Vista called SteadyState.

      Windows 7 has most of the same features baked in but I reckon it's a step back because SteadyState provided a nice, unified, idiotproof GUI for setting the system up in this fashion that didn't require you to step through several hundred irrelevant options. That aspect of SteadyState hasn't been baked into Windows 7.

      I don't think Linux is the solution it's sometimes painted as for a number of reasons:

      1. Many pieces of malware don't depend on OS behaviour to spread, they depend on human behaviour. Which you can't patch by upgrading the OS their PC runs.
      2. As Linux distributions mature, they're appealing to people who don't understand (and don't wish to understand) any of the underlying technology. Case in point: the number of people in any Linux discussion who say "I don't like SuSE because it didn't set up (whatever), but Ubuntu did". Even though the (whatever) in question invariably has more to do with underlying tools common to any Linux distribution, and it's just that Ubuntu ships with a configuration that suits the user better. It would have been considerably less upheaval to learn how to configure the underlying tool than to wipe and rebuild, but that would require learning beyond what the GUI provides.

      It's only a matter of time before someone puts together a Linux distribution that uses something like an SQLite database to store configuration and includes an application that automagically generates appropriate config files at boot - and therefore such config files must be treated as readonly because they'll be wiped at boot. I already know of one embedded product that does almost exactly this.

    19. Re:The Game of Catchup by jimicus · · Score: 3, Insightful

      The problem you describe isn't exclusive to the Linux kernel by any means. I have seen more-or-less the same sequence appear in all sorts of places - OpenLDAP's done it with multimaster replication (and still is doing it with server-side sorts), FreeBSD has done it with journalled filesystems, The Gimp is doing it with CMYK support and I don't doubt there are other pieces of software doing the same thing.

      The sequence of events generally goes something like this:

      1. A specific F/OSS product is missing a particular feature. It may or may not be particularly important, but it's missing for whatever reason.
      2. That feature starts to appear in other software. Maybe commercial software, maybe other free software. In any case, it starts to appear. The person(s) behind the product being discussed don't think it's particularly important and make the conscious decision to ignore it.
      3. It becomes apparent that the feature in question is actually quite useful. But it still doesn't get implemented because that would mean the person who made the original decision not to would have to admit they were wrong - something that many people find very difficult. Anyone questioning this is told "submit a patch" - but it's far more likely they'll just use something else, something that does meet their needs.
      4. It becomes apparent that the feature in question is not useful, it's essential. Still it doesn't get implemented - if anything, the person who decided not to implement it will become ever more vocal in their criticism of the feature. I have actually seen people put together stonking great essays on how the feature is unnecessary - maybe even harmful - to back up this view. It's far too late, of course - by this time it's crystal clear to any impartial observer that the original decision was poor, and anyone still defending it is deluded.
      5. A patch to implement the feature is accepted and the feature is announced with much fanfare at the next major release. No mention of the previous view is made.

      (WTF slashdot? No ordered lists?)

  3. False alert by lucm · · Score: 3, Funny

    A little while ago I was sure I had this malware on my computer. However the actual problem was worse: I had a Seagate hard drive.

    There is an upside with Seagate products: they taught me the importance of using RAID and/or backups.

    --
    lucm, indeed.
    1. Re:False alert by LurkerXXX · · Score: 4, Insightful

      AND BACKUPS! *AND BACKUPS*!!!

      RAID is *NOT* a substitution for backups. Delete a file on the RAID and it's gone. Someone takes the machine, and it's gone.

      Back up your computer to offline media, and make sure to keep a (hopefully encrypted) copy of it at some remote location (like a family member's house, work, wherever).

      RAID IS NOT A SUBSTITUTION FOR BACKUPS!

  4. When web apps... by 3vi1 · · Score: 2

    When web apps pop up a realistic looking XP or Win7 windows claiming virus infection... or the need to run an 'exe' to install a missing codec, it's a good day to be running Linux or OS X. Nothing tells you fraud so much as something that's been polished to a fine point to fool the Windows users.

    1. Re:When web apps... by pz · · Score: 2

      > When web apps pop up a realistic looking XP or Win7 windows claiming virus infection... or the need to run an 'exe' to install a missing codec, it's a good day to be running Linux or OS X. Nothing tells you fraud so much as something that's been polished to a fine point to fool the Windows users.

      Good reason to not have the default color scheme on your windows box. Makes it easy to spot the fake popups.

      --

      Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
    2. Re:When web apps... by amliebsch · · Score: 2

      Most infections START that way. Pop up a browser window with fake widgets and a virus scanner, animate the scrollbar and scare the user with a fake virus alert. The user doesn't realize this is just a browser window and everything in it is faked. Then the scared user clicks the "Clean now" button, voluntarily runs the software, and it's game over. NOW the software can do whatever it wants.

      --
      If you don't know where you are going, you will wind up somewhere else.
  5. Re:Sounds Like System/Windows Recovery by adolf · · Score: 4, Informative

    I just cleaned this off of a computer two days ago.

    It set some registry entry values meant for maximum fuckery, marked every file on the disk that it could access as being hidden (thus even "dir" from a command line would result in "File not found"), nuked the contents of the start menu, and did some other mean stuff.

    Malwarebytes removed it but left the registry broken (which is arguably correct behavior). I changed the registry entries by hand, and I restored the start menu from an earlier copy.

    After that, things were happy...except for a lingering, and possibly unrelated, issue with links from Google being redirected to spam. This turned out to be an infected Windows DLL, which "sfc /scannow" couldn't/didn't bother to fix. I was just about to give up on the machine for a happy time of nuke/reinstall, and another half-dozen hours of putting the machine back how it was... but then I tried combofix and the redirect problem went away, too.

    All said: While I am a little richer having fixed these problems, money is poor compensation for this sort of pain.

    I welcome the day when an affordable online service* can do incremental backups that can be used for a simple, bare-metal restore. Bandwidth isn't the issue anymore, and spinning storage is cheap; where is it?

    *: Yes, online. If it's offline, that means that folks will have to think about it on a regular basis, and it won't be done.
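The summary describes the malware hiding files and setting registry policy values, and adolf's comment above describes cleaning those up by hand. The following is an added triage script, not code from the thread or from any tool named in it: it counts user files under the profile that carry the Hidden attribute and checks the standard Explorer/ActiveDesktop policy values that hide desktop icons and lock the wallpaper (NoDesktop, NoChangingWallPaper). Those value names are real Windows policy values, but the page does not name them, so treating them as this strain's exact keys is an assumption; the -Fix switch is optional and intended for use after the malware process itself has been removed.

```powershell
# Added example, not from the Slashdot thread. Read-only by default; -Fix clears the
# Hidden/System attributes and deletes the policy values. Run as the affected user.
param(
    [string]$ProfileRoot = $env:USERPROFILE,
    [switch]$Fix
)

# Standard policy values that hide desktop icons or prevent wallpaper changes.
# Assumption: this is how the strain in the summary achieves those effects.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoDesktop' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' }
)

foreach ($check in $policyChecks) {
    $name = $check.Name
    $item = Get-ItemProperty -Path $check.Path -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $value = $item.$name
        Write-Host ("[policy] {0}\{1} = {2}" -f $check.Path, $name, $value)
        if ($Fix -and $value -ne 0) {
            Remove-ItemProperty -Path $check.Path -Name $name
            Write-Host "         removed"
        }
    }
}

# A normal profile has a handful of hidden items (AppData, NTUSER.DAT, desktop.ini);
# hundreds of hidden documents is the symptom the thread describes.
$hidden = Get-ChildItem -Path $ProfileRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
        $_.FullName -notlike "$ProfileRoot\AppData\*" -and
        $_.Name -ne 'desktop.ini' -and
        $_.Name -notlike 'ntuser.*'
    }

Write-Host ("[files] {0} hidden user files under {1}" -f @($hidden).Count, $ProfileRoot)
# Show the ten directories with the most hidden files; a mass-hide shows up as
# Documents, Desktop and Pictures near the top.
$hidden | Group-Object { Split-Path $_.FullName -Parent } |
    Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object { Write-Host ("        {0,5}  {1}" -f $_.Count, $_.Name) }

if ($Fix) {
    # Drop only Hidden and System (set together by this kind of malware); keep Archive etc.
    $mask = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
    foreach ($f in $hidden) {
        $f.Attributes = [IO.FileAttributes]([int]$f.Attributes -band -bnot $mask)
    }
    Write-Host ("        cleared Hidden/System on {0} files" -f @($hidden).Count)
}
```

The policy values are also set by legitimate group policy in managed environments, so a non-zero value is only evidence on a home machine where nobody configured it deliberately.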

  6. Re:Sounds Like System/Windows Recovery by amliebsch · · Score: 2

    If this is Win7, it doesn't have to be online. Just attach an external USB disk and tell it to back up there. It will automatically do an image+incrementals, auto-delete the oldest images when the disk is getting full, and can be bare-metal restored booting from the Windows DVD. It's actually pretty sweet.

    Also: if the registry is hosed, system restore should be able to help you out.

    --
    If you don't know where you are going, you will wind up somewhere else.
  7. Re:My end users say it was coming from MSNBC.com by Mashiki · · Score: 4, Insightful

    And sites complain when people block ads. This is of course why anyone with a brain blocks ads.

    --
    Om, nomnomnom...
  8. Re:Sounds Like System/Windows Recovery by adolf · · Score: 2

    If the malware takes control of the PC (which it does, in the context of the FA), then having a single, locally-attached backup disk isn't necessarily a good answer: It can destroy/disrupt the backup just as easily as it can anything else on that PC.

    A well-thought-out rotation of backup media would help, but that's no good because it involves humans who simply won't do it.

    This wouldn't be a problem, so much, with good online storage: Even Dropbox does a good job of keeping old copies of your data intact for a period of time. I simply want the concept extended to an entire disk, with metadata intact, to enable a bare metal recovery.

    This, combined with extra, out-of-band human verification (SMS?) for when you Really, Really want to destroy backup data, would work well against malware.

    (And, yeah: I did use System Restore eventually. I consider it to be a last resort, though, simply because I am ignorant as to the extent of its workings and I am prejudiced against system-level programs which do not provide meaningful feedback as to what they're doing.)

  9. Legal action? by morikahnx · · Score: 2

    If the company in question is linked to the trojan, can we take legal action against them? It looks like an open and shut case.

  10. Administrative Access? by theamarand · · Score: 2

    Operating systems are still running user applications as an administrative user? I sign into my systems as a regular user, and I execute applications as a regular user. Administrative privileges should be for approved installation and removal of applications. On the other hand, it's silly to think that in this day and age, malicious behavior isn't automatically detected by the operating system and squashed - and I don't mean by an anti-virus or anti-malware application that one needs to purchase. Operating systems should have security built-in, not tacked-on later.

  11. What a scam! by CrazyJim1 · · Score: 2

    If your hard drive is failing, software won't fix it. This could be as funny as creating a virus to say your computer's flux capacitor is overheating and you'll need to buy a replacement through exmechanicgoneonlinescammer.com.