[sf-lug] "RANSOM VIRUS" ATACHED TO WEB SITE?

Michael Paoli Michael.Paoli at cal.berkeley.edu
Wed Jun 7 19:48:03 PDT 2017


Hmmm,

What operating system?

It says "started the computer" ... and "Ubuntu 16 on my notebook"
but never states if "the computer" and "my notebook" are one and the same.
If it's not Linux, else-list may be more useful.
If it's BSD or Unix, buug.org might be useful.

If it's Linux (or Unix or BSD) I'd be curious about details of the
infection vector and how out-of-date the software was on the
computer, or what other actions made it possible to (presumably)
become infected.  Others may also be rather interested in such.
Good forensics analysis may be useful/informative.

Of course, note also lots of web sites will pop up fake threat stuff.
I sometimes find it slightly amusing to have some cr*p site pop up
some "warning" about "my computer" that is 100% irrelevant to my
Linux based operating system.

Also not mentioned is what version of the start page, and what it
was configured to use for searching.  Also not clear from the description
if the (presumed) infection occurred after clicking link in search
results, or may have occurred before that, and timing of indicators
of infection may have been more or closer to coincidental.

Also not mentioned is networking - e.g. *direct* Internet connection,
or through NAT/SNAT (and with possible hardware and/or software
router/firewall), or ... well, it does say "internet ethernet cable",
but isn't more specific on that.

Hopefully, if it's Linux, we'll hear some more relevant details,
and the issue will get resolved, and perhaps many may learn something
from it.

Good that you reported it to FBI and gave 'em the number that you
got.

Do be aware, "800" (toll free) numbers, the customer generally
gets ANI with that - so if one calls such a number, there's no
way to block your calling number.  (I'm a bit curious to call
the number and see what I might determine - but with a toll-free
number, I'd probably place call from that endangered species
known as a public pay phone).

Sounds like at minimum it's "drive by" (web pop-up) scam,
but if it actually altered/damaged/removed/encrypted any files
(notably without consent, etc.), then it's likely something
more serious - and presumably involved some type of exploit
or trickery.

http://www.catb.org/esr/faqs/smart-questions.html

> From: Mikki <mikkimc at earthlink.net>
> Subject: [sf-lug] "RANSOM VIRUS"  ATACHED TO WEB SITE?
> Date: Wed, 7 Jun 2017 17:22:18 -0700 (GMT-07:00)

> HI, ALL;
>
> Today early I started the computer, moved immediately to Firefox,  
> started Startpage, and typed in :  "pork loin roast."  I selected  
> the item at the top of the list, and immediately got a frozen screen  
> and computer, with vocal over-ride saying that this was a program  
> that froze my computer, "because someone had illegally used my isp  
> and such to access a site of viruses."  The screen box said that I  
> could get the computer unfrozen by calling a certain number  
> (1-866-217-8944.)
>
> I called the number of a friend who is more versed in computers than  
> I, and he said it was the ransom virus common in Europe, but seemed  
> rare in US, and on Linux distros.  I have Ubuntu 16 on my notebook.   
> I asked him to call Bobbie and ask her to call me, when he got back  
> home.
>
> I then called the number given in the site, and they said they could  
> unfreeze my computer for $199.  I declined, and disconnected the  
> computer from the internet ethernet cable, and turned the machine  
> off with the manual button.
>
> Bobbie called a while later, and said that there is a file called  
> clam.av, or clamav, or something like that which I haven't yet  
> found, which searches and deletes Windows type viruses.
>
> When I re-activated the machine, most of what I had on the desktop  
> and in the document file, (on the Desktop) were gone.  Fortunately,  
> I frequently back up to an external hard drive, so it has not been a  
> total disaster.
>
> I called the FBI 1-415-553-7400, ignored the website for internet  
> crime, and reported it several selections later.  The agent or clerk  
> said that this is becoming quite a problem, and that I had handled  
> it correctly, not paying and de-activating my machine.  They will  
> investigate the number I was given.
>
> I have since retrieved the older Desktop/documents file, and  
> recovered the needed fines for rebuilding the files I could.



