[sf-lug] "RANSOM VIRUS" ATACHED TO WEB SITE?

Michael Paoli Michael.Paoli at cal.berkeley.edu
Wed Jun 7 21:21:45 PDT 2017


Ubuntu 16.04.2 isn't *that* old - I show it as released
on or around 2017-02-17
http://fridge.ubuntu.com/2017/02/17/ubuntu-16-04-2-lts-released/
... 64-bit? or 32-bit?

Curious also if I could replicate issue - fire same (16.04.2 with
no further updates/patches) up on
virtual machine, try the URL, etc.
I have some *buntu 16.04.2 ISOs, but I don't have
16.04.2 in Ubuntu flavor.  Maybe time for me to do a 'lil
zsync to get that version of ISO.

Oh, also, I tried the phone number - from a pay phone around 9:01 P.M. PDT.
I gave up waiting after the 10th ring.  I also noticed in calling,
sounded like it may first connect somewhere, then forward that by dialing
yet another number - sounded like fairly faint rapid DTMF dialing from
some automated forwarding almost immediately after the initial dialing.
Anyway, very possible the toll-free provider is just another compromised
victim hop along the way that's stuck paying for inbound and outbound
calls along the way - and adding another layer of obfuscation along the
way.  Might be possible, if someone has the right equipment, to pick up
and decode those DTMF tones - they're fairly faint and quick, but proper
equipment may suffice ... might be useful if that's actually part of
some automatic forwarding going on - might also just have been
coincidental line interference/timing - I've not repeated the experiment.

> From: Mikki <mikkimc at earthlink.net>
> Subject: Re: [sf-lug] "RANSOM VIRUS"  ATACHED TO WEB SITE?
> Date: Wed, 7 Jun 2017 20:46:03 -0700 (GMT-07:00)

Hi, All

It is the Ubuntu 16.04.2 distro, loaded and received 2017-04.  The
machine is the Asus 1000 eee.  I have no Window or wine sites on the
machine.  I had just recently learned of Startpage, and it is called
up after getting firefox.  The machine was and is on ethernet,
hardwired.  I am a gui user, and will be having difficulty using
terminal.  Bobbie suggested clam-av as an antivirus antidote.  I am
still looking for it.

The website was :

"ROAST PORK LOIN - HELPFUL COOKING TIPS & TRICKS -
PORKBEINSPIRED.COM?"

The screen definitely was frozen, the computer also.  I had to force
the machine to turn off.  And the threat was real.  All the files of
folders: /desktop/ and /desktop/documents were erased.  I retrieved
a backup copy of the older /Documents.

Dinner /WAS/ at 7:30, adequate and delicious.  But I used the pot
roast method.  Sorry about that.

Bless All

Mikki

-----Original Message-----
> From: John
> Sent: Jun 7, 2017 7:58 PM
> To: Michael Paoli
> Cc: Mikki , SF-LUG
> Subject: Re: [sf-lug] "RANSOM VIRUS"  ATACHED TO WEB SITE?
>
> I wanna know about the pork loin roast!  What time is dinner?
>
> John
>
> Sent from my iPhone
>
>> On Jun 7, 2017, at 7:48 PM, Michael Paoli  wrote:
>>
>> Hmmm,
>>
>> What operating system?
>>
>> It says "started the computer" ... and "Ubuntu 16 on my notebook"
>> but never states if "the computer" and "my notebook" are
>> one and the same.
>> If it's not Linux, else-list may be more useful.
>> If it's BSD or Unix, buug.org might be useful.
>>
>> If it's Linux (or Unix or BSD) I'd be curious about details of the
>> infection vector and how out-of-date the software was on the
>> computer, or what other actions made it possible to (presumably)
>> become infected.  Others may also be rather interested in such.
>> Good forensics analysis may be useful/informative.
>>
>> Of course, note also lots of web sites will pop up fake threat stuff.
>> I sometimes find it slightly amusing to have some cr*p site pop up
>> some "warning" about "my computer" that is 100% irrelevant to my
>> Linux based operating system.
>>
>> Also not mentioned is what version of the start page, and what it
>> was configured to use for searching.  Also not clear from the
>> description if the (presumed) infection occurred after clicking link
>> in search results, or may have occurred before that, and timing of
>> indicators of infection may have been more or closer to coincidental.
>>
>> Also not mentioned is networking - e.g. *direct* Internet connection,
>> or through NAT/SNAT (and with possible hardware and/or software
>> router/firewall), or ... well, it does say "internet ethernet cable",
>> but isn't more specific on that.
>>
>> Hopefully, if it's Linux, we'll hear some more relevant details,
>> and the issue will get resolved, and perhaps many may learn something
>> from it.
>>
>> Good that you reported it to FBI and gave 'em the number that you
>> got.
>>
>> Do be aware, "800" (toll free) numbers, the customer generally
>> gets ANI with that - so if one calls such a number, there's no
>> way to block your calling number.  (I'm a bit curious to call
>> the number and see what I might determine - but with a toll-free
>> number, I'd probably place call from that endangered species
>> known as a public pay phone).
>>
>> Sounds like at minimum it's "drive by" (web pop-up) scam,
>> but if it actually altered/damaged/removed/encrypted any files
>> (notably without consent, etc.), then it's likely something
>> more serious - and presumably involved some type of exploit
>> or trickery.
>>
>> http://www.catb.org/esr/faqs/smart-questions.html
>>
>>> From: Mikki
>>> Subject: [sf-lug] "RANSOM VIRUS"  ATACHED TO WEB SITE?
>>> Date: Wed, 7 Jun 2017 17:22:18 -0700 (GMT-07:00)
>>
>>> HI, ALL;
>>>
>>> Today early I started the computer, moved immediately to Firefox,
>>> started Startpage, and typed in:  "pork loin roast."  I selected the
>>> item at the top of the list, and immediately got a frozen screen and
>>> computer, with vocal override saying that this was a program that
>>> froze my computer, "because someone had illegally used my ISP and such
>>> to access a site of viruses."  The screen box said that I could get
>>> the computer unfrozen by calling a certain number (1-866-217-8944.)
>>>
>>> I called the number of a friend who is more versed in computers
>>> than I, and he said it was the ransom virus common in Europe, but
>>> seemed rare in US, and on Linux distros.  I have Ubuntu 16 on my
>>> notebook.  I asked him to call Bobbie and ask her to call me, when he
>>> got back home.
>>>
>>> I then called the number given in the site, and they said they
>>> could unfreeze my computer for $199.  I declined, and disconnected the
>>> computer from the internet ethernet cable, and turned the machine off
>>> with the manual button.
>>>
>>> Bobbie called a while later, and said that there is a file called
>>> clam.av, or clamav, or something like that which I haven't yet found,
>>> which searches and deletes Windows type viruses.
>>>
>>> When I re-activated the machine, most of what I had on the desktop
>>> and in the document file, (on the Desktop) were gone.  Fortunately, I
>>> frequently back up to an external hard drive, so it has not been a
>>> total disaster.
>>>
>>> I called the FBI 1-415-553-7400, ignored the website for internet
>>> crime, and reported it several selections later.  The agent or clerk
>>> said that this is becoming quite a problem, and that I had handled it
>>> correctly, not paying and de-activating my machine.  They will
>>> investigate the number I was given.
>>>
>>> I have since retrieved the older Desktop/documents file, and
>>> recovered the needed files for rebuilding the files I could.
>>
>>
>> _______________________________________________
>> sf-lug mailing list
>> sf-lug at linuxmafia.com
>> http://linuxmafia.com/mailman/listinfo/sf-lug
>> Information about SF-LUG is at http://www.sf-lug.org/
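One way to answer the questions raised in this thread about the infection vector and whether the "locked" page really came from the top search result, as an added example that is not code posted by anyone on sf-lug: pull the Firefox visit timeline around the incident out of the profile's places.sqlite and walk the referrer chain back from the page that showed the warning. It assumes Firefox's real moz_places/moz_historyvisits layout (a subset of the columns; visit_date is microseconds since the Unix epoch, from_visit links a visit to the visit that referred it). Every host, title and timestamp in it is constructed sample data on .example domains, not the victim's actual history.

```python
"""Reconstruct which pages Firefox loaded around the moment a scareware page
froze the browser, from Firefox's history database (places.sqlite).

Added example for this thread, not code from anyone on sf-lug.
Assumptions: the real moz_places / moz_historyvisits columns (a subset;
visit_date is microseconds since the Unix epoch, UTC; from_visit is the id
of the referring visit, 0 if none).  All URLs and times below are
constructed sample data on RFC 2606 .example hosts."""
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
    place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
"""

# Constructed timeline: search -> recipe page -> ad redirect -> "locked" page.
SEARCH_TIME = datetime(2017, 6, 7, 15, 0, 0, tzinfo=timezone.utc)
INCIDENT_TIME = SEARCH_TIME + timedelta(seconds=20)  # when the screen froze
SAMPLE = [  # (seconds after the search, url, title, index of referring row)
    (0, "https://search.example/do/search?q=pork+loin+roast", "pork loin roast", None),
    (20, "http://recipes.example/roast-pork-loin/", "Roast Pork Loin", 0),
    (21, "http://ads.example/r?c=1", None, 1),
    (22, "http://alert.example/locked.html", "WARNING - Your computer is locked", 2),
]


def to_prtime(dt):
    """Firefox stores PRTime: microseconds since the Unix epoch."""
    return int(dt.timestamp()) * 1_000_000


def from_prtime(us):
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)


def build_sample_db(path=None):
    """Write the constructed history into a places.sqlite-shaped file."""
    if path is None:
        tmp = tempfile.NamedTemporaryFile(suffix="-places.sqlite", delete=False)
        tmp.close()
        path = tmp.name
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    for i, (secs, url, title, ref) in enumerate(SAMPLE, start=1):
        con.execute("INSERT INTO moz_places VALUES (?, ?, ?)", (i, url, title))
        con.execute(
            "INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?, ?)",
            (i, 0 if ref is None else ref + 1, i,
             to_prtime(SEARCH_TIME + timedelta(seconds=secs)), 1),
        )
    con.commit()
    con.close()
    return path


def visits_between(db_path, center, minutes_before=5, minutes_after=5):
    """Visits inside the window around `center`, oldest first.

    Works on a copy and opens it read-only: forensics never writes the
    original, and a running Firefox keeps the file locked.  On a live
    profile copy places.sqlite-wal alongside it (or close Firefox first),
    otherwise the newest visits may still be in the WAL and not the copy.
    """
    copy = tempfile.NamedTemporaryFile(suffix=".sqlite", delete=False)
    copy.close()
    shutil.copyfile(db_path, copy.name)
    con = sqlite3.connect(f"file:{copy.name}?mode=ro", uri=True)
    lo = to_prtime(center - timedelta(minutes=minutes_before))
    hi = to_prtime(center + timedelta(minutes=minutes_after))
    rows = con.execute(
        """SELECT v.id, v.from_visit, v.visit_date, p.url, p.title
           FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
           WHERE v.visit_date BETWEEN ? AND ? ORDER BY v.visit_date, v.id""",
        (lo, hi),
    ).fetchall()
    con.close()
    return [{"id": i, "from_visit": f, "time": from_prtime(t), "url": u,
             "title": ttl} for i, f, t, u, ttl in rows]


def referrer_chain(visits, target_url):
    """Follow from_visit links back from the last visit to target_url.

    Returns the chain oldest first, i.e. how the browser got to the
    warning page (search result click, redirect hop, ...).  A from_visit
    pointing outside the window ends the chain; a loop is cut."""
    by_id = {v["id"]: v for v in visits}
    current = next((v for v in reversed(visits) if v["url"] == target_url), None)
    chain = []
    while current is not None and all(c["id"] != current["id"] for c in chain):
        chain.append(current)
        current = by_id.get(current["from_visit"])
    return list(reversed(chain))


if __name__ == "__main__":
    db = build_sample_db()
    timeline = visits_between(db, INCIDENT_TIME)
    for v in timeline:
        print(v["time"].isoformat(), v["url"], v["title"] or "")
    print("chain:", [v["url"] for v in referrer_chain(timeline,
                                                      "http://alert.example/locked.html")])
```

On the affected machine, with Firefox closed, copy ~/.mozilla/firefox/<profile>/places.sqlite (plus places.sqlite-wal if present) off to an analysis box and call visits_between on the copy with the time the screen froze; the referrer chain then shows whether the warning page was reached through the search result, through a redirect hop from it, or from somewhere else entirely. This only tells you which page was loaded, not what it did; for the deleted Desktop files, file timestamps and the browser's own downloads list are the next things to look at.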
