Security researchers from Emsisoft have come across an interesting piece of ransomware which they’ve dubbed Linkup (Trojan-Ransom.Win32.Linkup). While other such Trojans lock up computers or encrypt the files stored on them, Linkup prevents users from accessing the Web.
When the owners of infected devices want to visit a website, they’re presented with a message that appears to come from the Council of Europe.
“Internet access is temporarily blocked,” reads the message on the screen. Victims are told to provide their personal and financial information to establish their identities.
Internauts are informed that they only have to pay €0.01 to unlock Internet usage, but experts believe that the amount that victims end up paying is much higher.
So how does this threat block Internet access?
According to researchers, when it’s first executed, Linkup disables Windows security features and the operating system’s firewall, and makes a copy of itself under the name svchost.exe. Then, the malware contacts its command and control server.
Linkup receives a command to redirect all HTTP requests to the ransomware website. It makes a number of modifications in the registry to ensure that every DNS request is redirected.
However, Linkup is not designed only to block Internet access. Once it infects a computer, the threat downloads an additional component that’s actually a Bitcoin miner.
Devices infected with the malware actually become part of a Bitcoin mining botnet.
Read more: http://news.softpedia.com/news/Coun...sers-from-Accessing-the-Internet-423760.shtml
Detailed analysis of Trojan-Ransom.Win32.Linkup by Emsisoft: http://blog.emsisoft.com/2014/02/03...somware-linkup-blocks-dns-and-mines-bitcoins/
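A triage sketch for the three host changes the article describes (a copy named svchost.exe, the firewall switched off, DNS redirected), added here as an example and not taken from the article or from Emsisoft. The snapshot format, the approved-resolver list, the sample paths and addresses are all constructed assumptions; the article does not name the file location or the registry values involved.

```python
import ntpath

# Directories where the genuine Windows svchost.exe lives (lower-cased).
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def masquerading_svchost(image_path):
    """True if the image is named svchost.exe but sits outside the system directories."""
    directory, name = ntpath.split(ntpath.normpath(image_path).lower())
    return name == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS

def unapproved_dns(interfaces, approved):
    """Map each interface to the resolvers it uses that are not on the approved list."""
    findings = {}
    for iface, servers in interfaces.items():
        bad = [s for s in servers if s not in approved]
        if bad:
            findings[iface] = bad
    return findings

def triage(snapshot, approved_dns):
    """Return (indicator, detail) pairs for the three behaviours the article lists."""
    findings = []
    for image in snapshot["process_images"]:
        if masquerading_svchost(image):
            findings.append(("svchost-outside-system-dir", image))
    if not snapshot["firewall_enabled"]:
        findings.append(("firewall-disabled", "Windows Firewall is off"))
    for iface, bad in sorted(unapproved_dns(snapshot["dns"], approved_dns).items()):
        findings.append(("unapproved-dns", f"{iface}: {', '.join(bad)}"))
    return findings

# Constructed sample data (documentation-range addresses, made-up paths).
APPROVED_DNS = {"192.0.2.53", "192.0.2.54"}
SNAPSHOT = {
    "process_images": [
        r"C:\Windows\System32\svchost.exe",
        r"C:\Users\alice\AppData\Roaming\svchost.exe",
    ],
    "firewall_enabled": False,
    "dns": {"Ethernet0": ["198.51.100.7"], "Wi-Fi": ["192.0.2.53"]},
}

if __name__ == "__main__":
    for indicator, detail in triage(SNAPSHOT, APPROVED_DNS):
        print(f"{indicator}: {detail}")
```

Any one of these findings has benign explanations on its own; the combination on a single host is what matches the behaviour described above.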