BKA trojan goes on an international holiday
The family of malware known as the BKA trojan has increasingly established an international presence. In Germany, where the malware is also known as the Ukash or Paysafe trojan after its preferred methods of payment, the ransomware blocks a user's computer with a message purporting to be from the Federal Police and demands a payment to unlock it again. Variants in the UK have been rebranding essentially the same threat with the logo of the Metropolitan Police. Now the trojan has surfaced in the US, pretending to be a message from the FBI, and in Portugal with fake branding of the Polícia de Segurança Pública Portuguesa.
The French web site botnets.fr has collected screenshots of the different versions of the malware, which it calls Reveton. The FBI has also issued a warning about the threat, saying that the government's Internet Crime Complaint Center (IC3) has received a large number of complaints about the malware. According to the FBI, many victims actually pay up and only call for help when the trojan does not unlock their computer.
The trojan extorts money by telling victims that illegal pornography or material that violates copyright has been detected on their computer and that they must pay a fine to the local police authority or face prosecution. The displayed page usually copies the local police authority's branding well enough to fool many users. In some cases, the trojan also shows the user images from their own webcam, pretending to monitor them. Apparently, these images are only a scare tactic and are never actually streamed over the internet. The trojan is usually customised to use payment methods that are hard to trace, which vary from country to country. In Germany, Ukash and Paysafe are used; the US versions accept payment via MoneyPak and Paysafecard.
Removal of the trojan is difficult at best. The German Anti-Botnet Beratungszentrum summarises helpful information on how to clean the trojan off affected systems on its web site. Some versions of the trojan even encrypt files on the system. In most cases, the Reveton trojan is not the only malware on affected systems – it is often found in conjunction with other malware that steals personal data and banking credentials. The trojan is usually introduced to the system through unpatched security holes in browser plugins such as Flash, Java or Adobe Reader.
It is currently not known whether the different versions of the trojan all originate from one source or if more than one group is behind the scam.