The warning, delivered under an official-looking Federal Bureau of Investigation logo, goes something like this:
Warning: Your PC is blocked for one of the reasons specified below. You have been violating Copyright and Related Rights law (Video, Music, Software) and illegally using or distributing copyright content, thus infringing Article I, Section B, Clause 8, also known as the Copyright of the Criminal Code of the United States of America.
The text, which generally runs to nearly a full page, goes on to accuse the user of downloading and/or distributing illegal pornography, distributing malware, or other such abuses and specifies legal penalties including fines or imprisonment that apply. Scary stuff, made all the more compelling because, in many cases, the user has recently been on a porn or torrent site.
Then comes the punchline:
To unlock your computer, you must pay the fine through Moneypak of [$100, $200, $500, depending on the version]
along with a list of instructions explaining how to complete the transaction. MoneyPak is a newish form of money transfer supported by a number of organizations, sort of like a digital money order. Flanking the screen are the logos of the retail outlets that provide MoneyPak services.
The computer is completely blocked and unusable during all of this. Admin tools don’t work, programs won’t load, nothing. The only thing you can do is log off or shut down.
It’s all a scam, of course, playing on the fear (and guilt) of millions of Internet users across the US. I have to admit, up to the part about MoneyPak, it’s a pretty good scam, too. Most people, realizing that something doesn’t add up, eventually figure out they’ve been had. But many do not, and so they go ahead and pay the “fine.” Which, of course, does absolutely nothing.
The FBI Virus exploits security weaknesses in the Windows OS, and is typically delivered surreptitiously when the user visits an infected site or clicks on a teaser link. Some versions activate the warning and lockdown right away. Others do so after a restart. Although many infected sites are guilty of nothing more than, perhaps, a lack of vigilance, the conclusion is inescapable that some infected sites’ owners are in partnership with the malware makers for a share of the illicit profits.
This is no amateur effort. The programming is high-order, thorough, and creative. The malware is well-defended and will disable any installed anti-malware software. Early versions could be bypassed in Safe Mode, but newer variants have removed that option. Attempting a safe start will trigger a Bluescreen followed by a restart. In addition, most online removal tools, such as MalwareBytes and Combofix, will not detect the malware if they even work at all. It is, as we say in the business, a real bitch.
Unfortunately, any instructions I provide for removing this digital pest would probably be obsolete by the end of the week. New variants of the FBI virus are coming out almost weekly, and each is more robust and insidious than the one that came before. In some cases, the malware resides in a tiny hidden partition created at first infection. You would never notice it unless you looked for it. This partition is made active in place of the boot partition, and the hidden, encrypted software this partition contains modulates all of the computer’s activities. Deleting the hidden partition and making the boot partition active once again allows access to the computer in safe mode, at which point standard antimalware programs can be used to remove the remnants.
In other cases, the active ingredients are hidden inside the Appdata folder in the user profile active at the time of infection, as well as in the ProgramData folder in the root. The executables are randomly named, but each occurrence of it will bear the same randomly generated name. Executables are timestamped with the time of first infection. Supporting files (graphics and text snippets) are created with each reboot and timestamped accordingly.
The good news is, the FBI and other Federal law enforcement agencies are going to go after this with both barrels. The bad new is, the perpetrators are hiding behind layers of anonymity that will be very difficult to penetrate, and are most likely residing in places such as China, Russia, or any of a number of former Soviet satellite states, jurisdictions with weak or corrupt law enforcement and nonexistent extradition agreements with the US.
The further bad news is: We ain’t seen nuthin’ yet. the FBI Virus marks a major escalation in the evolution of Internet threats. Whereas previous generations of this type of scamware were typically more of a nuisance than a threat and, generally speaking, not especially destructive or difficult to remove with the right tools, this one goes for the jugular. I really hate to say this, but God help us if the current trend continues, and there is no reason to believe it will not.