Page 1 of 2 (results 1 to 15 of 16)
#1 bbearren (Super Moderator, Polk County, Florida)

    Chameleon Ransomware on Google Chrome

    A friend called me for help yesterday. His wife's laptop (Windows 8) was misbehaving while trying to access the web using Google Chrome. Launching it brought with it a tab with words to the effect that internet access had been frozen, and all computer files were encrypted.

    I opened File Explorer (which opened without difficulty) and tried a few .docx and .xlsx files. They opened without issue. However, Google Chrome would not access any web site, only the ransomware tab, nor would Google Chrome close normally. I used Task Manager to close it, then opened Internet Explorer, and was able to navigate the web freely.

    I opened Google Chrome again, the ransomware tab opened again, and I looked for a BHO that might be causing the trouble, but could not find a suspect. Using Task Manager again, I closed Google Chrome, then used Revo Uninstaller to get rid of it. After a reboot, there were no further issues. I ran a couple of AV/AM scans that were clean.

    This was evidently picked up from the web somewhere, but I didn't try to go into it that far. It evidently used an exploit in Google Chrome, because it had no other adverse effects on the laptop, and no effect on Internet Explorer. It just disabled browsing with Google Chrome.
    Create a new drive image before making system changes, in case you need to start over!

    "Let them that don't want it have memories of not gettin' any." "Gratitude is riches and complaint is poverty and the worst I ever had was wonderful." Brother Dave Gardner "Experience is what you get when you're looking for something else." Sir Thomas Robert Deware. "The problem is not the problem. The problem is your attitude about the problem. Do you understand?" Captain Jack Sparrow.
    Unleash Windows
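An added check, not part of bbearren's post, for the step where he opened a few .docx and .xlsx files by hand: a PowerShell script that reads the first bytes of every document under a folder and compares them with the signature that file type has to start with. File-encrypting ransomware overwrites contents, so a .docx that no longer begins with the ZIP header has been touched, while a browser locker that merely claims the files are encrypted leaves every header intact. The folder scanned, the extension table and the output layout are my assumptions, not anything the post describes; the byte signatures are the standard ones.

```powershell
# Added example, not part of the post: check whether document contents were
# really overwritten. Assumptions: the folder scanned, the extension table and
# the output layout are mine; the byte signatures are the standard ones.
$Signatures = @{
    '.docx' = 0x50, 0x4B, 0x03, 0x04                          # Office Open XML is a ZIP container
    '.xlsx' = 0x50, 0x4B, 0x03, 0x04
    '.pptx' = 0x50, 0x4B, 0x03, 0x04
    '.zip'  = 0x50, 0x4B, 0x03, 0x04
    '.doc'  = 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1  # OLE2 compound document
    '.xls'  = 0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1
    '.pdf'  = 0x25, 0x50, 0x44, 0x46                          # "%PDF"
    '.jpg'  = 0xFF, 0xD8, 0xFF
    '.png'  = 0x89, 0x50, 0x4E, 0x47
}

function Get-FileHeader {
    # Read the first $Count bytes of a file without loading the whole file.
    param([string]$Path, [int]$Count)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $buffer = New-Object byte[] $Count
        $read = $stream.Read($buffer, 0, $Count)
        if ($read -le 0) { return ,@() }          # empty file: no header at all
        return ,($buffer[0..($read - 1)])
    } finally {
        $stream.Dispose()
    }
}

function Test-FileSignature {
    # $true if the file starts with the signature its extension promises,
    # $false if not, $null if the extension is not in the table.
    param([System.IO.FileInfo]$File)
    $expected = $Signatures[$File.Extension.ToLower()]
    if (-not $expected) { return $null }
    $header = Get-FileHeader -Path $File.FullName -Count $expected.Count
    if ($header.Count -lt $expected.Count) { return $false }
    for ($i = 0; $i -lt $expected.Count; $i++) {
        if ($header[$i] -ne $expected[$i]) { return $false }
    }
    return $true
}

$Root = Join-Path $env:USERPROFILE 'Documents'   # assumption; use $env:USERPROFILE for a full sweep
$Results = Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $Signatures.ContainsKey($_.Extension.ToLower()) } |
    ForEach-Object {
        [pscustomobject]@{
            File      = $_.FullName
            HeaderOK  = Test-FileSignature -File $_
            LastWrite = $_.LastWriteTime
        }
    }
$Suspect = @($Results | Where-Object { $_.HeaderOK -eq $false })

'{0} files checked, {1} with an unexpected header' -f @($Results).Count, $Suspect.Count
# A burst of files rewritten within the same few minutes is the other tell.
$Suspect | Sort-Object LastWrite -Descending | Format-Table -AutoSize

# Crypto-ransomware usually renames what it encrypts, so the rarest extensions
# under the folder are worth a look as well.
Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    Group-Object Extension | Sort-Object Count | Select-Object -First 10 Count, Name
```

Two caveats when reading the output: a document that Office itself has password-protected is stored as an OLE2 container rather than a ZIP, so it is reported as a mismatch even though nothing is wrong with it; and a clean run only says that the types in the table were not rewritten, so an all-clear here is still no substitute for the drive image the post recommends.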


#2 Sudo15 (Silver Lounger, UK)
    Nice one and fortunately a poor copycat.

    Put CryptoPrevent onto your friend's and perhaps your computer to help to prevent the real thing.

#3 wartaaids (3 Star Lounger, Jakarta, Indonesia)
    CryptoPrevent looks good, but how can one be sure that such free software on the web is not a scam? Apart perhaps from Googling it and checking who recommends it - is even that safe?

    Chris

#4 Sudo15 (Silver Lounger, UK)
    Quoting wartaaids:
        CryptoPrevent looks good, but how can one be sure that such free software on the web is not a scam? Apart perhaps from Googling it and checking who recommends it - is even that safe?

        Chris
    I have it on mine and occasionally double click the desktop icon to test, but prevention on your part will also help by not clicking on links in e-mails even from those that you know without confirming they sent them - but it's up to you whether to install it or not.

#5 bbearren (Super Moderator, Polk County, Florida)
    This guide from Bleepingcomputer.com explains how the malware works, and how to prevent it from running by manually setting up software restriction policies (if you have Pro versions of Windows with Group Policy Editor).

    I rely on drive images and common sense.
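The Group Policy Editor route in the BleepingComputer guide is closed on Home editions of Windows, but the Software Restriction Policy engine itself is present in every edition; gpedit.msc only writes registry keys under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer. The script below is an added example, not code from the guide, from CryptoPrevent or from anyone in this thread, that writes path rules of that kind from an elevated PowerShell prompt. The registry layout (one GUID-named key per rule under the security-level subkey, ItemData holding the path pattern) is the standard SRP layout; the particular block list, the Unrestricted exception for a per-user Chrome install and the rule descriptions are my assumptions.

```powershell
# Added example, not from the guide, the thread or CryptoPrevent: Software
# Restriction Policy path rules written straight to the registry, which is what
# gpedit.msc does on the Pro editions. Run from an elevated prompt.
$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SRP security level "Disallowed"
$Unrestricted = 262144   # 0x40000, SRP security level "Unrestricted"

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

function Initialize-SaferPolicy {
    # The values gpedit writes when a new policy is created: default level
    # Unrestricted, enforce on all software except DLLs, apply to every user.
    New-Item -Path $Safer -Force | Out-Null
    Set-ItemProperty -Path $Safer -Name DefaultLevel        -Value $Unrestricted -Type DWord
    Set-ItemProperty -Path $Safer -Name TransparentEnabled  -Value 1 -Type DWord
    Set-ItemProperty -Path $Safer -Name PolicyScope         -Value 0 -Type DWord
    Set-ItemProperty -Path $Safer -Name AuthenticodeEnabled -Value 0 -Type DWord
}

function Add-SaferPathRule {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][int]$Level,
        [string]$Description = ''
    )
    # Each rule is a GUID-named key under <level>\Paths; ItemData is the pattern,
    # which may contain environment variables and wildcards.
    $ruleKey = Join-Path $Safer ("$Level\Paths\{" + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0 -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $ruleKey -Name LastModified -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
    $ruleKey
}

function Get-SaferPathRule {
    # List every path rule currently in the policy, for review before and after.
    foreach ($level in $Disallowed, 131072, $Unrestricted) {
        $paths = Join-Path $Safer "$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        Get-ChildItem -Path $paths | ForEach-Object {
            $rule = Get-ItemProperty -Path $_.PSPath
            [pscustomobject]@{ Level = $level; Path = $rule.ItemData; Note = $rule.Description }
        }
    }
}

Initialize-SaferPolicy

# Path rules of the kind the guide recommends (this list is mine): nothing
# executable may run from the user-writable locations droppers favour.
$blocked = @(
    '%AppData%\*.exe', '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe', '%LocalAppData%\*\*.exe',
    '%Temp%\Rar*\*.exe', '%Temp%\7z*\*.exe', '%Temp%\wz*\*.exe', '%Temp%\*.zip\*.exe'
)
foreach ($pattern in $blocked) {
    Add-SaferPathRule -Path $pattern -Level $Disallowed -Description 'Block executables in user-writable locations' | Out-Null
}

# A more specific path rule wins over a broader one, so exceptions for
# legitimate per-user installs go in as Unrestricted rules (location assumed).
Add-SaferPathRule -Path '%LocalAppData%\Google\Chrome\Application\chrome.exe' -Level $Unrestricted -Description 'Per-user Chrome install' | Out-Null

Get-SaferPathRule | Format-Table -AutoSize
```

The rules apply to processes started after the change; log off and on if something still runs that should not. Expect breakage: anything that legitimately runs from AppData (per-user Chrome installs and Google's updater, Dropbox, Spotify and the like) is blocked until it gets an Unrestricted rule of its own, so test on the owner's machine before leaving it. To undo everything, remove the `0\Paths` key under `$Safer`. Note also what this does and does not cover: SRP stops a dropped executable from starting, which is the CryptoLocker class the guide is about; it would not have touched the thing in post #1, which ran as a web page inside Chrome and never dropped anything.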

#6 AlanWade (Star Lounger, Sweden)
    Quoting wartaaids:
        CryptoPrevent looks good, but how can one be sure that such free software on the web is not a scam? Apart perhaps from Googling it and checking who recommends it - is even that safe?

        Chris
    Is it not the reason you posted a question about it, to gain the benefit of other members knowledge in how to and what they use to deal with problems like this?

#7 F.U.N. downtown (Silver Lounger)
    Is there any evidence that Chrome essentially sacrificed itself to protect the system despite the user's best attempt or was this just very poorly written malware perhaps?

#8 bbearren (Super Moderator, Polk County, Florida)
    Quoting F.U.N. downtown:
        Is there any evidence that Chrome essentially sacrificed itself to protect the system despite the user's best attempt or was this just very poorly written malware perhaps?
    Chrome itself was frozen. I could not close it with the X, and I could not open any additional tabs. I had to use Task Manager to close it.

    I couldn't find any other damage or problems with the laptop apart from Chrome. Even before I uninstalled Chrome, IE worked just fine. My friend just wanted the laptop working, but was afraid to do anything, which is why I was called. So I didn't do any forensic work on it, just checked to see if files were in fact encrypted, and none were. I uninstalled Chrome, and that proved to be the cure.

#9 Sudo15 (Silver Lounger, UK)
    Have you ensured that your friend has created a Repair disk and will create system images to fall back on should it be more serious if there's a next time?

    BTW - How do you change the font size on this forum?

#10 F.U.N. downtown (Silver Lounger)
    In the replies/posts or overall?

    For Chrome I was even more interested in the social extent since if Chrome identifies something wrong with a web page it will warn before going there and if it KNOWS there is malware ahead it stops everything dead and won't allow the person to go to that page; in fact I think it throws up a malware ahead error page and it takes some concerted effort to get to that page after that. Sounds like it may be more the "stupid" variety of malware though that only succeeds in messing up the browser because one or more functions are not allowed. Subsequently if the continue where I left off option is active in the browser restart, it makes for an inescapable malfunction loop unless one finds those presets and deletes them.
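The loop F.U.N. downtown describes (a "continue where I left off" session that brings the locker tab back on every launch) can be broken without uninstalling Chrome: end the processes, move the session files aside, and reset the startup preference. The script below is an added example, not from anyone in this thread. It assumes the default profile directory, the Preferences JSON keys Chrome uses for startup behaviour (`session.restore_on_startup`, `session.startup_urls`), and the session file names of Chrome at the time (root-level "Current Session" and "Current Tabs" files, plus a Sessions folder in later versions). It quarantines rather than deletes, so the files are still there if anyone wants to look at them afterwards.

```powershell
# Added example (not from the thread): clear a Chrome session-restore loop.
# Assumptions: default profile location, Chrome's startup preference keys and
# its session file names; adjust $ProfileDir if the profile lives elsewhere.
$ProfileDir = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default'
$PrefsPath  = Join-Path $ProfileDir 'Preferences'
$Quarantine = Join-Path $env:USERPROFILE ('chrome-session-{0:yyyyMMdd-HHmmss}' -f (Get-Date))

function Stop-Chrome {
    # The locker page keeps the window from closing normally, so end the processes.
    Get-Process -Name chrome -ErrorAction SilentlyContinue | Stop-Process -Force
    Start-Sleep -Seconds 2
}

function Get-StartupSettings {
    $prefs = Get-Content -Raw -Path $PrefsPath | ConvertFrom-Json
    [pscustomobject]@{
        # restore_on_startup: 1 = continue where you left off, 4 = open specific pages, 5 = new tab page
        RestoreOnStartup = $prefs.session.restore_on_startup
        StartupUrls      = @($prefs.session.startup_urls)
        Homepage         = $prefs.homepage
    }
}

function Move-SessionFiles {
    # Chrome rebuilds a restored session from these files; without them there is nothing to restore.
    $candidates = @('Current Session', 'Current Tabs', 'Last Session', 'Last Tabs' |
        ForEach-Object { Join-Path $ProfileDir $_ })
    $candidates += @(Get-ChildItem -Path (Join-Path $ProfileDir 'Sessions') -File -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName })
    foreach ($file in $candidates) {
        if (Test-Path -LiteralPath $file) {
            Move-Item -LiteralPath $file -Destination $Quarantine -Force
            $file
        }
    }
}

function Reset-StartupSettings {
    Copy-Item -LiteralPath $PrefsPath -Destination (Join-Path $Quarantine 'Preferences.bak')
    $prefs = Get-Content -Raw -Path $PrefsPath | ConvertFrom-Json
    if (-not $prefs.session) {
        $prefs | Add-Member -NotePropertyName session -NotePropertyValue ([pscustomobject]@{})
    }
    $prefs.session | Add-Member -NotePropertyName restore_on_startup -NotePropertyValue 5 -Force
    $prefs.session | Add-Member -NotePropertyName startup_urls -NotePropertyValue ([object[]]@()) -Force
    $json = $prefs | ConvertTo-Json -Depth 100
    # Write UTF-8 without a byte-order mark; Set-Content -Encoding UTF8 would add one.
    [System.IO.File]::WriteAllText($PrefsPath, $json, (New-Object System.Text.UTF8Encoding $false))
}

New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
Stop-Chrome
'Startup settings before:'
Get-StartupSettings | Format-List
Move-SessionFiles | ForEach-Object { "quarantined $_" }
Reset-StartupSettings
'Startup settings after:'
Get-StartupSettings | Format-List
"Originals kept in $Quarantine"
```

Read the "before" output before anything else: if the loop came from the startup-pages setting rather than session restore, `StartupUrls` is the address the locker page was served from, which is the one piece of evidence worth writing down. Chrome versions from around the time of this thread onward track the startup preferences with a MAC and reset a hand-edited value to its default, which is the outcome wanted here anyway. `ConvertFrom-Json` needs PowerShell 3, which Windows 8 ships with; if it refuses the file, quarantine the session files with the script and change the startup setting in Chrome's own settings page instead.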

#11 Sudo15 (Silver Lounger, UK)
    Both for info.

#12 Browni (5 Star Lounger, Rochdale, UK)
    I've seen this on a few forums:

    [screenshot not preserved]

    That's from Help4Mobiles over here in the UK that uses Prophpbb as their forum software, perhaps it depends on the forum software used by individual forums?
    Last edited by Browni; 2014-03-24 at 18:23.

#13 Sudo15 (Silver Lounger, UK)
    Thanks, I'd found it and knew I'd seen it somewhere
    Last edited by Sudo15; 2014-03-24 at 18:42.

#14 bbearren (Super Moderator, Polk County, Florida)
    Quoting Sudo15:
        Have you ensured that your friend has created a Repair disk and will create system images to fall back on should it be more serious if there's a next time?
    I've made that attempt several times, to no avail. I have a repair disk, and I have the laptop setup fairly securely. Important data goes on a thumb drive or to the cloud.

#15 Sudo15 (Silver Lounger, UK)
    Quoting bbearren:
        I've made that attempt several times, to no avail. I have a repair disk, and I have the laptop setup fairly securely. Important data goes on a thumb drive or to the cloud.
    Well at least you are there as a safety net
