Dorifel/Quervar: the support scammer’s secret weapon
The malware that some people are calling Dorifel or XDocCrypt (ESET detects it as Win32/Quervar.C and has a cleaner for it here) is having a huge impact right now, mostly in the Netherlands. It has some really interesting characteristics – it infects documents (and genuine executables) by appending them, RC4-encrypted, to the body of a new executable – and there’ll be a technical analysis by Róbert Lipovský here shortly.
However, apart from its technical interest, it seems that it’s being used for scamming purposes that even its authors might not have anticipated. Martijn Grooten, of Virus Bulletin, tells me that it has attracted the attention of phone support scammers, who are using it to convince potential victims in the Netherlands that they need to let the scammer ‘clean’ or ‘protect’ their systems. For a price, as always…
There’s no indication that these scammers have any connection at all with the gang behind Quervar. In fact, I’ve seen no evidence to date of a direct link with fake AV/scareware either: while they sometimes deliberately trash a victim’s system (see, for instance, The Tech Support Scammer’s Revenge), I’ve had no reports of unequivocally malicious software being installed, though there may be attempts to leave some sort of backdoor access – see Misusing VERIFY (and other support scam tricks). What I think we’re probably seeing here is more akin to the gambit blogged here in July by Righard Zwienenberg – Scareware on the Piggy-Back of ACAD/Medre.A – where the threat (rather than the reality) of genuine malware is used to sell an ineffective solution. (I won’t revisit the use by certain security vendors of false claims about fake malware to sell legitimate AV by somewhat disreputable means, irritating though I find it: see Scareware and Legitimate Marketing.)
More often than not, support scammers install legitimate software that has, however, little to do with the problem that it’s claimed to resolve. (There is an exception: when I first became aware of support scammers, some of them were actually installing cracked or free-but-limited-lifetime anti-virus software, but I haven’t seen that reported recently: see Hanging on the Telephone, a comprehensive white paper on the subject.)
Nevertheless, this is a significant development. Not only because it has occurred to the scammers to use the fear of a current, high-profile threat as a means of conning the victim. Not only because other current events might be used as leverage for executing a scam – that’s true of many kinds of scam. But also because it suggests very specific geographical targeting, mapping the prospective victims to the region where the impact of the malware is (at present, anyway) likely to be greatest.
David Harley CITP FBCS CISSP
ESET Senior Research Fellow