Reveton Malware Revs Up Its Game

Credit: Lightspring/Shutterstock

(Image credit: Lightspring/Shutterstock)

One of the most infamous types of malware has learned a new trick. One strain of the Reveton ransomware family can now steal passwords and other credentials stored on an infected computer — and also turn that computer into a botnet zombie.

Prague-based security company Avast detected a version of Reveton that contained two well-known pieces of password-stealing software. These add password-stealing capabilities to Reveton's already-existing ability to hold computers it infects for ransom by locking their screens and then demanding users pay fees or "police fines" to regain control of their devices. (Unlike the better-known Cryptolocker ransomware, Reveton does not encrypt the victim's files.)

MORE: 7 Scariest Security Threats Headed Your Way

The first and more powerful password-stealer is called Pony Stealer. It searches through the recent history stored by major Web browsers including Chrome, Firefox, Internet Explorer, Opera and Safari (presumably the PC version, as Reveton doesn't infect Macs). Pony Stealer uses reverse-engineering techniques to decrypt passwords stored in an encrypted form.

Pony Stealer can also hunt through the Windows operating system to find locally stored passwords, such as the screensaver password and other local Windows passwords and certificates.

That's not all. Pony Stealer can also steal bitcoins or other types of digital currencies stored on infected computers. It does this by imitating the "wallet" software in which the currency is stored: When users next try to open their digital wallets, Pony Stealer replaces the actual login popup with a fake popup. Unsuspecting users enter their passwords into the fake popup, thus giving Pony Stealer access to their money. 

But wait, there's more! Pony Stealer also hunts through email clients such as Gmail, Windows Mail, Outlook and Eudora; instant-messaging clients AIM, Yahoo, Pidgin and Trillian; more than 30 different FTP clients; and even virtual private networks (VPNs) designed to protect users' personal data such as CiscoVPN, FreeCall and WinVNC. 

Just for fun, Pony Stealer also pokes through online poker clients including AbsolutePoker, PokerStars and TitanPoker.

A second type of password stealer was also found inside the Reveton strain Avast analyzed. This stealer, from the Papras family of malware, isn't as good as stealing passwords as Pony is, but it does contribute the ability to disable antivirus programs that might detect and block Reveton from infecting computers in the first place. 

Finally, this strain of the Reveton ransomware seems to use geolocation to determine which banks are local to the infected computer, and then search for information relating to those banks. The sample that Avast analyzed was geolocated to Germany and programmed to search through targets' browser history and cookie files for information relating to 17 different German banks.

Reveton is still primarily a "police Trojan" that locks up an infected computer's screen with a message, purportedly from local law enforcement, that uses flashy logos and harsh words to scare victims into thinking they've broken the law. The ransomware demands that victims pay a "fine" in order to acquit themselves of the charges. 

The new features that Avast identified have only been found in a single strain of Reveton -- something of a Renaissance man of malware, able to give victims just about every kind of malware-related headache that exists.

If you think you might have been infected by this variant of Reveton, Avast has removal instructions in its blog post on the subject.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.