Dorifel/Quervar: the support scammer’s secret weapon

David HarleyThe malware that some people are calling Dorifel or XDocCrypt (ESET detects it as Win32/Quervar.C and has a cleaner for it here) is having enormous impact right now, mostly in the Netherlands. It has some very interesting characteristics – it infects documents (and true executables) by appending them RC4-encrypted to the body of a new executable – and there’ll be a technical analysis by Róbert Lipovský here shortly.

However, apart from its intrinsic technical interest, it seems that it’s being used for scamming purposes that even its authors may not have anticipated. Martijn Grooten, of Virus Bulletin, tells me that it has attracted the attention of telephone support scammers, who are using it to convince potential victims in the Netherlands that they need to let the scammer ‘clean’ or ‘protect’ their systems. For a price, as always…

There’s no indication that these scammers have any connection at all with the gang behind Quervar. In fact, I’ve seen no evidence to date of a direct link with fake AV/scareware either: while they sometimes deliberately trash a victim’s system (see, for instance, The Tech Support Scammer’s Revenge), I’ve no reports of unequivocally malicious software being installed, though there may be attempts to leave some sort of backdoor access – see Misusing VERIFY (and other support scam tricks). What I think we’re probably seeing here is more akin to the gambit blogged here in July by Righard Zwienenberg – Scareware on the Piggy-Back of ACAD/Medre.A – where the threat (rather than the actuality) of real malware is used to sell an ineffective solution. (I won’t revisit the use by certain security vendors of spurious claims about spurious malware to sell legitimate AV by somewhat unethical means, infuriating though I find it: see Scareware and Legitimate Marketing.)

More often than not, support scammers install legitimate software that has, however, little to do with the problem that it’s claimed to resolve. (There is an exception: when I first became aware of support scammers, some of them were actually installing cracked or free-but-limited-lifetime anti-virus software, though I haven’t seen that reported recently: see Hanging on the Telephone, a comprehensive white paper on the subject.

Nevertheless, this is a significant development. Not only because it has occurred to the scammers to use the threat of a current and high-profile threat as a means of conning the victim. Not only because other current events might be used as leverage for executing the scam – that’s true of many kinds of scam. But also because it suggests very specific geographical targeting, mapping the prospective victims to the region where the impact of the malware is (at present, anyway) likely to be greatest.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow

Ready for the right solutions?

It’s time to offload your technology troubles and security stress.

"*" indicates required fields