
virus ownage? ive never seen a virus do this before :p

Old 03-15-2006, 12:41 AM
  #1
3.0 BAR
Thread Starter
buk9tp
Join Date: Oct 2005
Posts: 9,282
virus ownage? ive never seen a virus do this before :p

http://www.eweek.com/print_article2/...=173408,00.asp

Cryzip Trojan Encrypts Files, Demands Ransom
March 13, 2006

By Ryan Naraine
Virus hunters have discovered a new Trojan that encrypts files on an infected computer and then demands $300 in ransom for a decryption password.

The Trojan, identified as Cryzip, uses a commercial zip library to store the victim's documents inside a password-protected zip file and leaves step-by-step instructions on how to pay the ransom to retrieve the files.

It is not yet clear how the Trojan is being distributed, but security researchers say it was part of a small e-mail spam run that successfully evaded anti-virus scanners by staying below the radar.

While this type of attack, known as "ransomware," is not entirely new, it points to an increasing level of sophistication among online thieves who use social engineering tactics to trick victims into installing malware, said Shane Coursen, senior technical consultant at Moscow-based anti-virus vendor Kaspersky Lab.

The LURHQ Threat Intelligence Group, based in Chicago, was able to crack the encryption code used in the Cryzip Trojan and determine how the files are encrypted and the payment mechanism that has been set up to collect the $300 ransom.

According to a LURHQ advisory, Cryzip searches an infected hard drive for a wide range of widely used file types, including Word, Excel, PDF and JPG images.

Once commandeered, the files are zipped and overwritten with the text: "Erased by Zippo! GO OUT!!!"

The Trojan then deletes all the files, leaving only the encrypted file with the original file name, followed by the "_CRYPT.ZIP" extension.

A new directory named "AUTO_ZIP_REPORT.TXT" is created with specific instructions on how to use the E-Gold online currency and payment system to send ransom payments.

The instructions, which are marked by misspellings and poor grammar, contain the following text: "Your computer catched our software while browsing illigal **** pages, all your documents, text files, databases was archived with long enought password. You can not guess the password for your archived files - password lenght is more then 10 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations)."

The owner of the infected machine is warned not to search for the program that encrypted the data, claiming that it simply doesn't exist on the hard drive.

"If you really care about documents and information in encrypted files you can pay using electonic currency $300," the note says. "Reporting to police about a case will not help you, they do not know password. Reporting somewhere about our E-Gold account will not help you to restore files. This is your only way to get yours files back."

The Trojan author uses scores of E-Gold accounts simultaneously to get around potential shutdowns, according to LURHQ, which published the complete list of E-Gold accounts in the advisory.

Officials from E-Gold, which operates out of the Caribbean island of Nevis, were not available for comment.

"Infection reports are not wide------, so it is not believed this is a mass threat by any means," LURHQ said. However, the company said social engineering malware is typically more successful when it is delivered in low volume to get around anti-virus detections.

"[M]ore attention means the likely closing of the accounts used for the anonymous money transfer," LURHQ said.

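The article quoted above names three on-disk artifacts of a Cryzip run: archives whose name is the original file name plus "_CRYPT.ZIP", the AUTO_ZIP_REPORT.TXT ransom note, and originals overwritten with the text "Erased by Zippo! GO OUT!!!" before deletion. The Python script below is an added example, not part of the original post, the eWEEK article or the LURHQ advisory: it walks a directory tree and reports which of those indicators are present, so a machine can be triaged without opening any archive. It assumes the note is a plain file (the article's wording is ambiguous), that the marker string makes up the whole content of an overwritten file, and that matching is case-insensitive on the name; the function names and the sample tree it builds in a temporary directory are the example's own constructed stand-ins, not real infection data.

```python
import shutil
import tempfile
from pathlib import Path

# Indicators as described in the quoted article (names assumed case-insensitive).
CRYZIP_SUFFIX = "_CRYPT.ZIP"
CRYZIP_NOTE = "AUTO_ZIP_REPORT.TXT"
CRYZIP_MARKER = b"Erased by Zippo! GO OUT!!!"


def scan_for_cryzip(root):
    """Walk `root` and collect paths matching each Cryzip indicator.

    Returns a dict with three lists: 'archives' (*_CRYPT.ZIP files),
    'notes' (AUTO_ZIP_REPORT.TXT files) and 'overwritten' (files whose
    entire content is the marker string, i.e. originals that were
    overwritten but not yet deleted). Nothing is opened as a zip, so
    the scan is read-only and safe to run on a suspect host.
    """
    hits = {"archives": [], "notes": [], "overwritten": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name = path.name.upper()
        if name.endswith(CRYZIP_SUFFIX):
            hits["archives"].append(str(path))
        elif name == CRYZIP_NOTE:
            hits["notes"].append(str(path))
        else:
            try:
                # Only a file exactly as long as the marker can be a match.
                if path.stat().st_size != len(CRYZIP_MARKER):
                    continue
                with path.open("rb") as fh:
                    content = fh.read(len(CRYZIP_MARKER))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if content == CRYZIP_MARKER:
                hits["overwritten"].append(str(path))
    return hits


def is_infected(hits):
    """True if any indicator was found; the note or archives alone suffice."""
    return any(hits[key] for key in ("archives", "notes", "overwritten"))


def build_sample_tree():
    """Construct a throwaway directory that mimics a partial Cryzip run.

    Sample data is constructed for this example; the 'archive' bytes are a
    placeholder, not a real encrypted zip.
    """
    root = tempfile.mkdtemp(prefix="cryzip_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "budget.xls_CRYPT.ZIP").write_bytes(b"PK\x03\x04 placeholder archive bytes")
    (docs / "report.doc").write_bytes(CRYZIP_MARKER)          # overwritten, not yet deleted
    (docs / "AUTO_ZIP_REPORT.TXT").write_text("constructed stand-in for the ransom note\n")
    (docs / "notes.txt").write_text("ordinary file that must not match\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    try:
        result = scan_for_cryzip(sample)
        for kind, paths in result.items():
            for p in paths:
                print(f"{kind:11s} {p}")
        print("infected:", is_infected(result))
    finally:
        shutil.rmtree(sample, ignore_errors=True)
```

Run it as-is to see the report against the constructed tree, or call `scan_for_cryzip("/path/to/suspect/drive")` from an investigation script; a hit on the note or on any `_CRYPT.ZIP` archive is enough to isolate the host, and the `overwritten` list tells you which originals were caught mid-run.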
Old 03-15-2006, 08:01 AM
  #3
3.0 BAR
Random Hero
Join Date: Nov 2004
Posts: 2,313
Re: virus ownage? ive never seen a virus do this before :p

buk, you always have great info for us <3
Old 03-15-2006, 08:46 AM
  #4
3.0 BAR
Paul99EX
Join Date: Aug 2004
Posts: 3,732
Re: virus ownage? ive never seen a virus do this before :p

thats fucked up! theres gotta be some computer nerd out there that will crack that ---- or some company that will get around it. if not, the author of that virus is damn clever and damn smart.
Old 03-15-2006, 03:43 PM
  #5
0.0 BAR
Bone1
Join Date: Jan 2005
Posts: 0
Re: virus ownage? ive never seen a virus do this before :p

PKCrack

All times are GMT -5.