Trojan Cryzip extorts decryption fee

Discussion in 'General Conversation' started by Tellico00, Mar 14, 2006.

  1. Tellico00

    The following is from ZDNet:


    Trojan Cryzip extorts decryption fee

    By Dawn Kawamoto
    URL: http://news.zdnet.com/2100-1009_22-6049449.html
    A Trojan making the rounds encrypts victims' files and demands a $300 payment to have them decrypted and unlocked, according to a report by security firm Lurhq Threat Intelligence Group. This so-called "ransomware" Trojan, dubbed Cryzip, is the second of its type to emerge in the past 10 months, following the PGPcoder Trojan. It also is the third such Trojan to appear since 1989.
    Lurhq researchers noted Tuesday that the appearance within a year of two encryption Trojans may indicate they are part of an emerging trend in malicious software.
    "Last year, we saw the PGPcoder, and anything that shows itself to be a viable way to make money, usually people start jumping on the bandwagon after that," said Joe Stewart, senior security researcher for Lurhq.
    The Cryzip Trojan will search for files, such as source code or database files, on infected systems. It then uses a commercial zip library to store the encrypted files. Security researchers, however, have yet to determine how the Trojan is distributed, noting it could come from a number of sources, including malicious Web sites, or enter through a previously created backdoor on a virus-infested computer.
    The Trojan will overwrite the victims' text and then delete it, leaving only encrypted material that contains the original file name and _CRYPT_.ZIP.
    "Unlike the PGPcoder that used a trivial encryption scheme, the zip encryption is stronger. It's harder to go through a list of possible (encryption) keys to get the information back," Stewart said. "But a brute-force attack is still possible, if a user has a copy of the original file. It can be reverse-engineered with a copy of the Trojan."
    Cryzip has yet to become a widespread problem. Lurhq said it is aware of only about two dozen infection cases. Increasingly, malicious software writers are becoming more interested in launching low-level attacks in the hopes that it will take longer for security companies to notice their presence and develop a defense.
    Users may also be less willing to seek help if it involves disclosing where they might have come across the threat.
    The Cryzip writer, who uses an E-Gold account for collecting ransom payments, tells the victims: "Your computer catched our software while browsing illegal porn pages, all your documents, text files, databases was archived with long enough password. You cannot guess the password for your archived files--password length is more than 10 symbols that makes all password recovery programs fail to bruteforce it."
    The Trojan writer then goes on to demand that a $300 payment be sent electronically to the E-Gold account.
    Stewart advises users to frequently back up their important files, not only to minimize the damage if their system crashes but to reduce damage from an encryption attack.
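Stewart's point above (a brute-force or dictionary attack is possible when you still have a copy of the original file) is easy to show concretely. The following is an added example, not code from ZDNet, Lurhq or the Trojan itself, and nothing here is known about Cryzip's real password or archive layout: it implements PKWARE's "traditional" ZipCrypto cipher (the scheme behind the "zip encryption" quoted in the article, and the one Python's own zipfile module can decrypt), builds a constructed one-entry archive under a made-up 12-character password, and then searches a small candidate list the way an attacker with the original file would: a 1-byte check on the 12-byte encryption header rejects almost every wrong password immediately, and only survivors are decrypted in full and compared with the known original. The filename, sample SQL text, password and word list are all constructed for the example.

```python
import io
import os
import struct
import zipfile
import zlib

# Reflected CRC-32 table (poly 0xEDB88320); ZipCrypto's key schedule reuses it.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc_step(crc: int, byte: int) -> int:
    return (crc >> 8) ^ _CRC_TABLE[(crc ^ byte) & 0xFF]


class ZipCrypto:
    """PKWARE 'traditional' ZIP stream cipher (APPNOTE 6.1). Use a fresh instance per entry."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, p: int) -> None:  # keys evolve on the plaintext byte, in both directions
        self.k0 = _crc_step(self.k0, p)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc_step(self.k2, self.k1 >> 24)

    def _keystream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def build_zipcrypto_archive(name: str, plaintext: bytes, password: bytes) -> bytes:
    """One 'stored' entry under ZipCrypto, laid out by hand so CRC and sizes describe the plaintext."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes, then the CRC's high byte. That one byte is
    # the only fast "is this password right?" check an extractor, or an attacker, gets.
    header = os.urandom(11) + bytes([crc >> 24])
    body = ZipCrypto(password).encrypt(header + plaintext)
    fname = name.encode("ascii")
    flags, method, dtime, ddate = 0x0001, 0, 0, 0x0021  # bit 0 = encrypted; date 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dtime, ddate,
                        crc, len(body), len(plaintext), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, dtime, ddate,
                          crc, len(body), len(plaintext), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def recover_password(archive: bytes, name: str, known_plaintext: bytes, candidates):
    """Dictionary search with a known original: the header byte rejects ~255/256 of wrong
    passwords after 12 byte operations; survivors are confirmed against the whole file."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        info = zf.getinfo(name)
    off = info.header_offset
    name_len, extra_len = struct.unpack("<HH", archive[off + 26:off + 30])
    start = off + 30 + name_len + extra_len
    raw = archive[start:start + info.compress_size]
    for pwd in candidates:
        cipher = ZipCrypto(pwd)
        if cipher.decrypt(raw[:12])[-1] != (info.CRC >> 24) & 0xFF:
            continue
        data = cipher.decrypt(raw[12:])
        if info.compress_type == zipfile.ZIP_DEFLATED:  # general case: raw deflate inside
            try:
                data = zlib.decompress(data, -15)
            except zlib.error:
                continue
        if data == known_plaintext:
            return pwd
    return None


def demo() -> dict:
    original = b"CREATE TABLE customers (id INT, name TEXT);\n" * 8  # constructed sample file
    secret = b"Xq7!mZ2#pL9v"  # constructed 12-character password (assumption, not Cryzip's)
    archive = build_zipcrypto_archive("customers.sql", original, secret)
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        via_zipfile = zf.read("customers.sql", pwd=secret)  # stdlib interop check
    wordlist = [b"password", b"letmein123", secret, b"hunter2"]  # constructed word list
    return {"zipfile_ok": via_zipfile == original,
            "recovered": recover_password(archive, "customers.sql", original, wordlist),
            "miss": recover_password(archive, "customers.sql", original, wordlist[:2])}
```

Running demo() prints that the stdlib could read the archive with the right password, that the search returns b'Xq7!mZ2#pL9v' from the word list, and None when the real password is not in it. Two things worth noticing: a genuinely random 12-character password defeats a dictionary search like this one, which is why the ransom note makes the length claim it does; and ZipCrypto is weak in a different way, since Biham and Kocher's 1994 known-plaintext attack recovers the internal keys from a few hundred bytes of original file without guessing the password at all, so "stronger than PGPcoder" is a relative statement.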
  2. maddcatter

    Well, that sounds like fun! NOT!!!!

  3. rodpod

    Well, people who have made viruses without a link back to them have been caught and arrested. So they are just going to follow the money trail if this thing ever spreads. And we all know that the government has the power to freeze assets of people who do real life ransoms. And if you do get it, just go back to your last night's backups. It's not hard to make a backup; Windows comes with all the tools to do it nightly for free.

    I think a few people will fall victim to this, and there will be a lot of variants over time, but once the filejackers see the repercussions it won't be so bad.
  4. Tellico00

    Thanks Brent,

    That is good news