
By Dawn Kawamoto, News.com
Posted on ZDNet News: Mar 14, 2006 5:15:00 PM

A Trojan making the rounds encrypts victims' files and demands a $300 payment to have them decrypted and unlocked, according to a report by security firm Lurhq Threat Intelligence Group.

This so-called "ransomware" Trojan, dubbed Cryzip, is the second of its type to emerge in the past 10 months, following the PGPcoder Trojan, and only the third since the first file-encrypting Trojan appeared in 1989.

Lurhq researchers noted Tuesday that the appearance of two encryption Trojans within a year may indicate they are part of an emerging trend in malicious software.

"Last year, we saw the PGPcoder, and anything that shows itself to be a viable way to make money, usually people start jumping on the bandwagon after that," said Joe Stewart, senior security researcher for Lurhq.

The Cryzip Trojan searches infected systems for files such as source code or database files, then packs each one into a password-protected archive using a commercial zip library. Security researchers have yet to determine how the Trojan is distributed; it could arrive from a number of sources, including malicious Web sites, or be dropped through a backdoor already present on a virus-infested computer.

The Trojan overwrites the contents of each original file and then deletes it, leaving only the encrypted archive, whose name consists of the original file name followed by _CRYPT_.ZIP.

"Unlike the PGPcoder that used a trivial encryption scheme, the zip encryption is stronger. It's harder to go through a list of possible (encryption) keys to get the information back," Stewart said. "But a brute-force attack is still possible, if a user has a copy of the original file. It can be reverse-engineered with a copy of the Trojan."
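The recovery workflow Stewart describes, as an added example that is not code from the article, from Lurhq, or from the Trojan itself: the victim file, its password and the candidate password list below are all constructed (Cryzip's real password, file list and zip library are not on this page). Archives written by ordinary zip libraries of that era used the traditional PKZIP stream cipher ("ZipCrypto"); Python's zipfile can read such entries but cannot write them, so the sample archive is assembled by hand, and the recovery routine then tries candidate passwords of the kind an analyst would pull out of the Trojan binary, using a copy of the original file as the final check.

```python
"""Cryzip-style archive, built by hand, and password recovery against it.
Everything here is constructed sample data, not Cryzip's real password."""
import io
import struct
import zipfile
import zlib

# Standard reflected CRC-32 table (polynomial 0xEDB88320), per APPNOTE.TXT.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_step(crc, byte):
    return (crc >> 8) ^ _CRC_TABLE[(crc ^ byte) & 0xFF]


class ZipCryptoEncrypter:
    """Traditional PKZIP encryption: three 32-bit keys seeded from the
    password; each plaintext byte is XORed with a keystream byte derived
    from key2 and then fed back into the keys."""

    def __init__(self, pwd):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for p in pwd:
            self._update(p)

    def _update(self, c):
        self.k0 = _crc32_step(self.k0, c)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_step(self.k2, self.k1 >> 24)

    def encrypt(self, data):
        out = bytearray()
        for c in data:
            k = self.k2 | 2
            keystream = ((k * (k ^ 1)) >> 8) & 0xFF
            self._update(c)          # keys advance on the *plaintext* byte
            out.append(c ^ keystream)
        return bytes(out)


def build_encrypted_zip(name, plain, pwd):
    """Single-entry ZIP with `name` stored uncompressed and encrypted under
    `pwd`: the kind of archive the Trojan leaves in place of each file."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    # 12-byte encryption header. Only its last byte (CRC high byte) is checked
    # before decrypting the body, so a wrong password is rejected early 255
    # times in 256; the CRC over the whole file catches the remaining cases.
    header = bytes(range(11)) + bytes([(crc >> 24) & 0xFF])  # fixed, not random, for reproducibility
    body = ZipCryptoEncrypter(pwd).encrypt(header + plain)
    fname = name.encode("ascii")
    flags, method, mtime, mdate = 0x0001, 0, 0, 0x0021  # bit 0 = encrypted; stored; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, mtime, mdate,
                        crc, len(body), len(plain), len(fname), 0)
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          mtime, mdate, crc, len(body), len(plain), len(fname),
                          0, 0, 0, 0, 0, 0) + fname
    cd_offset = len(local) + len(fname) + len(body)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), cd_offset, 0)
    return local + fname + body + central + eocd


def ransomed_files(names):
    """Triage helper: pick out Cryzip-style outputs by their suffix."""
    return [n for n in names if n.upper().endswith("_CRYPT_.ZIP")]


def recover(zip_bytes, candidates, known_plaintext=None):
    """Try each candidate password against the archive's first entry.
    Returns (password, plaintext) or None. If the victim still has a copy of
    the original file, pass it as known_plaintext for a final confirmation."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        entry = zf.namelist()[0]
        for pwd in candidates:
            try:
                data = zf.read(entry, pwd=pwd)  # RuntimeError: header byte check failed
            except (RuntimeError, zipfile.BadZipFile):  # BadZipFile: CRC mismatch
                continue
            if known_plaintext is not None and data != known_plaintext:
                continue
            return pwd, data
    return None


# Constructed sample: a victim file, a password longer than 10 characters
# (the ransom note's claim), and a candidate list of the kind a reverser
# would assemble from strings found in the Trojan binary.
SAMPLE_NAME = "customers.mdb"
SAMPLE_PLAIN = b"id,name,balance\n1,Ada,300\n2,Bob,12\n" * 4
SAMPLE_PWD = b"constructed-sample-key-01"
CANDIDATES = [b"password", b"E-Gold", b"C:\\Program Files", SAMPLE_PWD, b"zippo"]


def demo():
    archive = build_encrypted_zip(SAMPLE_NAME, SAMPLE_PLAIN, SAMPLE_PWD)
    print(ransomed_files(["readme.txt", SAMPLE_NAME + "_CRYPT_.ZIP"]))
    found = recover(archive, CANDIDATES, known_plaintext=SAMPLE_PLAIN)
    print("recovered with", found[0] if found else None)
    return found


if __name__ == "__main__":
    demo()
```

The point of the password-length claim in the ransom note is that a blind search over all strings longer than 10 characters is hopeless; the analyst's answer is to shrink the search to a short candidate list (strings embedded in the Trojan, or anything else its disassembly reveals), which is what `recover` iterates over. The one-byte header check means most wrong guesses are rejected before any file data is decrypted, and comparing against a surviving copy of the original removes the residual 1-in-256 false positive.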

Cryzip has yet to become a widespread problem; Lurhq said it is aware of only about two dozen infection cases. Increasingly, malicious software writers are favoring small, low-profile attacks in the hope that it will take longer for security companies to notice their presence and develop a defense.

Users may also be less willing to seek help if it involves disclosing where they might have come across the threat.

The Cryzip writer, who uses an E-Gold account for collecting ransom payments, tells the victims: "Your computer catched our software while browsing illegal porn pages, all your documents, text files, databases was archived with long enough password. You cannot guess the password for your archived files--password length is more than 10 symbols that makes all password recovery programs fail to bruteforce it."

The Trojan writer then goes on to demand that a $300 payment be sent electronically to the E-Gold account.

Stewart advises users to back up their important files frequently, not only to minimize the damage if their system crashes but also to limit the damage from an encryption attack. A backup only helps if the Trojan cannot reach and encrypt it too, so copies should be kept offline or otherwise out of reach of the infected machine.
