
By Dawn Kawamoto
Posted on ZDNet News: Mar 14, 2006 5:15:00 PM

A Trojan making the rounds encrypts victims' files and demands a $300 payment to have them decrypted and unlocked, according to a report by security firm Lurhq Threat Intelligence Group.

This so-called "ransomware" Trojan, dubbed Cryzip, is the second of its type to emerge in the past 10 months, following the PGPcoder Trojan. It also is the third such Trojan to appear since 1989.

Lurhq researchers noted Tuesday that the appearance of two encryption Trojans within a year may indicate they are part of an emerging trend in malicious software.

"Last year, we saw the PGPcoder, and anything that shows itself to be a viable way to make money, usually people start jumping on the bandwagon after that," said Joe Stewart, senior security researcher for Lurhq.

The Cryzip Trojan will search for files, such as source code or database files, on infected systems. It then uses a commercial zip library to store the encrypted files. Security researchers, however, have yet to determine how the Trojan is distributed, noting it could come from a number of sources, including malicious Web sites, or enter through a previously created backdoor on a virus-infested computer.

The Trojan overwrites the victim's original file and then deletes it, leaving only an encrypted archive named after the original file with _CRYPT_.ZIP appended.

"Unlike the PGPcoder that used a trivial encryption scheme, the zip encryption is stronger. It's harder to go through a list of possible (encryption) keys to get the information back," Stewart said. "But a brute-force attack is still possible, if a user has a copy of the original file. It can be reverse-engineered with a copy of the Trojan."
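The one concrete indicator the article gives a defender is the artifact name: the original file name with _CRYPT_.ZIP appended, wrapped in a zip container. The following scanner is an added example, not code from Lurhq or from the article, and it assumes only that naming pattern plus the public ZIP format (the "encrypted" general-purpose flag, bit 0, in local and central headers). It walks a directory tree, reports every file matching the pattern, recovers the original name, checks whether the original still exists beside it (an interrupted overwrite), confirms the file really is a zip container and counts how many entries carry the encrypted flag without extracting anything. The sample tree it scans is constructed inline; the "encrypted" flag on the sample archive is patched in by hand for the demonstration, the member is not actually encrypted.

```python
import os
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Optional, Union

# Naming pattern reported in the article for Cryzip artifacts:
# <original file name> followed by _CRYPT_.ZIP. Matched case-insensitively.
CRYZIP_RE = re.compile(r"^(?P<original>.+)_CRYPT_\.ZIP$", re.IGNORECASE)
ZIP_LOCAL_HEADER_MAGIC = b"PK\x03\x04"
ZIP_FLAG_ENCRYPTED = 0x0001  # general-purpose flag bit 0 in the ZIP specification


def classify_file(path: Union[str, Path]) -> Optional[dict]:
    """Return a finding for a file whose name matches the Cryzip pattern, else None."""
    path = Path(path)
    m = CRYZIP_RE.match(path.name)
    if m is None:
        return None
    original = path.with_name(m.group("original"))
    with path.open("rb") as fh:
        is_zip = fh.read(4) == ZIP_LOCAL_HEADER_MAGIC
    encrypted_entries = 0
    if is_zip:
        try:
            with zipfile.ZipFile(path) as zf:
                # Only the central directory is parsed; no member is extracted.
                encrypted_entries = sum(
                    1 for info in zf.infolist() if info.flag_bits & ZIP_FLAG_ENCRYPTED
                )
        except zipfile.BadZipFile:
            pass  # matches the name but is not a readable archive; still reported
    return {
        "artifact": path.name,
        "original_name": original.name,
        "original_missing": not original.exists(),
        "is_zip_container": is_zip,
        "encrypted_entries": encrypted_entries,
    }


def scan_tree(root: Union[str, Path]) -> list:
    """Walk the tree and return findings sorted by artifact name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            finding = classify_file(Path(dirpath) / name)
            if finding is not None:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["artifact"])


def _mark_entries_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' flag bit in the local and central headers of a
    one-entry zip. Constructed test data only: the member stays in the clear,
    this just reproduces the flag a password-protected archive carries."""
    buf = bytearray(zip_bytes)
    local = buf.find(b"PK\x03\x04")    # local file header signature
    central = buf.find(b"PK\x01\x02")  # central directory header signature
    buf[local + 6] |= ZIP_FLAG_ENCRYPTED    # flags live at offset 6 of the local header
    buf[central + 8] |= ZIP_FLAG_ENCRYPTED  # and at offset 8 of the central header
    return bytes(buf)


def build_sample_tree() -> str:
    """Create a constructed directory resembling a partially affected system."""
    root = tempfile.mkdtemp(prefix="cryzip_demo_")
    base = Path(root)
    # Untouched document: must not be reported.
    (base / "readme.txt").write_text("plain notes, untouched\n")
    # Artifact 1: zip container with an encrypted-flagged entry, original gone.
    zpath = base / "budget.xls_CRYPT_.ZIP"
    with zipfile.ZipFile(zpath, "w") as zf:
        zf.writestr("budget.xls", b"constructed, not a real spreadsheet")
    zpath.write_bytes(_mark_entries_encrypted(zpath.read_bytes()))
    # Artifact 2: matching name but not a zip at all (a damaged or aborted run).
    (base / "notes.txt_CRYPT_.ZIP").write_bytes(b"\x00garbage\x00")
    # Artifact 3: original still present beside its archive (interrupted overwrite).
    sub = base / "projects"
    sub.mkdir()
    (sub / "report.doc").write_bytes(b"original report")
    with zipfile.ZipFile(sub / "report.doc_CRYPT_.ZIP", "w") as zf:
        zf.writestr("report.doc", b"original report")
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

Running the block prints three findings: the flagged archive with its original missing, the non-zip file that merely carries the suffix, and the archive whose original survived next to it. The "original still present" case is the one worth acting on first, since that copy is exactly the known plaintext Stewart mentions.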

Cryzip has yet to become a widespread problem. Lurhq said it is aware of only about two dozen infection cases. Increasingly, malicious software writers are becoming more interested in launching low-level attacks in the hopes that it will take longer for security companies to notice their presence and develop a defense.

Users may also be less willing to seek help if it involves disclosing where they might have come across the threat.

The Cryzip writer, who uses an E-Gold account for collecting ransom payments, tells the victims: "Your computer catched our software while browsing illegal porn pages, all your documents, text files, databases was archived with long enough password. You cannot guess the password for your archived files--password length is more than 10 symbols that makes all password recovery programs fail to bruteforce it."

The Trojan writer then goes on to demand that a $300 payment be sent electronically to the E-Gold account.

Stewart advises users to frequently back up their important files, not only to minimize the damage if their system crashes but to reduce damage from an encryption attack.
