Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

RansomWare Disassembly Reveals Evolutionary Path

Posted by CowboyNeal on Thu Jul 26, 2007 08:25 PM
from the trojan-family-trees dept.
Security Programming IT Technology
flaws writes "The guys at Secure Science Corporation have written a revealing article demonstrating the relationship with the most recent Ransom-based Trojan (known as Glamour) and some previous data stealing trojans. They include an open source decrypting utility for unlocking your files if infected, and some stats that are a bit disturbing. According to their report, in the past 8 months, 152,000 victims have been infected, and over 14.5 million records were discovered to be logged by the trojan."
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

RansomWare Disassembly Reveals Evolutionary Path 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • My poor pornography :( (Score:5, Funny)

    by Token_Internet_Girl (1131287) on Thursday July 26 2007, @08:30PM (#20004787)
    "Dear User: We are currently holding your pornography hostage. Unless you send us $300, you will never see Jenna Jameson and that beer can again."
    • It was a beer bottle.

      I never did get that picture back...
    • "Dear Sheeple,

      Remember that night you and your wife got drunk and took all those nasty photos? $500 to sugarinyourgastankwhilstanallyrapingyourmom@quicky lube.com or your neighborhood gets to critique them, too...

      ...and have a nice day.

      Kudos,
      Howie Feltersnatch"

      I'd bet 10-to-1 odds some unscrupulous f**k will try/has tried it, too...

  • In a related story (Score:5, Funny)

    by Anonymous Coward on Thursday July 26 2007, @08:47PM (#20004935)
    . . .Trojan brand shown to BLOCK Evolutionary Path!
  • Do people still really open attachments from people that do not know or were not expecting? Are people really executing unknown .exe files?

    What is the infection vector for these things? Is it email, P2P networks fooling people into believing that mp3 really is an EXE file?

    although I cant believe that people are stupid enough to fall for a nigerian scam wanting to deposit 30 billion dollars in their accounts overnight either.

    • Re:I keep reading about these. (Score:5, Informative)

      by necro2607 (771790) on Thursday July 26 2007, @09:03PM (#20005055)
      Well, considering that Windows by default doesn't show the file extension for known filetypes, as far as all the noobs can tell, the file they just double-clicked was "Artist - song.mp3", since they wouldn't even see the .exe at the end. Sweet deal eh?

      If you've used any common p2p apps like eDonkey or the like, you'll notice that when you search for something, even if you type some arbitrary crap like "huoshgahgauoiwhrgoaghnaj" you'll also get "huoshgahgauoiwhrgoaghnaj.mp3.exe" and "huoshgahgauoiwhrgoaghnaj pics xxx mpeg avi.exe" or similar shit. So someone searching for a keygen is going to get "exactly the keygen they wanted.exe" .... and so on and so forth. You can imagine how quickly someone will eagerly download and run a keygen they've been looking for for ages that they couldn't find anywhere else.... ;)

      • "Well, considering that Windows by default doesn't show the file extension for known filetypes, as far as all the noobs can tell, the file they just double-clicked was "Artist - song.mp3", since they wouldn't even see the .exe at the end. Sweet deal eh?

        Which is why I've been telling people for years the first thing they should do after installing Windows (immediately after selecting the "Show hidden files and folders" option and unchecking (clearing) the "Hide extensions for known file types" and "Hide protected operating system files" options in Control Panel -> Folder Options, View tab) is to run REGEDIT and do a 'Find' for all occurrences of "NeverShowExt" and delete every single one found. All of them (spare none).

        Yes, it is admittedly unappe

    • That "only from people you know" is bollocks. Your bozo friends are likely to get infected and the result of the infection is sending you infected files.

      Who's going to suspect a PDF from their friend contains an unscanned virus payload.

      Javascript in PDF, great idea!

    • Re: (Score:2, Interesting)

      by Aellus (949929)
      I'm living at my parents house for the next month while I'm in transition between two places. Conveniently, my fathers machine has gone haywire and I'm still trying to figure out what happened to it (OS install crashes every time, and _yes_ that includes various forms of linux). Anyway, I've come back to my computer from time to time and discovered he has been checking his email on it. Twice I've noticed that the firefox download window still had random .pdf and .exe files. He once left an email page open t

    • Re: (Score:2, Interesting)

      by Lavene (1025400)

      Do people still really open attachments from people that do not know or were not expecting? Are people really executing unknown .exe files?

      A fun experiment: Write a small, harmless program that when executed send a single ping to your home machine/ server and an equally simple program to count the incoming pings on said system.

      Write a short message saying something like "The well known virus 'YouAreTooStupid' is again spreading across the Internet. Please run the attached program to clean and/ or immunize your PC", attach your little program and send it to twenty people. Then sit back and watch your counter...

      It will keep counting for da

      • Why use a virus? That sounds official enough to get them to fill out the attached form with their social and just sell that info for identity theft purposes. Damn russians, not even a little capitalistic! Or heck, they could be doing both!

        Yes, I know it doesn't sound official, have you ever seen a person desperate for work? They'll take any response and run with it.

  • You can prevent encryption by creating a reg key (Score:5, Funny)

    by jpetts (208163) on Thursday July 26 2007, @10:47PM (#20005723)
    The entry should be a REG_DWORD named WinCode in the HKLM\SOFTWARE\Microsft\Windows NT\CurrentVersion location, and should have the value 31337
    • The first trojan was created 6000 years ago and left the garden some years after that. The garden was invaded by Greeks in a wooden horse, or something...
      • The first trojan was created 6000 years ago and left the garden some years after that. The garden was invaded by Greeks in a wooden horse, or something...

              And now you can find trojans littering many urban gardens, parks, playgrounds...
    • This is a bit bewildering...implementing real 4096-bit RSA is simple and would have made it extremely difficult, if not impossible, to produce a working decryptor without paying $300." Silly script kiddies.

      If you just XOR the data and tell people it's RSA-4096 99.44% of them are going to just accept that it's true (after googling to find out what RSA means) and send you the $300. How many are going to find out about this open source decryptor? I betcha 80% of IT consultants won't even know about it, and h

      • Because of who the targets are. Re:Why bother? (Score:5, Interesting)

        by twitter (104583) on Thursday July 26 2007, @09:39PM (#20005279) Homepage Journal

        If you just XOR the data and tell people it's RSA-4096 99.44% of them are going to just accept that it's true (after googling to find out what RSA means) and send you the $300.

        No, they are going to look for a "free decoder program," ha ha ha. Oh, the joys of non free software.

        Jokes aside, this trojan is aimed at corporate users. If it's easy to fix, big dumb companies will tell their sheep to bring forth their problems and fix them. If the creeps had been bright enough to use real encryption, there would be no solution and embarrassed users will try to fix the problem themselves. Of course, paying $300 to an extortionist will get you nothing more than another request for money unless they want to sell you back each file. For more evidence of this, see Vista pricing.

      • Vs lbh jnag gb ernq vg V fryy n qrpelcgbe sbe $300 abj fraq zr zl zbarl!
        • I hope this was comprehensible it's pretty late here and very sleepy.

          Yes, you illustrate the corporate ethos adeptly.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.