RansomWare Disassembly Reveals Evolutionary Path

flaws writes "The guys at Secure Science Corporation have written a revealing article demonstrating the relationship with the most recent Ransom-based Trojan (known as Glamour) and some previous data stealing trojans. They include an open source decrypting utility for unlocking your files if infected, and some stats that are a bit disturbing. According to their report, in the past 8 months, 152,000 victims have been infected, and over 14.5 million records were discovered to be logged by the trojan."

My poor pornography :(

"Dear User: We are currently holding your pornography hostage. Unless you send us $300, you will never see Jenna Jameson and that beer can again."

Tag this haha and pwned

From the report: "...it was quickly apparent that the files were not really encrypted with 4096-bit RSA....This is a bit bewildering...implementing real 4096-bit RSA is simple and would have made it extremely difficult, if not impossible, to produce a working decryptor without paying $300." Silly script kiddies.

Because of who the targets are. Re:Why bother?

If you just XOR the data and tell people it's RSA-4096 99.44% of them are going to just accept that it's true (after googling to find out what RSA means) and send you the $300.

No, they are going to look for a "free decoder program," ha ha ha. Oh, the joys of non free software.

Jokes aside, this trojan is aimed at corporate users. If it's easy to fix, big dumb companies will tell their sheep to bring forth their problems and fix them. If the creeps had been bright enough to use real encryption, there would be no solution and embarrassed users will try to fix the problem themselves. Of course, paying $300 to an extortionist will get you nothing more than another request for money unless they want to sell you back each file. For more evidence of this, see Vista pricing.

In a related story

. . .Trojan brand shown to BLOCK Evolutionary Path!

I keep reading about these.

Do people still really open attachments from people that do not know or were not expecting? Are people really executing unknown .exe files?

What is the infection vector for these things? Is it email, P2P networks fooling people into believing that mp3 really is an EXE file?

although I cant believe that people are stupid enough to fall for a nigerian scam wanting to deposit 30 billion dollars in their accounts overnight either.

Re:I keep reading about these.

Well, considering that Windows by default doesn't show the file extension for known filetypes, as far as all the noobs can tell, the file they just double-clicked was "Artist - song.mp3", since they wouldn't even see the .exe at the end. Sweet deal eh?

If you've used any common p2p apps like eDonkey or the like, you'll notice that when you search for something, even if you type some arbitrary crap like "huoshgahgauoiwhrgoaghnaj" you'll also get "huoshgahgauoiwhrgoaghnaj.mp3.exe" and "huoshgahgauoiwhrgoaghnaj pics xxx mpeg avi.exe" or similar shit. So someone searching for a keygen is going to get "exactly the keygen they wanted.exe" .... and so on and so forth. You can imagine how quickly someone will eagerly download and run a keygen they've been looking for for ages that they couldn't find anywhere else.... ;)

off topic, but

Can anyone explain what "Beware of geeks bearing graft" means? (QOTD)

You can prevent encryption by creating a reg key

The entry should be a REG_DWORD named WinCode in the HKLM\SOFTWARE\Microsft\Windows NT\CurrentVersion location, and should have the value 31337

Mod parent INFORMATIVE

Read the report: http://ip.securescience.net/advisories/Glamour-Ran somWare.pdf [securescience.net] page 15.
There is in fact a check for a value of "31337" in a "WinCode" registry key.

Don't be fooled!

Microsoft has been doing this for years now. They call it an "operating system" and also "office suite". Those are just code names though, don't let it fool you!

Evolutionary Path?

Evolution is nonsense. Surely this trojan was intelligently designed.

Yeah, but...

does it run on Linux?

Re:Noddleware.

The first trojan was created 6000 years ago and left the garden some years after that. The garden was invaded by Greeks in a wooden horse, or something...

Re:speaking of trojans

I just bought 72 condoms.

I just bought 144 condoms, and now I'm grossly [google.com] oversexed.