
Virus Hold Computer Files 'Hostage' for $200 488

Posted by CmdrTaco
from the it'd-be-funnier-if-it-wasn't-scary dept.
dwayner79 sent in a story about a new virus making the rounds. This one is unique because it locks your files and then demands a $200 ransom to get them back. It seems to me that this might leave some sort of traceable money trail. They don't have much information on any particular transmission mechanism, they just talk about web pages giving it up.
  • by yotto (590067) on Tuesday May 24, 2005 @09:41AM (#12622705) Homepage
    ...Until I see a photograph of my files with today's paper.
    • by c0ldfusi0n (736058) <admin&c0ldfusi0n,org> on Tuesday May 24, 2005 @09:43AM (#12622732) Homepage
      In other news, virus writers associate with milk producers to print the output of "dir" on the back of the milk cartons.
      • by Anonymous Coward
        Will Microsoft start factoring these little occurrences into the TCO of Windows?!
        • For the love of God.

          How is this in any way a Windows specific thing? The same virus could be written to run on any OS.

          I stand by my earlier statement.

          You're an idiot.
      • typo (Score:5, Funny)

        by commodoresloat (172735) on Tuesday May 24, 2005 @11:21AM (#12623718)
        you misspelled "ls"

        Oh, wait a minute, never mind...

        I forgot we were talking about viruses.

    • by MoonBuggy (611105) on Tuesday May 24, 2005 @09:58AM (#12622909) Journal
      Seriously though, the article does not show me any reason that the virus writer can be trusted on his word alone. How would you know that he really will send the key?

      I can see three possible ways this is done: the files could be encrypted with a random key which is sent back to the author - in this case I guess the key could be intercepted on its way out of your computer, but you'd have to anticipate being infected. Alternatively, the virus might always use the same key, in which case one person needs to buy/brute force it and everyone's sorted. Finally, it might use a random key which the writer has no way of knowing - secure, but he'll take the money and run because he doesn't know the key.

      In any of those three scenarios I'd think it makes sense to try to avoid giving him any money. Either that or I've missed something.
      • by HadenT (816717) on Tuesday May 24, 2005 @10:11AM (#12623017)
        Why not:
        generate random key, encrypt data with it (symmetric),
        encrypt that key with public one (stored in virus itself), destroy random key, give victim encrypted key.
        Victim sends encrypted key to author, he decrypts it using his private key and sends it back.
      • by abulafia (7826)
        The ransomware could phone home to a cracked server which provides the key. Or public key crypto could be used.
      • If it uses the same key, but a very long one, all the computers in the world would be very unlikely to break the key in a decent amount of time.

        Remember the RC5 challenge? It took 1757 days' worth of massive collaboration effort to break a 64-bit key, showing that 64-bit RC5 is not enough for data that is still sensitive after several years.

        Now they are trying to break a 72 bit version of the same algorithm. It should take 2^8=256 times more computational effort or over 1000 years with current processing
    • laundering the money (Score:5, Interesting)

      by goombah99 (560566) on Tuesday May 24, 2005 @11:18AM (#12623682)
      Everyone speculates that laundering the money will be hard. Perhaps not so hard really. This happens daily on E-bay with the western union scams. Apparently none of those are ever traced so why not these?

      As for tracing the e-mail well that won't work either: again people do this all the time on e-bay rip offs and none of those get traced.

      besides which the attacker might very well be logging your keystrokes and simply watching for you to send any text containing a fake address he gave you, then sending this real text somewhere else. Fat chance you would notice this in time to do anything about it. He just picks off the western union number, then pays some street urchin to go collect for him.

      or you could rig this as sort of a two part thing. One is to have the virus encrypt the files. then "coincidentally" this spam e-mail comes offering to sell you a universal decoder program for the low price of 49.99$. The company could be legitimate in the same sense that McAfee is legit. They just sell decryption tools. Sure they might be suspect but some company IS going to crack this and when they do they are going to SELL the decoder. The evil-doer merely has to be one of many companies offering this product for sale. It would be in his interest to leak the decoding method just so those decoy companies would appear.

      • by team99parody (880782) on Tuesday May 24, 2005 @11:53AM (#12624071) Homepage
        In fact, Symantec does this to me (at work) all the time. I bought their product once; and every 6 months or however long it takes that license to expire; they keep spamming me with more emails that say if I want to keep my computer safe from all the stuff infecting it I need to pay them more protection money.

        At home, I don't have the problem; since more honorable vendors that distribute their software via apt-get don't run these kinds of protection rackets.

  • before the perpetrators find out that to get get, you follow the money!
  • by a_greer2005 (863926) on Tuesday May 24, 2005 @09:42AM (#12622723)
    IF it takes spyware hostage
    • Do you really think a virus is going to take spyware hostage and then demand $200 for the key to unencrypt it? I don't know about you, but even if it did, I sure wouldn't be happy with this kind of virus on my computer.

      Plus the article mentions this particular infection affected only "at least fifteen types of data," most of which were presumably important to the user, like spreadsheets and the like. But again, even if it did encrypt malware ... I don't see how it could be a good thing. Let's introduce the

  • a fix (Score:5, Insightful)

    by MankyD (567984) on Tuesday May 24, 2005 @09:42AM (#12622725) Homepage
    Assuming this virus is telling the truth (and I highly highly highly doubt it is), doesn't that mean that there's a simple command you can send to it to fix the problem? What's to prevent anti-virus companies from figuring this out and providing a quick fix?
    • Re:a fix (Score:3, Insightful)

      by pentalive (449155)
      A simple command to fix this? try
      "restore backup"
    • Re:a fix (Score:3, Informative)

      by keshto (553762)
      Because if the hacker has encrypted the files with a random passphrase and assuming this passphrase isn't the same for all the computers he attacks, it is highly unlikely a security company will be able to easily decrypt the files.

      That is what is particularly scary about this. What if the hacker went offline-- even if you are willing to pay the money, you can't get to the files. They are as good as deleted
      • That works for the attacker. If you target one big company and get good penetration, you can point out that if there are any signs of trouble you'll disappear and they'll never get their files back.

        I am surprised we've never seen this as a targeted attack before, or maybe no one has reported it.
    • Re:a fix (Score:2, Insightful)

      by squiggleslash (241428)
      What makes you think that?

      If I were the extortionist, I'd write the code to obtain a key from some source (perhaps be pre-loaded with several thousand precalculated RSA "public" keys), encrypt the files, and then release a decrypter with the relevant private key for that particular system.

      This works because RSA encryption involves keys that have a public and private portion. The public key is used to encrypt but once encrypted, the data can't be decrypted without the private key. It is immensely diffic

      • See my post below, there's no reason to have thousands of public/private key pairs. Combining public/private with a random symmetric key is a time tested alternative. PGP uses IDEA for encryption and public/private key crypto to protect the random IDEA key.

      • I encountered a virus just 2 years ago, although it had been written in the 1990s, that encrypted files on a hard drive using a randomly generated and locally stored key. If you removed the virus, you'd lose the key, and access to all files that had so far been encrypted. I don't recall the name of the virus right now, but I spent about an hour looking for a fix to this old virus, and fortunately found an old removal utility on a website that was still hosting it, and it retrieved the simple encryption k
    • Re:a fix (Score:3, Interesting)

      by wren337 (182018)
      Since they recovered the files without the key, it looks like the guy wrote his own crypto. Score one for the good guys. Next time maybe the guy uses a well written public key library. Encrypt the local files with a random symmetric key, encrypt the key with a public key and present it to the user. The user has to email the encrypted symmetric key to the virus writer for decryption.

      There's no reason to think there would be a single interceptable "key" value that would unlock everyone's files. It depen
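      Added example, not code from the thread or from the virus discussed: the hybrid scheme HadenT and wren337 describe, written out with a toy unpadded textbook RSA pair (two Mersenne primes, assumed here) and a SHA-256 counter keystream standing in for a real symmetric cipher. It shows why nothing recoverable stays on the victim's machine, why each machine's wrapped key differs, and why a key recovered from one machine unlocks nothing elsewhere, which is the reason the backup advice in this thread is the only reliable defence.

```python
import hashlib
import secrets

# Toy RSA modulus from two Mersenne primes (2^31-1 and 2^61-1).
# Deliberately small, unpadded textbook RSA for illustration only;
# it is not a usable key pair for anything real.
P = 2147483647
Q = 2305843009213693951
E = 65537


def make_keypair():
    """Return (public, private) as (e, n) and (d, n) tuples."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)            # modular inverse (Python 3.8+)
    return (E, n), (d, n)


def keystream_xor(key, data):
    """Toy stream cipher: XOR data with a SHA-256 counter-mode keystream.
    Stands in for AES or similar; the same call both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)


def lock(plaintext, public):
    """Encrypt under a fresh random data key, wrap that key with the
    public key, and forget the data key.  Returns (ciphertext, wrapped)."""
    e, n = public
    data_key = secrets.token_bytes(8)          # 64-bit per-victim key (< n)
    ciphertext = keystream_xor(data_key, plaintext)
    wrapped = pow(int.from_bytes(data_key, "big"), e, n)
    del data_key                               # nothing left to recover locally
    return ciphertext, wrapped


def unwrap(wrapped, private):
    """Only the private-key holder can turn the wrapped value back into the data key."""
    d, n = private
    return pow(wrapped, d, n).to_bytes(8, "big")


def unlock(ciphertext, wrapped, private):
    return keystream_xor(unwrap(wrapped, private), ciphertext)


def demo():
    """Two constructed 'victims' sharing one public key; returns what each check found."""
    public, private = make_keypair()
    doc_a = b"constructed sample: Q2 budget spreadsheet"
    doc_b = b"constructed sample: holiday photo index"
    ct_a, wrapped_a = lock(doc_a, public)
    ct_b, wrapped_b = lock(doc_b, public)
    recovers = unlock(ct_a, wrapped_a, private) == doc_a
    # A's data key, even once unwrapped, does not decrypt B's files.
    cross = keystream_xor(unwrap(wrapped_a, private), ct_b)
    return {
        "recovers": recovers,
        "keys_differ": wrapped_a != wrapped_b,
        "cross_fails": cross != doc_b,
    }


if __name__ == "__main__":
    print(demo())
```

The wrapped value the victim is told to mail back is useless to anyone without the private key, so intercepting it on the way out of the machine, as MoonBuggy wondered, gains nothing.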
    • Re:a fix (Score:3, Informative)

      by httptech (5553)
      It's not a command in the trojan that decrypts the files, it's a program the trojan author sends you after you send him $200. However, the encryption is trivial and just about any reverse-engineer could write a decryptor for you.

      -Joe

      Joe Stewart, GCIH
      Senior Security Researcher
      LURHQ http://www.lurhq.com/ [lurhq.com]
  • Finally! (Score:4, Insightful)

    by Apreche (239272) on Tuesday May 24, 2005 @09:42AM (#12622728) Homepage Journal
    What the hell took so long for this to happen? There are thousands of viruses all around and most of them are so benign. They just eat system resources, send spam, show ads and other bs. It took way too long for someone to make a virus that actually compromises data. I hope soon someone makes one that takes important data files and uploads them to a web server for public view. And another one that overwrites the hard drives 3 or 4 times to prevent data recovery.

    Maybe when this happens people will actually pay more attention to computer security, instead of just putting up with the inconvenience.
    • Re:Finally! (Score:5, Insightful)

      by i.r.id10t (595143) on Tuesday May 24, 2005 @09:47AM (#12622803)
      You've not been around computers for long have you? We used to have all these nasty viruses, before Visual Basic and script kiddies, back when AOL wasn't on the Internet and dial up was mostly BBSes. Boot sector viruses, trashing hard drive controllers, etc.
      • I remember them... (Score:3, Interesting)

        by aug24 (38229)
        I lost my third year project (Physics) to one in 1992. Eight months work chewed to bits, but a very nice chap named Jules reconstructed most of it from the actual sectors, with me guessing where-abouts it came from.

        Those were, emphatically, NOT the days.

        Justin.
      • Re:Finally! (Score:4, Interesting)

        by srleffler (721400) on Tuesday May 24, 2005 @10:50AM (#12623404)
        There was even at least one that could wipe the BIOS eproms, leaving the computer completely inoperable and difficult to repair if not outright irreparable.
      • Re:Finally! (Score:3, Interesting)

        by imr (106517)
        It reminds me of DaHalf.
        This one was a perverse bastard. It slowly encrypted your hd track by track at every reboot but decrypted them, so the data was perfectly safe as long as the virus was there.
        If you removed the virus, you lost the data since the encryption key was in the virus.

        Do not remove virii before reading what they are about.
        If a virus is on your hd and you want to have it checked, cut the power, remove it from the pc and do not boot it until it is between the hands of a professional.
        Conside
    • Re:Finally! (Score:5, Insightful)

      by meringuoid (568297) on Tuesday May 24, 2005 @09:48AM (#12622816)
      Maybe when this happens people will actually pay more attention to computer security, instead of just putting up with the inconvenience.

      What will do that is a virus that replaces all .jpg files found with goatse, tubgirl and lemonparty.

      So many people have stored their digital camera photos on vulnerable Windows PCs. The only thing that will get them to secure those boxes is the threat that little Sophie's birthday photos, or the last time they went on holiday with Grandma before the illness, might be replaced with hideous porn by some virus...

    • by mgkimsal2 (200677) on Tuesday May 24, 2005 @10:11AM (#12623018) Homepage
      I've written about this before, but I'm *so* waiting for a virus to do one or more of the following:

      * alter scheduled appointments in outlook/exchange
      * alter contact information in outlook/exchange
      * alter information in ms word and ms excel documents

      The key to all this is to do it in small doses - change a 3 to a 4, alter appointments by 1 hour, etc, introduce a few wrong spellings into ms word documents, etc.

      People have this view that viruses are horribly destructive, and it decreases the estimation of Windows in some. Others stick by Windows, content to use anti-virus stuff because a virus just generally uses up resources indiscriminately or 'steals' data.

      If viruses started attacking the integrity of core MS Office products, not 'just' the operating system itself, more damage would be done to MS' hold on corporate america than any attack on the 'operating system' level by viruses.

      Put more simply, most people really don't understand the ins and outs of operating systems, nor the potential damage than can be done to them. Everyone can understand the damage that could be done by having your spreadsheets altered without your knowledge.

      Well, at least I *think* everyone could understand that.
      • Hmm... Subtle damage could indeed be more crippling than overt damage.

        Deleting a file will cause staff to notice, and after the virus is removed, the file will be restored.

        Changing a few random values in a spreadsheet will likely not be noticed as quickly, and when it is, there may not be any way to work out which daily backup to restore from.

        Then there's the effect.

        Deleting a file causes irritation, but has no lasting effect.

        Altering the file subtly will potentially damage a forecast, change the meani
  • However, people have been installing and paying spyware removal fees of less than $200, so I won't be surprised when people pay off viruses like this.
  • I call hoax (Score:5, Interesting)

    by Short Circuit (52384) * <mikemol@gmail.com> on Tuesday May 24, 2005 @09:42AM (#12622731) Homepage Journal
    If it were real, we would have heard it from Symantec or McAfee long before a third-world news website.
  • by BunnyClaws (753889) on Tuesday May 24, 2005 @09:44AM (#12622742) Homepage
    Do they accept PayPal?

  • interesting attack (Score:5, Insightful)

    by rayde (738949) on Tuesday May 24, 2005 @09:44AM (#12622747) Homepage
    this is interesting. if a virus did this on a large scale, there would be loads of people who would be desperate to recover their data, and likely no feasible way to do it on a large scale without key recovery. but really, does the h4xx0r expect to be able to collect a sizeable amount of money without it being traced?

    yet another reason to do regular backups, so you are never solely dependent on your local copies.

    • by mwood (25379)
      What the virus author should be asking himself is: "should I worry more about the FBI tracing the thing back to me, or the minions of some mobster who just had his, uh, business records zapped by this indiscriminate attack?"
  • to "Follow the Money"!
  • Heh (Score:3, Funny)

    by TheRealMindChild (743925) on Tuesday May 24, 2005 @09:44AM (#12622753) Homepage Journal
    Nothing for you to see here. Please move along.

    OOOOOOOOOOOOOOOOH GNOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO. It appears to have infected CmdrTaco and now the news is being held hostage!!!!!!!!??!?!?!!!!

    1) Infect news site and hold "stories" hostage
    2) Hold a slashpoll to see if anyone noticed
    3) ...
    4) PROFIT!
  • by Anonymous Coward on Tuesday May 24, 2005 @09:45AM (#12622756)
    so I figure the virus author could deduct the money from my account, himself.
  • they are just gonna lock our mp3s and then charge us the "fair market amount". $200 per song doesn't seem to be all that much for them, however....
  • Must be a real moron (Score:5, Informative)

    by Kosi (589267) on Tuesday May 24, 2005 @09:45AM (#12622760)
    because his "blackmail-letter" is a file called attention!!!.txt, containing this:

    Some files are coded.
    To buy decoder mail: n781567@yahoo.com
    with subject: PGPcoder 000000000032

    • by caluml (551744)
      Actually, the best **almost** anonymous way of sending messages is to PGP/GPG encrypt them, and post them to alt.anonymous.messages [google.com]. Then, the right person, with the correct key can download your message, and (if he downloads every message in the group every day), you'd never know which ones he was able to read. And obviously others wouldn't be able to read the contents.
    • I got infected by that virus once. It printed this:

      I hold files kidnap: "GPL.TXT" is one
      To buy decoder mail: n781567@yahoo.com
      with subject: PGPcoder 000000000032

      Oh, darn...
  • What happened?

    Did they Install windows?

    was the email address bgates@microsoft.com?

    tee-hee

    G
  • All this guy did was probably change the file attributes and or permissions. It's been my experience that most "Windows" computer users have no clue how to change them or answer "permissions? attributes? what are these terms you speak of?"
    • No, the "locking" is done by encrypting the files and deleting the originals. It encrypts all files with certain endings (for example .jpg, .db, .doc, .pdf and .zip). If you don't have a backup and your undelete fails you have no way of restoring these files (I don't know which algorithm is used to encrypt the files but if he used AES you'll have to let a really, really heavy machine brute-force for quite some days).
  • Next time (Score:3, Interesting)

    by WormholeFiend (674934) on Tuesday May 24, 2005 @09:46AM (#12622785)
    Next time the police capture a virus writer, they should put him in a cell and tell him, we'll leave you here unless another virus writer pays us 200$.
  • by NCraig (773500) on Tuesday May 24, 2005 @09:47AM (#12622795)
    "The problem is getting away with it - you've got to send the money somewhere," Stewart said. "If it involves some sort of monetary transaction, it's far easier to trace than an email account."
    These guys won't get caught as long as they operate internationally and keep their ransom demands relatively low. As we've seen with the Nigerian Scam, there will be little impetus to apprehend these worthless criminals.
  • Ransom (Score:5, Funny)

    by mcleaver (105698) on Tuesday May 24, 2005 @09:47AM (#12622798) Homepage
    SOmeone wrote: "this one is unique because it locks your files and then demands a $200 ransom to get them back." Unique? sounds like a description of anti-virus software to me.
  • Or.... (Score:2, Insightful)

    by spotmonk (781716)
    you could just spend the change on a blank cd and back up your data before spending 200 dollars to get it back.
  • Is it just me, or does this seem a little elementary? FTA:

    "I send program to your email," the hacker wrote.

    And only demanding $200.00 from a business? Sounds like one of the following must be true:

    a) person is stupid enough to demand only $200.00 for a crime most likely punishable as extortion.
    b) person is testing the effectiveness of their program.
    c) person is too short sighted to think of either a or b.

    This is just pathetic.
  • by Y2 (733949) on Tuesday May 24, 2005 @09:51AM (#12622841)
    If a smart crook were behind this, he'd not worry much about collecting the supposed ransom, but would pop his head up as a good guy saying he'd cracked the virus and would sell you a fix-it kit for $50.

    Of course, this means any honest white knight is going to learn the hard way about 20 feds and a flashlight.

  • Not that I particularly appreciate idiot crackers making my work harder, but you gotta figure they'll be cringing at this rather blunt and clumsy attempt at extortion{sp}.

    I mean, is it really that much harder to make a virus that silently installs itself and listens for key strokes, then sends those back to you through a few cracked proxies? And there you go: account numbers and passwords.

    Idiots. If they do try to collect on this, they'll be caught, we'll find it's a couple of dumb as fuck kids who thought it'd be cool to "have a couple hundred bucks".

    And while I'm on that, 200 bucks? If you are really trying to get money, why not charge 20 bucks? For 200 bucks, most people are likely to seek outside help. For 20 bucks, people are more likely to just fork it over. I'd bet you'd have a greater ROI with the lower charge.
  • Wow (Score:5, Funny)

    by NubKnacker (787274) on Tuesday May 24, 2005 @09:54AM (#12622871)
    "This seems fully malicious," said Joe Stewart, a researcher at Chicago-based Lurqh who studied the attack software.

    Gee, I wonder how he figured that out....

    • Re:Wow (Score:5, Informative)

      by httptech (5553) on Tuesday May 24, 2005 @11:02AM (#12623509) Homepage
      Yes, funny funny. In context, though, you have to know the question the reporter asked me, which was, "Do you think this software was a test, or do you think it was malicious?"

      -Joe

      --
      Joe Stewart, GCIH
      Senior Security Researcher
      LURHQ http://www.lurhq.com/ [lurhq.com]
  • by overshoot (39700) on Tuesday May 24, 2005 @09:54AM (#12622875)
    that Microsoft is adding to the next version of Office?
  • by technomancer68 (865695) on Tuesday May 24, 2005 @09:57AM (#12622905)
    This has been out for years, it's called Windows XP Activation.
  • by scovetta (632629) on Tuesday May 24, 2005 @10:04AM (#12622961) Homepage
    I just finished reading "Malicious Cryptography: Exposing Cryptovirology", and it talks greatly about exactly this. The problem is that, due to wonderful things like public-key encryption, evildoers could conduct an attack like this without leaving a trace.

    I'd highly recommend the book (no, I don't know that author).
  • New Variant (Score:5, Funny)

    by Timberwolf0122 (872207) on Tuesday May 24, 2005 @10:09AM (#12622999) Journal
    If you don't send the money within two weeks they start sending the files back, bit by bit.
  • by Source Quench (857046) on Tuesday May 24, 2005 @10:12AM (#12623030)
    This is what happened when I installed windows 98... it crashed and a dialog box appeared and demanded that I upgrade to windows XP in order to save my files from digital heaven.
  • by zbeeble (808759) on Tuesday May 24, 2005 @10:17AM (#12623086)
    What happens if after I pay the money, my files do not want to come back ?
  • by Bender0x7D1 (536254) on Tuesday May 24, 2005 @10:28AM (#12623191)
    Is to back up your data on a regular basis.

    This little bit of wisdom has been around since computers hit the home. Now if only people would follow the advice given to them this virus would be a complete non-issue. Instead, we have a bunch of users who are convinced nothing bad will happen to them, (or are completely oblivious to the dangers), complaining since they didn't do what someone told them it was important to do.

    I know I am paranoid, but I make sure important files are regularly copied to 3 different systems. Gmail makes a great place to store some of my data - lots of space, geographically separated and administered by people who aren't complete idiots. I also copy my important stuff every week or two and put the disk in a fireproof safe designed for computer media.

    This scheme seems to work well against these sorts of viruses as well as natural disasters and hardware failures.
  • by Errtu76 (776778) on Tuesday May 24, 2005 @10:37AM (#12623282) Journal
    back in the msdos days (aka: the good old days) there was a virus that locked your pc, did something nasty to your mbr (or fat - i forgot) and you had to play a game (or two .. or usually a LOT) on the slots machine. You would get your system back when you got the jackpot.
  • by vertinox (846076) on Tuesday May 24, 2005 @10:53AM (#12623437)
    I'm sorry, but we don't negotiate with terrorists. The files knew the danger when they took the job.

    C:\>format c:
  • by Shaper_pmp (825142) on Tuesday May 24, 2005 @11:01AM (#12623497)
    Wow - it's like "Hackers"... only ten years after the idea even made the mainstream. And much more low-rent. And without the cool graphics and computer-generated voice. And with less supertankers. And without Angelina Jolie with her nips out.

    How lame is that?

    (And that's leaving aside the huge number of social and technical ways this scam could be improved...)
  • by fzammett (255288) on Tuesday May 24, 2005 @11:58AM (#12624132) Homepage
    Two easy steps:

    (1) Get this virus into the DMCA-supporters computers.

    (2) When they are screaming that all their data is encrypted, kindly inform them that you could create a crack for it and get all their data back, but unfortunately you would run afoul of the DMCA reverse-engineering laws and therefore cannot help them.

    Yes. Irony is *NOT* dead!!
  • by bunratty (545641) on Tuesday May 24, 2005 @12:04PM (#12624200)
    Some kind soul should write a virus that holds your files hostage until Firefox is installed and is set as the default browser. Hint, hint...
  • Money Agents (Score:3, Insightful)

    by gone.fishing (213219) on Tuesday May 24, 2005 @12:36PM (#12624532) Journal
    I wonder if this (or some other) extortion attempt is why my bank recently sent its customers a warning about a new scam that asks you if you would be willing to become a "money agent" for someone in another country. Supposedly, you would allow money to be deposited in your account and then you would send 90% of it along to a Western Union account. According to the scam, this is supposed to be faster, safer, and cheaper for people in foreign countries.

    Seems like a great way of breaking the money trail and it only costs 10%!

    Crooks are pretty inventive.
    • Re:Money Agents (Score:3, Insightful)

      by djrogers (153854)
      If I'm willing to work with a foreign criminal, why wouldn't I just hang on to all 100% of the $$? Crooks don't trust other people that far... It's far more likely that the 'scam' is simply a way to get your checking account info so the crooks can drain it directly.
