RansomWare Disassembly Reveals Evolutionary Path 64
flaws writes "The guys at Secure Science Corporation have written a revealing article demonstrating the relationship with the most recent Ransom-based Trojan (known as Glamour) and some previous data stealing trojans. They include an open source decrypting utility for unlocking your files if infected, and some stats that are a bit disturbing. According to their report, in the past 8 months, 152,000 victims have been infected, and over 14.5 million records were discovered to be logged by the trojan."
My poor pornography :( (Score:5, Funny)
Re: (Score:2, Funny)
I never did get that picture back...
Re: (Score:3, Funny)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Remember that night you and your wife got drunk and took all those nasty photos? $500 to sugarinyourgastankwhilstanallyrapingyourmom@quicky lube.com or your neighborhood gets to critique them, too...
...and have a nice day.
Kudos,
Howie Feltersnatch"
I'd bet 10-to-1 odds some unscrupulous f**k will try/has tried it, too...
Re: (Score:2)
Re: (Score:2, Funny)
Re: (Score:2)
And now you can find trojans littering many urban gardens, parks, playgrounds...
Re: (Score:1)
*Dances around singing "Every Sperm is Sacred..."*
Tag this haha and pwned (Score:1)
Why bother? (Score:3, Insightful)
If you just XOR the data and tell people it's RSA-4096 99.44% of them are going to just accept that it's true (after googling to find out what RSA means) and send you the $300. How many are going to find out about this open source decryptor? I betcha 80% of IT consultants won't even know about it, and h
Because of who the targets are. Re:Why bother? (Score:5, Interesting)
If you just XOR the data and tell people it's RSA-4096 99.44% of them are going to just accept that it's true (after googling to find out what RSA means) and send you the $300.
No, they are going to look for a "free decoder program," ha ha ha. Oh, the joys of non free software.
Jokes aside, this trojan is aimed at corporate users. If it's easy to fix, big dumb companies will tell their sheep to bring forth their problems and fix them. If the creeps had been bright enough to use real encryption, there would be no solution and embarrassed users will try to fix the problem themselves. Of course, paying $300 to an extortionist will get you nothing more than another request for money unless they want to sell you back each file. For more evidence of this, see Vista pricing.
Because in the end users are stupid (Score:1)
Re: (Score:2)
Yes, you illustrate the corporate ethos adeptly.
This post is RSA-13 encrypted (Score:3, Funny)
In a related story (Score:5, Funny)
I keep reading about these. (Score:2)
What is the infection vector for these things? Is it email, P2P networks fooling people into believing that mp3 really is an EXE file?
although I cant believe that people are stupid enough to fall for a nigerian scam wanting to deposit 30 billion dollars in their accounts overnight either.
Re:I keep reading about these. (Score:5, Informative)
If you've used any common p2p apps like eDonkey or the like, you'll notice that when you search for something, even if you type some arbitrary crap like "huoshgahgauoiwhrgoaghnaj" you'll also get "huoshgahgauoiwhrgoaghnaj.mp3.exe" and "huoshgahgauoiwhrgoaghnaj pics xxx mpeg avi.exe" or similar shit. So someone searching for a keygen is going to get "exactly the keygen they wanted.exe"
Re: (Score:1)
Re: (Score:2)
Besides, even if you do think before acting, you could still get fooled. Exe's can have their own icons embedded, so a trojan might look like an mp3 after all. I usually look at the icon first, myself, so I might get fooled by it... except I scan suspicious wares before opening.
Helpful tip (Score:3, Informative)
"Well, considering that Windows by default doesn't show the file extension for known filetypes, as far as all the noobs can tell, the file they just double-clicked was "Artist - song.mp3", since they wouldn't even see the .exe at the end. Sweet deal eh?
Which is why I've been telling people for years the first thing they should do after installing Windows (immediately after selecting the "Show hidden files and folders" option and unchecking (clearing) the "Hide extensions for known file types" and "Hide protected operating system files" options in Control Panel -> Folder Options, View tab) is to run REGEDIT and do a 'Find' for all occurrences of "NeverShowExt" and delete every single one found. All of them (spare none).
Yes, it is admittedly unappe
Re: (Score:1)
Since for as long as I can remember. <shrug>
Perhaps the reason you were never able to make them show is because you either:
Trust me, it does work as described.
Try it again.
Re: (Score:1)
Re: (Score:1)
This doesn't really solve anything, though, since people can't reasonably be expected to know a safe file extension from a dangerous one. ...
Obviously the little bit of metadata provided by displaying the file extension is better than none at all, but it's not going to make email attachments all that much safer.
I beg to differ. In my experience does help -- quite a bit.
Even though most people (myself included, and I consider myself to be one of the more sophisticated/experienced Windows users) wouldn't necessary know all of (or even most of) those other file extensions you mentioned were "executable" type file extensions, they would at least know some of them were.
Most malware writers use extensions such as ".exe", ".scr", ".vbs", etc, and not the more arcane ones.
And I hope you'll agree that all but the
Re: (Score:1)
And as for saving a text file and not finding it later because windows helpfully renamed it something.txt.txt (it takes your .txt extension and "knows" that you're only allowed to modify the first part of the filename)
That's the application you're using that's doing that and not Windows. I've experienced the same phenomenon myself but I forget which program it was now.
I do remember this though: it only seemed to occur whenever:
If I'd instead select "All files (*.*)" and then enter "something.txt" as the filename, it then did indeed
Re: (Score:1)
Hello !
We are writing to you regarding the resume you have posted on the job.ru websit
Re: (Score:2)
Yes, I know it doesn't sound official, have you ever seen a person desperate for work? They'll take any response and run with it.
Re: (Score:2)
Who's going to suspect a PDF from their friend contains an unscanned virus payload.
Javascript in PDF, great idea!
Re: (Score:2)
Re: (Score:2)
Re: (Score:2, Interesting)
Re: (Score:2, Interesting)
Do people still really open attachments from people that do not know or were not expecting? Are people really executing unknown .exe files?
A fun experiment: Write a small, harmless program that when executed send a single ping to your home machine/ server and an equally simple program to count the incoming pings on said system.
Write a short message saying something like "The well known virus 'YouAreTooStupid' is again spreading across the Internet. Please run the attached program to clean and/ or immunize your PC", attach your little program and send it to twenty people. Then sit back and watch your counter...
It will keep counting for da
Re: (Score:2)
Then there's MPack. Quite hard to track down and near impossible to avoid, unless you happen to have a browser that's not affected and/or a system that can't run Windows executables natively.
P2P works too, if you manage to make people think your executable is just what they want, be it a crack for a recent game
off topic, but (Score:1)
Re: (Score:1)
That explains (Score:1)
Re: (Score:3, Funny)
I just bought 144 condoms, and now I'm grossly [google.com] oversexed.
Re: (Score:2)
You can prevent encryption by creating a reg key (Score:5, Funny)
Mod parent INFORMATIVE (Score:4, Informative)
There is in fact a check for a value of "31337" in a "WinCode" registry key.
Don't be fooled! (Score:1)
Evolutionary Path? (Score:1)
Re: (Score:1)
Yeah, but... (Score:1)