This is new...Ransom Trojans

Printable View

March 17th, 2006, 02:27 PM
Sm0kinP0t

This is new...Ransom Trojans

One could think the usual trojan would always have the same purpose (z0mbies, credit&other data theft, D0s and so on...), but folks at Sophos have found a new sort of trojans:
one that focuses malicious actions on password-encrypting documents,spreadsheets and database files only to later ask the victim for a 300$ payment to an E-Gold account, in order to receive the password that unlocks the documents.

Quote:

Source: ZDnet

A Trojan that tries to hold users to ransom could be part of a growing trend

Experts warned computer users on Wednesday of a Trojan that could steal their data and try to sell it back to them.

Zippo-A (also known as CryZip) searches for word documents, database files and spreadsheets, and converts them to password encrypted zip files on the user's computer. A file is then created that instructs users to pay $300 (£170) to an e-Gold account to recover their data.
"This is most interesting as an extension of a growing trend of Russian ransomware. This is the first time we've seen this in the UK," said Graham Cluley, senior technology consultant at Sophos.

"Companies who have made regular backups may be able to recover easily, but less diligent businesses may be in a quandary about whether to cough up the cash," Cluley said.

http://news.zdnet.co.uk/internet/sec...9257682,00.htm

Although *.zip password is easy cracking material, if this turns into a new "fashion trend" we can start seeing more of these, probably with harder encryp and bigger $$$ demands.

edit> forgot to say, the pass is: C:\Program Files\Microsoft Visual Studio\VC98 :D
March 17th, 2006, 02:44 PM
brokencrow

Let me guess, this only affects Windows computers...
March 17th, 2006, 02:59 PM
nihil

Hi,

These first started to show up at the beginning of last year. They didn't seem to catch on, probably because it is difficult to actually collect the money without getting caught?

If you think about it, there is no big deal. If you got a virus that wiped out your data you would be in the same position.

The answer is to have backups.

No, brokencrow there were a couple of cross-platform ones as I recall. That actually makes sense as businesses do use *nix servers reasonably commonly.

This activity is not aimed at private individuals.

;)
March 17th, 2006, 03:58 PM
thehorse13

There are two posts in circulation right now. This one, which as Nihil points out, is not new. The other references a keylogger for online banking. Again, old news.

This information is roughly 2 years old.

That said, truly new attack vectors focus on primitive tools. Why use a keylogger when the person throws the data needed into the garbage w/o shredding it? Same for companies.

I'd concentrate on low tech vectors such as dumpster diving. These classic attack vectors are beginning to see increases in use. Same for war dialing.

When we shift focus as a security community, the bad guys always look for the path of least resistance.

On the tech side of things, leveraging services such as DNS to sneak data in and out of environments is on the rise. Encrypted throttled sessions is another fabulous vector. Hiding in the white noise of network traffic is next to impossible to detect.

Anyway. Another 2 cents.

--TH13
March 17th, 2006, 04:03 PM
morganlefay

As always TH13 brings up a great point

Quote:

That said, truly new attack vectors focus on primitive tools. Why use a keylogger when the person throws the data needed into the garbage w/o shredding it? Same for companies.

"There are no technical solutions for administrative problems"

My .02 cdn

MLF
March 17th, 2006, 04:40 PM
Tiger Shark

Quote:

There are no technical solutions for administrative problems

Hey... That's my line... ;)
March 17th, 2006, 07:31 PM
morganlefay

Quote:

Hey... That's my line...

Thats because GREAT minds....think alike :D

Think what TH13 is trying to say ....all information is at risk...just not the stuff stored on your computer.

Quote:

When we shift focus as a security community, the bad guys always look for the path of least resistance.

Whats the point of encrypting all your data...when the hard copies are improperly handled....

anyway....I find this interesting and downright scarey :(

Quote:

On the tech side of things, leveraging services such as DNS to sneak data in and out of environments is on the rise. Encrypted throttled sessions is another fabulous vector. Hiding in the white noise of network traffic is next to impossible to detect.

MLF
March 17th, 2006, 07:33 PM
Tiger Shark

Quote:

Whats the point of encrypting all your data...when the hard copies are improperly handled....

Oh, come now Mistress LeFay.... Think!!!! Print the hard copies in encrypted form... Hmmm... I think I'm onto something... ;)
March 17th, 2006, 07:40 PM
morganlefay

Quote:

Print the hard copies in encrypted form...

geez Tiger....I never thought of that :rolleyes:

MLF
March 17th, 2006, 07:57 PM
Tiger Shark

I swear... from a security standpoint it's _gold_....

I'm gonna be rich...

Take that you dirty dumpster divers... hah...

Seriously though, as usual, TH13 is right.... when you attack anything you look for the "easy" route... It may not _seem_ to be the easiest but if the intent is to avoid detection and reach a target then avoidance of your enemy is the easiest way... I've crawled 200 yards up a stream in winter, (which isn't "easy", trust me it's cold), to pass through a perimeter. Why? Because no-one thought anyone would do it so it wasn't properly watched... So it was the "easy" route.

Let's be honest... SE will always be pretty easy... So it's always a big threat....