New 'scareware' Trojan holds users to ransom
- 26 March, 2009 08:45
- Comments
A Trojan that normally peddles bogus anti-virus scareware' has hit on a new way of persuading users to part with money for a worthless license - it encrypts their data first.
The concept of encrypting data on an infected PC has been seen several times since 2005, but the new version of the Vundo Trojan reported to be doing the rounds by security company FireEye is the first to tie straight extortion to a conventional rogue anti-virus software scam.
The company doesn't fully detail how the program infects users - Trojans such as this sometimes exploit the Windows autorun vulnerability - but once on a system it sets out to encrypt various file types it finds on the host system, including .jpgs, PDFs and Word .doc files, after which it presents a piece of rogueware called FileFix Pro 2009 as the way to unlock the now inaccessible files.
Luckily, it appears that the encryption method is crude enough that one of FireEye's technical staff was able to write a Perl script able to unscramble a victim's files without the need to pay the $40 license fee.
"Vundo has fundamentally altered its criminal business model from Scareware' tactics to Ransomware' extortion. While a user may be "silly" to buy into scareware, they have little choice but to purchase the decryption software once the ransomware does its thing," says the company's blog on the enhanced Vundo.
As of 19 March, no anti-virus programs appeared to detect the latest version of Vundo, not helped by its use of polymorphism to mask the executable every time it is downloaded to a PC.
Notwithstanding its unusually crude use of encryption, as with past examples of ransomware such as Cryzip, this one appears to have an Eastern European origin: a Whois lookup lists the domain owner distributing Filefix Pro as being in the Ukrainian city of Kharkov.
Past examples of this type of attack have tended to fall into one of two camps; engineering the user into believing their files have been encrypted even though the key is weak, and using genuinely strong encryption from which even well-equipped security companies would find hard to crack. An example of the latter rare and more dangerous tactic would be last summer's GPcode.ak. Vundo, by contrast, is more of a crafty social engineering attack.
Users unlucky enough to have encountered the crypto version of Vundo can upload files to the FireEye website for decoding, free of charge.
- Bookmark this page
- Share this article
- Got more on this story? Email TechWorld
- Follow TechWorld on twitter
-
Lenovo ordered to pay €1920 for making French laptop buyer pay for Windows too
-
Wikileaks suspect to face US court-martial
-
Wikileaks suspect to face US court-martial
-
Telstra reports issue with BigPond email accounts
-
Samsung Galaxy S II Android phone
-
Windows 7 for Dummies® Dvd+book Bundle
-
Windows 7 for Seniors for Dummies®
-
Teach Yourself Visually Windows 7
-
Office 2007 for Dummies
-
Excel 2007 All-In-One Desk Reference for Dummies
-
MYOB Software for Dummies 6E Australian Edition
-
Computers for Seniors for Dummies, 2nd Edition
-
Microsoft Office
-
Office 2007 All-In-One Desk Reference for Dummies
Get exclusive access to Techworld news, reports & analysis. 
Comments
Post new comment