Wed, Aug 20, 2008


EURweb

TECHNOLOGY BREAKDOWN: You Can Pay Now, Or Pay Later

By Russell de Pina
(March 16, 2006)

     There is a disturbing new trend emerging in the world of malware. Malware stands for “malicious software” and encompasses everything from viruses to spyware to phishing attacks distributed by way of email. This new type of threat is often referred to as “ransomware” and it does exactly what its name implies – it holds the files on an infected machine for ransom. On March 11, 2006, the security research firm Luhrq issued an alert about a new program it is calling “Cryzip”.

     When Cryzip attacks a vulnerable machine, it searches the hard drive primarily for text files and other data files (everything from JPEG images to various versions of database files), packages the lot in an encrypted zip file, and then deletes the originals from the victim's hard drive after issuing a ransom notice instructing the victim to pay $300 to an eGold account in order to receive the decryption key. The eGold account number that appears in the ransom message is one of a set of account numbers included in the malware itself and chosen at random when the program executes. Fortunately, the writer of the Cryzip program included the password in the program itself, attempting to hide it in plain sight. The researchers at Luhrq figured that the program's writers, having (correctly) presumed that any prolonged communication with their victims would increase the likelihood of being caught, simply included the decryption key in the original program so that decryption could be accomplished without having to pass another message containing the key to the victim.
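The behaviour just described (one encrypted archive written, then many user documents deleted) is exactly the sort of pattern a host monitor can flag. The following is an added illustration, not code from this column or from the Luhrq advisory; the event feed, process ids and paths are constructed sample data.

```python
"""Flag the archive-then-delete pattern over a constructed file-activity feed."""
from collections import defaultdict

# Document types the article says Cryzip went after: text/data files and images.
DATA_EXTS = {".txt", ".doc", ".xls", ".jpg", ".jpeg", ".mdb", ".dbf", ".pdf"}

# Constructed events: (seconds, pid, operation, path). pid 4242 behaves like the
# ransomware: it writes one zip archive, then deletes many user documents.
# pid 1100 is an ordinary program doing ordinary things.
EVENTS = [
    (0, 1100, "write",  r"C:\Users\a\Documents\notes.txt"),
    (1, 4242, "create", r"C:\Users\a\Documents\_CRYZIP_\1.zip"),
    (2, 4242, "delete", r"C:\Users\a\Documents\notes.txt"),
    (2, 4242, "delete", r"C:\Users\a\Documents\budget.xls"),
    (3, 4242, "delete", r"C:\Users\a\Pictures\holiday.jpg"),
    (3, 4242, "delete", r"C:\Users\a\Documents\customers.mdb"),
    (5, 4242, "delete", r"C:\Users\a\Documents\report.doc"),
    (7, 1100, "delete", r"C:\Users\a\Documents\old.txt"),   # a single, normal delete
    (9, 4242, "create", r"C:\Users\a\Documents\AUTO_ZIP_REPORT.TXT"),
]


def find_archive_then_delete(events, min_deletes=4, window_s=60):
    """Return {pid: deleted_count} for processes that create a .zip archive and
    then delete at least `min_deletes` data files within `window_s` seconds."""
    zip_created_at = {}            # pid -> time of that process's first .zip creation
    deletes = defaultdict(int)     # pid -> data files deleted after the archive
    for t, pid, op, path in sorted(events):
        ext = path[path.rfind("."):].lower() if "." in path else ""
        if op == "create" and ext == ".zip":
            zip_created_at.setdefault(pid, t)
        elif op == "delete" and ext in DATA_EXTS and pid in zip_created_at:
            if t - zip_created_at[pid] <= window_s:
                deletes[pid] += 1
    return {pid: n for pid, n in deletes.items() if n >= min_deletes}


if __name__ == "__main__":
    for pid, n in find_archive_then_delete(EVENTS).items():
        print(f"pid {pid}: wrote a zip, then deleted {n} data files -> possible ransomware")
```

The thresholds are deliberately loose here; in practice they would be tuned against normal backup and archiving tools that legitimately zip and remove files.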

     In its report, Luhrq's researchers noted that Cryzip is not the first such threat to make its way onto the 'Net. Last May, a piece of malware called PGPCoder was released. Like Cryzip, PGPCoder did not propagate widely, as most malware tends to do. To date, the infection vector (how the program gets onto a machine) for Cryzip is unknown, but most likely it happens when a user visits a malicious website. What we do know is that the program infects machines running Windows (big surprise there) and was built using an older version of Microsoft's Visual Studio development tools, most likely to ensure that the malware would leverage the backwards compatibility features built into Windows, thereby infecting the largest possible population of machines running various versions of Windows.

     The Luhrq advisory notes that the emergence of two separate incidents of this nature in the past 10 months indicates that we are most likely witnessing the beginning of a new trend, and that further attacks affecting a wider population of users are in the offing. In all likelihood, future attacks of this nature will be combined with other attack vectors, such as phishing scams. The fact that the creators of the Cryzip program chose a propagation mechanism that does not enable rapid spread of the attack indicates that they were trying to fly “under the radar” of security companies. However, it could also be that this threat was deployed as a proof of concept and that a more vicious variant of this kind of attack is in the works.

     If that is the bad news, then the good news is that defending oneself against a ransomware attack is relatively simple – back up your files early and often. Also (and I don't believe I am still having to say this), it is imperative not only to install anti-malware/antivirus software on all of your computers but also to keep it updated. The $30 - $50 you spend on an annual subscription to keep your antivirus software current is more than worth the potential price you will have to pay if your computer becomes infected in a ransomware attack. In short, that old adage, “an ounce of prevention is worth a pound of cure”, is advice well worth heeding. Or, as the old Fram oil filter commercials put it, “you can pay me now, or pay me later”. For more information on Cryzip, you can check out the advisory at http://www.luhrq.com/cryzip.html


Russell de Pina is a Principal with n2active, a technology consultancy located in Long Beach, CA and Houston, TX. Russell can be reached by email at rdepina@n2active.com
