[ISN] Cryzip Trojan Encrypts Files, Demands Ransom
isn at c4i.org
Tue Mar 14 03:12:29 EST 2006
By Ryan Naraine
March 13, 2006
Virus hunters have discovered a new Trojan that encrypts files on an
infected computer and then demands $300 in ransom for a decryption
The Trojan, identified as Cryzip, uses a commercial zip library to
store the victim's documents inside a password-protected zip file and
leaves step-by-step instructions on how to pay the ransom to retrieve
It is not yet clear how the Trojan is being distributed, but security
researchers say it was part of a small e-mail spam run that
successfully evaded anti-virus scanners by staying below the radar.
While this type of attack, known as "ransomware," is not entirely new,
it points to an increasing level of sophistication among online
thieves who use social engineering tactics to trick victims into
installing malware, said Shane Coursen, senior technical consultant at
Moscow-based anti-virus vendor Kaspersky Lab.
The LURHQ Threat Intelligence Group, based in Chicago, was able to
crack the encryption code used in the Cryzip Trojan and determine how
the files are encrypted and the payment mechanism that has been set up
to collect the $300 ransom.
According to a LURHQ advisory, Cryzip searches an infected hard drive
for a wide range of widely used file types, including Word, Excel, PDF
and JPG images.
Once commandeered, the files are zipped and overwritten the text:
"Erased by Zippo! GO OUT!!!"
The Trojan then deletes all the files, leaving only the encrypted file
with the original file name, followed by the "_CRYPT.ZIP" extension.
A new directory named "AUTO_ZIP_REPORT.TXT" is created with specific
instructions on how to use the E-Gold online currency and payment
system to send ransom payments.
The instructions, which are marked by misspellings and poor grammar,
contain the following text: "Your computer catched our software while
browsing illigal porn pages, all your documents, text files, databases
was archived with long enought password. You can not guess the
password for your archived files - password lenght is more then 10
symbols that makes all password recovery programs fail to bruteforce
it (guess password by trying all possible combinations)."
The owner of the infected machine is warned not to search for the
program that encrypted the data, claiming that it simply doesn't exist
on the hard drive.
"If you really care about documents and information in encrypted files
you can pay using electonic currency $300," the note says. "Reporting
to police about a case will not help you, they do not know password.
Reporting somewhere about our E-Gold account will not help you to
restore files. This is your only way to get yours files back."
The Trojan author uses scores of E-Gold accounts simultaneously to get
around potential shutdowns, according to LURHQ, which published the
complete list of E-Gold accounts in the advisory.
Officials from E-Gold, which operates out of the Caribbean island of
Nevis, were not available for comment.
"Infection reports are not widespread, so it is not believed this is a
mass threat by any means," LURHQ said. However, the company said
social engineering malware is typically more successful when it is
delivered in low volume to get around anti-virus detections.
"[M]ore attention means the likely closing of the accounts used for
the anonymous money transfer," LURHQ said.
More information about the ISN