Wednesday, March 15, 2006

Computer Blackmail

It seems that some virus writers are bored with just trying to mess up people's computers. It appears that their warped egos are no longer interested only in gaining a reputation among fellow hackers by writing the one piece of code that screws up the most machines. Now, they want to make money off of their evildoing.

In that vein, one or more of them have moved into computer blackmail, that is, extorting money from people whose computers they have just violated. Virus hunters have found a new Trojan that encrypts files on an infected computer and then demands $300 in ransom for a password that will decrypt them. The Trojan, identified as "Cryzip", uses a commercial zip library to store the victim's documents inside a password-protected zip file and leaves step-by-step instructions on how to pay the ransom to retrieve the files.

It is not yet clear how the Trojan is being distributed, but security researchers say it was part of a small e-mail spam run that successfully evaded anti-virus scanners by staying below the radar. While this type of attack, known as "ransomware," is not entirely new, it points to an increasing level of sophistication among online thieves who use social engineering tactics to trick victims into installing malware.

The LURHQ Threat Intelligence Group, based in Chicago, was able to crack the encryption code used in the Cryzip Trojan and determine how the files are encrypted and the payment mechanism that has been set up to collect the $300 ransom. Cryzip searches an infected hard drive for a wide range of commonly used file types, including Word, Excel, PDF and JPG images.

The Trojan then deletes all the files, leaving only the encrypted file with the original file name, followed by the "_CRYPT.ZIP" extension. A new directory named "AUTO_ZIP_REPORT.TXT" is created with specific instructions on how to use the E-Gold online currency and payment system to send ransom payments.
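The two host-side indicators the post describes (a `_CRYPT.ZIP` archive left in place of each original file, plus a dropped `AUTO_ZIP_REPORT.TXT`) are enough to write a simple triage scan for an incident responder. The script below is an added example, not code from the post or from LURHQ's advisory: it walks a directory tree, lists ransom notes and suspect archives, counts how many archives have no surviving original (the post says the originals are deleted), notes which archives correspond to the file types the post names, and reads each archive's entry flags to see whether the zip entries are marked as password-protected. Case-insensitive name matching and the constructed sample tree are assumptions made for the example; Python's `zipfile` cannot write password-protected archives, so the constructed sample's entries report as unencrypted.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Indicators taken from the post: each archive keeps the original file name
# plus this suffix, and a ransom note with this name is dropped.
CRYZIP_SUFFIX = "_CRYPT.ZIP"
CRYZIP_NOTE = "AUTO_ZIP_REPORT.TXT"
# File types the post says Cryzip goes after (Word, Excel, PDF, JPG).
TARGET_EXTENSIONS = {".doc", ".xls", ".pdf", ".jpg"}


def count_encrypted_entries(zip_path):
    """Count zip entries whose general-purpose flag bit 0 (traditional
    PKWARE password protection) is set. A file that is not a zip counts as 0."""
    try:
        with zipfile.ZipFile(zip_path) as zf:
            return sum(1 for info in zf.infolist() if info.flag_bits & 0x1)
    except zipfile.BadZipFile:
        return 0


def scan_for_cryzip(root):
    """Walk `root` and collect the indicators described in the post.

    Returns a dict with the ransom notes found, the suspect archives found,
    how many archives have no surviving original next to them ("orphaned"),
    how many archives wrap one of the targeted file types, and how many zip
    entries across all archives are flagged as password-protected."""
    findings = {
        "notes": [],
        "archives": [],
        "orphaned": 0,
        "targeted_types": 0,
        "encrypted_entries": 0,
    }
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            upper = name.upper()  # assumption: match names case-insensitively
            if upper == CRYZIP_NOTE:
                findings["notes"].append(str(path))
            elif upper.endswith(CRYZIP_SUFFIX):
                findings["archives"].append(str(path))
                # Strip the suffix to recover the original file name.
                original = path.with_name(name[: -len(CRYZIP_SUFFIX)])
                if not original.exists():
                    findings["orphaned"] += 1
                if original.suffix.lower() in TARGET_EXTENSIONS:
                    findings["targeted_types"] += 1
                findings["encrypted_entries"] += count_encrypted_entries(path)
    findings["archives"].sort()
    return findings


def build_sample_tree(root):
    """Constructed sample for the example, not real malware output: one
    untouched file, two archives whose originals were removed, one archive
    whose original still exists, and a ransom note."""
    root = Path(root)
    (root / "notes.txt").write_text("untouched text file")
    for original in ("budget.xls", "photo.jpg", "memo.doc"):
        with zipfile.ZipFile(root / (original + CRYZIP_SUFFIX), "w") as zf:
            zf.writestr(original, b"placeholder document contents")
    (root / "memo.doc").write_text("original that was not deleted")
    (root / CRYZIP_NOTE).write_text("constructed ransom note text")
    return root


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_for_cryzip(tmp)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The orphan count is the useful triage signal: an archive with a missing original means the deletion step already ran, while an archive sitting next to its original suggests an interrupted run or a recoverable copy. Point `scan_for_cryzip` at a mounted image or user profile directory rather than the constructed tree to use it on a real case.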

The instructions, which are marked by misspellings and poor grammar, contain the following text: "Your computer catched our software while browsing illigal porn pages, all your documents, text files, databases was archived with long enought password. You can not guess the password for your archived files - password lenght is more then 10 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations)."

The Trojan author uses scores of E-Gold accounts simultaneously to get around potential shutdowns, according to LURHQ, which published the complete list of E-Gold accounts in its advisory. Officials from E-Gold, which operates out of the Caribbean island of Nevis, have not yet commented or taken any action.
