Login

Please login to Techworld.com

Forgot password?
Need your new account confirmation email resent?
Forgot email?

Not a member yet?

Register for a Techworld Account and enjoy unlimited access to our extensive white paper library and exclusive Enterprise multi-user software trials. Account members can also comment on articles and access best practices guides.

Security

Top How-Tos / Advice articles

New 'scareware' Trojan holds users to ransom

New version of Vundo scrambles users' files.

By John E Dunn | Techworld | Published: 17:55, 24 March 2009

A Trojan that normally peddles bogus anti-virus ‘scareware' has hit on a new way of persuading users to part with money for a worthless license - it encrypts their data first.

The concept of encrypting data on an infected PC has been seen several times since 2005, but the new version of the Vundo Trojan reported to be doing the rounds by security company FireEye is the first to tie straight extortion to a conventional rogue anti-virus software scam.

The company doesn't fully detail how the program infects users - Trojans such as this sometimes exploit the Windows autorun vulnerability - but once on a system it sets out to encrypt various file types it finds on the host system, including .jpgs, PDFs and Word .doc files, after which it presents a piece of rogueware called FileFix Pro 2009 as the way to unlock the now inaccessible files.

Luckily, it appears that the encryption method is crude enough that one of FireEye's technical staff was able to write a Perl script able to unscramble a victim's files without the need to pay the $40 license fee.

"Vundo has fundamentally altered its criminal business model from ‘Scareware' tactics to ‘Ransomware' extortion. While a user may be "silly" to buy into scareware, they have little choice but to purchase the decryption software once the ransomware does its thing," says the company's blog on the enhanced Vundo.

As of 19 March, no anti-virus programs appeared to detect the latest version of Vundo, not helped by its use of polymorphism to mask the executable every time it is downloaded to a PC.

Notwithstanding its unusually crude use of encryption, as with past examples of ransomware such as Cryzip, this one appears to have an Eastern European origin: a Whois lookup lists the domain owner distributing Filefix Pro as being in the Ukrainian city of Kharkov.

Past examples of this type of attack have tended to fall into one of two camps; engineering the user into believing their files have been encrypted even though the key is weak, and using genuinely strong encryption from which even well-equipped security companies would find hard to crack. An example of the latter rare and more dangerous tactic would be last summer's GPcode.ak . Vundo, by contrast, is more of a crafty social engineering attack.

Users unlucky enough to have encountered the crypto version of Vundo can upload files to the FireEye website for decoding free of charge.

Send to a friend

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.