SophosLabs is warning computer users about Troj/Zippo-A, also known as Cryzip, this week, and offering the secret code to crack the scam. The Trojan horse encrypts computer data and attempts to extort a US$300 ransom.
Zippo-A searches for files, such as Word documents, databases and spreadsheets, and moves them into password-encrypted ZIP files on a victim’s computer. The Trojan horse then creates another file informing the victim that he or she needs to ante up some cash to an E-Gold account to recover the data.
When run, Cryzip searches the C: drive for files, overwrites the files with the text “Erased by Zippo! GO OUT!!!,” and then deletes the file. When victims attempt to open infected files, they find only the encrypted ZIP file bearing the name of the original file and the encryption extension.
Following is the Trojan writer’s email message, complete with spelling errors: “Your computer catched our software while browsing illigal porn pages, all your documents, text files, databases was archived with long enought password. You cannot guess the password for your archived files — password lenght is more than 10 symbols that makes all password recovery programs fail to bruteforce it…”
Bold as Brass
Companies that have made regular backups may be able to recover easily, but less diligent businesses may be in a quandary about whether to cough up the cash, said Graham Cluley, senior technology consultant for Sophos.
“In the old days, malware was typically written by teenagers who wanted to show off to their mates,” Cluley stated. “Now most of the viruses and Trojan horses we see are being written with the intention of making money from innocent internet users. The attacks are becoming more organized and more malicious, and every computer needs to be properly defended.”
The brute force method of retrieving the data is no longer necessary. Sophos security experts have determined the password used to encrypt users’ data: “C:\Program Files\Microsoft Visual Studio\VC98”.
“There should be no need for anyone unfortunate enough to have suffered from this ransomware attack to have to pay the reward to the criminals behind it. It looks like this password was deliberately chosen by the Trojan’s author in an attempt to fool analysts into thinking it was a directory path instead,” Cluley said.
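Recovering the archived files with the published password, as an added example that is not Sophos’s tool or anything from the article: it assumes Cryzip used the legacy ZipCrypto scheme that Python’s standard zipfile module can decrypt, assumes one original per archive as the article describes, and uses an assumed suffix (“._CRYPT”) because the article does not name the extension the Trojan appends.

```python
import tempfile
import zipfile
from pathlib import Path

# Password Sophos published for Troj/Zippo-A (Cryzip), as quoted in the article.
CRYZIP_PASSWORD = b"C:\\Program Files\\Microsoft Visual Studio\\VC98"
# Suffix the Trojan appends to each per-file ZIP archive. The article does not
# name it, so "._CRYPT" is an assumption: pass the suffix observed on the host.
DEFAULT_SUFFIX = "._CRYPT"
ERASE_MARKER = b"Erased by Zippo! GO OUT!!!"   # text the Trojan writes over originals


def recover_cryzip_files(root, suffix=DEFAULT_SUFFIX, password=CRYZIP_PASSWORD):
    """Open every per-file archive under `root` with the known password and
    write the original file beside it. Archives are left in place as evidence;
    remove them separately once the restore is verified.
    Returns (restored_paths, skipped_archives)."""
    restored, skipped = [], []
    for archive in sorted(Path(root).rglob(f"*{suffix}")):
        original = archive.with_name(archive.name[:-len(suffix)])
        if not zipfile.is_zipfile(archive) or original.exists():
            skipped.append(archive)        # overwritten residue, or already restored
            continue
        try:
            with zipfile.ZipFile(archive) as zf:
                names = zf.namelist()
                if len(names) != 1:        # article describes one original per archive
                    skipped.append(archive)
                    continue
                # zipfile decrypts legacy ZipCrypto members itself given pwd=...;
                # a wrong password raises RuntimeError, a CRC mismatch BadZipFile.
                data = zf.read(names[0], pwd=password)
        except (RuntimeError, zipfile.BadZipFile):
            skipped.append(archive)
            continue
        original.write_bytes(data)
        restored.append(original)
    return restored, skipped


def demo():
    """Constructed sample: one archived document plus one overwritten residue
    file (unencrypted archive, since the standard library cannot encrypt)."""
    root = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(root / f"budget.xls{DEFAULT_SUFFIX}", "w") as zf:
        zf.writestr("budget.xls", b"constructed spreadsheet contents")
    (root / f"notes.txt{DEFAULT_SUFFIX}").write_bytes(ERASE_MARKER)
    return recover_cryzip_files(root)


if __name__ == "__main__":
    restored, skipped = demo()
    print("restored:", [p.name for p in restored], "skipped:", [p.name for p in skipped])
```

Run it against a copy of the affected drive first; if every archive lands in `skipped` with the real password, the sample on that host was built with a different scheme and the assumption above does not hold.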
This type of encryption and extortion is a rare occurrence in malicious code, according to Ken Dunham, senior engineer at VeriSign’s threat intelligence firm iDefense. Indeed, while this type of scheme is 15 years old, the last such execution of an extortion worm came in 1989. LURHQ reports this is the third extortion scam of its kind.
“This is not something I would expect to yield very high profits for criminals as compared to other types of financial fraud and extortion that might take place,” Dunham told TechNewsWorld. “Many people have backups of their files, and now the code has been cracked.”
All About Money
Attackers are much more likely to use a bot or an e-mail worm that requires user interaction, Dunham said, because these methods will yield as many as 10,000 or 20,000 victims. More victims means more money.
“There is a lot more money to be made a lot easier in a lot of other ways. That tends to downgrade the likelihood of this type of attack going forth. It’s interesting. It’s notable, but we don’t think it’s likely because water flows down hill and attackers take what’s easiest. Why break the window when the front door is open?” Dunham asked.