New cyber extortion attack holds files hostage

May 23, 2005

 
Websense Security Labs has received reports of a new attack that attempts to extort money from users by encrypting files on their machines and then demanding payment for the key needed to decrypt them.
The initial infection occurs when the user visits a malicious website that exploits a previously disclosed vulnerability in Microsoft Internet Explorer. The flaw allows code to run without user intervention: the website abuses the Windows Help subsystem, using a CHM (compiled HTML Help) file to download and execute a Trojan horse downloader.

The downloader then connects, via HTTP, to a second malicious website that hosts the actual payload. That program encrypts files on the user's local hard disk and on any mapped network drives. It also drops a message on the system with instructions on how to buy the tool needed to decrypt the files. The message gives the email address of a third party to contact for instructions, and directs the user to deposit money into an online E-Gold account.
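
A responder who suspects a machine was hit by something like this wants a quick triage of what was touched. The following scanner is an added example written for this article, not a tool from Websense, Symantec or Lurhq: it walks a directory tree (a mapped drive would be scanned the same way), flags files that keep a targeted extension but no longer begin with that format's signature (encrypted in place, originals gone), and flags small text files that read like the dropped instructions. The signatures are real; the note-vocabulary pattern and the sample victim directory are constructed for the demonstration.

```python
"""Triage scan for files overwritten in place by a Gpcode-style Trojan.

Added example, not vendor tooling.  Two indicators from the article:
(1) a file that keeps its extension but whose leading bytes no longer match
    the format, because the Trojan encrypted it and removed the original;
(2) a small text file carrying the payment instructions.
"""
import os
import re
import tempfile

# Real leading bytes ("magic") for a few of the targeted file types.
SIGNATURES = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # OLE2 compound file (Office 97-2003)
    ".xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
    ".zip": b"PK\x03\x04",
}

# Constructed heuristic for the dropped note (e-mail contact, E-Gold payment).
NOTE_WORDS = re.compile(r"e-?gold|decrypt|decod|encrypt|\bpay\b", re.IGNORECASE)


def header_mismatch(path: str) -> bool:
    """True when a recognised extension's first bytes no longer match its format."""
    sig = SIGNATURES.get(os.path.splitext(path)[1].lower())
    if sig is None:
        return False                       # not a type we know how to check
    with open(path, "rb") as f:
        head = f.read(len(sig))
    return head != sig                     # truncated/empty files are flagged too; triage by hand


def looks_like_note(path: str, max_size: int = 4096) -> bool:
    """Small ASCII text file containing ransom-note vocabulary."""
    if os.path.getsize(path) > max_size:
        return False
    with open(path, "rb") as f:
        data = f.read()
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(NOTE_WORDS.search(text))


def scan(root: str) -> dict:
    """Walk root and collect both indicators; paths are returned sorted."""
    hits = {"encrypted": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if header_mismatch(path):
                hits["encrypted"].append(path)
            elif name.lower().endswith(".txt") and looks_like_note(path):
                hits["notes"].append(path)
    for key in hits:
        hits[key].sort()
    return hits


def build_sample_tree() -> str:
    """Constructed victim directory: two files scrambled by a toy XOR, one intact, one note."""
    root = tempfile.mkdtemp(prefix="triage-")

    def scramble(data: bytes, k: int = 0x5A) -> bytes:   # stand-in for the Trojan's cipher
        return bytes(b ^ k for b in data)

    samples = {
        "photo.jpg": scramble(SIGNATURES[".jpg"] + b"\x00" * 64),
        "memo.doc": scramble(SIGNATURES[".doc"] + b"\x00" * 64),
        "logo.png": SIGNATURES[".png"] + b"\x00" * 64,
        "ATTENTION.txt": b"Your files are encrypted. Mail the address below and pay via E-Gold.\n",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for kind, paths in scan(build_sample_tree()).items():
        print(kind, paths)
```

Run it against a real tree with `scan("/path/to/mapped/drive")`; anything listed under "encrypted" should be preserved as-is (do not open or overwrite it) until a decryptor is available.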

Joe Stewart, a senior security researcher at Lurhq Corp., looked into the case after hearing about it and contacted Websense with a solution. "I took a look at the encryption scheme and found that it was a pretty trivial and easy to break encryption scheme," Stewart said. "So I wrote a decryptor for that and put that information out there for our customers -- to tell them that if they get hit by this, we can decrypt it and you don't have to pay this guy ransom."

That solution might not work next time, experts said.

"If this evolves, and the person keeps getting more and more money from it -- and if they see the need for more advanced encryption -- they could put it in, and we wouldn't be able to break it," he said. "All we would be able to rely on is getting the key from the original Trojan author, which means you would have to either pay the ransom or law enforcement would have to actually catch the guy and get the key off his hard drive."
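
Why a "trivial" scheme falls so quickly, and what Stewart means by needing the attacker's key otherwise, is easiest to see on a toy. The block below is an added illustration for this article: it is not Stewart's decryptor and not Gpcode's real algorithm. The cipher is a hypothetical short repeating-key XOR; the file signatures are real. Because the targeted types (images, Office documents) start with fixed bytes, every encrypted file hands the analyst known plaintext, and the key is recovered without ever contacting the attacker. The two rejection cases show the limits: files under different keys, and a key longer than any known header.

```python
"""Known-plaintext attack on a weak file-encrypting Trojan cipher.

Added illustration, not Joe Stewart's decryptor and not Gpcode's real
algorithm: the cipher is a hypothetical short repeating-key XOR.
"""
import os

# Real format signatures for a few of the targeted types (known plaintext).
MAGIC = {
    ".jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",    # JFIF header, 11 bytes
    ".png": b"\x89PNG\r\n\x1a\n",                    # PNG signature
    ".doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",     # OLE2 compound file (Office 97-2003)
    ".gif": b"GIF89a",
}
# Known trailers, used to confirm a candidate key on a whole file.
TRAILER = {".jpg": b"\xff\xd9", ".png": b"IEND\xae\x42\x60\x82"}


def weak_encrypt(data: bytes, key: bytes) -> bytes:
    """Hypothetical weak cipher: XOR with a short repeating key (self-inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_fragment(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Ciphertext XOR known plaintext at the same offset yields key bytes."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def recover_key(samples, max_key_len: int = 16) -> bytes:
    """samples: iterable of (extension, ciphertext).

    Each header leaks key[0:len(header)].  Merge the fragments, require them to
    agree, then accept the shortest period the merged bytes confirm by at least
    one repetition.  A key longer than the longest known header cannot be pinned
    down from headers alone and is reported as such.
    """
    merged = {}
    for ext, ct in samples:
        for i, k in enumerate(key_fragment(ct, MAGIC[ext])):
            if merged.setdefault(i, k) != k:
                raise ValueError(f"key byte {i} differs between samples: not one fixed repeating key")
    if not merged:
        raise ValueError("no usable samples")
    known = bytes(merged[i] for i in range(len(merged)))   # headers start at offset 0, so contiguous
    for period in range(1, min(max_key_len, len(known) - 1) + 1):
        if all(known[i] == known[i % period] for i in range(len(known))):
            return known[:period]
    raise ValueError(f"no period confirmed within {len(known)} known key bytes; need longer known plaintext")


def verify_key(ext: str, ciphertext: bytes, key: bytes) -> bool:
    """Sanity check before mass-decrypting: header and (if known) trailer both line up."""
    pt = weak_encrypt(ciphertext, key)
    return pt.startswith(MAGIC[ext]) and pt.endswith(TRAILER.get(ext, b""))


def demo():
    key = b"\x5a\x13\xc7\x88\x2e"                     # the attacker's (made-up) 5-byte key
    body = bytes(range(40))                          # constructed file bodies
    victims = {                                      # constructed victim files
        "photo.jpg": MAGIC[".jpg"] + body + TRAILER[".jpg"],
        "chart.png": MAGIC[".png"] + body + TRAILER[".png"],
        "memo.doc": MAGIC[".doc"] + b"A" * 32,
    }
    encrypted = {n: weak_encrypt(d, key) for n, d in victims.items()}
    found = recover_key((os.path.splitext(n)[1], ct) for n, ct in encrypted.items())
    ok = all(verify_key(os.path.splitext(n)[1], ct, found) for n, ct in encrypted.items()) \
        and all(weak_encrypt(ct, found) == victims[n] for n, ct in encrypted.items())
    return found, ok


def rejects_inconsistent_samples() -> bool:
    """Two files encrypted under different keys cannot share one repeating key."""
    a = weak_encrypt(MAGIC[".jpg"], b"\x01")
    b = weak_encrypt(MAGIC[".jpg"], b"\x02")
    try:
        recover_key([(".jpg", a), (".jpg", b)])
    except ValueError:
        return True
    return False


def rejects_unconfirmed_period() -> bool:
    """A key longer than every known header is not guessed from headers alone."""
    ct = weak_encrypt(MAGIC[".jpg"], b"0123456789abcdef")
    try:
        recover_key([(".jpg", ct)])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    k, ok = demo()
    print("recovered key", k.hex(), "all files verified:", ok)
```

The last case is the one Stewart is warning about: if the key is long, random, and used once, there is no repetition to exploit and no known plaintext that covers it, so the only source of the key is the attacker.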

Even though this type of attack is not widespread at this point, Internet users should be aware of the threat, said Oliver Friedrichs, a senior manager at Symantec Security Response. "It is a disturbing new trend and really a subversive use of cryptography that we haven't seen in the past. In the past, cryptography has been largely used to protect information. In this case, it's being used to hold your information hostage," he said.

"It's like someone coming into your house, putting all of your valuables into a safe and not telling you the combination until you pay them," added Friedrichs.

Researchers at Symantec have seen the malicious program used in the ransom attack. The "Trojan.Pgpcoder" searches a victim's hard disk drive for 15 common file types, including images and Microsoft Office file types. It then encrypts the files, removes the originals and drops a note asking $200 for the encryption key, Friedrichs said.

Attackers could use e-mail, a Web site, or other means to distribute the Trojan.Pgpcoder and launch a widespread extortion campaign, Symantec's Friedrichs said.

Websense, however, doesn't see a trend yet. "This type of attack is not that difficult to perform. However, in order to collect money the attackers are leaving themselves open to investigation and tracing," said Dan Hubbard, senior director of security and research at Websense.

RELATED STORIES
July 4, 2005 Malware authors continue to use extortion

Copyright © 2005-2011 Interlink Enterprise Computing. All rights reserved.
All company logos & trademarks displayed on this site belong to their respective owners