Virus Hold Computer Files 'Hostage' for $200

dwayner79 sent in a story about a new virus making the rounds- this one is unique because it locks your files and then demands a $200 ransom to get them back. It seems to me that this might leave some sort of tracable money trail. They don't have much information on any particular transmission mechanism, they just talk about web pages giving it up.

It won't get a penny from me...

[yotto]

...Until I see a photograph of my files with today's paper.

Re:It won't get a penny from me...

[c0ldfusi0n]

In other news, virus writers associate with milk producers to print the output of "dir" on the back of the milk cartons.

Re:It won't get a penny from me...

[MoonBuggy]

Seriously though, the article does not show me any reason that the virus writer can be trusted on his word alone. How would you know that he really will send the key?

I can see three possible ways this is done: the files could be encrypted with a random key which is sent back to the author - in this case I guess the key could be intercepted on its way out of your computer, but you'd have to anticipate being infected. Alternatively, the virus might always use the same key, in which case one person needs to buy/brute force it and everyone's sorted. Finally, it might use a random key which the writer has no way of knowing - secure, but he'll take the money and run because he doesn't know the key.

In any of those three scenarios I'd think it makes sense to try to avoid giving him any money. Either that or I've missed something.

Re:It won't get a penny from me...

[HadenT]

Why not:
generate random key, encrypt data with it (symmetric),
encrypt that key with public one (stored in virus itself), destroy random key, give victim encrypted key.
Victim sends encrypted key to author, he decrypts it using his private key and sends it back.

Re:It won't get a penny from me...

[tchernobog]

Not a really new idea, it's inside Andrew Tanenbaum's "Modern Operating Systems"!
The virus programmer has to have read the book.

This could be good

[a_greer2005]

IF it takes spyware hostage

Re:This could be good

[R.Mo_Robert]

Do you really think a virus is going to take spyware hostage and then demand $200 for the key to unencrypt it? I don't know about you, but even if it did, I sure wouldn't be happy with this kind of virus on my computer.

Plus the article mentions this paritcular infection affected only "at least fifteen types of data," most of which were presumably important to the user, like spreadsheets and the like. But again, even if it did encrypt malware ... I don't see how it could be a good thing. Let's introduce them to Ad-Aware, Spybot, etc. instead, and safe browsing habits--the lack of which probably allowed both this virus and the malware on the computer in the first place.

a fix

[MankyD]

Assuming this virus is telling the truth (and I highly highly highly doubt it is), doesn't that mean that there's a simple command you can send to it to fix the problem? What's to prevent anti-virus companies from figuring this out and providing a quick fix?

Re:a fix

[pentalive]

A simple command to fix this? try
"restore backup"

Re:a fix

[keshto]

Because if the hacker has encrypted the files with a random passphrase and assuming this passphrase isn't the same for all the computers he attacks, it is highly unlikely a security company will be able to easily decrypt the files.

That is what is particularly scary about this. What if the hacker went offline-- even if you are willing to pay the money, you can't get to the files. They are as good as deleted

Re:a fix

[Mr+Guy]

(or discover it through brute force if they dare wait that long)


McAfee runs on an awful lot of enterprise networks, and tons of home users. I wonder how long brute forcing a key through distributed computing would really take. I wonder if McAfee is already using cycles for nefarious reasons. How long until McAfee becomes self aware!

I need more tinfoil

Re:a fix

[jschottm]

I need more tinfoil

There's a family in CA that would prolly be willing to make you a great deal on some tin foil, only slightly used. How big's your house?

Re:a fix

[budgenator]

according to TFA

Stewart managed to unlock the infected computer files without paying the extortion, but he worries that improved versions might be more difficult to overcome.

so it's already been either bruteforced or cracked. My hunch is that a encryption program carried in a virus would be rather simplistic.

Re:a fix

[Your+Pal+Dave]

"s/he" and "his/er" works quite well if you need to get anal about it.

And what if something has no gender and is an "it", you insensitive clod?

Clearly, to avoid offending anyone, we all must start saying "s/h/it".

Re:a fix

[Binestar]

'restore' is not recognized as an internal or external command, operable program or batch file.

You are entering the command at the wrong interface. That's not a command you use at a command prompt. It's a verbal command for your IT underling.

Finally!

[Apreche]

What the hell took so long for this to happen? There are thousands of viruses all around and most of them are so benign. They just eat system resources, send spam, show ads and other bs. It took way too long for someone to make a virus that actually compromises data. I hope soon someone makes one that takes important data files and uploads them to a web server for public view. And another one that overwrites the hard drives 3 or 4 times to prevent data recovery.

Maybe when this happens people will actually pay more attention to computer security, instead of just putting up with the inconvenience.

Re:Finally!

[i.r.id10t]

You've not been around computers for long have you? We used to have all these nasty viruses, before Visual Basic and script kiddies, back when AOL wasn't on the Internet and dial up was mostly BBSes. Boot sector viruses, trashing hard drive controllers, etc.

Re:Finally!

[meringuoid]

Maybe when this happens people will actually pay more attention to computer security, instead of just putting up with the inconvenience.

What will do that is a virus that replaces all .jpg files found with goatse, tubgirl and lemonparty.

So many people have stored their digital camera photos on vulnerable Windows PCs. The only thing that will get them to secure those boxes is the threat that little Sophie's birthday photos, or the last time they went on holiday with Grandma before the illness, might be replaced with hideous porn by some virus...

Re:Finally!

[MullerMn]

I knew what goatse was.
I knew what tubgirl was.
Never heard of lemonparty before.
Now I know.

Allow me to be the first to say:
AAAAAAAAAAAAARRRRRGHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH!

Re:Finally!

[EnglishTim]

Yes, I'd never heard of lemonparty before either.

'course, I've got the sense not to look it up...

Re:Finally!

[Dusabre]

WATCH OUT!

There is a thumbnail!

Re:Finally!

[srleffler]

There was even at least one that could wipe the BIOS eproms, leaving the computer completely inoperable and difficult to repair if not outright irreparable.

Re:Finally!

[mrchaotica]

Yeah, that's exactly why we don't see really destructive viruses anymore: they've evolved. Just like biological viruses, computer virus writers have learned that your virus will spread farther if it doesn't completely kill the host, or generate an overwhelming immune response.

I call hoax

[Short+Circuit]

If it were real, we would have heard it from Symantec or McAffee long before a third-world news website.

Re:I call hoax

[saskboy]

I call RTFA ;-)

"The FBI said the scheme, which appears isolated, was unlike other Internet extortion crimes.

Leading security and anti-virus firms this week were updating protective software for companies and consumers to guard against this type of attack, which experts dubbed "ransom-ware"."

Re:I call hoax

[t123]

try the websense website with more detailed information.

The original infection occurs when the user visits a malicious website that exploits a previous vulnerability in Microsoft Internet Explorer. This vulnerability allows applications to run without user intervention. The malicious website uses the Windows help subsystem and a CHM file to download and run a Trojan Horse (download-aag). The downloader then connects, via HTTP, to another malicious website. This website hosts the application that encodes files on the user's local hard disk and on any mapped drives on the machine. The malicious code also drops a message onto the system with instructions on how to buy the tool needed to decode the files. This message includes the email address of a third party to contact for instructions, and the user is directed to deposit money into an online E-Gold account.

Re:I call hoax

[XMyth]

http://securityresponse.symantec.com/avcenter/venc /data/trojan.pgpcoder.html

Payment Options

[BunnyClaws]

Do they accept PayPal?

interesting attack

[rayde]

this is interesting. if a virus did this on a large scale, there would be loads of people who would be desperate to recover their data, and likely no feasible way to do it on a large scale without key recovery. but really, does the h4xx0r expect to be able to collect a sizeable amount of money without it being traced?

yet another reason to do regular backups, so you are never solely dependent on your local copies.

Heh

[TheRealMindChild]

Nothing for you to see here. Please move along.

OOOOOOOOOOOOOOOOH GNOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO. It appears to have infected CmdrTaco and now the news is being held hostage!!!!!!!!??!?!?!!!!

1) Infect news site and hold "stories" hostage
2) Hold a slashpoll to see if anyone noticed
3) ...
4) PROFIT!

I use Bank of America...

so I figure the virus author could deduct the money from my account, himself.

Must be a real moron

[Kosi]

because his "blackmail-letter" is a file called attention!!!.txt, containing this:

Some files are coded.
To buy decoder mail: n781567@yahoo.com
with subject: PGPcoder 000000000032

Getting away with it...

[NCraig]

"The problem is getting away with it - you've got to send the money somewhere," Stewart said. "If it involves some sort of monetary transaction, it's far easier to trace than an email account."

These guys won't get caught as long as they operate internationally and keep their ransom demands relatively low. As we've seen with the Nigerian Scam, there will be little impetus to apprehend these worthless criminals.

Ransom

[mcleaver]

SOmeone wrote: "this one is unique because it locks your files and then demands a $200 ransom to get them back." Unique? sounds like a description of anti-virus software to me.

If a smart crook were behind this ...

[Y2]

If a smart crook were behind this, he'd not worry much about collecting the supposed ransom, but would pop his head up as a good guy saying he'd cracked the virus and would sell you a fix-it kit for $50.

Of course, this means any honest white knight is going to learn the hard way about 20 feds and a flashlight.

And computer criminals everywhere cringe

[grasshoppa]

Not that I particularly apprecaite idiot crackers making my work harder, but you gotta figure they'll be cringing at this rather blunt and clumsy attempt at extortion{sp}.

I mean, is it really that much harder to make a virus that silently installs itself and listens for key strokes, then sends those back to you through a few cracked proxies? And there you go: account numbers and passwords.

Idiots. If they do try to collect on this, they'll be caught, we'll find it's a couple of dumb as fuck kids who thought it'd be cool to "have a couple hundred bucks".

And while I'm on that, 200 bucks? If you are really trying to get money, why not charge 20 bucks? For 200 bucks, most people are likely to seek outside help. For 20 bucks, people are more likely to just fork it over. I'd bet you'd have a greater ROI with the lower charge.

Wow

[NubKnacker]

"This seems fully malicious," said Joe Stewart, a researcher at Chicago-based Lurqh who studied the attack software.

Gee, I wonder how he figured that out....

Re:Wow

[httptech]

Yes, funny funny. In context, though, you have to know the question the reporter asked me, which was, "Do you think this software was a test, or do you think it was malicious?"

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ http://www.lurhq.com/

Isn't that a feature

[overshoot]

that Microsoft is adding to the next version of Office?

Why so much press..

[technomancer68]

This has been out for years, it's called Windows XP Activation.

"Malicious Cryptography: Exposing Cryptovirology"

[scovetta]

I just finished reading "Malicious Cryptography: Exposing Cryptovirology", and it talks greatly about exactly this. The problem is that, due to wonderful things like public-key encryption, evildoers could conduct an attack like this without leaving a trace.

I'd highly recommend the book (no, I don't know that author).

Yes, it's possible

[3770]

What the programmer needs to do is to buy a speed boat and have the victim drop the bag from a bridge into the boat and then flee and stage his own death with an explosion.

I've seen it in the movies.

The trick is to do that without spending more than $200.

New Variant

[Timberwolf0122]

If you dont send the money with in two weeks they start sending the files back, bit by bit.

Subtlely (?) destructive viruses

[mgkimsal2]

I've written about this before, but I'm *so* waiting for a virus to do one or more of the following:

* alter scheduled appointments in outlook/exchange
* alter contact information in outlook/exchange
* alter information in ms word and ms excel documents

The key to all this is to do it in small doses - change a 3 to a 4, alter appointments by 1 hour, etc, introduce a few wrong spellings into ms word documents, etc.

People have this view that viruses are horribly destructive, and it decreases the estimation of Windows in some. Others stick by Windows, content to use anti-virus stuff because a virus just generally uses up resources indiscriminately or 'steals' data.

If viruses started attacking the integrity of core MS Office products, not 'just' the operating system itself, more damage would be done to MS' hold on corporate america than any attack on the 'operating system' level by viruses.

Put more simply, most people really don't understand the ins and outs of operating systems, nor the potential damage than can be done to them. Everyone can understand the damage that could be done by having your spreadsheets altered without your knowledge.

Well, at least I *think* everyone could understand that.

Sounds familiar...

[Source+Quench]

This is what happened when I installed windows 98... it crashed and a dialog box appeared and demanded that I upgrade to windows XP in order to save my files from digital heaven.

Re:Gives new meaning

[njfuzzy]

No, that's pretty much the original meaning.

Stockholm Syndrome

[zbeeble]

What happens if after I pay the money, my files do not want to come back ?

Re:This won't last long

[Mysticalfruit]

Then...

"Nuke the site from orbit, it's the only way to be sure"...

reminds me of the 'jackpot' virus

[Errtu76]

back in the msdos days (aka: the good old days) there was a virus that locked your pc, did something nasty to your mbr (or fat - i forgot) and you had to play a game (or two .. or usually aLOT) on the slots machine. You would get your system back when you got the jackpot.

Re:reminds me of the 'jackpot' virus

[RIAA+Bounty+Hunter]

That virus was known as Casino.2330.

Screenshots

There will be no negotiations.

[vertinox]

I'm sorry, but we don't negotiate with terrorists. The files knew the danger when they took the job.

C:\>format c:

This makes me wonder...

Will Microsoft start factoring these little occurances into the TCO of Windows?!

Wow, it's like the movie "Hackers"... only lamer

[Shaper_pmp]

Wow - it's like "Hackers"... only ten years after the idea even made the mainstream. And much more low-rent. And without the cool graphics and computer-generated voice. And with less supertankers. And without Angelina Jolie with her nips out.

How lame is that?

(And that's leaving aside the huge number of social and technical ways this scam could be improved...)

laundering the money

[goombah99]

Everyone speculates that laundering the money will be hard. Perhaps not so hard really. This happens daily on E-bay with the western union scams. Apparentyl none of those are ever traced so why not these?

As for tracing the e-mail well that wont work either: again people do this all the time on e-bay rip offs and none of those get traced.

besides which the attacker might very well be logging your keystrokes and simply watching for you to send any text continaing a fake address he gave you, then sending this real text somewhere else. Fat chance you would notice this in time to do anything about it. He just picks off the western union number, then pays some street urchin to go collect for him.

or you could rig this as sort of a two part thing. One is to have the virus encrypt the files. then "coincidentally" this spam e-mail comes offer to sell you a universal decoder program for the low price of 49.99$. THe company could be legitimate in the same sense that McAffee is legit. They just sell decryption tools. Sure they might be suspect but some company IS going to crack this and when they do they are going to SELL the decoder. The evil-doer merely has to be one of many companies offer this product for sale. It would be in his interest to leak the decoding method just so those decoy compamies would appear.

Re:laundering the money

[team99parody]

In fact, Symantec does this to me (at work) all the time. I bought their product once; and every 6 months or however long it takes that license to expire; they keep spamming me with more emails that say if I want to keep my computer safe from all the stuff infectig it I need to pay them more protection money.

At home, I don't have the problem; since more honorable vendors that distribute their software via apt-get don't run these kinds of protection rackets.

Re:Crypto Question

[swillden]

If you have just two files its still extremely hard... you need something like 2^23 files to do it in a reasonable amount of time (assuming RSA+IDEA).

This post is incorrect. Probably a semi-subtle troll rather than an honest error.

Neither RSA nor IDEA is vulnerable to a known-plaintext attack. In fact, any cipher that is vulnerable to such an attack is considered completely insecure, especially if only 2^23 "files" are needed.

If you get to choose the contents of one of the files its only about 2^17.

Neither RSA nor IDEA is vulnerable to a chosen-plaintext attack. There were some chosen-plaintext attacks against RSA a few years back (mid 90s), but proper padding eliminates them. And far more than 2^17 trials were required for typical key sizes. Again, no cipher that was vulnerable to such an attack would be considered secure.

Obviosly, if the keys are larger, it will take exponentially longer.

Larger than what? Are you assuming extremely small key sizes in order to achieve the numbers above? Actually, you don't get to pick the size of an IDEA key, because IDEA keys are 128 bits. Though you can arbitrarily fix key bits to produce a smaller effective key, there's no reason why the virus writer would want to do that.

typo

[commodoresloat]

you misspelled "ls"

Oh, wait a minute, never mind...

I forgot we were talking about viruses.

I have a *GREAT* idea to make this a good thing...

[fzammett]

Twoeasy steps:

(1) Get this virus into the DMCA-supporters computers.

(2) When they are screaming that all their data is encrypted, kindly inform them that you could create a crack for it and get all their data back, but unfortunately you would run afoul of the DMCA reverse-engineering laws and therefore cannot help them.

Yes. Irony is *NOT* dead!!

A simple request

[bunratty]

Some kind soul should write a virus that holds your files hostage until Firefox is installed and is set as the default browser. Hint, hint...