RansomWare Disassembly Reveals Evolutionary Path

flaws writes "The guys at Secure Science Corporation have written a revealing article demonstrating the relationship with the most recent Ransom-based Trojan (known as Glamour) and some previous data stealing trojans. They include an open source decrypting utility for unlocking your files if infected, and some stats that are a bit disturbing. According to their report, in the past 8 months, 152,000 victims have been infected, and over 14.5 million records were discovered to be logged by the trojan."

My poor pornography :(

[Token_Internet_Girl]

"Dear User: We are currently holding your pornography hostage. Unless you send us $300, you will never see Jenna Jameson and that beer can again."

Re:My poor pornography :(

[Drew+McKinney]

It was a beer bottle.

I never did get that picture back...

Re:My poor pornography :(

"Dear User: We are currently holding your pornography hostage. Unless you send us $300, you will never see Jenna Jameson and that beer can again."

No problem, I'll just download it again via bittorrent. What, my ISP is using Deep Packet Inspection to block my bittorrent pr0n feeds? They must be in cahoots!

Re:My poor pornography :(

no problemos, now that you have my "pirated" softwares, movies and songs, all I need to do is call up MPAA/RIAA/BSA and you would be history :)

Re:My poor pornography :(

[Token_Internet_Girl]

That makes more sense, I'd think a beer can would cave under the pressure... Oh wait there is no pressure in a gaping cavern... Damn!

Re:My poor pornography :(

[UncleTogie]

"Dear Sheeple,

Remember that night you and your wife got drunk and took all those nasty photos? $500 to sugarinyourgastankwhilstanallyrapingyourmom@quicky lube.com or your neighborhood gets to critique them, too...

...and have a nice day.

Kudos,
Howie Feltersnatch"

I'd bet 10-to-1 odds some unscrupulous f**k will try/has tried it, too...

Re:My poor pornography :(

[Alien+Being]

Token_Internet_Girl wrote...

Re:My poor pornography :(

> That makes more sense, I'd think a beer can would cave under the pressure... Oh wait there is no pressure in a gaping cavern... Damn!

"Joke's on you, RansomWare guy! It was a can, and that's not Jenna, that's Goatse Guy!"

I'm not the only person who was disappointed that this week's story (about the YouTube/CNN/Democrats debate sneaking in a single frame of Goatse onto national TV) turned out to be a hoax.

Re:My poor pornography :(

[zipwow]

Yeah, this story about goatse on national tv via youtube was a hoax, but I wonder if the next one will be.

Re:My poor pornography :(

[Architect_sasyr]

NOT IF I CAN HELP IT!!!!

Noddleware.

" RansomWare Disassembly Reveals Evolutionary Path"

Prehistoric Trojans. Were's the missing link?

Re:Noddleware.

[dwarfsoft]

The first trojan was created 6000 years ago and left the garden some years after that. The garden was invaded by Greeks in a wooden horse, or something...

Re:Noddleware.

trojans are da bomb

chewy404@gmail.com

Re:Noddleware.

[Dunbal]

The first trojan was created 6000 years ago and left the garden some years after that. The garden was invaded by Greeks in a wooden horse, or something...

      And now you can find trojans littering many urban gardens, parks, playgrounds...

Re:Noddleware.

[dwarfsoft]

Those trojans are even worse! At least according to the Catholic church...

*Dances around singing "Every Sperm is Sacred..."*

Tag this haha and pwned

[Interl0per]

From the report: "...it was quickly apparent that the files were not really encrypted with 4096-bit RSA....This is a bit bewildering...implementing real 4096-bit RSA is simple and would have made it extremely difficult, if not impossible, to produce a working decryptor without paying $300." Silly script kiddies.

In a related story

. . .Trojan brand shown to BLOCK Evolutionary Path!

I keep reading about these.

[Lumpy]

Do people still really open attachments from people that do not know or were not expecting? Are people really executing unknown .exe files?

What is the infection vector for these things? Is it email, P2P networks fooling people into believing that mp3 really is an EXE file?

although I cant believe that people are stupid enough to fall for a nigerian scam wanting to deposit 30 billion dollars in their accounts overnight either.

Re:I keep reading about these.

[necro2607]

Well, considering that Windows by default doesn't show the file extension for known filetypes, as far as all the noobs can tell, the file they just double-clicked was "Artist - song.mp3", since they wouldn't even see the .exe at the end. Sweet deal eh?

If you've used any common p2p apps like eDonkey or the like, you'll notice that when you search for something, even if you type some arbitrary crap like "huoshgahgauoiwhrgoaghnaj" you'll also get "huoshgahgauoiwhrgoaghnaj.mp3.exe" and "huoshgahgauoiwhrgoaghnaj pics xxx mpeg avi.exe" or similar shit. So someone searching for a keygen is going to get "exactly the keygen they wanted.exe" .... and so on and so forth. You can imagine how quickly someone will eagerly download and run a keygen they've been looking for for ages that they couldn't find anywhere else.... ;)

Re:I keep reading about these.

[conlaw]

If you RTFA all the way through, you'll find reference to a Kaspersky discussion of the beginning of this Trojan from June 2006. According to that discussion (http://www.viruslist.com/en/analysis?pubid=189678 219), the original emails were sent to people who had applied for jobs on a Russian job site and the attachment supposedly discussed the compensation plan. The email, as translated from the original Russian was:

Hello !

We are writing to you regarding the resume you have posted on the job.ru website. I have a vacancy that is suitable for you. ADC Marketing LTD (UK) is opening an office in Moscow and I am searching for appropriate candidates. I will soon be asking you to come in for an interview at a mutually convenient time. If you are interested in my offer, please fill out the attached form related to compensation issues and email the results to me.

Sincerely,

Viktor Pavlov

HR manager

I imagine that they could use the same method here by getting names from someplace like monster.com.

Re:I keep reading about these.

[DrSkwid]

That "only from people you know" is bollocks. Your bozo friends are likely to get infected and the result of the infection is sending you infected files.

Who's going to suspect a PDF from their friend contains an unscanned virus payload.

Javascript in PDF, great idea!

Re:I keep reading about these.

[bahwi]

Why use a virus? That sounds official enough to get them to fill out the attached form with their social and just sell that info for identity theft purposes. Damn russians, not even a little capitalistic! Or heck, they could be doing both!

Yes, I know it doesn't sound official, have you ever seen a person desperate for work? They'll take any response and run with it.

Re:I keep reading about these.

The question you should be asking is "Are people stupid enough to continue to use Windows?" I _assume_ you are smart enough to know better? I'll bet money you and I are both asses.

Re:I keep reading about these.

Speaking as someone who works in the AV industry... unfortunately, a lot of users are that stupid. To the point that their software will pop up an alert telling them that they probably shouldn't open that attachment, but they'll proceed to do it anyway.

Re:I keep reading about these.

[k3vlar]

What bothers me is people believe naming something "Artist - Track.mp3.exe" will make it look like an mp3. If windows hides the file extensions, then a file called "Artist - Track.mp3.exe" will look like "Artist - Track.mp3" and a file legitimately called "Artist - Track.mp3" will show without any extension at all, and therefore "Artist - Track". You'd think that one song out of 24 that actually has .mp3 at the end might seem a little suspicious. Especially when that .exe has an icon for a Windows Media Player file, and you use iTunes or Winamp.

Re:I keep reading about these.

[Aellus]

I'm living at my parents house for the next month while I'm in transition between two places. Conveniently, my fathers machine has gone haywire and I'm still trying to figure out what happened to it (OS install crashes every time, and _yes_ that includes various forms of linux). Anyway, I've come back to my computer from time to time and discovered he has been checking his email on it. Twice I've noticed that the firefox download window still had random .pdf and .exe files. He once left an email page open that he had clicked on informing him that he had received a wonderfully animated greeting card, and to view it he had to click the link to http://xx.xx.xx.xx/something.exe. Oh yes, he clicked. I'm terrified what is hiding on my machine right now.

Re:I keep reading about these.

[Lavene]

Do people still really open attachments from people that do not know or were not expecting? Are people really executing unknown .exe files?
A fun experiment: Write a small, harmless program that when executed send a single ping to your home machine/ server and an equally simple program to count the incoming pings on said system.

Write a short message saying something like "The well known virus 'YouAreTooStupid' is again spreading across the Internet. Please run the attached program to clean and/ or immunize your PC", attach your little program and send it to twenty people. Then sit back and watch your counter...

It will keep counting for days or even weeks. Your non-viral little program will spread like a virus as stupid people 'immunize' their system. Writing viral code is just a waste of time... just ask people to distribute your malware for you. They are more than happy to do so.

Re:I keep reading about these.

[Opportunist]

There are quite a few well working vectors. One is the still popular invoice.pdf.exe file with an Adobe logo. And as long as people have file extensions disabled by default, this will continue to fly.

Then there's MPack. Quite hard to track down and near impossible to avoid, unless you happen to have a browser that's not affected and/or a system that can't run Windows executables natively.

P2P works too, if you manage to make people think your executable is just what they want, be it a crack for a recent game where no cracks are available yet, or the latest key for HDDVD. Or, hell, even claiming that that exe is some celebrity porn movie works.

You just have to realize that the average user has no clue. Then think hard and you'll come up with a fair lot of ideas. If you think "nobody's SO stupid that this could work", you have your vector.

Re:I keep reading about these.

[fbjon]

You're assuming the existence of rational thought...

Besides, even if you do think before acting, you could still get fooled. Exe's can have their own icons embedded, so a trojan might look like an mp3 after all. I usually look at the icon first, myself, so I might get fooled by it... except I scan suspicious wares before opening.

Re:I keep reading about these.

[MstrFool]

Um, well, me. I learned early on that few of my friends had my level of understanding with computers. Frankly, when it comes to files I subscribe to the Paranoia mind set 'Trust no one. Stay alert. Keep your anti-virus handy'. I also keep my laser handy, but have found it to be less effective against attachments. I still do this, even though I have dumped windows and use Linux. Figure I'd rather not be one of the first folks to get infected with a Linux capable virus when spammers and script kiddies start using them.

Re:I keep reading about these.

"Well, considering that Windows by default doesn't show the file extension for known filetypes"

Why is that still enabled by default in windows? in fact, why was it ever created?

And as for saving a text file and not finding it later because windows helpfully renamed it something.txt.txt (it takes your .txt extension and "knows" that you're only allowed to modify the first part of the filename)

Re:I keep reading about these.

[Fish+(David+Trout)]

And as for saving a text file and not finding it later because windows helpfully renamed it something.txt.txt (it takes your .txt extension and "knows" that you're only allowed to modify the first part of the filename)

That's the application you're using that's doing that and not Windows. I've experienced the same phenomenon myself but I forget which program it was now.

I do remember this though: it only seemed to occur whenever:

1. "Text file (*.txt)" was selected in the Save dialog's drop-down File-types list, and
2. The filename I entered included the ".txt" extension (i.e. I was specifying redundant information)

If I'd instead select "All files (*.*)" and then enter "something.txt" as the filename, it then did indeed save it under that exact name and not "something.txt.txt" like before.

What I suspect was happening was, the [helpful?!] program was, because you selected "Text files" as the filetype in the dropdown, always blindly adding the ".txt" extension to whatever you entered as a filename. That is to say, since you already told it you wanted a ".txt" file extension (by virtue of your having specified "Text files" in your dropdown "Save As" filetype), you didn't need to also specify that again. All you really needed to enter was the filename. But because you entered "something.txt" as the filename, the program [correctly?!] presumed you wanted the file called "something.txt.txt"!

Yeah, stupid program making a bad presumption I agree, but then whoever said all programmers were smart? ;-)

Re:I keep reading about these.

[DrSkwid]

If you used a proper OS with incremental backup, you'd have the peace of mind that files never die.

off topic, but

[begbiezen]

Can anyone explain what "Beware of geeks bearing graft" means? (QOTD)

Re:off topic, but

[jaredcall]

Look for "greeks bearing gifts" and you'll find your answer. Related to Trojan Horses.

Why bother?

[bill_mcgonigle]

This is a bit bewildering...implementing real 4096-bit RSA is simple and would have made it extremely difficult, if not impossible, to produce a working decryptor without paying $300." Silly script kiddies.

If you just XOR the data and tell people it's RSA-4096 99.44% of them are going to just accept that it's true (after googling to find out what RSA means) and send you the $300. How many are going to find out about this open source decryptor? I betcha 80% of IT consultants won't even know about it, and half of them will advise to pay up. The other half might refer to law enforcement, but how many of them are even going to have heard of the trojan. Etc., etc., etc.

Easier to just XOR the data and get back to surfing porn. Until somebody traces the bank transfers back to your pad and a tear gas can drops in your window...

WGA

[chinhnt2k3]

They should disassemble WGA too. Amazing things in there!

Re:WGA

[cheater512]

The poor buggers would have to be put in padded rooms with strait jackets if they did that.

so...follow the money, right?

[zarozarozaro]

nosig

Because of who the targets are. Re:Why bother?

[twitter]

If you just XOR the data and tell people it's RSA-4096 99.44% of them are going to just accept that it's true (after googling to find out what RSA means) and send you the $300.

No, they are going to look for a "free decoder program," ha ha ha. Oh, the joys of non free software.

Jokes aside, this trojan is aimed at corporate users. If it's easy to fix, big dumb companies will tell their sheep to bring forth their problems and fix them. If the creeps had been bright enough to use real encryption, there would be no solution and embarrassed users will try to fix the problem themselves. Of course, paying $300 to an extortionist will get you nothing more than another request for money unless they want to sell you back each file. For more evidence of this, see Vista pricing.

Re:speaking of trojans

[Farmer+Tim]

I just bought 72 condoms.

I just bought 144 condoms, and now I'm grossly oversexed.

You can prevent encryption by creating a reg key

[jpetts]

The entry should be a REG_DWORD named WinCode in the HKLM\SOFTWARE\Microsft\Windows NT\CurrentVersion location, and should have the value 31337

Because in the end users are stupid

[Sorn]

Most virus and trogen work because no matter how much awareness you put out there, in the end you can not increase the intelligence of people. People are still going to click on those links, still going to download their 'free' porn and still utilize p2p networks where these people can just fish with shotguns in. And lets say a corporate employee does some of this at work, gets this virus then half their companies documents are held hostage more then likely they are going to pay up $300 to hurry and get the fix. If you notice the main payload of this was programmed to reap the most monetary value within 5days, the file was compiled on 5 July released on 10 July and demanded payment on 15 July. Any employee who values their job and does non-authorize web surfing on work computer who jump at the chance to hurry and cover their tracks. I hope this was comprehensible it's pretty late here and very sleepy. Damn /dot

Re:Because in the end users are stupid

[bill_mcgonigle]

I hope this was comprehensible it's pretty late here and very sleepy.

Yes, you illustrate the corporate ethos adeptly.

Re:speaking of trojans

Never explain your jokes.

Mod parent INFORMATIVE

Read the report: http://ip.securescience.net/advisories/Glamour-Ran somWare.pdf page 15.
There is in fact a check for a value of "31337" in a "WinCode" registry key.

Don't be fooled!

[sykopomp]

Microsoft has been doing this for years now. They call it an "operating system" and also "office suite". Those are just code names though, don't let it fool you!

Re:speaking of trojans

[kestasjk]

I bought two score condoms, to score.

Evolutionary Path?

[vsavkin]

Evolution is nonsense. Surely this trojan was intelligently designed.

Re:Evolutionary Path?

[ToriaUru]

This should be modded as intelligent LOL! But seriously this is scary stuff for the average user such as myself. :(

Helpful tip

[Fish+(David+Trout)]

"Well, considering that Windows by default doesn't show the file extension for known filetypes, as far as all the noobs can tell, the file they just double-clicked was "Artist - song.mp3", since they wouldn't even see the .exe at the end. Sweet deal eh?

Which is why I've been telling people for years the first thing they should do after installing Windows (immediately after selecting the "Show hidden files and folders" option and unchecking (clearing) the "Hide extensions for known file types" and "Hide protected operating system files" options in Control Panel -> Folder Options, View tab) is to run REGEDIT and do a 'Find' for all occurrences of "NeverShowExt" and delete every single one found. All of them (spare none).

Yes, it is admittedly unappealing (at first) to see all your shortcuts (including those in your Start and Programs menus) with an ugly ".lnk" extension following them, but trust me, you get used to it pretty quickly.

Perhaps it's just me but I personally prefer my operating system not to lie to me by default. The above procedure ensures that it doesn't.

p.s. your example is a poor one; the ".exe" extension is always shown (never hidden) by default.

Now ".vbs" files on the other hand...

Re:Helpful tip

Yes, it is admittedly unappealing (at first) to see all your shortcuts (including those in your Start and Programs menus) with an ugly ".lnk" extension following them

When did windows start doing that? The only time I've ever seen .lnk is on the command prompt. I've never been able to make it show in the windows shell no matter what options were on or off.

Re:Helpful tip

[kat_skan]

"Well, considering that Windows by default doesn't show the file extension for known filetypes, as far as all the noobs can tell, the file they just double-clicked was "Artist - song.mp3", since they wouldn't even see the .exe at the end. Sweet deal eh?

Which is why I've been telling people for years the first thing they should do after installing Windows (immediately after selecting the "Show hidden files and folders" option and unchecking (clearing) the "Hide extensions for known file types" and "Hide protected operating system files" options in Control Panel -> Folder Options, View tab) is to run REGEDIT and do a 'Find' for all occurrences of "NeverShowExt" and delete every single one found. All of them (spare none).

This doesn't really solve anything, though, since people can't reasonably be expected to know a safe file extension from a dangerous one. Just as an example, try to list all the extensions you know that indicate an executable file. Then compare with the list of extensions blocked by Outlook.

How many did you get? Did you have all of the help file formats? How about the shell scripts for DOS, NT and the MKS Korn shell? How about HyperText Applications? How about Microsoft's proprietary obfuscated VBScript and JavaScript files?

Some of the files blocked by Outlook are completely beneign (e.g. you can't execute an .asp file). Do you know which ones? How about the mysterious, unlabeld MAU files? How about Internet Document Set files, do you know they are safe? Do you know what they even do? I can't say I do.

How many of the file extensions associated with Windows Media Player can you name? If someone sent you an .ivf file, would you know it was an Indeo video? Would your mom know? How about Windows Media Player Skins. Are those safe to open? They aren't blocked by Outlook, but they contain "any associated JScript files that... add functionality to the skin". Safe? Not? Beats me.

So, you might say, just don't open files if you don't know what they are. But if people followed advice like that, they would be checking with the sender before opening any files they weren't expecting, anyway.

Obviously the little bit of metadata provided by displaying the file extension is better than none at all, but it's not going to make email attachments all that much safer.

Re:Helpful tip

[Fish+(David+Trout)]

When did WIndows Start doing that?

Since for as long as I can remember. <shrug>

Perhaps the reason you were never able to make them show is because you either:

1. Forgot to set those other options I mentioned beforehand, or
2. After deleting all "NeverShowExt" registry entries, you failed to logoff and re-logon again (so as to restart Windows Explorer)

Trust me, it does work as described.

Try it again.

Re:Helpful tip

[Fish+(David+Trout)]

This doesn't really solve anything, though, since people can't reasonably be expected to know a safe file extension from a dangerous one. ...

...

Obviously the little bit of metadata provided by displaying the file extension is better than none at all, but it's not going to make email attachments all that much safer.

I beg to differ. In my experience does help -- quite a bit.

Even though most people (myself included, and I consider myself to be one of the more sophisticated/experienced Windows users) wouldn't necessary know all of (or even most of) those other file extensions you mentioned were "executable" type file extensions, they would at least know some of them were.

Most malware writers use extensions such as ".exe", ".scr", ".vbs", etc, and not the more arcane ones.

And I hope you'll agree that all but the most careless and idiotic of Windows users would likely hesitate before clicking on an attachment that ended with "...mp3.exe" (or "...mp3.scr", etc).

True, you point is well taken, but until malware users start using more of those rather arcane file extensions you mentioned (and continue to stick with the more common ones), what I suggest s/b good enough as far as addressing the described problem.

And when they do start using them, well... We can cross that bridge when we come to it.

This post is RSA-13 encrypted

[MillionthMonkey]

Vs lbh jnag gb ernq vg V fryy n qrpelcgbe sbe $300 abj fraq zr zl zbarl!

Yeah, but...

[ninevoltz]

does it run on Linux?

That explains

[begbiezen]

the beginning. The part I don't get is "graft." Beware of geeks bearing political corruption?? it doe snot make sense.