New 'Scareware' Trojan Holds Users to Ransom

A Trojan that normally peddles bogus anti-virus scareware' has hit on a new way of persuading users to part with money for a worthless license - it encrypts their data first.

The concept of encrypting data on an infected PC has been seen several times since 2005, but the new version of the Vundo Trojan reported to be doing the rounds by security company FireEye is the first to tie straight extortion to a conventional rogue anti-virus software scam.

The company doesn't fully detail how the program infects users - Trojans such as this sometimes exploit the Windows autorun vulnerability - but once on a system it sets out to encrypt various file types it finds on the host system, including .jpgs, PDFs and Word .doc files, after which it presents a piece of rogueware called FileFix Pro 2009 as the way to unlock the now inaccessible files.

Luckily, it appears that the encryption method is crude enough that one of FireEye's technical staff was able to write a Perl script able to unscramble a victim's files without the need to pay the $40 license fee.

"Vundo has fundamentally altered its criminal business model from Scareware' tactics to Ransomware' extortion. While a user may be "silly" to buy into scareware, they have little choice but to purchase the decryption software once the ransomware does its thing," says the company's blog on the enhanced Vundo.

As of 19 March, no anti-virus programs appeared to detect the latest version of Vundo, not helped by its use of polymorphism to mask the executable every time it is downloaded to a PC.

Notwithstanding its unusually crude use of encryption, as with past examples of ransomware such as Cryzip, this one appears to have an Eastern European origin: a Whois lookup lists the domain owner distributing Filefix Pro as being in the Ukrainian city of Kharkov.

<a href="http://www.techworld.com/security/features/index.cfm?featureid=4136"> Past examples of this type of attack </a> have tended to fall into one of two camps; engineering the user into believing their files have been encrypted even though the key is weak, and using genuinely strong encryption from which even well-equipped security companies would find hard to crack. An example of the latter rare and more dangerous tactic would be <a href=" http://www.techworld.com/security/news/index.cfm?newsid=101710#"> last summer's GPcode.ak </a>. Vundo, by contrast, is more of a crafty social engineering attack.

Users unlucky enough to have encountered the crypto version of Vundo can upload files to the <a href=" https://filefix.fireeye.com/ "target="_blank"> FireEye website for decoding </a> free of charge.

Subscribe to the Security Watch Newsletter

Comments