March 14, 2006 9:15 AM PST

Trojan Cryzip extorts decryption fee

A Trojan making the rounds encrypts victims' files and demands a $300 payment to have them decrypted and unlocked, according to a report by security firm Lurhq Threat Intelligence Group.

This so-called "ransomware" Trojan, dubbed Cryzip, is the second of its type to emerge in the past 10 months, following the PGPcoder Trojan. It also is the third such Trojan to appear since 1989.

Lurhq researchers noted Tuesday that the appearance of two encryption Trojans within a year may indicate they are part of an emerging trend in malicious software.

"Last year, we saw the PGPcoder, and anything that shows itself to be a viable way to make money, usually people start jumping on the bandwagon after that," said Joe Stewart, senior security researcher for Lurhq.

The Cryzip Trojan will search for files, such as source code or database files, on infected systems. It then uses a commercial zip library to store the encrypted files. Security researchers, however, have yet to determine how the Trojan is distributed, noting it could come from a number of sources, including malicious Web sites, or enter through a previously created backdoor on a virus-infested computer.

The Trojan overwrites the victims' original files and then deletes them, leaving only an encrypted archive named after the original file with the suffix _CRYPT_.ZIP.

"Unlike the PGPcoder that used a trivial encryption scheme, the zip encryption is stronger. It's harder to go through a list of possible (encryption) keys to get the information back," Stewart said. "But a brute-force attack is still possible, if a user has a copy of the original file. It can be reverse-engineered with a copy of the Trojan."

Cryzip has yet to become a widespread problem; Lurhq said it is aware of only about two dozen infection cases. Increasingly, malicious-software writers are more interested in launching small-scale attacks, hoping it will take longer for security companies to notice their presence and develop a defense.

Users may also be less willing to seek help if it involves disclosing where they might have come across the threat.

The Cryzip writer, who uses an E-Gold account for collecting ransom payments, tells the victims: "Your computer catched our software while browsing illegal porn pages, all your documents, text files, databases was archived with long enough password. You cannot guess the password for your archived files--password length is more than 10 symbols that makes all password recovery programs fail to bruteforce it."

The Trojan writer then goes on to demand that a $300 payment be sent electronically to the E-Gold account.

Stewart advises users to frequently back up their important files, not only to minimize the damage if their system crashes but to reduce damage from an encryption attack.

24 comments

Do people actually pay?
It seems to me that it would be foolish to pay, and I'd like to know
if a legitimate enterprise would actually pay. Or is this geared more
towards the small time user where law enforcement would be of no
help. I know if it happened to me, I'd basically sit for days in the
local police station trying to get help. From past experience with
identity fraud, I know I'd be given no help.
Posted by rbannon (96 comments )
You'd go to the police after surfing illegal p0rn?
These people get it because of the illegal p0rn they've been surfing. Like they are going to go to
the police and admit that.

Pay up or else go to jail.

They should lower their price to $39.99 and more people might pay.
Posted by baswwe (299 comments )
Report this type of crime to police.
Major companies would report these types of crimes to the authorities to the anti-fraud units.
No person has the right to extort money from anyone. If the issue becomes a major problem, the FBI could become involved, if local authorities can't cope with finding the people responsible for the virus. If only one person complains to the police about the problem, the case would only be filed. If more people come forward, something eventually will be done about this. It's only porn. Who cares! People have sex, cops have sex, your parents have sex, it's natural. Me and you wouldn't be here if it wasn't for sex. So you're looking at porn, so what. So does everybody else, including cops.
Posted by pcdoctor101 (11 comments )
How do they get away with this?
I don't know jack about E-Gold, so sorry if the answer is
obvious, but isn't electronic money easy to trace? If someone has
money transferred into their account because of extortion, can't
law enforcement easily find out who owns the account and seize
the funds and/or bust the owners?
Posted by Lucky Lou (88 comments )
illegal p0rn
They get away with it because people are surfing illegal p0rn and deserve it.
Posted by baswwe (299 comments )
E-Gold-what it is.
Ok, this is a bit complicated but here it is.
E-Gold, a Delaware Corporation, is an Alternative Internet Payment System. It's a global system. What this means is you could be in Thailand collecting money from users in New York. It's 100% backed by gold bullion, thus the E-Gold name has been given. E-Gold has been in operation since 1996, in over 165 countries, with annual transaction volume exceeding $1 billion USD. Basically, E-Gold is used by internet merchants to collect payments. E-Gold is like a collection agency, except it's global not local and they offer online trading etc. They don't require any credit card confirmation, and have the utmost high security for its users. Another feature E-Gold has is the Account Referral Incentive Program. What that means is, the more people you bring to E-Gold as users of your account, in this case depositing $300, you will receive 10% of the transaction fee. So basically whoever is doing this is pretending to be a legitimate business, which could be anywhere in the world. He/she uses E-Gold because, as I mentioned above, it is secured by gold bullion, so therefore non-payments are covered. Still with me?
So therefore, if somebody doesn't send $300 to the E-Gold account, the owner of the account simply puts in a claim of non-payment. E-Gold covers the amount and sends the money to the crook's account. Then the crook transfers the money to a private account, let's say to a Swiss bank, where it's almost impossible for anybody to trace the money, or other banks, let's say in South America, where they cater to shady business ventures, such as drug dealers, firearms dealers, etc.
This kind of internet fraud is quite hard to catch.
And the amount of internet users who surf porn is astronomical globally. Not a bad scam, I just wouldn't wanna be in the person's shoes when they get caught.
Hopefully I answered your question, not just confused you.
Posted by pcdoctor101 (11 comments )
Password is here...
FYI...

- http://www.securityfocus.com/brief/162
2006-03-14
"Ransomware is back. A security firm has found, what it characterized as, the third known case of a program holding data for ransom. The malicious program searches for 44 different types of files, encrypts them, and then leaves a note for the user to pay $300 for the password to recover the files, according to an analysis by security firm LURHQ*... The latest Trojan to hold people's data hostage has a fatal flaw. The password for all systems is the same and is stored in plaintext on the victim's system, according to LURHQ. The password is C:\Program Files\Microsoft Visual Studio\VC98 ."

* http://www.lurhq.com/cryzip.html
Posted by J. Warren (17 comments )
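As an added, defender-side example (not from the article, LURHQ, or any commenter): a small Python triage script that locates archives following the `<original name>_CRYPT_.ZIP` pattern and tries to open them with the password LURHQ published, without ever touching the originals. The function names and the sample tree are my own constructions; because the standard library cannot write ZipCrypto archives, the sample archive is unencrypted, while a real encrypted archive takes exactly the same code path.

```python
import tempfile
import zipfile
from pathlib import Path

# Password LURHQ reported for Cryzip archives, as quoted in the SecurityFocus brief above.
CRYZIP_PASSWORD = rb"C:\Program Files\Microsoft Visual Studio\VC98"
CRYZIP_SUFFIX = "_CRYPT_.ZIP"

def find_cryzip_archives(root):
    """Return every file under root named <original>_CRYPT_.ZIP (the Cryzip naming pattern)."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.name.upper().endswith(CRYZIP_SUFFIX))

def recover_archive(archive, out_dir, password=CRYZIP_PASSWORD):
    """Try the known password on one archive and extract it into its own folder under out_dir.
    The archive itself is never written to, so a failed attempt loses nothing."""
    archive = Path(archive)
    report = {"archive": archive.name, "original_name": archive.name[:-len(CRYZIP_SUFFIX)],
              "encrypted": False, "recovered": [], "error": None}
    try:
        with zipfile.ZipFile(archive) as zf:
            # General-purpose flag bit 0 marks a ZipCrypto-encrypted member.
            report["encrypted"] = any(info.flag_bits & 0x1 for info in zf.infolist())
            zf.setpassword(password)
            bad = zf.testzip()  # reads every member; RuntimeError means the password is wrong
            if bad is not None:
                report["error"] = f"corrupt member: {bad}"
                return report
            target = Path(out_dir) / report["original_name"]
            target.mkdir(parents=True, exist_ok=True)
            zf.extractall(target)
            report["recovered"] = sorted(zf.namelist())
    except (RuntimeError, zipfile.BadZipFile) as exc:
        report["error"] = str(exc)
    return report

def recover_all(root, out_dir):
    return [recover_archive(a, out_dir) for a in find_cryzip_archives(root)]

def demo():
    """Constructed sample tree (not real victim data). The stdlib cannot write ZipCrypto
    archives, so the sample is unencrypted; real archives take the same code path."""
    root = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(root / "notes.txt_CRYPT_.ZIP", "w") as zf:
        zf.writestr("notes.txt", "quarterly figures")
    (root / "broken.doc_CRYPT_.ZIP").write_bytes(b"not a zip")  # damaged archive
    (root / "unrelated.zip").write_bytes(b"decoy")  # wrong suffix, must be skipped
    reports = recover_all(root, root / "recovered")
    return reports, (root / "recovered" / "notes.txt" / "notes.txt").read_text()
```

Each report carries the `encrypted` flag and any error, so a wrong password or a damaged archive is visible per file rather than aborting the whole run.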
You ruined Cnet's story
You ruined their story giving the password away.

You should be a journalist for Cnet. You know more than them.
Posted by baswwe (299 comments )
Hats off, and thanks for your dedication.
I thank you from everyone who has been cursed with this problem, for finding the password. Don't pay any attention to that simpleton that accused you of ruining the Cnet's story. Thank good lord that there are people like you in the world.
Posted by pcdoctor101 (11 comments )
Can e-gold close the account?
Under the "Rights of Issuer (Right of Association)", clause in the Account User Agreement, can e-gold exercise their prerogative to freeze or drop the account?
Posted by (1 comment )
Can't be closed
Under the E-Gold agreement, Terms Of Use, paragraph 2.5.1: "Any disputes arise between Users are not responsibility of Issuer (E-Gold)."
2.6 User agrees to indemnify and hold harmless Issuer, its agents, affiliates, officers, directors, and employees from any claim or demand whatsoever relating to or arising out of User's use of the E-Gold system, except for any loss caused by negligence or willful misconduct of Issuer. (Therefore if User is committing a fraud using E-Gold, Issuer, the E-Gold, is not responsible).
Posted by pcdoctor101 (11 comments )
How little do you know
No, they don't get it because of porn. Porn is the most common platform to use on the net, since over 80% of net users do visit porn sites. And nobody deserves it either. In other words, if a woman wears very sexy clothes and gets raped, according to you she deserves it. My god, I thought narrow-minded dinos died a long time ago, guess I was wrong. It's a shame that people get victimized, and then somebody like yourself comes along and says: "You deserve it".
Posted by mario05111976 (7 comments )
Finally, somebody intelligent
You've got it! Perfect platform to conduct criminal activities. Porn is the most visited on the internet. Not just in North America, but worldwide. People like sex, it's our nature. Most people would feel too embarrassed to go to a local porn shop, but in the privacy of their own homes they can satisfy their needs and curiosity. Curiosity can be a weakness, and in this case is being exploited by a thief.
And to even suggest, by Brian S., that "They deserve it", it's pretty pathetic.
Posted by pcdoctor101 (11 comments )