An easy-to-write hack could leave computer users locked out of their own files. The scam, discovered by San Diego security firm WebSense when one of its clients was attacked, encrypts files on infected computers and then seeks a ransom to unlock them.
It is not the first time security experts have seen “ransom-ware,” but it is also unlikely that it is the last time.
When TechNewsWorld asked if he thought the problem would grow, Joe Stewart, researcher at Lurhq, a security firm, said: “Yes, I think it will, until there is a concerted effort on the part of the governments of the world to proactively address the problem of malware and its use in e-commerce fraud.”
One researcher sees this attack as part of a trend.
“This is another example of a fundamental change in several waves of malicious code attacks. The motives are changing (monetary gain), the attack vectors are changing (more use of the web), and the payloads are changing. All are also becoming more sophisticated,” Dan Hubbard, senior director, security and technology research, WebSense said in an email to TechNewsWorld.
Users got the virus by visiting a malicious Web site that has since been shut down. Once there, the hackers used an Internet Explorer vulnerability to download and run malicious code. Finally, a ransom e-mail requesting $200 be wired to an Internet bank account in exchange for the key to unlock the files.
“There are a few precedents for this going back over a decade, although they have historically been less concerned with making money as with playing pranks on the computer owner. For example, the casino virus would play a game akin to roulette with the computer owner and either wipe the disk contents or leave them intact based on the outcome of the game,” Ed Moyle, president, SecurityCurve, told TechNewsWorld.
The Peter_II virus encrypted drive contents and would unlock them only if the computer owner was able to answer trivia questions, Moyle said.
No Special Knowledge Needed
The scam was an easy one to set up and could have been accomplished by any C++ programmer, according to Stewart.
“All you need to do is set up the exploit on a Web site, upload your EXE and get visitors to your site. This is how most adware/spyware works nowadays, and it’s easy to copy the scheme and adapt it for whatever kind of fraud you want to pull off,” he said.
Stewart also said that he had little difficulty unlocking the files. “Since the author used a simple cipher to encode the documents, reverse-engineering the Trojan was enough to learn how the cipher worked and write a decryptor for it,” he said.
Analysts also pointed out that although the scam does not seem to be spreading, if it did, the hackers might not be difficult to find. Internet banking transactions would leave a trail that could lead right to them.
“It’s easier to prevent this type of infection than it is to remediate the problems caused by it once a machine is infected,” Moyle said. As always, employing a current and updated anti-virus software product is beneficial, as is avoiding unknown or suspicious executable content in e-mail and downloaded programs.”
He also suggested regular backups to ensure that damaged files could be restored.