Trojan Cryzip extorts decryption fee
By Dawn Kawamoto
Staff Writer, CNET News.com
Published: March 14, 2006, 9:15 AM PST
A Trojan making the rounds encrypts
victims' files and demands a $300 payment to have them decrypted and unlocked,
according to a report by security firm Lurhq Threat Intelligence Group.
This so-called
"ransomware" Trojan, dubbed Cryzip, is the second of its type to
emerge in the past 10 months, following the PGPcoder Trojan, and only the
third such Trojan to appear since 1989.
Lurhq researchers noted
Tuesday that the appearance of two encryption Trojans within a single year
may indicate they are part of an emerging trend in malicious software.
"Last year, we saw the
PGPcoder, and anything that shows itself to be a viable way to make money,
usually people start jumping on the bandwagon after that," said Joe
Stewart, senior security researcher for Lurhq.
The Cryzip Trojan searches infected
systems for files likely to matter to the victim, such as source code or database
files, and uses a commercial zip library to store each one in a password-protected
zip archive. Security researchers, however, have yet to determine how the Trojan is
distributed; it could come from a number of sources, including malicious Web sites,
or enter through a backdoor previously planted on an already-infected computer.
The Trojan overwrites the contents of the
original file and then deletes it (overwriting first defeats simple undelete
tools), leaving only the encrypted archive, named with the original file name
followed by _CRYPT_.ZIP.
"Unlike the PGPcoder that used a
trivial encryption scheme, the zip encryption is stronger. It's harder to go
through a list of possible (encryption) keys to get the information back,"
Stewart said. "But a brute-force attack is still possible, if a user has a
copy of the original file. It can be reverse-engineered with a copy of the
Trojan."
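Stewart's point that zip encryption can still be brute-forced, and the description above of Cryzip storing each file in a password-protected archive named after the original, are easier to see with a small worked example. What follows is an added example written for this article, not Cryzip's code or Lurhq's tooling. It assumes the archives use the standard "traditional" PKWARE zip encryption (ZipCrypto) that ordinary zip tools and Python's zipfile module understand, and the file name, contents, password and wordlist are constructed for the demonstration. It builds one encrypted entry, shows that the central directory is readable without the password, and runs a dictionary attack that uses the 12-byte encryption header's check byte as a fast filter before paying for a full decryption and CRC-32 check.

```python
"""ZipCrypto (PKWARE 'traditional' zip encryption) worked example: build one
password-protected stored entry, read its unencrypted central directory, and
run a dictionary attack using the header check byte as a fast filter.
Added example for this article; not Cryzip's code."""
import io
import struct
import zipfile
import zlib

# Reflected CRC-32 table (poly 0xEDB88320), used raw: no pre/post inversion.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class ZipCrypto:
    """Keystream from three 32-bit keys seeded with the password. The keys
    advance on each plaintext byte, so encrypt/decrypt differ only in feedback."""
    def __init__(self, pwd: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for c in pwd:
            self._update(c)

    def _update(self, c: int) -> None:
        self.k0 = _CRC_TABLE[(self.k0 ^ c) & 0xFF] ^ (self.k0 >> 8)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF] ^ (self.k2 >> 8)

    def _stream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            out.append(c ^ self._stream_byte())
            self._update(c)  # keys advance on the plaintext byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._stream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def make_encrypted_zip(name: str, plaintext: bytes, pwd: bytes, prefix: bytes) -> bytes:
    """One-entry zip: method 0 (stored), general-purpose flag bit 0 (encrypted).
    The 12-byte encryption header is 11 arbitrary bytes plus the high byte of the
    CRC-32; readers compare that last byte to the stored CRC to reject passwords."""
    assert len(prefix) == 11
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    body = ZipCrypto(pwd).encrypt(prefix + bytes([crc >> 24]) + plaintext)
    fname = name.encode("ascii")
    t, d = 0x49E0, 0x346E  # constructed DOS timestamp: 2006-03-14 09:15
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, t, d, crc,
                        len(body), len(plaintext), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, t, d, crc,
                          len(body), len(plaintext), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def list_entries(archive: bytes):
    """The central directory is never encrypted: names, sizes and CRCs are
    readable without the password (the CRC is what the check byte derives from)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [(i.filename, bool(i.flag_bits & 1), i.file_size) for i in zf.infolist()]


def header_check(archive: bytes, name: str, pwd: bytes) -> bool:
    """Decrypt only the 12-byte header and compare its last byte to the CRC's
    high byte: rejects about 255 of 256 wrong passwords without touching the body.
    Assumes no data descriptor (flag bit 3); with one, the DOS time is used instead."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        info = zf.getinfo(name)
        zf.fp.seek(info.header_offset + 26)  # local header: name/extra lengths
        name_len, extra_len = struct.unpack("<HH", zf.fp.read(4))
        zf.fp.seek(info.header_offset + 30 + name_len + extra_len)
        header = zf.fp.read(12)
    return ZipCrypto(pwd).decrypt(header)[11] == ((info.CRC >> 24) & 0xFF)


def open_with_password(archive: bytes, name: str, pwd: bytes):
    """Full decryption via the standard library; None if the header byte or the
    CRC-32 rejects the password (a header false positive still fails the CRC)."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            return zf.read(name, pwd=pwd)
    except (RuntimeError, zipfile.BadZipFile):
        return None


def dictionary_attack(archive: bytes, name: str, candidates):
    """Cheap header check first, full decrypt only for survivors."""
    for pwd in candidates:
        if header_check(archive, name, pwd) and open_with_password(archive, name, pwd) is not None:
            return pwd
    return None


# Constructed sample: stands in for a victim's document and a guessable password.
SAMPLE_NAME = "report.doc"
SAMPLE_TEXT = b"Quarterly figures, do not distribute.\n" * 4
SAMPLE_PWD = b"correct horse battery"
ARCHIVE = make_encrypted_zip(SAMPLE_NAME, SAMPLE_TEXT, SAMPLE_PWD, bytes(range(11)))
WORDLIST = [b"password", b"123456", b"letmein", SAMPLE_PWD, b"hunter2"]

if __name__ == "__main__":
    print(list_entries(ARCHIVE))
    print("recovered:", dictionary_attack(ARCHIVE, SAMPLE_NAME, WORDLIST))
```

The check byte is what makes guessing cheap: decrypting twelve bytes per candidate rejects almost every wrong password, and the stored CRC-32 catches the rare survivor, so the cost of a dictionary or brute-force run is dominated by the size of the candidate space, not by the size of the encrypted files. That is why the ransom note's appeal to password length only holds if the password is genuinely unguessable. A copy of an original, unencrypted file, as Stewart notes, gives a defender a further reference against which any candidate decryption can be verified.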
Cryzip has yet to become a
widespread problem; Lurhq said it is aware of only about two dozen infection
cases. Malicious software writers are increasingly interested in small,
low-volume attacks, in the hope that it will take longer for security
companies to notice their presence and develop a defense.
Victims may also be less willing to
seek help if doing so means disclosing where they might have picked up the
threat.
The Cryzip writer, who uses an
E-Gold account for collecting ransom payments, tells the victims: "Your
computer catched our software while browsing illegal porn pages, all your
documents, text files, databases was archived with long enough password. You cannot
guess the password for your archived files--password length is more than 10
symbols that makes all password recovery programs fail to bruteforce it."
The Trojan writer then goes on to
demand that a $300 payment be sent electronically to the E-Gold account.
Stewart advises users to frequently
back up their important files, not only to minimize the damage if their system
crashes but to reduce damage from an encryption attack.