
Ransom Trojans

Apr 28, 2006, 4 mins
Data Center, Viruses

Yet another Trojan that attempts to extort money is doing the rounds. According to SophosLabs, this Trojan, called Ransom-A, “asks the computer user to pay $10.99 or it will delete one file every 30 minutes.” Not only does this Trojan delete files, it apparently also makes a random selection of files invisible and disables control-alt-delete. To pay, the user has to transfer the payment via Western Union, after which a “CIDN number” (whatever that stands for) will be sent to the user. Once this number is entered the Trojan will supposedly go away.

I would bet that this type of exploit will become far more common over the next few years because it will work particularly well on less sophisticated users and at $11 will be relatively easily swallowed.

But what if the Trojan’s creator installs a root kit and successfully hides the malware, triggering it to reactivate, say, 30 days later? We’ve got a good, old-fashioned protection racket! We’ll call this the Vinny Trojan. Now imagine the Vinny Trojan also finding out your bank and credit card details and maybe personal blackmail information … now anything happens to the Vinny Trojan or Vinny’s owner and your life gets hosed. But if you’re a good boy or girl and just pay up on time every month, you’ll be able to sleep at night. Welcome to the new Mafia …

The full Sophos press release follows …

Received 04/28/06

RANSOM TROJAN HORSE THREATENS USERS TO PAY OR DELETE FILES

Experts at SophosLabs, Sophos’s global network of security research centers, have warned users about a Trojan horse that prevents victims from accessing their computer data and asks for a ransom to be paid via Western Union.

Like last month’s ransom Zippo Trojan horse that demanded $300, this Ransom-A Trojan horse also demands money. The Ransom-A Trojan asks the computer user to pay $10.99 or it will delete one file every 30 minutes.

Upon activation the Trojan horse displays some pornographic images, as well as the following message:

‘listen up muthaf**ka is this computer valuable. it better not be. is this a business computer. it better not be. do you keep important company records or files on this computer. you’d better hope not. because there are files scattered all over it tucked away in invisible hidden folders undetectable by antivirus sofware the only way to remove them and this message is by a CIDN number’

The Trojan horse indicates that the “CIDN number” can be acquired by making a payment via Western Union to the hacker. The Trojan promises to remove itself and restore access to the stolen files after the “CIDN number” is entered.

“Hackers have found another way to steal money from innocent computer users,” said Ron O’Brien, senior security analyst at Sophos. “We’re seeing these ransom Trojans appear more frequently with a variety of threats.”

In March, Sophos reported on a Trojan horse that encrypted victim’s data, and demanded $300 for the password to unlock the information. Fortunately, last month’s Ransom Trojan was halted after Sophos experts published the password, preventing the Trojan from further threats.

“It’s important, no matter what, to always back up your files and continue to update your computer with security software,” continued O’Brien. “In the event that a Ransom Trojan does infect your computer, you never want to negotiate your files, so always be prepared.”

Sophos experts note that the Trojan horse circumvents attempts to remove it from infected computers once it has activated. If the affected user presses Ctrl-Alt-Del in an attempt to stop the Trojan horse running, another message is displayed:

‘Yeah, We don’t die, We multiply! Ctrl+Alt+Del isn’t quite working today, is it? I’m not the sharpest tool in the shed but Crtl+Alt+Del is everyone’s S.O.S.’

“With a message like this, we’re seeing hackers taking full advantage of computer users’ weaknesses,” continued O’Brien. “We can slow down hackers, but it’s ultimately up to the user to continue to manage their computer with the best of care.”

Companies are recommended to protect their email with a consolidated solution to thwart the virus, spyware and spam threats and secure their desktops and servers with automatically updated anti-virus protection.

Further information is available at:


Mark Gibbs is an author, journalist, and man of mystery. His writing for Network World is widely considered to be vastly underpaid. For more than 30 years, Gibbs has consulted, lectured, and authored numerous articles and books about networking, information technology, and the social and political issues surrounding them. His complete bio can be found at
