Members
  • Total Members: 14197
  • Latest: Levine
Stats
  • Total Posts: 43424
  • Total Topics: 16521
  • Online today: 2701
  • Online ever: 51419
  • (01. January 2010., 10:27:49)
Users Online
Users: 1
Guests: 2697
Total: 2698









Post reply

Name:
Email:
Subject:
Message icon:

Verification:
Type the letters shown in the picture
Listen to the letters / Request another image

Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.codekids.ba:

shortcuts: hit alt+s to submit/post or alt+p to preview


Topic Summary

Posted by: Amker
« on: 27. July 2007., 21:21:27 »

The two most prominent ransomware Trojans of recent times could be the work of the same or a closely-related Russian group, an analysis has suggested.

Last week, a new ransomware Trojan appeared on the radar of security researchers, and was quickly identified as a modified version of the GpCode malware that first hit the Internet as long ago as Spring 2005. As with its predecessors, the new Trojan, also named "Glamour," sets out to encrypt data files on any PC it infects, demanding a ransom of $300 in return for a key to unlock files.

Now an analysis from security research outfit Secure Science Corporation (SSC) has plotted the large number of similarities between the new GpCode and a version that appeared in 2006. Of the 168 functions identified in the code of the new variant, 63 were identical to the older 2006 version.

"The results indicate that these two Trojans, found in the wild nearly 6 months apart, originated from the same source tree. This could mean that the original authors are actively modifying the code themselves, or they sold/traded the source code to another group who is now in charge of the modifications," say the authors.

In other words, a single or allied group is cycling the same basic ransomware platform through a series of attacks, modifying it each time to evade detection for long enough to find victims. If true, that increases the likelihood of future attacks using the same code base.

The planned window of opportunity appears to have been a short one -- the compile date for the malware was July 5th and the deadline date mentioned it its threat message to victims states a payment deadline of July 15th.

SSC has also found frightening evidence of GPCode's effectiveness. "In the 8 months since November, we've recovered stolen data from 51 unique drop sites [...]. The 14.5 million records found within these files came from over 152,000 unique victims," says the report.

Fortunately, despite claiming to have encrypted files using RSA 4096-bit, the new version's apparent use of sophisticated encryption is a bluff. Unlike previous versions of GpCode, the new variant uses a much simpler but unnamed technique to create the appearance of having encrypted files, possibly just a long-strong passphrase. A number of companies have produced tools to reverse the work of the latest GpCode.

Ransomware Trojans have a fearsome reputation, but are still thankfully one of malware's rarer events. The long periods of silence could, indeed, be part of their design. Attacks have been recorded from early 2005, and several times in 2006.
CW

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Kursevi programiranja za ucenike u Sarajevu

Terms of Use | Privacy Policy | Advertising
TinyPortal 2.3.1 © 2005-2023