This is a new iteration of a rather persistent favourite we see a lot. The file in question is named "NTOS.EXE", which we detect generically as Win32.PSWSteal.Gen, entirely preventing both the infection and the threat of stolen data.
When the file is executed on the machine, it encrypts all documents, pictures, data files and more on the machine, and leaves this message:
"Hello, your files are encrypted with RSA-4096 algorithm (http://en.wikipedia.org/wiki/RSA). You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us. To decrypt your files you need to buy our software. The price is $300. To buy our software please contact us at: firstname.lastname@example.org and provide us your personal code -xxxxxxxxx. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system. If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data -- Glamorous team."
At the time of writing there are 6317 records in the stat.txt file below, which is used to track how many people are infected, along with their IP addresses. The picture below shows a graphical view of the dump site containing the harvested data.
Here are the latest VirusTotal detections for it:
Now for the really interesting part. Translating the log files on the server into meaningful data was quite easy; here is the money shot.
All of the above corporations' IPs appear in the stats, and there are tagged data files with these IPs on the drop site - shocking.
While writing this, and looking at the VirusTotal stats, one message stands out clearly to me. If these stats indicate that these companies have been attacked and they are running any of the products from the vendors that didn't detect it, do they even know they are infected? This could put them at significant risk.
And, if they don't know they are infected, how will they protect their customer data once it has been leaked?
After a brief crack at decrypting the data, the results are staggering. For example, in the case of the infection at the US Dept of Transportation, there is over 500KB of stolen information. We think that's a lot, and the level of detail... well.
These hosts are high-profile companies that spend a significant amount of money every year on security, and these threats still seem to be able to penetrate their defences.
It is worth adding that this particular threat is not very sophisticated compared to some of the things we see nowadays.
SecureSciences did an excellent write-up in November last year of an older variant of this threat, which can be found here.
More to follow, including a decryptor, so if you are about to fork out $300 to some shady character, just hang on...
** UPDATE ** By Marco Giuliani
As Jacques wrote during the weekend, we've had a number of reports about a new ransomware trojan that encrypts files on the user's hard disk. It isn't really a new trojan; instead, it's a variant of an old password-stealer trojan we already saw in the last couple of months. The latest build has a new ransomware feature built into it.
After a lively weekend spent on this malware, we've reversed it and, unlike the claims made by the malware writers in the readme file, it doesn't use the RSA 4096-bit algorithm but a simpler one.
Prevx is the first to provide full disinfection and decryption for this malware, which has infected thousands of computers around the world.
Moreover, the trojan steals usernames and passwords from the user's online transactions, then stores them in an encrypted file and uploads it to a remote server. The malware writers can then decode the file and steal your credentials.
We've decoded this algorithm too, but no decryption tool will be released for it because of privacy concerns. Anyway, we are working together with the FBI to get the server shut down and to track down the authors.
So, instead of paying $300 to buy the decryption software from the malware writer, you can now save that money and buy something worthwhile!