
Attack uses Microsoft flaw to hold electronic files hostage

By SearchSecurity.com Staff
25 May 2005 | SearchSecurity.com


A new attack uses an unpatched Internet Explorer flaw to install a Trojan that essentially holds computer files on infected systems hostage.

Users become infected by browsing a malicious Web site if they haven't applied Microsoft patch MS04-023. The site uses the Windows help subsystem and a .chm file to upload a Trojan that Websense Security Labs called Download-AAG. It then connects to another malicious site for further instructions, after which files on the user's local hard disk and mapped drives are encoded and a message is dropped onto the system telling the infected user how to buy the decoder through an online E-Gold account.

San Diego-based Websense said it has received several reports of the attack from its customers.

The Associated Press reported that this type of attack has been dubbed "ransom-ware" and that the attacker demands $200 for the decoding software. The AP said Websense discovered the attack when an unidentified corporate customer fell victim to the infection, which encrypted files that included documents, photographs and spreadsheets. The article reports that the attack encoded at least 15 different types of data files.

The IE flaw was labeled "critical" by Microsoft when it was released last July. Experts recommend vulnerable IE users apply the patch immediately. Vulnerable versions include:

  • Windows 2000 SP2, SP3 and SP4
  • Windows XP and Windows XP SP1
  • Windows XP 64-Bit Edition SP1
  • Windows XP 64-Bit Edition Version 2003
  • Windows Server 2003
  • Windows Server 2003 64-Bit Edition

Antivirus provider Symantec identifies the malware as Trojan.Pgpcoder and ranked it a low threat because it is not self-propagating. However, the AV vendor acknowledged the malware represents a growing trend among "for-profit" online criminals. "This Trojan horse is certainly an example of using cryptography for malicious purposes," said Oliver Friedrichs, senior manager of Symantec Security Response, in a statement. "It is the equivalent of someone coming into your home, locking your valuables in a safe and refusing to give you the combination."
