Mikko Hypponen’s “Hack In Paris” keynote continues with further analysis of ransom Trojans, ranging from the flagrantly manifested GPCode to the craftier fake Copyright and Police alerts, and provides an overview of the banking Trojan industry.
So you get hit by Blackhole, your Windows computer is owned, you boot up Windows, and the next time you boot it up, it boots up but your wallpaper has been changed.
Your wallpaper in Windows has been changed to a wallpaper which explains to you that all your personal files have been encrypted with RSA-1024 with a unique key, and this includes all of your documents, all of your files, all of your images. And if you want to get your files back, please read the “how to decrypt.txt”.
And when you open up “how to decrypt.txt” it explains in detail that they went through your local hard drives, they went through the shares, they went through the network and found all .doc, .xls, .ppt, .pdf, .jpg and .txt files and they’ve encrypted them. You can’t access your files anymore. And it’s all true, that’s exactly what they’ve done. And they’ve implemented RSA-1024 correctly, there are no crypto vulnerabilities we could find. And then they explain that if you want to get your files back, please pay $125 by contacting email@example.com and sending this unique key generated from the encryption key on your computer. And when you contact them and you email them, they’re very responsive, you send them $125 over the Ukash mechanism; they will send you back a program which will decrypt your files for real. So at least these guys are honest criminals, right?
And that’s the reason why we haven’t shut down the email address. Normally, we would shut down an address like this, addresses used by criminals. We haven’t. This address still works today. Why? Because we know there are victims out there who have to be able to reach out to these guys so that they can pay them to get their files back. And as much as I hate the idea of paying these clowns, it’s still the better option than losing your files. We’ve had people contact us who lost their email history – no backups; they lost their holiday pictures – no backups; they’ve had their company infected, encrypting the local area network, and the backups are from last month. And these guys would have been happy to pay much more than $125.
And of course the solution here is backups, and running something that would actually block this from infecting your system. But you can see how it’s different from banking Trojans or credit card theft, where you basically get the money back if you just complain about it. Here, you lost your files.
But this is an extreme case, this is called GPCode. This is very blatant, it actually tells you: “We are the bad guys, we took over your computer, you have to pay us”. There are other similar ransom Trojans that are much more clever in how they play with the user. For example, you boot up an infected Windows computer and it boots up, but then it stops just before Explorer comes to the page, and instead of actually being able to access your computer, you get prompted by a “Copyright violation alert”: “copyrighted content detected”.
It says that Windows has detected that the content you’re using was downloaded in violation of copyright, so you’re now being sued by “Motion Picture Association of America” and RIAA, and the “Copyright Alliance”. And they have a lawsuit against you, there is a PDF file which has your information, evidence list – they list all the .mp3 files you have on your hard drive, all the movies, all the torrents, your IP history, your type of violation. And you can sort of see how people are feeling the steam in their heart: “Oh, shit, I do have some .mp3 files on my hard drive”. And you have only 2 actions: you can either pass the case to court, so you can fight this in court; or you can press this “Settle case in pre-trial order” button, which basically means you can pay and get a license for your .mp3s and movies with the credit card.
And no, this isn’t really the MPAA or the RIAA, or the “Copyright Alliance”. But you can see why people fall for this, because they know these copyright agencies are playing really hardball with their tactics, so it’s plausible, but it actually isn’t real.
And the last example: you boot up your computer, it won’t start up, just like with the previous Trojan. It stops in the middle of the boot, and then you get prompted by the FBI that they have found porn, child porn, zoophile and child abuse images on your hard drive, and your computer has been used to send out spam with terrorist motives. To unlock the computer you have to pay a fine – $100 (read Reveton Trojan – FBI ransomware).
And the interesting thing here is that if you take the very same computer out of the United States and you bring it, for example, to Germany, and you boot it up again with a German IP, then it’s “auf Deutsch”: “Bundespolizei, Achtung, Achtung…” And the price just went up from €100 to Ein Hundert Euro. In fact, you keep taking the very same computer to different countries and it always changes: there’s Spanish and Swedish, Luxemburg, Italian, Greek, German and French, right here.
And even the Finnish version, they have a version targeting us, Finns, there’s only 5 million of us, so we’re not a very big target. And yet they’ve localized it, and their Finnish is great, I mean there are no typos or anything, they’ve had someone do it professionally. And I have to highlight the fact that as an online criminal, if you really want to make 100% sure that the global law enforcement will go hunting after you – this is the way to do it, right? This is the way to make sure all the police will want to find you. And we, by the way, know at least 2 guys, Russians, who are involved in this case, so they will be going down.
A couple of words about Banking Trojans and the money mechanisms there. Most of these are being run by Zeus or SpyEye, which has become the leader in the field, and they are being sold online. There’s Gribodemon, or somebody using his nick, at least, who is the guy behind SpyEye, another Russian guy selling SpyEye. The prices are U.S. dollars, or actually Webmoney, but that’s U.S. dollars, so $2000 for the base kit, Firefox injects for another $2000, RBP functionality for $3000, Opera and Chrome formgrabbers for $1000. But all upgrades are free.
And the compatibility between the configuration files of these banking Trojans is great now. You can use the very same configuration file for Zeus and SpyEye, where you can just configure which bank is being targeted, which has created a market for guys like these. This is Facade selling Zeus Trojan setup. So he’s not selling the Trojan, he’s just selling the customization and tailoring of the Trojan against a specific bank.
You tell them you have Zeus or you have SpyEye, and you want to target this bank. And they will look at the interface, they will look at the different versions, they will get an account in the bank, they will do online banking, they will tailor the scripts to work with that particular bank to do extra transactions or to change the account numbers on the fly when somebody’s doing banking there from an infected computer. This is 500 Euros, and it comes with full 24-hour support, they will update the scripts if the bank changes the interface and all that – great services, you don’t really have to do anything at all by yourself.