Personal files encrypted until payment is made

Mar 21, 2009 09:50 GMT

Security researchers from FireEye warn of a new dangerous technique employed by the Vundo trojan in order to push worthless system tools. A malicious component encrypts personal documents on the affected systems and the users are forced to pay for software that decrypts them.

Vundo, also known as Virtumondo or Virtumonde, is a computer trojan whose main purpose, according to specialists from anti-virus vendor Sophos, is to serve as a malware-distribution service. The same experts recently warned that the trojan has been upgraded with worming capabilities by way of an autorun-infecting component.

Various pieces of malware get dumped onto Vundo-infected computers, including rogue anti-virus programs. These attempt to scare users into paying for unneeded licenses by displaying fake security alerts. Security professionals call such invasive software "scareware" or "rogueware."

It seems that new Vundo variants also exhibit a dangerous shift in paradigm. The distribution of fake software through the trojan has become a lot more aggressive, changing from tricking users into making worthless payments to basically forcing them.

A malicious component dropped by Vundo first scrambles documents with common extensions, such as .pdf, .doc and .jpg, rendering them inaccessible. The trojan then advertises a program called FileFix Pro 2009, which is able to decrypt the files, but only after a license is purchased. This effectively turns "scareware" into "ransomware."

In addition, the same "server-side polymorphism" that characterizes Vundo is also used by the creators of FileFix Pro 2009. This technique generates a slightly different executable for each download in order to evade pattern-based anti-virus detection and, according to the FireEye analysts, it appears to be working. "The samples I fetched are currently 0/39 on VirusTotal. Yikes," Alex Lanstein, senior security researcher at FireEye Malware Intelligence Lab, cautions.

However, there is also some good news. FireEye analyst Julia Wolf has reverse-engineered the fpfstb.dll component used by Vundo to encrypt the files and has written a Perl script that recovers them without paying anything for FileFix Pro 2009. The script can be downloaded as a stand-alone file or used online to unscramble affected files. For the moment this is a hassle, because it fixes one file at a time, but a full application that recovers all of them at once is planned for release in the coming days.

The domain used to distribute FileFix Pro 2009 is owned by a company in Ukraine, suggesting the threat's origins. Furthermore, the researchers were lucky this time, because the malware authors did not use a strong encryption algorithm; otherwise it would have been impossible to recover the files without paying up. Unfortunately, this might change in the future. "The level of egregiousness of the folks at FileFixerPro has me completely floored. I didn't think this day would be upon us so soon," Alex Lanstein notes.

[Image: Vundo holds personal files for ransom]
[Image: FileFix Pro 2009 screenshot - ransomware]