Threat Analysis

Cryzip Ransomware Trojan Analysis

By: Joe Stewart
Date: March 11, 2006

Summary

In May 2005, a trojan called PGPcoder was discovered in the wild by Websense Security Labs. The trojan's purpose was to encrypt a user's files, then demand a ransom for their decryption. Although this scheme seemed novel, it is actually predated by over 15 years, by a similar scam in 1989. SecureWorks' research team has now discovered a third such scheme involving ransomware, which we are calling Cryzip.

Unlike PGPcoder, which used a custom encryption scheme (subsequently reverse-engineered by SecureWorks), Cryzip uses a commercial zip library in order to store files inside a password-protected zip. Although the zip encryption is stronger, a brute-force attack is still possible on the files, especially if one has a copy of the original file inside the zip.

File Details

Filename: vcmauth.dll
Filesize: 1,191,936 bytes
MD5: 86a48836bced8c4a0b59fca972800890
SHA1: 0b3a49b3172fc65db607fcb1b8029820ec11c5b6
Packer: none
Compiler: Visual C++ 6.0
Compile Date: Thu Mar 2 18:11:02 2006
CME Number: none assigned
Identifying Strings:
• zippo.dll
• ZippoCrypt
• _zippo_crypter_v1.0_

Analysis

When run, Cryzip searches the C: drive (except for files in directories named "system" or "system32") for files which it will zip, overwrite with the text "Erased by Zippo! GO OUT!!!", and then delete, leaving only the encrypted zip file with the name original-file-name_CRYPT_.ZIP, where original-file-name is the original file name complete with the file extension.

Cryzip searches for and zips files with the following extensions:
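The naming scheme above means an infected tree can be triaged mechanically: every `*_CRYPT_.ZIP` maps back to the original filename, and each processed directory carries the ransom note. The following triage and recovery script is an added example, not code from the SecureWorks report; it uses the zip password the report identifies later in the analysis. The sample tree is constructed in a temporary directory and its archive is unencrypted (Python's zipfile cannot write password-protected archives), so the password is simply ignored for it, whereas on a real infected host it is the first thing to try.

```python
# Added example (not from the SecureWorks write-up): triage a directory tree
# for Cryzip artifacts and attempt recovery with the password embedded in the
# first Cryzip variant. The fixture below is constructed, not a real sample.
import os
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

CRYZIP_PASSWORD = b"C:\\Program Files\\Microsoft Visual Studio\\VC98"  # from the DLL strings
ZIP_SUFFIX = "_CRYPT_.ZIP"          # appended to the full original filename
REPORT_NAME = "AUTO_ZIP_REPORT.TXT"  # ransom note left in each processed directory

def find_artifacts(root: str) -> Dict[str, object]:
    """Walk `root`; return ransom-note paths and a map of each Cryzip
    archive to the original filename it replaced."""
    notes: List[str] = []
    zips: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper() == REPORT_NAME:
                notes.append(path)
            elif name.upper().endswith(ZIP_SUFFIX):
                zips[path] = name[:-len(ZIP_SUFFIX)]  # strip suffix, keep original extension
    return {"notes": notes, "zips": zips}

def recover(zip_path: str, dest: Optional[str] = None,
            pwd: bytes = CRYZIP_PASSWORD) -> List[str]:
    """Extract one Cryzip archive with the known password into `dest` (a fresh
    temp dir if None). Returns the restored member names, or [] when the file
    is not a zip or the password is wrong (as with the second variant)."""
    dest = dest or tempfile.mkdtemp()
    try:
        with zipfile.ZipFile(zip_path) as zf:
            zf.extractall(dest, pwd=pwd)
            return zf.namelist()
    except (RuntimeError, zipfile.BadZipFile):
        return []

def build_sample_tree() -> str:
    """Constructed fixture: one victim directory as Cryzip would leave it."""
    root = tempfile.mkdtemp()
    victim = Path(root, "docs")
    victim.mkdir()
    with zipfile.ZipFile(victim / ("report.doc" + ZIP_SUFFIX), "w") as zf:
        zf.writestr("report.doc", "quarterly numbers")
    (victim / REPORT_NAME).write_text("Remember you are just $300 away from your files")
    return root
```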

• .arh
• .asm
• .arj
• .bas
• .cdr
• .cgi
• .chm
• .cpp
• .db1
• .db2
• .dbf
• .dbt
• .dbx
• .doc
• .dpr
• .dsw
• .frm
• .frt
• .frx
• .gtd
• .gzip
• .jpg
• .key
• .kwm
• .lst
• .man
• .mdb
• .mmf
• .old
• .p12
• .pas
• .pak
• .pdf
• .pgp
• .pwl
• .pwm
• .rar
• .rtf
• .safe
• .tar
• .txt
• .xls
• .xml
• .zip

After it has finished processing a directory, Cryzip leaves a text file in the directory named AUTO_ZIP_REPORT.TXT, which contains the following text:

OUR E-GOLD ACCOUNT: XXXXXXX

INSTRUCTIONS HOW TO GET YUOR FILES BACK

READ CAREFULLY. IF YOU DO NOT UNDERSTAND, READ AGAIN.

This is automated report generated by auto archiving software.

Your computer catched our software while browsing illigal pornpages, all your documents, text files, databases was archived with long enought password.

You can not guess the password for your archived files - password lenght is more then 10 symbols that makes all password recovery programs fail to bruteforce it (guess password by trying all possible combinations).

Do not try to search for a program what encrypted your information - it is simply do not exists in your hard disk anymore.

If you really care about documents and information in encrypted files you can pay using electonic currency $300.

Reporting to police about a case will not help you, they do not know password. Reporting somewhere about our e-gold account will not help you to restore files. This is your only way to get yours files back.

------------------------------
How to pay to get your information back.

1. click on this link to open your free e-gold account - the first screen is the e-gold "terms and conditions" page. You need to agree to these by clicking on the "I AGREE" button on the bottom on the page.

2. On the next page is the sign up form:

   1. "Account name" - here is where you name your account - tip: make it easy to remember (as you will be asked for it) and reasonably short, example, "John's e-gold", "My Money e-gold" or perhaps "Felix" (whatever you like, just make it easy for you to remember it).
   2. "User Name" - here just repeat the account name (from 1 above).
   3. "Point of Contact" - this is where you put our name, address, phone number and email address (any email address can be used here but it is recommended you use your ISP address - not a free hotmail, etc address). It is also recommended your also include a fax number (don't have a fax number? This company offers free fax to email services). Try and make it as easy as possible for e-gold to contact you.
   4. "Passphrase" - this is the most important piece of information connected to any e-gold account. We can not stress enough how important it is that your passphrase is kept safe and secure.
   5. "Turing Number Entry" - type the 6 numbers you see there into the input box below.
   6. The last step click "Open"

On the next page it will tell you that your e-gold account number has been emailed to you. check your email - you can expect to wait up to 5 minutes for your account number to arrive. If it does not arrive after 5 minutes then that means the email address you supplied was incorrect and you will have to open another new account (go through and repeat what you just did above again).

To buy e-gold to your account please use official exchange services
http://www.me-gold.com/
http://www.goldex.net/
http://usece.com/
or try to search own way with
http://gold-pages.net/e-Gold__1MDC__Pecunix_Wizard_Links/Purchase_E-gold/index.html
http://www.google.com/search?hl=en&q=buy+e-gold&btnG=Google+Search

FINALLY when you bought e-gold you have to transfer $300 to our e-gold account. In next 24 hours you will recieve $1 back to your account. Transfer details of this $1 transfer will have a link to software that will automatically unzip all your files back to normal state.

Next day login to your account https://www.e-gold.com/acct/login.html, press History and press submit, you will see LINK TO UNZIP-software.

##########################################################################
Remember you are just $300 away from your files
##########################################################################


At the top of the AUTO_ZIP_REPORT.TXT file, the number of an E-Gold account is inserted. This number is picked at random from a list embedded in the DLL. By operating many accounts simultaneously, the trojan author is betting that even if E-Gold shuts down some of the accounts, he/she will still receive payment on some of the others. The complete list of E-Gold accounts is:


The text of the AUTO_ZIP_REPORT.TXT file is encrypted inside the Cryzip DLL, using simple XOR (0x13) encoding. The password used to zip the files is also embedded inside the DLL but it is not encrypted - instead, the author decided to hide the password in plain sight, so to speak. The password is:

• C:\Program Files\Microsoft Visual Studio\VC98

Because this string often appears inside projects compiled with Visual C++ 6, the author likely figured anyone who found the infecting DLL and examined its strings looking for the password would simply overlook it.
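A single-byte XOR like the 0x13 used on the ransom note does not survive a known marker: rather than decoding the whole binary under every key, an analyst encodes a short expected plaintext (such as "INSTRUCTIONS" from the note) under each of the 256 keys and looks for it in the file. The script below is an added example, not code from the report; the "DLL" it scans is a constructed byte string containing a fragment of the note encoded with 0x13.

```python
# Added example (not from the SecureWorks write-up): recover a single-byte XOR
# key from a binary by searching for a known plaintext marker, then pull the
# decoded strings out. Cryzip stored AUTO_ZIP_REPORT.TXT XOR-encoded with 0x13.
import re
from typing import List, Optional

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; the operation is its own inverse."""
    return bytes(b ^ key for b in data)

# Constructed stand-in for the DLL: a fake header, padding, the note fragment
# (text quoted from the ransom note on this page) encoded with 0x13, and filler.
NOTE_FRAGMENT = (b"INSTRUCTIONS HOW TO GET YUOR FILES BACK\n"
                 b"Remember you are just $300 away from your files\n")
FAKE_DLL = b"MZ\x90\x00" + b"\x00" * 16 + xor_bytes(NOTE_FRAGMENT, 0x13) + b"\xcc" * 8

def find_xor_key(blob: bytes, marker: bytes) -> Optional[int]:
    """Return the one-byte key under which `marker` appears in `blob`, or None.
    Encoding the short marker 256 times is far cheaper than decoding the blob
    256 times, and a marker of a dozen bytes rules out chance matches."""
    for key in range(256):
        if xor_bytes(marker, key) in blob:
            return key
    return None

def extract_strings(blob: bytes, key: int, min_len: int = 8) -> List[str]:
    """Decode `blob` with `key` and return printable ASCII runs of at least
    `min_len` bytes, the same way `strings` would on the decoded image."""
    decoded = xor_bytes(blob, key)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, decoded)]

if __name__ == "__main__":
    key = find_xor_key(FAKE_DLL, b"INSTRUCTIONS")
    print("key: 0x%02x" % key)
    for s in extract_strings(FAKE_DLL, key):
        print(s)
```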

Conclusion

At this time the infection vector is unknown. Infection reports are not widespread, so it is not believed this is a mass threat by any means. Malware of this nature is actually more successful when it is delivered in low volumes, as it is less likely that anti-virus vendors will have detection for it, and more attention means the likely closing of the accounts used for the anonymous money transfer. As such, most users will probably not have to worry about this threat - keep in mind however that the two incidents in the last 10 months indicate the possible start of a trend of this type of malware, and future incidents may affect a wider swath of users. However, in most cases, simply having and using proper backup software would mitigate the risk from ransomware.

Update - March 22, 2006:

The infection vector has been established to be recent Bagle virus runs. Starting in February and into March, a group of Bagle variants was seen which do not resemble other modern Bagles. Based on our research, we have determined that the author of Cryzip took the circa-2004 source code of Bagle and adapted it to his/her own purposes. Some of the variants were used to spread a variant of Sality, among other files, downloaded primarily from invis1lblearm3333.com. The other variants directly downloaded an executable which installs Cryzip on the system, downloaded primarily from egozda.com. The author uses a specific User-Agent string in the download requests which is checked by the script serving the executable - therefore attempts to manually download the Cryzip dropper were unsuccessful unless the requestor used the proper User-Agent.

Further evidence in the binaries indicates that Cryzip and Sality are probably written by the same individual. In one example of this, the same pseudo-random number generator (PRNG) code was used in both Cryzip and Sality. The PRNG was apparently cribbed from the Mydoom source code, which would put it in wider use than just Cryzip and Sality - however, both Cryzip and Sality have minor variations in the binary code of the PRNG caused by a certain non-default compiler optimization setting which is uncommon even in Mydoom or Mytob variants which use the same PRNG. Other code similarities, together with the fact that both were spread around the same time by open-source Bagle variants packed with the same unique executable packer, give strong credence to the idea that they share the same author.

Update - May 22, 2006:

A second Cryzip variant has been released. This time, instead of storing the password in the trojan, the author uses a list of passwords which are served by a PHP script on a remote site. The trojan downloads the password dynamically and uses it to encrypt the files. Currently the website which served the passwords during the initial infection phase simply redirects to a porn site.

Due to the ephemeral nature of the password retrieval, users who are infected with this variant of Cryzip will probably not be able to find the password. If they do not wish to pay the ransom, the only other option is to brute-force the password. This is unlikely to work unless the user has a backup copy of one of the files inside one of the password-protected zip files. If so, it may be possible to do a "known plain-text" attack against the zip encryption for that file, using a tool such as Elcomsoft's Advanced ZIP Password Recovery tool. Note that this tool is commercial software, and costs $30 for a Personal license, and $60 for a Business license.

If a user does not have an original copy of one of the files inside the zips, it is unlikely they will be able to break the password encryption unless a) they pay the ransom or b) the trojan author is arrested and forced to divulge the passwords. While the latter option is not very likely, affected users are still encouraged to report the crime so that the authorities may be more likely to open a case.

You can report Internet crime online at http://www.ic3.gov/
