The virus searches a victim's hard drive and encrypts any text-based documents it finds there. The existing version then displays a ransom note that demands $200 for supplying the software that will decode the encrypted data so that it can be read again.
The novel attack exploits encryption technology originally designed to protect data, not kidnap it. To add insult to injury, it stores the kidnapped data in front of the victim's eyes, on their own personal computer.
The virus was discovered last week by the web-filtering company Websense of San Diego, California, when one of its clients' computers became infected. The malicious code is designed to take advantage of a vulnerability in the victim's web browser to download itself onto their hard drive.
Despite having the filename Pgpcoder, the virus does not use the popular and highly secure encryption algorithm, Pretty Good Privacy (PGP). The name may have been designed to hide the true nature of the file or perhaps to besmirch PGP's good name with the digerati.
Once Pgpcoder has infected a computer, it searches the victim's hard drive for 15 common file types to encode, including Word, Excel and html files. A message then appears demanding money for the decoder.
"It's just another version of extortion," says Dan Hubbard, director of security and defence at Websense. He would not reveal any details of the FBI investigation into what he calls "ransomware", but did point out that a rather obvious weakness in the attack is that the ransom includes a contact email address and an electronic cash account number, both of which could be traced. "This is the only case so far," Hubbard says, and the encryption algorithm it used was not very sophisticated. By reverse engineering the algorithm, Joe Stewart, a computer security consultant with Chicago-based IT firm Lurhq, was able to write a decoder that allowed the encrypted data to be recovered. The danger now is that the virus writers might turn to using strong military-grade encryption systems instead. "That would make it impossible to decrypt the files," Stewart says, leaving people with little option but to pay up.
The best defence against such attacks is to buy antivirus software and keep it up to date, and ensure that the latest operating system and browser security patches are installed. And with webmail services like Gmail offering 2 gigabytes of free storage, it doesn't hurt to back up precious documents elsewhere. This is not the first time "malware" has been written to extort cash. Criminals have tried- and in some cases succeeded- in blackmailing internet betting firms by threatening to bring down their websites with a so-called distributed denial of service attack. The new virus differs in that it targets individual users. Criminals are increasingly turning to malware to make money, Stewart says. One recent instance he quotes is a worm called Myfip, which targets a company's product designs and emails them to product counterfeiters in China.
IF REPORTING ON THIS STORY, PLEASE MENTION NEW SCIENTIST AS THE SOURCE AND, IF PUBLISHING ONLINE, PLEASE CARRY A HYPERLINK TO: http://www.newscientist.com
"This article is posted on this site to give advance access to other authorised media who may wish to quote extracts as part of fair dealing with this copyrighted material. Full attribution is required, and if publishing online a link to http://www.newscientist.com is also required. The story below is the EXACT text used in New Scientist, therefore advance permission is required before any and every reproduction of each article in full. Please contact firstname.lastname@example.org. Please note that all material is copyright of Reed Business Information Limited and we reserve the right to take such action as we consider appropriate to protect such copyright."
THIS ARTICLE APPEARS IN NEW SCIENTIST MAGAZINE ISSUE: 4 JUNE 2005
Author: DUNCAN GRAHAM-ROWE