Malware that Kidnaps Data


This article was published by ComputorEdge, issue #2503, 2007-01-19, as a feature article, in both their print edition (on pages 20-21) and their website.

Many human activities are finding their equivalent forms online. The Internet has made possible new forms of communication, new venues for meeting others, and, unfortunately, new opportunities for criminals. Kidnapping, the seizure of something valuable, usually for a ransom, is no exception.

As the economies of the world become increasingly knowledge-based, the business and personal files and other data on our computers become increasingly valuable to us. Thus it is perhaps inevitable that modern-day kidnappers are beginning to target our irreplaceable data.

A new cyber twist on conventional kidnapping is extortion malware that encrypts a computer user's valuable data and demands that the victim make an online payment to the criminals in order to receive a password that unlocks the data, making it available again to the hapless victim.

At least, that is the promise made by the kidnappers. There is always the possibility that they will demand a second payment before the password is provided. In fact, as with any such criminals, there is no guarantee that they will ever allow the victim to see the data again. Like relentless blackmailers, the data kidnappers could keep making demands until the victim gives up and decides that the data is truly lost forever.

A Harrowing Harbinger?

In the summer of 2006, Internet users and computer security experts throughout the world received a first look at what might develop into one of the most devastating types of malware, when a Trojan horse known as Archiveus struck users of Microsoft Windows. Discovered on 6 May 2006, Archiveus takes control of all of the files in the user's My Documents folder, combines them into password-locked files, deletes the user's original files, and demands something in return for the passwords to unlock the encrypted files.

In effect, this pioneering new form of malware, dubbed by the media as a form of "ransomware", is a virus that archives files — though not in the usual file compression sense. This is the likely reason for the chosen name, "Archiveus".

All of the details of this Trojan horse are well known, and hence PC users running Windows can quickly determine whether or not they are currently a victim of this piece of malware. All widely used versions of Windows are vulnerable: 95, 98, Me, NT, 2000, XP, and even Server 2003.

Archiveus targets all of the files in the "%UserProfile%\My Documents" folder. %UserProfile% is a Windows environment variable that refers to the current user's profile folder. For instance, if your Windows username is BillG, then in any version of Windows that is based upon NT (XP, 2000, and of course NT), your %UserProfile% folder would be C:\Documents and Settings\BillG.

An obvious clue that Archiveus has struck your PC is that all of the files in your My Documents folder have been replaced by three files: Demo.als, EncryptedFiles.als, and "INSTRUCTIONS HOW TO GET YOUR FILES BACK.txt". As is evident from the names, the second file contains your kidnapped data, and the third file is basically the ransom note. It describes how you must purchase goods from a series of websites in order to receive the passwords to unlock the other two files.

Users who are comfortable working inside the Windows Registry can also look for the subkey HKEY_CLASSES_ROOT\ALS, which Archiveus creates.
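As an added example (not code from the original article), here is a small Python check that tests a folder for the three indicator file names described above and, when run on Windows, for the HKEY_CLASSES_ROOT\ALS subkey; the function names and the verdict thresholds are my own assumptions.

```python
"""Look for the Archiveus indicators described in the article.  Added example,
not code from the original; the function names are hypothetical."""
import os
import sys
from pathlib import Path

# File names from the article; matched case-insensitively (Windows semantics).
ARCHIVEUS_FILES = frozenset({
    "demo.als",
    "encryptedfiles.als",
    "instructions how to get your files back.txt",
})

def match_indicators(names):
    """Return the subset of ARCHIVEUS_FILES present in an iterable of names."""
    return {n.lower() for n in names} & ARCHIVEUS_FILES

def als_registry_key_present():
    """True if the HKEY_CLASSES_ROOT\\ALS subkey exists; False off Windows."""
    if sys.platform != "win32":
        return False
    import winreg  # Windows-only module
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "ALS"):
            return True
    except OSError:
        return False

def assess(found, registry_key):
    """Both .als archives together, or the registry subkey, mean a likely
    infection (assumed threshold); a single leftover indicator is only suspicious."""
    if registry_key or {"demo.als", "encryptedfiles.als"} <= found:
        return "likely infected"
    return "suspicious" if found else "clean"

def check_folder(folder=None):
    """Scan a folder (default: %UserProfile%\\My Documents) for the indicators."""
    folder = Path(folder or os.path.expandvars(r"%UserProfile%\My Documents"))
    names = [p.name for p in folder.iterdir() if p.is_file()] if folder.is_dir() else []
    found = match_indicators(names)
    key = als_registry_key_present()
    return {"found": sorted(found), "registry_key": key, "verdict": assess(found, key)}

if __name__ == "__main__":
    print(check_folder(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with no argument to scan your own My Documents folder, or pass another path, for example the profile folder of a different user account.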

A Close Call

Fortunately for victims of this Trojan horse, security researchers quickly discovered that the author of Archiveus had left a gaping hole in his strategy — certainly as gaping as the fabled gates of Troy, which were wide enough to accommodate the massive wooden horse. The passwords demanded by Archiveus were located in the code itself, and were consequently discovered by security experts examining the code, and rapidly published on the Internet.

Just in case any readers are currently in the clutches of Archiveus, or might be in the future, the password for the Demo.als file is kw9fjwfielaifuw1u3fw3brue2180w3hfse2, and the password for the EncryptedFiles.als file is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw. When trying to open either file, you will be prompted for the password, which then extracts your files, making them available to you again.

Malware victims and anti-malware product vendors got lucky this time, in that the author of this particular piece of ransomware made a technical error, thereby allowing his intended attack to be neutralized in a relatively straightforward manner. But what will happen in the future when more sophisticated and thorough data kidnappers do not make any such mistakes? What will we do then? How will you get your data back?

What if the next example of ransomware does not contain the password in the code, but instead requires that your PC be connected to the Internet, so that the ransomware can forward you to a website that will accept your credit card payment in exchange for the password to release your imprisoned data, so you can get back to using your computer? (And no snide comparisons now to Windows activation.)

Kick the Kidnappers

If and when you become a victim of ransomware, it is possible that the password given to you by the criminals would not correctly free your imprisoned files, whether intentionally or simply through technical ineptitude on their part. In fact, as noted earlier, they might not even bother to give you a password after your first payment, or any subsequent ones.

If your personal and business data is as valuable to you as the criminals are betting that it is, then you need to protect yourself ahead of time, to avoid falling victim. The usual Internet security safeguards apply: Only connect to the Internet on a PC that has a hardware or software firewall in place. Regularly update and run anti-spyware and antivirus software. Use Web browsers with the best security track records (such as Firefox and Opera).

In addition, you can make it much more difficult, if not impossible, for ransomware to actually locate your valuable files. The "%UserProfile%\My Documents" folder is such an obvious target. To avoid that trap, store all of your personal files and folders in a folder that you have created, not contained within the %UserProfile% folder.

Last and certainly not least, perform regular backups of all your important files, and periodically test those backups to confirm that the data is fully recoverable from them, and contains no malware. That way, even if you somehow get hit by ransomware, you can disinfect your computer, delete the kidnappers' files, and turn a potential disaster into a valuable lesson.

Copyright © 2006 Michael J. Ross. All rights reserved.
