ID: IRCNE2014012059
Date: 2013-01-04
According to "techworld", security researchers have discovered what looks like a copycat version of the Cryptolocker ransom Trojan that drops some of the malware’s sophistication in favour of the single innovation of being able to spread via USB drives.
According to security firms Trend Micro and ESET, the recently discovered worm-like Crilock.A variant (which calls itself ‘Cryptolocker 2.0’) poses as an updater for Adobe Photoshop and Microsoft Office on sites frequented by P2P file sharers.
The command and control architecture is also new, ditching the domain generation algorithm (DGA) in favour of less sophisticated hardcoded URLs. Both of these odd developments have convinced Trend Micro that Crilock.A is the work of copycats rather than the original Cryptolocker gang.
Targeting file sharers is a strange choice because, while it increases the chance that the malware will be downloaded, the potential list of victims is still far smaller than with the previous ‘official’ version.
Most interesting and perhaps revealing of all, Crilock.A adds the ability to infect removable drives. This worm technique is as old as the hills and, although it slows the malware's spread, it does ensure a degree of longevity. On the other hand, while it can hide on drives for years to come, by the time it activates it will probably be detected by every security programme in existence.
ESET has published a full list of the differences between Cryptolocker and Crilock.A/Cryptolocker 2.0 on its website.