Web Infection Holds Computer Files Hostage
> By TED BRIDIS, AP Technology Writer 11 minutes ago
> Computer users already anxious about viruses and identity theft have
> new reason to worry: Hackers have found a way to lock up the
> electronic documents on your computer and then demand $200 over the
> Internet to get them back.
> Security researchers at San Diego-based Websense Inc. uncovered the
> unusual extortion plot when a corporate customer they would not
> identify fell victim to the infection, which encrypted files that
> included documents, photographs and spreadsheets.
> A ransom note left behind included an e-mail address, and the attacker
> using the address later demanded $200 for the digital keys to unlock > the files.
> "This is equivalent to someone coming into your home, putting your
> valuables in a safe and not telling you the combination," said Oliver
> Friedrichs, a security manager for Symantec Corp.
> The FBI said the scheme, which appears isolated, was unlike other
> Internet extortion crimes. Leading security and antivirus firms this
> week were updating protective software for companies and consumers to
> guard against this type of attack, which experts dubbed "ransom-ware."
> "This seems fully malicious," said Joe Stewart, a researcher at
> Chicago-based Lurqh Corp. who studied the attack software. Stewart
> managed to unlock the infected computer files without paying the
> extortion, but he worries that improved versions might be more
> difficult to overcome. Internet attacks commonly become more effective
> as they evolve over time as hackers learn to avoid the mistakes of > earlier infections.
> "You would have to pay the guy, or law enforcement would have to get
> his key to unencrypt the files," Stewart said.
> The latest danger adds to the risks facing beleaguered Internet users,
> who must increasingly deal with categories of threats that include
> spyware, viruses, worms, phishing e-mail fraud and denial of service > attacks.
> In the recent case, computer users could be infected by viewing a
> vandalized Web site with vulnerable Internet browser software. The
> infection locked up at least 15 types of data files and left behind a
> note with instructions to send e-mail to a particular address to
> purchase unlocking keys. In an e-mail reply, the hacker demanded $200
> be wired to an Internet banking account. "I send programm to your
> email," the hacker wrote.
> There was no reply to e-mails sent to that address Monday by The > Associated Press.
> FBI spokesman Paul Bresson said more familiar Internet extortion
> schemes involve hackers demanding tens of thousands of dollars and
> threatening to attack commercial Web sites, interfering with sales or
> stealing customer data.
> Experts said there were no widespread reports the new threat was
> spreading, and the Web site was already shut down where the infection
> originally spread. They also said the hacker's demand for payment
> might be his weakness, since bank transactions can be traced easily.
> "The problem is getting away with it - you've got to send the money
> somewhere," Stewart said. "If it involves some sort of monetary
> transaction, it's far easier to trace than an e-mail account."
> Details:
formatting link
> Copyright 2005 The Associated Press.
> NOTE: For more telecom/internet/networking/computer news from the
> daily media, check out our feature 'Telecom Digest Extra' each day at
>
formatting link
. Hundreds of new > articles daily.
> [TELECOM Digest Editor's Note: But, as some of our Bright young
> readers would explain, "on internet there is no consensus on what
> is, and is not malicious."
Oh my, I see I've been "promoted" to a "bright young reader", by the esteemed moderator. I'm not exactly young, but he gets credit for getting things 50% right.
I will point out, yet again, that that remark was in regards to a proposal for a law that banned quote malicious activity unquote on the Internet. The point being was that that term is too broad and too vague to be _legally_ _enforceable_. To get a law that would pass judicial review, one would have to specify the _particular_kinds_ of acts that are to be proscribed.
Note: *all* computer viruses, 'zombie' infectors, etc. most 'spyware', and virtually all the 'browser hijacker' type stuff are *ALREADY*ILLEGAL* in the United States, under 18 USC 1030. Available on-line at: http:/
formatting link
*But* the enforcement of that law is lax-to-nonexistent.
A "new law" won't do diddly-squat about the problem without active enforcement.
And, if you _have_ active enforcement, you _don't_need_ any new laws.
Recommended reading: The FTC's "Report to Congress" on the practicality (or lack thereof) of a national "Do Not E-mail" registry, similar to the Do Not Call registry. Available on-line at:
While I disagree with a number of their conclusions regarding the viability of a Do Not Email registry -- there _are_ ways to do it that address the drawbacks they identify -- the really _interesting_ meat in the report has to do with the difficulty of prosecution of violators of existing law. See "C. Obstacles to Enforcement" starting on Page 23 of the report.
In 2003, Earthlink got over 45 million pieces of spam to the 'honeypot' addresses they run. They were able to link about 5% of those messages to an identifiable source. Barely 1/3 of the identifications were good enough that they could send a cease-and-desist warning letter.
That is what *over* _twelve_thousand_ man-hours of effort 'bought'. Call it half-a-million dollars worth of effort.
Another ISP reports over ONE THOUSAND man-hours expended in _preparing_ a lawsuit against *one* spammer.
Government prosecutions from the States of WA, and VA show similarly high costs:
"A prosecutor in Washington State spent four months and sent out 14 pre-suit civil investigative demands (CIDs) just to identify the spammer in one lawsuit. Likewise, in another case, it took the Virginia Attorney General, over the course of four months, multiple subpoenas to domain registrars, credit card companies, and Internet providers, and the execution of a search warrant, before having enough information to file a case against a spammer."
Or as another reader would explain, "there
> is no such thing as an internet; just a collection of sites, and
> we cannot tell another site how to operate."
What they do on _their_ own private property *IS* their prerogative.
Their 'right' to do so does not extend to coming onto _my_ private property to do it.
And the Bright young
> reader concurs, "nor does anyone on the net want things any
> different". PAT]
Show the 'bright young reader' that people are demanding that restrictions be put on _their_own_ activities -- as distinct from demands that limits be imposed on the actions of 'other people' -- and he will willingly change that to 'practically anyone'.
The situation is exactly like that with various kinds of 'morals' laws -- try to find _anyone_ who supports an anti-prostitution statute on the basis that "it will discourage _me_ from hiring prostitutes".
In many areas of the country, "pan-handling", and/or other forms of "spare change?" solicitation, on the streets is disallowed by law. Should equivalent pleas be allowed on the Internet, or not?