Earlier this week, government, public sector and networks of private companies were hit hard by a new wave of crypto malware named Trojan-Dropper.Win32.Dorifel. Computers were shut down and the old-fashioned type writers that were gathering dust in the basement reappeared in the work place. For a moment I even thought this was funny.
The Dorifel Trojan scans network shares, local drives and USB connected drives for executables and Microsoft Office (Word and Excel) documents. Documents and programs were replaced with a new executable file that has the .scr file extension. Currently, most affected users will not notice anything since the ‘documents’ open as usual. It looks like the malware is currently only interested in propagating itself to as many machines as possible. But it is not unlikely that the attackers will later start blocking the ‘documents’ and requesting a ransom fee for unblocking them.
This is bad news for the organizations that were hit. But what’s even worse is that the Trojan entered the networks through a variant of the Zeus/Zbot banking Trojan called Citadel. This means that this Trojan was already present on one or more computers inside the network for days, may-be weeks. In other words: the malware could already be snooping all electronic communication inside the organization, including stealing passwords of critical infrastructure, copying confidential documents, social security numbers, passport details, etc. without anyone (or anything) noticing (!)
Not being able to use your computer for a while, while system administrators are shutting them down, cleaning them and bringing them back into the network is very inconvenient. But it is even more worrysome that computers and networks have been infected for a much longer period without anyone noticing.