FireEye Uncovers New Cyber Threat Used to Monetize Infected PC's, Offers Victims of Vundo FileFix Pro Extortion Scheme Free Service to Unlock Files

March 26, 2009 at 12:00 AM EDT

Milpitas, California - Mar 26, 2009 – FireEye, Inc., the leader in global anti-malware and anti-botnet protection, announced today that it has developed a free Web service for victims of the Vundo FileFix Pro extortion scheme. The FireEye Malware Intelligence Lab discovered that Vundo had undergone an evolutionary shift in business model. Beyond tricking users into downloading a fake antivirus program, Vundo now encrypts victims' files, essentially denying access to the files unless the victim pays a fee for a program called FileFix Professional, which decrypts the files. Vundo's new ransomware functionality locks the user out of every important file in their "My Documents" folder, ranging from Microsoft Office to Adobe PDF files, until the victim agrees to pay a $60 ransom demand.

"It's really sobering to see cyber criminals use stealth malware on a massive scale to hold data ransom," said Alex Lanstein, senior security researcher at FireEye. "We were all fortunate this version of Vundo used a basic level of encryption, but it serves as a sinister omen for future malware tactics to come."

Vundo is a generic Trojan that is well known for pushing Web pop-ups that fool victims into thinking they have malware on their PC. Vundo offers to clean up the non-existent malware by selling rogue applications like XpAntiVirus and WinFixer (so-called 'scareware'). In this current situation, Vundo's criminal operators have escalated the attacks on victims by pushing a new piece of Web-based malware that encrypts victims' documents, rendering them unreadable by the original PC applications. Then, FileFix Pro is offered to 'fix' the files (aka 'ransomware'). The FileFix Pro application can be installed as a trial version or as a full, licensed version when purchased.

By analyzing encrypted victims' files and understanding the trial version of FileFix Pro, FireEye has developed a decryption tool for victims of the Vundo extortion attempt. Victims can decrypt (unscramble) their files using FireEye's free web-based service available at Local decryption tools are also available. More details about the actual attack and tools available are on the FireEye Malware Intelligence Lab's blog,

The FireEye security appliances and FireEye Malware Analysis & Exchange (MAX) Network service together provide comprehensive anti-malware and anti-botnet protection. FireEye appliances use virtual victim machines to analyze enterprise networks for Web-malware and related bot activities on compromised machines. The FireEye MAX Network is a globally deployed malware discovery and analysis service that provides subscribers with the most current botnet and Web malware intelligence to complement on-premise anti-malware security appliances. It catalogs and disseminates security intelligence such as the inbound attack vector as well as the outbound call-back channels used to steal data. This is all derived from malware analyses which are conducted by interconnected networks of FireEye security appliances selectively deployed at service providers around the world. FireEye's solution offers the industry's first complete global and local anti-malware protection to precisely identify, understand, and stop emerging botnet and Web malware threats.

FireEye, Inc. is the leader in anti-malware and anti-botnet protection, enabling organizations to protect critical intellectual property, computing resources, and network infrastructure against Web malware and botnet infiltration. Today's most damaging attacks are perpetrated through Web malware that forms into highly organized botnets, or networks of remotely controlled, compromised machines. FireEye delivers a complete solution that is designed from the ground up to detect and protect organizations from advanced Web malware and botnets through global and local intelligence and analysis. The company is backed by Sequoia Capital, Norwest Venture Partners, JAFCO, SVB Capital, DAG Ventures, and Juniper Networks. For more information, contact (408) 321-6300 or email:


©2006-2009 FireEye, Inc. All rights reserved. FireEye and the FireEye logo are registered trademarks of FireEye, Inc. in the United States and/or other countries. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.