This report contains a description of the more obscure, previously undocumented traits belonging to the GPCode/Glamour trojan. The code is a modified version of the Prg/Ntos family which was detailed in depth during our Encrypted Malware Analysis in November 2006. While a majority of the functionality has not changed since then, this recent variant is distinctive enough to warrant additional research. In particular, the trojan is now equipped with the ability to encrypt a victim’s files on disk. The motive for adding this feature is clearly monetary, as the victim is advised that the files will remain encrypted unless $300 is turned over to the authors, in exchange for a decryption utility.
This trojan also retains the API-hooking functionality used to steal information from victims, just as earlier variants did. As an update, in the 8 months since November we have recovered stolen data from 51 unique drop sites for use with Intellifound. The 14.5 million records found within these files came from over 152,000 unique victims.
In the forthcoming analysis, we will explore the key points of interest regarding this new file-encryption feature. We will also present how the encryption algorithm was reverse engineered to build our own decryption program, how users can help protect their file systems in the future, and some interesting tidbits of information that are only revealed through binary disassembly.
GPCode Evolution Report is available here.