Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Sneaky Blackmailing Virus That Encrypts Data

Posted by timothy on Thu Jun 05, 2008 04:57 PM
from the ouch-and-double-ouch dept.
Security Encryption Operating Systems Software Windows Worms
BaCa writes "Kaspersky Lab found a new variant of Gpcode which encrypts files with various extensions using an RSA encryption algorithm with a 1024-bit key. After Gpcode.ak encrypts files on the victim machine, it changes the extension of these files to ._CRYPT and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a decryptor. Is this a look into the future where the majority of malware will function based on extortion?"
+ -
story

Related Stories

Submission: Sneaky Blackmailing Virus That Encrypts Data by Anonymous Coward
[+] Using Distributed Computing To Thwart Ransomware 361 comments
I Don't Believe in Imaginary Property writes "The folks at Kaspersky labs are turning to distributed computing to factor the RSA key used by the GPcode virus to encrypt people's files and hold them for ransom. There are two 1024-bit RSA keys to break, which should require a network of about 15 million modern computers to spend a year per key factoring them. Unfortunately, there appear to be no vulnerabilities in the virus' use of RSA, unlike some previous cases. Perhaps more interestingly, there's some debate over whether people should bother cracking it. After all, what if they were trying to trick us into factoring the key for a root signing authority? Besides, there's a more direct method of breaking the encryption: track down the people who wrote the virus and force them to talk."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Sneaky Blackmailing Virus That Encrypts Data 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • But were they smart, or stupid? (Score:5, Interesting)

    by pclminion (145572) on Thursday June 05 2008, @04:59PM (#23675029)
    Question is, does the encryptor rewrite the data in-place, or just encrypt to a new file then delete the original? If the latter, the data is still recoverable with a simple undelete utility.

  • LET'S HOPE SO (Score:5, Insightful)

    by blair1q (305137) on Thursday June 05 2008, @05:01PM (#23675051) Journal
    Seriously. In order for extortion to work, money has to change hands. Money can be traced, easily (don't believe what they say about Western Union). This is a great way to track down and capture the people who are spreading the virus. And the people whose files are encrypted could as easily have seen those files deleted, or worse. So it's no difference to them, except that they now have a hand in putting a crook behind bars.

    The virus tossers are actually making their situation worse by turning to extortion. But they weren't all that bright to start with.

  • Is this the future? (Score:5, Funny)

    by Anonymous Coward on Thursday June 05 2008, @05:01PM (#23675055)

    Is this a look into the future where the majority of malware will function based on extortion?

    I don't know! Stop asking me those questions all the time. Is it obligatory to end every blurb with a question, or what?

  • They think they're pretty clever. (Score:5, Insightful)

    by Anonymous Coward on Thursday June 05 2008, @05:02PM (#23675081)
    The fundamental problems with hairbrained schemes like these is that the money has to change hands somehow, and there's a fundamental trust issue. First, if money gets transferred to you then you are susceptible to being caught.

    The trust issue is that there is fundamentally no reason for the person receiving the money to follow through and send you the private keys to decrypt the data. If it was a known person, they'd be arrested, and since they're unknown there is no "reputational" factor that would make people more likely to pay based on the experience of others.

    Just another moron criminal scheme from some douchebag who thinks he's found a get rich scheme. Just like other "genius" criminals, the fact is that the professionals in the field are smarter than the criminals.

  • This has been done before (Score:5, Informative)

    by mrbill1234 (715607) on Thursday June 05 2008, @05:03PM (#23675085)
    This same thing happened in the late 80's (or maybe early 90's). Some hackers mailed a 5.25 inch floppy with some "free" software on it to thousands of people around the world. When you installed the software, it would hijack your PC and encrypt various files and you had to pay a ransom to get it back. There was a EULA and everything with the disk (which of course nobody read) which made it clear what would happen if you installed the disk. Perhaps someone can remember what it was called.

  • All your dataz (Score:5, Funny)

    by Anonymous Coward on Thursday June 05 2008, @05:08PM (#23675153)
    Joe User: Someone set us up the encryption. We get no data. Readme file turn on.
    Jack Hacker: How are you gentlemen? All your data are belong to us.

  • Gonna be ok (Score:5, Funny)

    by Joebert (946227) on Thursday June 05 2008, @05:21PM (#23675365) Homepage
    I'm not going to worry about this.
    I'm sure the fine folks of our Government are watching everything that happens on my computer & will promptly decrypt my files for me using their built-in back doors.

  • I got infected by this virus (Score:5, Funny)

    by Anonymous Coward on Thursday June 05 2008, @05:21PM (#23675367)
    My computer was infected by this virus... luckily all my files were already encrypted so all it did was make plain-text versions of everything and leave me a file asking for a donation

  • Yeah, sure, *that'll* work.. (Score:5, Insightful)

    by Duncan Blackthorne (1095849) on Thursday June 05 2008, @05:25PM (#23675425)
    *ransom note received composed of random letters clipped from newspaper*

    "We have encrypted your illegally copied music files. Put $5000 in unmarked bills in a plain brown paper sack and mail it to: RIAA Washington, D.C. no later than midnight tonight or you'll never listen to your music again"

    ..but seriously, folks, this starts to sound like some sort of wierd 419 scam. They're not going to decypt your files even if you pay them, and I'll bet you a whole DOLLAR that if you're stupid enough to contact them, they accept only CREDIT CARDS as payment. Chances are that the data isn't even really encrypted, it's just plain overwritten and GONE, copied over with gobbledegook random data, and you'll just get your identity stolen on top of never getting your files back. On the other hand they think they're being really clever, I'm sure, and the ones that think they're clever are usually the ones that get caught quickly and go to jail for a long, long time.

  • data ransom != blackmail (Score:5, Informative)

    by Deanalator (806515) <pierce403@gmail.com> on Thursday June 05 2008, @05:47PM (#23675719) Homepage
    This is data ransom, not blackmail.

  • Actually it's called Ransomware (Score:5, Informative)

    by ewhenn (647989) on Thursday June 05 2008, @06:12PM (#23675991)
    http://en.wikipedia.org/wiki/Ransomware_(malware) [wikipedia.org]

    The crypting your files and extort has been around since 1989 http://en.wikipedia.org/wiki/PC_Cyborg_Trojan [wikipedia.org]

    • Re:Anti-Malware Response (Score:5, Informative)

      by pclminion (145572) on Thursday June 05 2008, @05:02PM (#23675077)

      Uh, if 1024-bit RSA was broken, the world of encryption security would collapse (at least for the short term). Could it happen? Sure, it's possible. Will it happen in time to save your pr0n collection? Highly unlikely.

      For one thing, compromise of RSA encryption would render SSL useless.

      • Re:Anti-Malware Response (Score:5, Informative)

        by AmiMoJo (196126) <mojo@[ ]ld3.net ['wor' in gap]> on Thursday June 05 2008, @05:36PM (#23675583) Homepage
        The last version was eventually "cracked", because the virus used the same key for all the encrypted files so once someone paid up they could distribute the key.

      • 1024-bit RSA is NOT considered secure anymore (Score:5, Informative)

        by this great guy (922511) on Thursday June 05 2008, @06:22PM (#23676087)

        As it was pointed out by another poster, no 1024-bit RSA is not sufficiently strong. Recent papers have demonstrated that factoring a 1024-bit key is now within practical reach. See for example this PhD dissertation from a student whose advisor was Shamir (the S in RSA FYI), which estimates that cracking a 1024-bit key would cost a few million US dollars [mit.edu].

        Sure, at this point only a small number of organizations have a few million dollars to spare on cracking RSA, but this is beyond the point. The flaw is sufficiently serious that security standards are now recommending 2048-bit RSA keys minimum.

        What I am talking about are relatively recent developments, it is not very well-known that 2048-bit is the minimum recommended length. This is why 1024-bit keys are still wildly used everywhere. My bank (www.wellsfargo.com) uses a 1024-bit key...

          • Re:1024-bit RSA is NOT considered secure anymore (Score:5, Informative)

            by this great guy (922511) on Thursday June 05 2008, @08:46PM (#23677363)
            Damn. 2000 bits of binary... Every single bit added to a binary key does exponential increases to the resulting protection.

            This is a common mistake that non-cryptographers make. The above is true only for symmetric algorihtms. For asymmetric ones, like RSA, this is false. A 2001-bit RSA key is not twice harder to crack than a 2000-bit key. This is why for example the NIST recommendations list different key lengths depending on the type of crypto (sym vs. asym). For introductory-level material I suggest Cryptographic key length [wikipedia.org].

        • Re:Anti-Malware Response (Score:5, Informative)

          by kesuki (321456) on Thursday June 05 2008, @06:00PM (#23675839) Journal
          Fortunately, brute force attacks aren't necessary. If one can read the memory space used by the 'decryptor' one can find the key in seconds.

          this is why movie content will 'never' be immune to cracking. in the case of this virus, the decryptor is sent to you over the internet, if you pay the money, but having a good backup scheme also defeats the need to brute force. having a good security setup, should negate even the need for backups to prevent infection in the first place.

          so always have a competent hardened firewall device like smoothwall express, never download attachments (webmail helps a lot in this arena, along with a secure browser, and a phishing aware user/browser add-on) avoid windows like the plague, but if you must run windows make sure it can only get access to the actual ports of the programs you actually use on it. and never run as administrator, unless you really genuinely need to do something that can't be done as a normal user.

          trusting a 'commercial' 'hardware' router to protect a windows machine is insane, even if you've replaced the firmware with some variant of linux, it's Still Not hardened like smoothwall...

          fine if you have all linux/bsd machines, but windows has as much security as the emperor had new clothes, even with a $$$ security suite. sad but true, only 0% of tested windows security software could stop 50/50 2006/2007 known rootkit/malware post install... the best was i think being able to remove 7/50 and 13/50, if it had actually gotten installed. specialized tools were also tested, not just suites.

          the point being, if you must run windows remember that a piece of paper stands more chance of surviving a nuclear blast at point blank than windows has of being de-rooted without a format.

             

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.