BaCa writes "Kaspersky Lab found a new variant of Gpcode which encrypts files with various extensions using an RSA encryption algorithm with a 1024-bit key. After Gpcode.ak encrypts files on the victim machine, it changes the extension of these files to ._CRYPT and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a decryptor. Is this a look into the future where the majority of malware will function based on extortion?"
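Added example, not from the original thread and not Kaspersky's or the malware author's code: a small Python scan that a responder could run over a file share to find folders showing the two indicators the summary names, the `._CRYPT` extension and the `!_READ_ME_!.txt` note. It assumes the suffix is appended to the original filename (so `thesis.doc` becomes `thesis.doc._CRYPT`); if the variant replaces the extension instead, `original_names` would only return the stem. The sample directory tree is constructed inside the script.

```python
"""Scan a directory tree for the file-system indicators the write-up
attributes to Gpcode.ak: files renamed with a `._CRYPT` extension and a
`!_READ_ME_!.txt` ransom note dropped in the same folder.
Added illustration; not Kaspersky's code and not the malware's."""
import os
import tempfile

CRYPT_SUFFIX = "._CRYPT"        # extension the summary says Gpcode.ak applies
NOTE_NAME = "!_READ_ME_!.txt"   # ransom note name from the summary


def scan_for_gpcode(root):
    """Return {folder: {"crypt_files": [...], "note": bool}} for every
    folder under `root` that holds at least one of the two indicators."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        crypt = sorted(f for f in files if f.endswith(CRYPT_SUFFIX))
        note = NOTE_NAME in files
        if crypt or note:
            hits[dirpath] = {"crypt_files": crypt, "note": note}
    return hits


def original_names(crypt_files):
    """Strip the appended suffix to recover the victim files' names, which
    is what you match against a backup catalogue before restoring.
    Assumes the suffix was appended, not substituted for the extension."""
    return [f[:-len(CRYPT_SUFFIX)] for f in crypt_files]


def build_sample_tree(root):
    """Constructed sample: one folder that was hit, one that was not."""
    hit = os.path.join(root, "Documents")
    clean = os.path.join(root, "Music")
    os.makedirs(hit)
    os.makedirs(clean)
    for name in ("thesis.doc._CRYPT", "budget.xls._CRYPT", NOTE_NAME):
        with open(os.path.join(hit, name), "w"):
            pass
    with open(os.path.join(clean, "song.mp3"), "w"):
        pass
    return hit, clean


def demo():
    """Build the sample tree, scan it and summarise what was found."""
    with tempfile.TemporaryDirectory() as root:
        hit, _clean = build_sample_tree(root)
        hits = scan_for_gpcode(root)
        return {
            "hit_folders": len(hits),
            "crypt_count": len(hits[hit]["crypt_files"]),
            "note_present": hits[hit]["note"],
            "originals": original_names(hits[hit]["crypt_files"]),
        }


if __name__ == "__main__":
    print(demo())
```

The note-present flag matters on its own: a folder with the ransom note but no `._CRYPT` files is still worth looking at, since the scan may have caught the malware part-way through a directory.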
Question is, does the encryptor rewrite the data in-place, or just encrypt to a new file then delete the original? If the latter, the data is still recoverable with a simple undelete utility.
by Anonymous Coward on Thursday June 05 2008, @05:06PM (#23675131)
... or from handy backups...
besides... do you really expect to get your data back after a hack like that? Your system is hosed; any correspondence with the malware author is only going to lead to more loss.
you got pwnd, restore from backup, call the FBI if you're a good corporate citizen and have nothing to hide. Otherwise, get a Mac.
I would happily contact the criminal and send them $1 after working with my bank and law enforcement to set up an account trace to see where the money goes and who ends up with it.
> I would happily contact the criminal and send them $1 after working with my bank and law enforcement to set up an account trace to see where the money goes and who ends up with it.
Allow me to tell you how the money trail on this works:
You are asked to send money through Western Union or some other provider that doesn't check your ID for amounts smaller than a few thousand USD. Then they send some bum to one of the thousands of WU offices, somewhere on this planet, with the withdrawal code. And only once they get your money, you get your decryption key.
So, now you know where the money ends up, and why police can't do jack about it.
Wait a minute... Western Union has absolutely nothing in place to flag illegal payments? You can't fill out the form saying the money is for blackmail?
Jeez. If not, I'd fill out the form saying the payment was to help Osama Bin Laden buy some Yellow Cake Uranium-flavoured rolling papers that had pictures of Child Porn on one side, and copyrighted Metallica lyrics and Vista Activation codes on the other. Surely one of our country's many Big Brother agencies would ensure the blackmailer had a quick career change.
There are real banks in Nigeria, owned by the ruling ethnic group; that's where the billions of dollars from oil go. The rulers get their money while those who live where the oil comes from, the Niger Delta [realclearpolitics.com], have to fight for scraps.
by Anonymous Coward on Thursday June 05 2008, @08:08PM (#23677049)
Anyone with half a brain will not give out their bank account details when blackmailing someone.
I beg to differ. Prince Omadeke has been very forthcoming with all the bank details, officially signed documents, and necessary guarantees to ensure our secret transaction is carried out according to all successful modalities.
He did say "good corporate citizen", so if you are not paying for it, you obviously have something to hide and should be reported.
You may think this is just a joke, but when my second college roommate saw me using an unfamiliar operating system, he naturally started asking me about it. "What's it called?" "Red Hat Linux." "How much does it cost?" "Nothing, it's free." He freaked out: "Oh my God, how can that be legal? That could cost Microsoft so much in lost profits! That should really be illegal..."
The worst part? He was a business major, an honest-to-goodness PHB in training...
> If the latter, the data is still recoverable with a simple undelete utility.
No it isn't.
Okay, it might be. Imagine it repeating the process on many files, each time a new file is written it may fill the space of the last deleted one. This also depends on the file system, OS strategy, file sizes, etc.
Using an undelete utility means you risk recovering many corrupt files. That may be better than nothing or sending money to a malware author, which as much as I hate to say it may legitimately be classed as "funding terrorism".
by Anonymous Coward on Thursday June 05 2008, @05:14PM (#23675263)
Does it matter? I have backups.
And how often do you roll through your backups? Will you notice the encrypted files in time, or will you end up backing up the worthless files instead?
I have plenty of important files which I don't look at very often. It might take months before I realize they are corrupted -- and by that time, I've overwritten the last valid backup with the encrypted stuff.
Unless you have space for infinite backups, his method is right. At some point, you'll run out of space and have to delete old backups to make room for the new ones.
Given properly rolling backups, you don't just keep dailies for the past month. You keep dailies for a week, and weeklies for a month, and monthlies for however long you have space for.
And given that most people work in files which are essentially text or the moral equivalent (Word docs, etc), it's likely that you do, in fact, have enough space for a very, very large number of backups.
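Added example (not part of the thread): the rolling scheme described above written as a retention function, run against a constructed scenario in which files were encrypted 56 days before anyone noticed. A daily-only rotation of 30 copies has already overwritten every clean restore point, while the daily/weekly/monthly rotation still holds the end-of-month copies from before the damage. The dates, the policy sizes and the 2008-04-10 infection day are assumptions made for the illustration.

```python
"""Grandfather-father-son backup retention, as an added illustration of
the rolling scheme described in the comment above. Not a real backup tool."""
from datetime import date, timedelta


def select_retained(backup_dates, dailies=7, weeklies=4, monthlies=None):
    """Keep the newest `dailies` backups, the newest backup from each of the
    newest `weeklies` ISO weeks, and the newest backup from each of the
    newest `monthlies` calendar months (None = one per month for as long as
    there is space). Returns the sorted list of backup dates to keep."""
    dates = sorted(set(backup_dates), reverse=True)   # newest first
    keep = set(dates[:dailies])
    weeks_seen, months_seen = [], []
    for d in dates:
        week = d.isocalendar()[:2]          # (ISO year, ISO week number)
        if week not in weeks_seen:
            if len(weeks_seen) < weeklies:
                keep.add(d)                 # newest backup of this week
            weeks_seen.append(week)
        month = (d.year, d.month)
        if month not in months_seen:
            if monthlies is None or len(months_seen) < monthlies:
                keep.add(d)                 # newest backup of this month
            months_seen.append(month)
    return sorted(keep)


def has_clean_copy(retained, corruption_started):
    """True if at least one retained backup predates the day the files were
    first encrypted, i.e. a restore point that still holds the real data."""
    return any(d < corruption_started for d in retained)


def demo():
    # Constructed scenario: one backup every day for 120 days up to the
    # thread's date, the files encrypted on 2008-04-10 (assumed), and the
    # damage only noticed on 2008-06-05, 56 days later.
    last = date(2008, 6, 5)
    dates = [last - timedelta(days=i) for i in range(120)]
    started = date(2008, 4, 10)
    daily_only = select_retained(dates, dailies=30, weeklies=0, monthlies=0)
    gfs = select_retained(dates)    # 7 dailies, 4 weeklies, unlimited monthlies
    return {
        "daily_only_count": len(daily_only),
        "daily_only_clean": has_clean_copy(daily_only, started),
        "gfs_count": len(gfs),
        "gfs_clean": has_clean_copy(gfs, started),
        "gfs_oldest": min(gfs),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The policy only helps if the monthly copies are actually kept apart from the daily rotation; the point of the thread's worry is that a scheme which overwrites its oldest copy first has no memory of the day before the malware ran.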
> And how often do you roll through your backups?
Try 'never, I use one-time recordable optical media'.
I realize some people use 'rewritable' media for backups, and have this 'roll over' issue, but the only part of my backup that does roll over is the redundant external HDD for 'critical' data that I don't trust entirely to DVD media, even if I only buy grade 1 media...
I don't have a small data set either, I have over 1 TB of stuff on optical discs, but surprisingly only about 30 gigs that is important enough to go to a redundant hdd.
It displays a message when it does it, presumably so that the virus-runner will know that they need to pay someone to decrypt their file. That makes it pretty un-scary: it tells you when to restore. Of course, since your machine is compromised, maybe the "restore" really just overwrites your tape.
> It might take months before I realize they are corrupted
In which case the virus writer never gets paid, since his Yahoo email account is probably long disabled by then.
There's no point in delaying extortion. The kind of people who decide to run malware are the same kind of people who don't have any backups, so they're ready to collect from immediately.
An important part of the backup process is to occasionally test the backups to make sure that they can be restored properly. Corrupted backups suck, but do happen. I test my personal ones pretty regularly. I test my work ones on a set schedule. You should too.
Reminds me of... the Casino Virus [youtube.com]. Perhaps because of the similar concept of "holding data hostage".
The virus takes your FAT and stores it in RAM. Then lets you play a slot-machine game. If you win, you get your data back. If you lose, you lose your data. Some other combination of characters (in the slot machine) gives you the virus-writer's phone number.
how are the criminals supposed to get their money?
Fear, and adware. For example, if this virus becomes really widespread, the malware author could create a rouge anti-virus program that promises to get rid of it, and might even get rid of it, the downside is, it infects the host machine with adware giving the author $$$. Otherwise he can simply modify the script to not only encrypt it but add some adware into there. If you have root, there isn't much you can't do.
Seriously. In order for extortion to work, money has to change hands. Money can be traced, easily (don't believe what they say about Western Union). This is a great way to track down and capture the people who are spreading the virus. And the people whose files are encrypted could as easily have seen those files deleted, or worse. So it's no difference to them, except that they now have a hand in putting a crook behind bars.
The virus tossers are actually making their situation worse by turning to extortion. But they weren't all that bright to start with.
by Anonymous Coward on Thursday June 05 2008, @05:02PM (#23675081)
The fundamental problem with harebrained schemes like these is that the money has to change hands somehow, and there's a fundamental trust issue. First, if money gets transferred to you then you are susceptible to being caught.
The trust issue is that there is fundamentally no reason for the person receiving the money to follow through and send you the private keys to decrypt the data. If it was a known person, they'd be arrested, and since they're unknown there is no "reputational" factor that would make people more likely to pay based on the experience of others.
Just another moron criminal scheme from some douchebag who thinks he's found a get rich scheme. Just like other "genius" criminals, the fact is that the professionals in the field are smarter than the criminals.
This same thing happened in the late 80's (or maybe early 90's). Some hackers mailed a 5.25 inch floppy with some "free" software on it to thousands of people around the world. When you installed the software, it would hijack your PC and encrypt various files and you had to pay a ransom to get it back. There was an EULA and everything with the disk (which of course nobody read) which made it clear what would happen if you installed the disk.
Perhaps someone can remember what it was called.
This was done recently, perhaps two or three years ago. I believe it encrypted everything in My Documents and asked for payment to unencrypt it. Turns out they used the same key every time. Article from 2006 here.
Do people still keep stuff in "My Documents"? Ya'd think that after all of the very public worms, viruses, malware, and phoning-home that people would learn to make their own "My Stuff" folder (if not regularly back up and/or encrypt their important data).
I'm not going to worry about this.
I'm sure the fine folks of our Government are watching everything that happens on my computer & will promptly decrypt my files for me using their built-in back doors.
by Anonymous Coward on Thursday June 05 2008, @05:21PM (#23675367)
My computer was infected by this virus... luckily all my files were already encrypted so all it did was make plain-text versions of everything and leave me a file asking for a donation
*ransom note received composed of random letters clipped from newspaper*
"We have encrypted your illegally copied music files. Put $5000 in unmarked bills in a plain brown paper sack and mail it to: RIAA Washington, D.C. no later than midnight tonight or you'll never listen to your music again"
..but seriously, folks, this starts to sound like some sort of weird 419 scam. They're not going to decrypt your files even if you pay them, and I'll bet you a whole DOLLAR that if you're stupid enough to contact them, they accept only CREDIT CARDS as payment. Chances are that the data isn't even really encrypted; it's just plain overwritten and GONE, copied over with gobbledegook random data, and you'll just get your identity stolen on top of never getting your files back. On the other hand they think they're being really clever, I'm sure, and the ones that think they're clever are usually the ones that get caught quickly and go to jail for a long, long time.
Uh, if 1024-bit RSA was broken, the world of encryption security would collapse (at least for the short term). Could it happen? Sure, it's possible. Will it happen in time to save your pr0n collection? Highly unlikely.
For one thing, compromise of RSA encryption would render SSL useless.
The last version was eventually "cracked", because the virus used the same key for all the encrypted files so once someone paid up they could distribute the key.
As it was pointed out by another poster, no, 1024-bit RSA is not sufficiently strong. Recent papers have demonstrated that factoring a 1024-bit key is now within practical reach. See for example this PhD dissertation from a student whose advisor was Shamir (the S in RSA FYI), which estimates that cracking a 1024-bit key would cost a few million US dollars [mit.edu].
Sure, at this point only a small number of organizations have a few million dollars to spare on cracking RSA, but this is beside the point. The flaw is sufficiently serious that security standards are now recommending 2048-bit RSA keys minimum.
What I am talking about are relatively recent developments; it is not very well known that 2048-bit is the minimum recommended length. This is why 1024-bit keys are still widely used everywhere. My bank (www.wellsfargo.com) uses a 1024-bit key...
Damn. 2000 bits of binary... Every single bit added to a binary key exponentially increases the resulting protection.
This is a common mistake that non-cryptographers make. The above is true only for symmetric algorithms. For asymmetric ones, like RSA, this is false. A 2001-bit RSA key is not twice as hard to crack as a 2000-bit key. This is why, for example, the NIST recommendations list different key lengths depending on the type of crypto (sym vs. asym). For introductory-level material I suggest Cryptographic key length [wikipedia.org].
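Added illustration of the point above (not from the thread): the cost of factoring grows sub-exponentially in the modulus size, so one extra bit barely moves it, while one extra bit of a symmetric key doubles a brute-force search. The script uses the heuristic general number field sieve asymptotic L_n[1/3, (64/9)^(1/3)] with the o(1) term dropped, which is adequate for comparing key sizes against each other but is not an absolute running-time estimate and is not the figure the dissertation cited above arrives at.

```python
"""Why an extra RSA bit is not an extra bit of security: compare the
heuristic GNFS factoring cost with symmetric brute force.
Added illustration; the constants are the textbook GNFS exponent."""
import math


def gnfs_log_effort(bits):
    """Natural log of the heuristic GNFS work estimate
    L_n[1/3, (64/9)^(1/3)] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3))
    for an RSA modulus n of the given bit length, o(1) term dropped."""
    ln_n = bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def rsa_effort_ratio(bits_from, bits_to):
    """How many times harder factoring a bits_to modulus is than a
    bits_from one under the estimate above."""
    return math.exp(gnfs_log_effort(bits_to) - gnfs_log_effort(bits_from))


def symmetric_effort_ratio(bits_from, bits_to):
    """Brute force against a symmetric key: every added bit doubles the work."""
    return 2.0 ** (bits_to - bits_from)


def security_bits_gained(bits_from, bits_to):
    """Extra 'bits of security' from growing an RSA modulus: log2 of the
    effort ratio. Doubling 1024 to 2048 buys roughly 30 bits, not 1024."""
    return math.log2(rsa_effort_ratio(bits_from, bits_to))


if __name__ == "__main__":
    for a, b in ((2000, 2001), (1024, 2048), (2048, 3072)):
        print(f"RSA {a}->{b}: x{rsa_effort_ratio(a, b):.3g} "
              f"(~{security_bits_gained(a, b):.1f} bits of security); "
              f"symmetric {a}->{b}: x{symmetric_effort_ratio(a, b):.3g}")
```

Running it shows the 2000-to-2001-bit step costing the attacker a factor of about 1.02, while the same step on a symmetric key costs a factor of 2; this is the shape behind the separate asymmetric and symmetric columns in the NIST tables the comment mentions.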
Fortunately, brute force attacks aren't necessary. If one can read the memory space used by the 'decryptor' one can find the key in seconds.
This is why movie content will 'never' be immune to cracking. In the case of this virus, the decryptor is sent to you over the internet if you pay the money, but having a good backup scheme also defeats the need to brute force. Having a good security setup should negate even the need for backups, by preventing infection in the first place.
So always have a competent hardened firewall device like Smoothwall Express, never download attachments (webmail helps a lot in this arena, along with a secure browser and a phishing-aware user/browser add-on), avoid Windows like the plague, but if you must run Windows make sure it can only get access to the actual ports of the programs you actually use on it. And never run as administrator, unless you really genuinely need to do something that can't be done as a normal user.
Trusting a 'commercial' 'hardware' router to protect a Windows machine is insane; even if you've replaced the firmware with some variant of Linux, it's Still Not hardened like Smoothwall...
Fine if you have all Linux/BSD machines, but Windows has as much security as the emperor had new clothes, even with a $$$ security suite. Sad but true: only 0% of tested Windows security software could stop 50/50 2006/2007 known rootkits/malware post-install... the best was, I think, being able to remove 7/50 and 13/50 if it had actually gotten installed. Specialized tools were also tested, not just suites.
The point being, if you must run Windows, remember that a piece of paper stands more chance of surviving a nuclear blast at point blank than Windows has of being de-rooted without a format.
But were they smart, or stupid? (Score:5, Interesting)
Re:But were they smart, or stupid? (Score:5, Insightful)
> where the money goes and who ends up with it.
Yeah, because they'd never have thought of that.
Re:But were they smart, or stupid? (Score:5, Informative)
"And only once they get your money, you don't get your decryption key."
There, fixed that for you. :-)
Re:But were they smart, or stupid? (Score:5, Funny)
As a telegram? Do they still exist?
Re:But were they smart, or stupid? (Score:5, Funny)
He did say "good corporate citizen", so if you are not paying for it, you obviously have something to hide and should be reported.
Damn commie scum.
Re:But were they smart, or stupid? (Score:5, Insightful)
I hope you promptly yelled "WHAT THE FUCK IS WRONG WITH YOU?!" and slapped some sense into him.
Re:But were they smart, or stupid? (Score:5, Funny)
But a crimson anti-virus program can detect a rouge one.
Is this the future? (Score:5, Funny)
I don't know! Stop asking me those questions all the time. Is it obligatory to end every blurb with a question, or what?
Re:This has been done before (Score:5, Informative)
The Aids information disk:
http://www.jahewi.nl/malware/ransomware/ransomware.html [jahewi.nl]
Re:This has been done before (Score:5, Informative)
http://news.bbc.co.uk/2/hi/technology/5038330.stm [bbc.co.uk]
The magic key is:
mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
Re:This has been done before (Score:5, Funny)
America On Line?
All your dataz (Score:5, Funny)
Jack Hacker: How are you gentlemen? All your data are belong to us.
Actually it's called Ransomware (Score:5, Informative)
Encrypting your files and extorting you has been around since 1989: http://en.wikipedia.org/wiki/PC_Cyborg_Trojan [wikipedia.org]