
Interesting Approach by the Profiteering Malware Author

Ehtyar:
It appears malware authors are getting more and more innovative in their approach to profiting from their activities. Kaspersky Labs have recently come across a new variant of the "Gpcode" virus. This little bastard first encrypts various file formats it finds on your computer, then drops a vbs file which deletes the primary executable, and subsequently recommends you email the author with a unique ID that will allow him to decrypt your files, a service for which you will be charged a sum at his/her whim.
For the previous 7 variants, the author has used RC4 to encrypt the files, and then encrypted the RC4 key with variable bit length RSA. The latest variant has moved up to using 1024 bit RSA, and now uses various emails to facilitate extortion of payment.
This virus seems to be proliferating at such an alarming rate that Kaspersky have taken the unprecedented step of asking the public for help in determining how best to combat this virus, and are even asking for suggestions on how to approach factorization of the keys. Providing that a fundamental weakness is not present in any aspect of implementation, the keys are, practically speaking, unbreakable.
I suppose it just goes to show that the mind of a good programmer is always seeking more efficient ways of achieving its goal.
More info here, here, and here.

Ehtyar.

[edit]
Added some extra info
[/edit]

Renegade:
I don't think this is a new attack style. I remember a number of years ago hearing about "ransomware", which is the same as described above. It would lock things up, then demand a ransom for it.

The first example of it (from the Wikipedia article above) was from 1989.

The issue now is probably the number of infections is just higher. <cynicism>Oh, and that it makes for a great news story to plug your antivirus product.</cynicism>
f0dder:
It's definitely not new, Renegade, and Ehtyar does mention that there are 7 previous variants - I think it's some years since I heard about this particular malware last. But using 1024-bit RSA, hmm... that's "pretty hard" to factor. The best bet would probably be catching the malware while it's doing its nasty crap, and doing a process memory dump to extract the keys.

That, or find out how to link the "unique ID" with the key. But that probably involves tracking down the author, checking his source code, and putting a bullet or two in his stomach.
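The memory-dump idea above, worked through as an added example (not code from the thread or from any Gpcode analysis). It assumes the Gpcode scheme as Ehtyar describes it, RC4 on the files with only the RC4 key wrapped in RSA, and a dump taken right after key scheduling; the key, document and "dump" are constructed samples.

```python
# Added example (not from the thread). Gpcode RC4-encrypts files and only RSA-wraps
# the RC4 key, but while it runs the expanded RC4 state (a 256-byte permutation
# of 0..255) sits in process memory in the clear: scan a dump for permutations
# and the recovered state regenerates the keystream with no RSA involved.
# Assumption: the state is captured right after key scheduling (i = j = 0).

def rc4_ksa(key):
    """Standard RC4 key scheduling: returns the 256-entry S-box."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s

def rc4_stream(state, n):
    """RC4 PRGA: n keystream bytes from a copy of state (i = j = 0)."""
    s = list(state)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def find_rc4_states(dump):
    """Offsets of every 256-byte window that is a permutation of 0..255."""
    full = set(range(256))
    return [off for off in range(len(dump) - 255)
            if set(dump[off:off + 256]) == full]

def recover(dump, ciphertext, magic):
    """Try each candidate state; accept the one whose decryption starts
    with the expected file magic (known plaintext), else return None."""
    for off in find_rc4_states(dump):
        ks = rc4_stream(dump[off:off + 256], len(ciphertext))
        plain = bytes(c ^ k for c, k in zip(ciphertext, ks))
        if plain.startswith(magic):
            return plain
    return None

# Constructed sample: the "malware" side, whose key the defender never sees.
_state = rc4_ksa(b"key-wrapped-with-rsa-elsewhere")
DOCUMENT = b"%PDF-1.4 quarterly report (constructed sample)"
CIPHERTEXT = bytes(c ^ k for c, k in zip(DOCUMENT, rc4_stream(_state, len(DOCUMENT))))
# Constructed "process dump": filler bytes around the RC4 state table.
DUMP = bytes([0xCC] * 300) + bytes(_state) + bytes([0xCC] * 300)
```

A real dump would more likely hold a state mid-stream (i and j nonzero) or one state per file, so a practitioner would also have to recover those counters or brute-force them against the known plaintext.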

scancode:
Rubber hose cryptanalysis!  :up:

40hz:
Why am I suddenly in support of waterboarding?  ;)
