

Interesting Approach by the Profiteering Malware Author


Carol Haynes:
It hardly plugs their AV product if they are appealing to the public for help to solve the problem  :-\

mwb1100:
The best bet would probably be catching the malware while it's doing its nasty crap, and doing a process memory dump to extract the keys.

That, or find out how to link the "unique ID" with the key.
-f0dder (June 11, 2008, 09:34 AM)
--- End quote ---

I'd guess that the "unique ID" is the RC4 encryption key that has itself been encrypted with the RSA public key.  I'd also guess that the RC4 key is a randomly generated value that gets created right before the encryption of your data files.  If you're able to "catch" the malware at this point, it's probably best to simply stop it rather than extract the keys.

One key to solving this problem (pardon the pun) for people who get hit with finding their data files encrypted is if there's a vulnerability in the RC4 key generation process - if that's the case it may be possible to recreate those keys without the help of the extortionist.  For example, if the malware author makes a mistake similar to the flaw found not too long ago for SSH key generation on Debian distributions, recovering the data would be pretty easy.  But that's a big "if".


Ehtyar:
In all fairness, I daresay cryptanalysis of RC4 as opposed to trying to factor 1024 bit RSA would yield far better results. RC4 is incredibly weak by comparison. Also, apologies for making the virus sound as though it were new, it was not my intention. As f0dder indicated, I did mention the seven previous variants at least.

Ehtyar.

[edit]
And why is it so difficult to catch the key with a debugger, as f0dder suggested?
-CWuestefeld (June 11, 2008, 11:32 AM)
--- End quote ---
I believe this indicates why this won't work, though it's far from an effective explanation. How the author can decrypt files protected by a randomly generated RSA private key I am unsure. Perhaps it is not his/her intention to ever provide the decrypter?

P.S. I do not use Kaspersky AV.
[/edit]

mwb1100:
How the author can decrypt files protected by a randomly generated RSA private key I am unsure. Perhaps it is not his/her intention to ever provide the decrypter?
-Ehtyar (June 11, 2008, 03:52 PM)
--- End quote ---

Note: In the following, I'm speaking about how the malware works based on what I believe to be the case from very sketchy information - I could be missing the boat entirely...

The RSA key is not randomly generated - the RC4 key is.  Then that key is encrypted using the RSA public key.  At this point only a person who holds the corresponding RSA private key can recover the RC4 key.

The approach that Kaspersky seems to be advocating is trying to organize a distributed network of computers (similar to SETI@home) to brute force the RSA private key.
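The scheme mwb1100 reconstructs above, as an added example that is not part of the original thread and not code from any actual malware sample: a fresh random RC4 key encrypts the data, the RSA public key wraps that key into the "unique ID", and only the private-key holder can unwrap it. The RC4 routine is the standard algorithm. The RSA keypair is a toy built from two Mersenne primes (an assumption for illustration, far smaller than the 1024-bit key discussed here, and with no padding), and `weak_key` is a hypothetical stand-in for a Debian-style low-entropy generator. It also shows the two victim-side recovery paths raised earlier in the thread: a key captured from a memory dump, and brute-forcing a weak key generator against a known plaintext prefix.

```python
"""Hybrid RC4-under-RSA extortion scheme as reconstructed in this thread,
plus two recovery paths (memory-dumped key, weak key generator).
Added illustration only; not code from the page or from any malware."""
import hashlib
import os


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key-scheduling (KSA) then keystream XOR (PRGA).
    Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Toy textbook RSA. ASSUMPTION for illustration: two Mersenne primes give a
# ~150-bit modulus, nowhere near the 1024-bit key the thread discusses, and
# there is no padding. Do not reuse this as real cryptography.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def rsa_encrypt_pub(m: int) -> int:
    return pow(m, E, N)


def rsa_decrypt_priv(c: int) -> int:
    return pow(c, D, N)


def infect(plaintext: bytes, keygen=lambda: os.urandom(16)):
    """Per-victim step as the thread reconstructs it: fresh RC4 key, data
    encrypted with it, key wrapped under the RSA public key (the 'unique ID').
    The raw RC4 key is returned only to model what a process memory dump
    would capture; the malware itself would discard it."""
    rc4_key = keygen()
    unique_id = rsa_encrypt_pub(int.from_bytes(rc4_key, "big"))
    ciphertext = rc4(rc4_key, plaintext)
    return unique_id, ciphertext, rc4_key


def extortionist_recover(unique_id: int, ciphertext: bytes) -> bytes:
    """Only the holder of D can unwrap the unique ID back to the RC4 key."""
    rc4_key = rsa_decrypt_priv(unique_id).to_bytes(16, "big")
    return rc4(rc4_key, ciphertext)


def weak_key(seed: int) -> bytes:
    """HYPOTHETICAL low-entropy generator standing in for a Debian-style
    flaw: the 'random' key is a deterministic function of a small seed."""
    return hashlib.sha256(seed.to_bytes(2, "big")).digest()[:16]


def bruteforce_weak_key(ciphertext: bytes, known_prefix: bytes, seed_space: int):
    """Victim-side recovery with no private key: enumerate the seed space and
    test each candidate against a known-plaintext prefix (e.g. a file header).
    RC4 is a stream cipher, so checking only the prefix is enough."""
    for seed in range(seed_space):
        cand = weak_key(seed)
        if rc4(cand, ciphertext[:len(known_prefix)]) == known_prefix:
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample input: a fake PDF whose header is known plaintext.
    doc = b"%PDF-1.4 constructed sample document, confidential." * 4
    uid, ct, dumped_key = infect(doc)
    assert extortionist_recover(uid, ct) == doc       # attacker's path
    assert rc4(dumped_key, ct) == doc                 # memory-dump path
    uid2, ct2, _ = infect(doc, keygen=lambda: weak_key(4000))
    found = bruteforce_weak_key(ct2, b"%PDF-1.4", 4096)
    print("weak-generator key recovered:", found is not None and rc4(found, ct2) == doc)
```

Note what the unique ID does and does not give a victim: with a sound RNG the only things that decrypt the file are the private exponent (attacker's path) or the RC4 key itself captured before the process discards it; the brute-force path only exists because `weak_key` collapses the key space to a few thousand seeds.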

Carol Haynes:
They will need a net as big as SETI if the virus proliferates! Guess what - that net would be the next target!
