Feeds

back to article Ransomware Trojan code break 'impractical'

A cryptographic expert has questioned the practicality of a code breaking initiative geared to cracking the key used in the dangerous Gpcode-AK ransomware virus. Gpcode-AK encrypts content on compromised PCs using a 1024-bit RSA key. In response, Russian net security firm Kaspersky Labs launched an international code-breaking …

COMMENTS

This topic is closed for new posts.
Silver badge
Alert

Looks like a win-win for the cybercrooks.

Because this cyber-extortion employs technologies already used in the real world for security reasons, this racket essentially puts the security experts at the receiving end of the problem--the trickster becoming the tricked. Apart from preventive measures, any attempt at the cure would be worse than the disease itself, since anything used to try to break the malware encryption (that's right) would just be turned around and used in those real-world encryptions protecting those oh-so-vital files.

Better to simply write off any malware-encrypted files as shredded and start over.

Next thing you know, these cyber-criminals will start encrypting the files AND then start shipping them off, piece by piece (since they're encrypted when they're transmitted, they'll be indistinguishable from Internet noise) to the virus writers (or some associated party) in an attempt to further extort or even exploit the victim.

0
0
Tom

I agree it's pointless

Even if it could be done with 15 million computer years of work, wouldn't we find they started using a different key and we had to start again?

0
0
Linux

Decoder application?

Wouldn't it be a bit cheaper to just buy a copy of the ransomware decoder software from the authors and pull the private key from it?

Or perhaps it is transmitting the files to a server to decrypt then returning them to people unencrypted? In which case surely some kind of raid for the server at the other end of the purchased decoder is pointing to would be the easiest way to get the key?

Seems a lot better than wasting 15 million years worth of electricity breaking the key, since it will take them all of 15 seconds to just generate a new key for the next version... but what do I know?

0
0
Anonymous Coward

erm

Why not just buy the decryption tool and reverse engineer the key?

0
0

why not...?

(assuming the decryption utility even exists)

just pay a single ransom and get a copy to reverse engineer?

0
0
Flame

Once again

Isn't it better to track the payment, catch them and ask "nicely" (with crowbar) for a key?

Why in our silly society we only try be nice and politically correct? F*ck this. Catch them and send them to China for interrogation and punishment!

0
0
Black Helicopters

Ah, maybe not.

"Buy the ransomware" AC again. OK, just read up and buying the ransomware is no good, since the files aren't actually encrypted with the key KL are trying to break, they are encrypted with a random symmetric key which is then encrypted with the public key. So the purchased software will have the key for your files, but only your files. Silly me, oh well :)

Guess the people who do get stung should buy the decryption prog and be more careful next time ;)

0
0

Pay the ransom?

Perhaps I'm not getting it, but it seems to me if someone actually paid the ransom (as distasteful as that would be) having the unencryption code would make unraveling the key fairly simple. Wouldn't that wind up being cheaper than all the man-and-computer hours involved in brute-forcing the beast?

0
0
Coat

No problem

Surely we can just give this to the police in the UK? Apparently they only take about 42 days to decrypt a computer.

0
0
Anonymous Coward

one ransom or hundreds.

Wouldn't it be easier for Kaspersky pay the ransom, get the decryption software and reverse engineer that to find the key?

Though you give the scammers a little money, they won't get nearly as much as if everyone has to pay them, and it must be much cheaper than brute forcing 1024 bits.

0
0
Anonymous Coward

@Doc Technical

Nope

http://en.wikipedia.org/wiki/Public_key_cryptography

0
0
Coat

One key down

.. and only 2^1024 - 1 keys to go! He's just going to change keys and redistribute the Trojan. In my experience, the quickest way to solve this problem is to backup your files regularly.

0
0

Here in the UK...

If the Ministry of Rational Policies decides to confiscate your computers after you have been infected with this virus, they can throw you in jail for the crime of witholding an encryption key from the police.

On the other hand, if you are asked to surrender your keys, the defence of 'it wasn't me, it was a virus' may be worth trying :).

0
0
Gates Halo

Recovery

It still doesn't wipe files or free disk space, just deletes, so pulling the power on the computer to avoid overwriting any disc space is a good option.

There are programs about designed specifically for the GPcode style attack and recovery from slack space.

Suprised it wasn't mentioned in the article as it's the current best method, the virus writer should have done at least one pass of zeros while time is short, and then continue for as long as possible, including the next boot.

0
0
Silver badge
Stop

or

we could just "reverse engineer" the guy who came up with the program... I think we've all Been Reading the bofh for long enough to know how.

0
0
Coat

If I wrote ransomware

All this encryption stuff is too complicated, I would fill the files with random gibberish then demand my ransom. When they pay up just laugh and run away with the money. It's so much easier when you don't have to be honest as it's not like you're expecting repeat business.

(Icon of me pickpocketing someone who hasn't kept backups)

0
0
Happy

F-Secure claim to have done it

F-Secure claim their software decrypts the files ...

"F-Secure Anti-Virus can detect and decrypt files encrypted by Gpcode trojan as well as it can detect and remove the trojan's file. If you are hit by this trojan and your files are encrypted, please scan ALL files on your hard disk and they will be decrypted."

http://www.f-secure.com/v-descs/gpcode.shtml

0
0

There's probably a unique key for each system

Buying one piece of decryption software to use for everyone probably won't work because I'd guess the system will be set up to generate a unique key for each system it infects. I think it would be easier to follow the cashflow, find out where it stops and break a few fingers. Its relatively simple for the puerps to cover their tracks when your system needs to communicate with them but its not so easy to cover a payment authorization.

There should be an island based detention facility going spare in the near future. Maybe we should stick these people in it with the suggestion that once they've cracked a 1024 bit RSA key they can go home.

0
0
Silver badge
Alien

For the unwritten Guarantee for Prime Performance......

"All this encryption stuff is too complicated, I would fill the files with random gibberish then demand my ransom. When they pay up just laugh and run away with the money. It's so much easier when you don't have to be honest as it's not like you're expecting repeat business." ...... By Anonymous Bastard Posted Saturday 14th June 2008 02:25 GMT

And for to right ransomware to handsome writeware .... It's so much easier when you have been honest as it's always expected for repeat business.

In the virtual world, the one which isn't really there but which definitely exists, and which is now the object/subject of all manner of contrived and assumptive PowerPlays by Control Freaks in the Establishment [Think Big Money/Old Money/Banking/Religion/WarMongers/Saints and Sinners/Crooks and Thieves] unless and until you are able to articulate your earnest desire honestly, will you always be offering what you are not selling an therefore are doomed to spinning a false yarn with conflicting ambiguity, your sorry soulmate/lead weight to bear.

That will always ensure that you never get what you do not share and always end up with what you do not want ....... which is most definitely NOT SMART. That also makes the Establishment Systems in the Virtual Environment ..... Vulnerable to Catastrophic Breakdown/Virtual TakeOver...... with nothing they can do to Stop IT.

The Wiser Establishment Player will Align and Diversify their Assets with and into Virtual Businesses which underwrite unwritten Guarantees for Prime Performance ...... for they Risk Losing All to Something which is not really there but definitely Exists to Milk them of their Assets, and all QuITE Legitimately and above Board [Level].

And it is most unlikely that you will ever know who you are actually dealing with.... but what would that really matter, if you were being Servered with everything that you really needed.

Some things you just don't actually Need to Know.

0
0
Flame

And we still haven't considered the DMCA angle

Wouldn't breaking this actually be illegal in the MPAA/RIAA/MAFIAA-friendly countries that has implemented DMCA-like laws? Afterall, such a move _WOULD_ be "breaking a copy-protection scheme", and as such the malware people could (under the DMCA laws) sue those responsible for the crack for "lost revenue"...

//Svein

0
0
Stop

Why do we put up with this?

Why do we put up with exploits like this year after year? The only reason they work is because the operating system they're running on is completely insecure. Any "security" is a band-aide, trying to hide the mass of holes underneath. If Windows were really secure, we wouldn't need third-party firewalls, anti-virus programs or malware removers because such things would be impractical. I'm not going to say that everybody needs to switch to Linux (although I recently did) because not everybody wants to learn how to use a new OS and its programs. All I'm asking is that Microsoft come out with a version of Windows that's as secure as Linux is. Considering how much Windows costs, they should be able to make it as safe to use as an OS you can get for free!

0
0

@ Phil

That's the OLD version of gpcode that f-secure can fix, so not so f-secure.

Version=2005-05-23_01

0
0
Max

Decryption...

According to this: http://www.f-secure.com/v-descs/gpcode.shtml an automated decryption solution is already available from f-secure?

0
0

And then comes the version with the 2048 bit key

The other day I was walking down the street with a gun and a shifty looking guy I didn't know came up to me and said "Hey, point that thing straight down and pull the trigger." I did, of course, as anyone would, and seriously injured my foot. Obviously this is not on.

I have contacted Browning, the manufacturer of my gun, and asked why they don't follow me around and give me a second opinion with reference to any advice I receive from untrusted strangers about what target I ought to fire upon, but they seem totally disinterested (typical of Browning!).

So thankfully Kaspersky Firearm Security Co. are investigating the possibility of developing a device which could be fitted to a handgun which could determine, when the trigger is pulled, whether the weapon is trained on the user's foot. Obviously this involves some pretty heavy image analysis but it's totally worthwhile. A lot of people use Browning firearms so this problem urgently needs to be solved, and a few million machine years of computation has got to be worthwhile.

0
0

trojan horse

Stranger idea. Imagine you need to break a key. Create a virus which overwrites the victims data with your encrypted data and telling them about the extortion.

In sympathy, the really smart guys, provide a mechanism to break it.

You then use the broken key to decrypt all the other data you have....

0
0
Anonymous Coward

Following the money...

..may not be so easy. For starters, there are ways of sending money between countries which can be abused to be completely untraceable (Western Union for example).

Added to this, the people who do this are most likely well-connected in their home country. As long as they don't target people there, they are unlikely to attract the interest of the authorities there, other than the collection of the regular bribes.

If you were to go there with the aim of "breaking a few fingers", it is likely you would end up dead and buried in a remote part of Siberian forest.

Best keep backups and avoid the problem altogether.

0
0

@Joe Jeff

WTF are you on about?

If you can point me to an OS where the user cannot run an application that encrypts their own files, then maybe your post has some merit.

An application that runs when a user tells it to, and all it does is encrypts files that the user has access rights on.... tell me exactly how on earth any OS is going to stop this?

This isn't a Windows exploit (like the majority of virus/malware infected users) - it's an application that is installed under the pretence of something else. Called a Trojan - look it up.

And there isn't a OS in the world that this wouldn't work on - unless humans are not allowed to touch it.

And regarding your Windows bashing - I want to double check with you... your Ubuntu (presumably as your technical knowledge seems to be lacking) box is plumbed into the internet without a firewall...? If that's the case, you really have little credibility posting here. Any OS - Windows, Mac, Linux SHOULD have a firewall in front of them. It's just common sense and best practice.

Whilst you don't seem to understand the concept of Trojan Horses, i'm going to explain it just to see..... If a user is logged onto a computer with administrator / root access then clicks on a "free screensaver" download - what has the OS done wrong? That's how malware is often installed. Users run as admins (as they prefer convience over security) and then download any old crap. Again - that is not a Windows exploit, but rather a social engineering trick with the payload written/compiled to run on a Win32 operating system.

Vista's UAC (similar to linux Sudu) wouldn't stop this if the user is an admin as they think they are installing screensavers. Again, on a Mac or Linux box the same applies - just get a user with root to try to install your malicious application - simply ensure the app is advertised as "britneynaked.exe" instead of "ransomware_virus.exe".

Very few infections are from worms or browser exploits. It's normally stupid users opening attachments / downloading apps whilst running as an administrator. This has nothing to do with the OS of choice - it's the end user that executed an application without knowing what it will do - resulting in actions that the user didn't want. The OS obeys the users commands and opens the app which encrypts files.

If you need correcting in more simple terms then I suggest a GCSE IT.... FFS

0
0
Anonymous Coward

Pay once approach

Why are people assuming only one key has been used?

If they thought about it they would generate a few thousand key pairs for encryption, and just kept a lookup.

There are many other ways as well, to layer in more security, why not use a few ciphers, and multiple keys.

No, the problem here for the cracker is making the pay day, the funds have to be wired somewhere, or picked up in some fashion, thats the weakness.

So, I suspect they will probably never give the key or receive the funds for many, they are probably looking for that one or two that will offer a big payout.

0
0
Silver badge

@Martin

I"m pretty sure the money trail will simply lead to a hostile or indifferent power, and there would be nothing you could do, as it'd be impossible to extradite or maybe even prosecute the originators. For all we know, the government could be getting a cut on the side so as to keep quiet.

@Joe: A lot of the insecurities of the OS don't come from the OS but from the user. You could make the most secure OS in the world, but an incompetent user could simply turn off all the security systems as annoyances and still get owned. That's the big problem with Windows. There are areas where ease of use and security clash, and in those cases ease of use usually has to take precedence; otherwise, the user finds it unbearable and won't buy the product--look at the complaints about Vista User Access Control. Linux is no panacea, especially with the unskilled user. There are still privilege escalation bugs and the like.

0
0
Silver badge

Trojan Horse .....MI ASP

Whenever the Application MetaDataMorphs from Petty Trojan to Top Class Hooker/from Crooked Possibilities to Perfect ZerodDay Opportunities, has the System met its Match and AI NeuReal Great Game Begins

"In the Beginning, there was always Imagination which gives Birth to Future Light and Universal Powers....... and how very Bizarre should it be Ransomed rather than declared a Treasure for Purchase.

0
0
Thumb Up

@Following the money...

Governments routinely invade your privacy and snoop into everybodys' money transfers.

If e-Bay, Western Union etc. did not allow various spooks, customs and tax persons to mine thier data they would have thier operation shut down.

So why not put this all to good use! All they need to do is trace the payment of one ransom and the bad guys are in the bag.

0
0
Silver badge

Crack the crooks!

It would be cheaper for a few interested individuals to hire a bunch of ex SAS/SEALS to go visit the crooks.

That, my friends, is how to do brute force decryption!

0
0

backups

No, the real smart guys have backups.

0
0
Linux

Linux vs Windows

The only advantage Linux has over Windows in this example is.

1. The Linux user is generally more technical than the Windows user.

2. Linux has a smaller market share so there is less Malware produced to exploit it.

These two arguments will gradually become less and less as Linux is used by more stupid users and gains a larger market share, which I am sure it will. I'm not a Microsoft fanboy but bashing Microsoft here isn't going to achieve anything, Windows is simply a victim of its own success.

0
0

F-Secure

The solution is for GPcode.b; this version is GPcode.AK. There is no solution for it.

Everyone who believes you can simply reverse engineer a solution for this type of encryption please take 3 steps back from your computer and never touch it again.

Even if you manage to learn part of the algorithm, you have no idea of the actual variables and values used...hence, you need a lot of computer time to plug them all in (ie brute force).

0
0

Burning the computer in the back yard works but. . .

It probably won't work but my solution would be to run the virus through a decompiler and once in C code determine what it did.

There are really no true random numbers in computer programming; the seed (which is probably encryption time) should be given away by the file creation date.

At least that is the way we used to encrypt client data (before we found a better, more secure way).

Of course this implies that any of the computers I am responsible for ever catches a virus.

This has happened exactly once in the last 20 years.

0
0
Silver badge
Alien

Non Secret Encryption ...... NEUKlearer IT Methodology for AI Beta Transparency

"It would be cheaper for a few interested individuals to hire a bunch of ex SAS/SEALS to go visit the crooks.

That, my friends, is how to do brute force decryption!" ...... By Charles Manning Posted Monday 16th June 2008 08:18 GMT

Charles,

That would also Present AI Future Administration Opportunity.

And what do you think current and future SAS/SEALS are doing right now?

0
0
This topic is closed for new posts.