Police 'find' author of notorious virus
Gpcode author still at large, however.
By John E. Dunn, Techworld | Techworld
Published: 11:25 GMT, 30 September 08
The infamous Gpcode 'ransomware' virus that hit computers in July was the work of a single person who is known to the authorities, a source close to the hunt for the attacker has told Techworld.
The individual is believed to be a Russian national, and has been in contact with at least one anti-malware company, Kaspersky Lab, in an attempt to sell a tool that could be used to decrypt victims' files.
Initially sceptical, the company was able to verify that the individual was the author of the latest Gpcode attack - and probably earlier attacks in 2006 and 2007 - using a variety of forensic evidence, not least that he was able to provide a tool containing the RC4 key able to decrypt the work of the malware on a single PC.
The 128-bit RC4 keys, used to encrypt the user's data, are unique for every attack. The part that had stymied researchers was that this key had, in turn, been encrypted using an effectively unbreakable 1024-bit RSA public key, generated in tandem with the virus author's private key. But the tool did at least prove that the individual had access to the private 'master' key and must therefore be genuine.
Kaspersky Lab set about locating the man by resolving the proxied IP addresses used to communicate with the world to their real addresses. The proxied addresses turned out to be zombie PCs in countries such as the US, which pointed to the fact that GPcode's author had almost certainly used compromised PCs from a single botnet to get Gpcode on to victim's machines.
Tracking down the owners of these PCs proved extremely difficult, with service provider Yahoo, for one, allegedly refusing to cooperate with the investigation on privacy grounds. Foreign police were informed, however, as were the Russian authorities. Armed with enough circumstantial evidence, "they were interested," the Kaspersky source confirmed.
To date, it is not clear what if any action the authorities plan to take.
For its part, Kaspersky Lab confirmed that it had been contact with a dozen victims from Russia, Hungary and Slovakia, at whose populations the program appears to have been primarily aimed. Gpcode has since struck further afield, hitting a medical institution in Cuba and, unconfirmed rumours claim, government offices in the US.
Gpcode has appeared in a number of variants since 2006, each using ever-stronger encryption. The program's approach is direct and frightening. Once on a system, it sets about encrypting all data files it finds with any one of 143 file extension types, rendering them inaccessible. Victims are then told they can recover the files by paying a ransom to the author, reachable through a Yahoo email account.
The innovation of the latest Gpcode attack was that it generated keys to the RC4 stream cipher using 1024-bit RSA, a much higher bit length than previous versions, which made it, to all practical intents and purposes, uncrackable.
Luckily, on this occasion, Gpcode's author had made a number of more basic programming errors that allowed researchers to construct a method for recovering files. It turned out that while encrypting data, the original files had been 'deleted' using the Windows file system. This meant that although invisible to the operating system, the files were still on the disk and could be recovered using available tools.
One thing Gpcode has made clear is that technology alone can't now defend against this type of malware. Once on an undefended PC, reversing its effects depends on having access to the private RSA key, and that means tracking down the author.
According to Kaspersky, stopping ransomware-based malware in the future will require more effective law enforcement, the use of forensic software analysis to tie suspects to their malevolent creations, and possibly building restrictions into the Windows cryptographic software libraries used to create Gpcode itself.
Despite its frightening reputation, ransomware is still, thankfully, a rare phenomenon. There are various theories as to why this is the case, ranging from the complexity of the software itself to the difficulty of setting up a reliable channel through which to accept 'ransom' payments from victims. Other, easier types of malware might just be more profitable to criminals.
.gif)
Add your commentComments
Protection for your computer. | Published: 08:26 GMT, 15 December 2008
Search-and-destroy Antispyware is one of the best options available when you are searching for protection for your computer that you can trust. I know because I have tried many different types of scans in the past and the biggest difference I have found between them is the price. I found the antispyware solution from Search-and-destroy to be a great option that is affordable and easy to use. Visit http://www.Search-and-destroy.com/antispyware.html to learn more about this scan and what it can do for you. If you are like me, you will be glad that you took the time to check it out.
Adam | Published: 05:58 GMT, 01 October 2008
Like so many have already posted, just backup your files. In response to the encrypt then vanish thing: Why not just wipe the original file with 0s,1s, or noise. If the aim was just destruction, wiping is way more effective than encryption. There is no profit here. Still, a backup would be unaffected.
Thomas J. | Published: 04:16 GMT, 01 October 2008
It isn't fun to get infected, but it is the cost of running MS Windows. The blame rests largely on Microsoft for making installing random software simple for the average user- even automatic at times (ActiveX is an old example, but a good one). A typical user should not be able to easily install random software that has not been verified by a third party agency. The blame also lies largely on Microsoft for its bad default security configurations. It is also responsible for many vulnerabilities in the wild, and failure to provide timely fixes-and a means to easily apply and reverse these fixes as needed. While GNU/Linux distributions have faults- for the most part they do have a white list of sorts, and acceptable default security policies. It isn't perfect system, but a system typical users won't get into trouble using nearly as easily. We need to stop thinking about security as passing laws and eliminating the bad guys. That doesn't work in the real world.
sylvie chen | Published: 21:39 GMT, 30 September 2008
A more disturbing conclusion would be when a similar high encryption virus is used to encode the data, and then self destruct. No ransom, just someone who hates electronics.
James | Published: 19:27 GMT, 30 September 2008
Hi John, can you please quote Kaspersky's statement regarding building restrictions into the Windows cryptographic software libraries that were used to create Gpcode? What kind of restrictions were they referring to?
Steve | Published: 17:22 GMT, 30 September 2008
What's wrong with backing up data. This is no worse than a hard disk crash.
Lars Friend | Published: 16:49 GMT, 30 September 2008
Plus, restricting the crypto library won't stop anybody, because any fool can write their own implementation of any of several well-known cryptographic functions with just a little bit of programming know-how and a decent text book.
martin d. | Published: 16:24 GMT, 30 September 2008
Well. If people just backed up their files, a normal restore should solve the problem.