
Sneaky Blackmailing Virus That Encrypts Data

timothy posted more than 6 years ago | from the ouch-and-double-ouch dept.

Security 409

BaCa writes "Kaspersky Lab found a new variant of Gpcode which encrypts files with various extensions using an RSA encryption algorithm with a 1024-bit key. After Gpcode.ak encrypts files on the victim machine, it changes the extension of these files to ._CRYPT and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a decryptor. Is this a look into the future where the majority of malware will function based on extortion?"
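The two artifacts the summary names, the `._CRYPT` extension and the per-folder `!_READ_ME_!.txt` note, are enough to triage a machine or a backup set. The following scanner is an added example (not Kaspersky's or Slashdot's code) that walks a tree and reports folders showing either indicator; the sample tree it builds is constructed for the demo.

```python
"""Scan a directory tree for the Gpcode.ak indicators named in the summary:
files renamed to a ._CRYPT extension and a !_READ_ME_!.txt ransom note.
Added example, not Kaspersky's or Slashdot's code."""
import os
import tempfile

CRYPT_SUFFIX = "._CRYPT"          # extension the summary says Gpcode.ak appends
RANSOM_NOTE = "!_READ_ME_!.txt"   # note the summary says is dropped per folder


def scan_tree(root):
    """Return {folder: {"crypt": n, "note": bool}} for every folder showing
    at least one indicator. Symlinks are not followed."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        crypt = sum(1 for f in filenames if f.endswith(CRYPT_SUFFIX))
        note = RANSOM_NOTE in filenames
        if crypt or note:
            hits[dirpath] = {"crypt": crypt, "note": note}
    return hits


def summarize(hits):
    """Collapse per-folder hits into one verdict dict for a report line."""
    folders_with_note = sum(1 for h in hits.values() if h["note"])
    crypt_total = sum(h["crypt"] for h in hits.values())
    return {
        "folders_hit": len(hits),
        "ransom_notes": folders_with_note,
        "encrypted_files": crypt_total,
        # both indicators together is the pattern the summary describes
        "likely_gpcode": folders_with_note > 0 and crypt_total > 0,
    }


def build_sample_tree():
    """Constructed sample: one clean folder, one hit folder.
    Returns (root, clean_dir, hit_dir)."""
    root = tempfile.mkdtemp(prefix="gpcode-demo-")
    clean = os.path.join(root, "clean")
    hit = os.path.join(root, "docs")
    os.makedirs(clean)
    os.makedirs(hit)
    for name in ("notes.txt", "budget.xls"):
        open(os.path.join(clean, name), "w").close()
    for name in ("report.doc._CRYPT", "photo.jpg._CRYPT", RANSOM_NOTE, "readme.txt"):
        open(os.path.join(hit, name), "w").close()
    return root, clean, hit


if __name__ == "__main__":
    root, _, _ = build_sample_tree()
    for folder, h in scan_tree(root).items():
        print(f"{folder}: {h['crypt']} encrypted file(s), note={h['note']}")
    print(summarize(scan_tree(root)))
```

Run it against a backup volume before a restore: a folder that already carries both indicators is the one the AC further down the thread worries about, a backup taken after the encryption.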


409 comments


Wow (-1, Redundant)

Jor-Al (1298017) | more than 6 years ago | (#23675019)

I for one welcome our new encryption-based, extorting overlords.

But were they smart, or stupid? (5, Interesting)

pclminion (145572) | more than 6 years ago | (#23675029)

Question is, does the encryptor rewrite the data in-place, or just encrypt to a new file then delete the original? If the latter, the data is still recoverable with a simple undelete utility.

Re:But were they smart, or stupid? (4, Insightful)

Anonymous Coward | more than 6 years ago | (#23675131)

... or from handy backups...

besides... do you really expect to get your data back after a hack like that? your system is hosed, any correspondence with the malware author is only going to lead to more loss.

you got pwnd, restore from backup, call the FBI if you're a good corporate citizen and have nothing to hide. Otherwise, get a Mac.

Re:But were they smart, or stupid? (0, Redundant)

Anonymous Coward | more than 6 years ago | (#23675375)

... or from handy backups... besides... do you really expect to get your data back after a hack like that? your system is hosed, any correspondence with the malware author is only going to lead to more loss. you got pwnd, restore from backup, call the FBI if you're a good corporate citizen and have nothing to hide. Otherwise, get a Mac.
Or get GNU/Linux.

Re:But were they smart, or stupid? (5, Insightful)

severoon (536737) | more than 6 years ago | (#23675779)

I would happily contact the criminal and send them $1 after working with my bank and law enforcement to set up an account trace to see where the money goes and who ends up with it.

Re:But were they smart, or stupid? (1, Insightful)

moderatorrater (1095745) | more than 6 years ago | (#23675147)

Even if it's not, how are the criminals supposed to get their money? Worst case scenario, if this becomes widespread, people will start doing backups more often. The question at the end of the summary, like all slashdot questions, is dumb and doesn't promote discussion at all.

Re:But were they smart, or stupid? (4, Insightful)

Darkness404 (1287218) | more than 6 years ago | (#23675401)

how are the criminals supposed to get their money?

Fear, and adware. For example, if this virus becomes really widespread, the malware author could create a rouge anti-virus program that promises to get rid of it, and might even get rid of it, the downside is, it infects the host machine with adware giving the author $$$. Otherwise he can simply modify the script to not only encrypt it but add some adware into there. If you have root, there isn't much you can't do.

Re:But were they smart, or stupid? (5, Funny)

Cajun Hell (725246) | more than 6 years ago | (#23675791)

if this virus becomes really widespread, the malware author could create a rouge anti-virus program

But a crimson anti-virus program can detect a rouge one.

Re:But were they smart, or stupid? (2, Informative)

nine-times (778537) | more than 6 years ago | (#23675183)

Does it matter? I have backups.

Really, this doesn't scare me very much. Can these people stop making money on spam, please, and let them try their hand at blackmail? Because it's fine-- a lot of people won't pay, and others will get the FBI to trace the money to the criminals behind it. They'll probably get caught, but either way they won't get me. Like any sane person, I have a firewall, don't open random attachments, and keep backups.

Re:But were they smart, or stupid? (5, Insightful)

Anonymous Coward | more than 6 years ago | (#23675263)

Does it matter? I have backups.

And how often do you roll through your backups? Will you notice the encrypted files in time, or will you end up backing up the worthless files instead?

I have plenty of important files which I don't look at very often. It might take months before I realize they are corrupted -- and by that time, I've overwritten the last valid backup with the encrypted stuff.

Re:But were they smart, or stupid? (3, Funny)

Tenebrousedge (1226584) | more than 6 years ago | (#23675371)

Then we should paste a caption on you that says "Backups: Your doin it wrong."

Re:But were they smart, or stupid? (3, Informative)

Crazy Taco (1083423) | more than 6 years ago | (#23675545)

Unless you have space for infinite backups, his method is write. At some point, you'll run out of space and have to delete old backups to make room for the new ones.

Re:But were they smart, or stupid? (1, Redundant)

Crazy Taco (1083423) | more than 6 years ago | (#23675577)

... write.
*right

Re:But were they smart, or stupid? (4, Informative)

SanityInAnarchy (655584) | more than 6 years ago | (#23675635)

Given properly rolling backups, you don't just keep dailies for the past month. You keep dailies for a week, and weeklies for a month, and monthlies for however long you have space for.

And given that most people work in files which are essentially text or the moral equivalent (Word docs, etc), it's likely that you do, in fact, have enough space for a very, very large number of backups.
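The rotation described above (dailies for a week, weeklies for a month, monthlies for as long as space allows) is a grandfather-father-son retention policy. The code below is an added example, not from the thread, that selects which snapshots to keep under that policy; the snapshot dates it feeds itself are constructed. It also answers the earlier worry about overwriting the last valid backup with encrypted files: the monthly slots keep a copy from before the encryption even when every daily has since been refreshed.

```python
"""Grandfather-father-son retention: keep the newest snapshot per day for the
last `dailies` days, per ISO week for the last `weeklies` weeks, and per
calendar month for the last `monthlies` months. Added example, not from the
thread; the sample snapshot dates are constructed."""
from datetime import date, timedelta


def _newest_per_bucket(snaps, key):
    """Map bucket key -> newest snapshot date falling in that bucket."""
    best = {}
    for s in snaps:
        k = key(s)
        if k not in best or s > best[k]:
            best[k] = s
    return best


def select_retained(snapshot_dates, today, dailies=7, weeklies=4, monthlies=12):
    """Return the sorted list of snapshot dates to keep; everything else is
    eligible for deletion. Slots with no snapshot are simply skipped."""
    snaps = sorted(set(snapshot_dates))
    keep = set()
    by_day = _newest_per_bucket(snaps, lambda s: s)
    by_week = _newest_per_bucket(snaps, lambda s: tuple(s.isocalendar())[:2])
    by_month = _newest_per_bucket(snaps, lambda s: (s.year, s.month))

    for d in range(dailies):                       # one slot per day
        day = today - timedelta(days=d)
        if day in by_day:
            keep.add(by_day[day])
    for w in range(weeklies):                      # one slot per ISO week
        wk = tuple((today - timedelta(weeks=w)).isocalendar())[:2]
        if wk in by_week:
            keep.add(by_week[wk])
    for m in range(monthlies):                     # one slot per calendar month
        y, mo = today.year, today.month - m
        while mo <= 0:
            y, mo = y - 1, mo + 12
        if (y, mo) in by_month:
            keep.add(by_month[(y, mo)])
    return sorted(keep)


def snapshots_to_delete(snapshot_dates, today, **policy):
    """Complement of select_retained: what the rotation script may remove."""
    keep = set(select_retained(snapshot_dates, today, **policy))
    return sorted(set(snapshot_dates) - keep)


def sample_snapshots():
    """Constructed sample: one snapshot per day for 120 days ending on the
    story's date, 2008-06-05. Returns (today, snapshot_dates)."""
    today = date(2008, 6, 5)
    return today, [today - timedelta(days=i) for i in range(120)]


if __name__ == "__main__":
    today, snaps = sample_snapshots()
    kept = select_retained(snaps, today)
    print(f"{len(snaps)} snapshots, keep {len(kept)}:")
    for k in kept:
        print(" ", k)
```

With the 120 constructed dailies this keeps 12 dates: seven dailies, the two Sundays of the weekly slots not already covered by a daily, and the month-end snapshots for April, March and February.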

Re:But were they smart, or stupid? (4, Informative)

kesuki (321456) | more than 6 years ago | (#23675591)

"And how often do you roll through your backups? "

try 'never, I use one-time recordable optical media'

i realize some people use 'rewritable' media for backups, and have this 'roll over' issue, but the only part of my backup that does rollover is the redundant external HDD for 'critical' data that i don't trust entirely to a DVD media, even if I only buy grade 1 media...

I don't have a small data set either, I have over 1 TB of stuff on optical discs, but surprisingly only about 30 gigs that is important enough to go to a redundant hdd.

Re:But were they smart, or stupid? (1)

zx-15 (926808) | more than 6 years ago | (#23675641)

I have two words for you: Incremental Backups

Re:But were they smart, or stupid? (2, Informative)

Carnildo (712617) | more than 6 years ago | (#23675687)

And how often do you roll through your backups? Will you notice the encrypted files in time, or will you end up backing up the worthless files instead?

I don't know about most people, but my backups bear a strong resemblance to a versioned filesystem: it doesn't matter if the encrypted files wind up on the backup, because I can always roll back to a version before they were encrypted.

Re:But were they smart, or stupid? (1)

nurb432 (527695) | more than 6 years ago | (#23675727)

That is why i have a yearly backup that goes off site and is NEVER discarded.

Reminds me of... (3, Interesting)

vivin (671928) | more than 6 years ago | (#23675643)

...the Casino Virus [youtube.com]. Perhaps because of the similar concept of "holding data hostage".

The virus takes your FAT and stores it in RAM. Then lets you play a slot-machine game. If you win, you get your data back. If you lose, you lose your data. Some other combination of characters (in the slot machine) gives you the virus-writer's phone number.

Anti-Malware Response (1)

frosty_tsm (933163) | more than 6 years ago | (#23675049)

I wonder if there will be tools / services that would be able to hammer at (or otherwise crack) the 1024-bit encryption and find the key.

Does anyone know how bad this might be from a computational-power standpoint?

Re:Anti-Malware Response (4, Informative)

pclminion (145572) | more than 6 years ago | (#23675077)

Uh, if 1024-bit RSA was broken, the world of encryption security would collapse (at least for the short term). Could it happen? Sure, it's possible. Will it happen in time to save your pr0n collection? Highly unlikely.

For one thing, compromise of RSA encryption would render SSL useless.

Re:Anti-Malware Response (2, Insightful)

Anonymous Coward | more than 6 years ago | (#23675527)

RSA keys should be 2048 bits long for a decent measure of security. Especially at smaller key sizes, it's not a very good encryption method.
http://en.wikipedia.org/wiki/RSA

As a side note:
At 128-bits, assuming the algorithm does not have a weakness, a brute force attack takes longer than the age of the universe. The amount of power that such an attack would require is also quite staggering.

At 256-bits, brute-forcing would require being able to harness the entire output of a star (or stars) to power the computer needed to complete the task.

As long as no holes are present in the encryption method, a 1024 bit key is (in practice) unbreakable.

http://en.wikipedia.org/wiki/Brute_force_attack

Re:Anti-Malware Response (4, Informative)

AmiMoJo (196126) | more than 6 years ago | (#23675583)

The last version was eventually "cracked", because the virus used the same key for all the encrypted files so once someone paid up they could distribute the key.

Re:Anti-Malware Response (1)

Delwin (599872) | more than 6 years ago | (#23675103)

Without an efficient and functional quantum computer? millennia, maybe centuries depending on how computational power advances. Then again unless it's also randomizing the keys the first time they sell a decrypter (assuming they actually do and don't just take your money) the anti-virus companies will get their hands on it and plug that into the 'clean' function for this virus.

Re:Anti-Malware Response (1)

afidel (530433) | more than 6 years ago | (#23675175)

I assume they use the machine name as a salt for the encryption and so the decryptor takes that into account =)

Re:Anti-Malware Response (1)

somersault (912633) | more than 6 years ago | (#23675427)

or.. time of day, mac address, any number of other things.. how much faster would a brute force attack be even knowing what they used as salt? Probably not significantly different (ie I'm guessing it would still be more than your lifespan with current tech)

Re:Anti-Malware Response (1)

pclminion (145572) | more than 6 years ago | (#23675493)

I was not aware there was a proof that factorization can't be achieved without a quantum computer. Can you point me to your source?

Re:Anti-Malware Response (1)

Thiez (1281866) | more than 6 years ago | (#23675619)

You can factor large numbers, but it is very, very hard. For a 1024-bits number it will take a LONG time (you'll be long dead before you get the result, and the rest of mankind will probably be dead too.). Using a quantum computer would speed things up since they can factor large numbers more easily using a different algorithm.

Re:Anti-Malware Response (1)

Thiez (1281866) | more than 6 years ago | (#23675689)

Hmmn, it seems the above is incorrect. I cite wikipedia:

"RSA claims that 1024-bit keys are likely to become crackable some time between 2006 and 2010 and that 2048-bit keys are sufficient until 2030."

Re:Anti-Malware Response (1)

Delwin (599872) | more than 6 years ago | (#23675639)

linear time factorization cannot be achieved without a quantum computer. Without a linear time factorization algorithm a 1024-bit RSA encryption would take a government organization with millions in dedicated hardware decades to crack. http://www.rsa.com/rsalabs/node.asp?id=2007 [rsa.com]

Re:Anti-Malware Response (1)

mapsjanhere (1130359) | more than 6 years ago | (#23675115)

I think the big question is - does the virus carry its own key around, or does it "phone home" to get a specific key for the infected machine?
In the first case someone will most likely find the key in the virus code, in the second case it's BAD. Sure the NSA can break a 1024 RSA key if they have to, but I haven't heard of a "simple" commercial tool to do it.

Re:Anti-Malware Response (1)

LabRat (8054) | more than 6 years ago | (#23675247)

It uses public-key encryption...so presumably it carries around the "public" portion of the key pair that is used to encrypt the files. The black-mailer has the private portion that is sold to the victim.

Re:Anti-Malware Response (1)

Loether (769074) | more than 6 years ago | (#23675309)

Sure the NSA can break a 1024 RSA key if they have to
Do you have a citation for that?

I don't see why the laws governing the ability to break such a key would change for the NSA. A 1024 bit key is MUCH more than twice as hard to crack as a 660 bit key. Maybe someone can help me with the math? something like 2^(1024 - 660) times harder to crack?

Re:Anti-Malware Response (1)

Darkness404 (1287218) | more than 6 years ago | (#23675447)

You forget though, the NSA has a large budget and access to super computers. What might take us years to crack may only take months or less for a few huge clusters of computers or some super computers to break. Plus, as everything the NSA does is "a matter of national security" they can request a super computer to do that.

Re:Anti-Malware Response (1)

solafide (845228) | more than 6 years ago | (#23675507)

And, who knows what specialized algorithms have been found in the NSA?

Re:Anti-Malware Response (1)

mapsjanhere (1130359) | more than 6 years ago | (#23675715)

My comment was based on the statement that it would take 30 years to break it on a PC. What led me to the conclusion that the NSA would have no problem doing it either by having 3000 PCs chewing on it or, more likely, having dedicated hardware that can do it in a day.
Sadly, there seems to be a limited number of slashdotters admitting to NSA capabilities from first hand experience.

Re:Anti-Malware Response (1)

Loether (769074) | more than 6 years ago | (#23675817)

I completely agree that they have access to super computers and as the article states what would take a standard pc 30 years to decrypt "660 bit key" would take the NSA significantly less time for sure. I'll give you they crack a 660 bit key over lunch. That's the old 660 bit key.

My point was that for a 1024 bit key (the one the new malware uses) they are screwed. Even if we say the NSA has the cpu power 1 Googol (1 followed by 100 zeros) times faster than the 2.2ghz pc quoted in TFA. According to my math (again, any help would be appreciated), 2 ^ (1024 - 660) = 3e109, so they would still need about 30^9 years to decrypt it. The math just doesn't work even for a govt agency with supercomputers that run trillions of times faster than the fastest "known" supercomputer.

Now as the GP Solafide points out it is possible they have found a weak link in the algorithm in which case all bets are off.
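Several posts above ask how the difficulty of a 1024-bit modulus compares with the 660-bit one in the article. Factoring effort is usually estimated with the heuristic running time of the general number field sieve, written in L-notation as L_n[1/3, (64/9)^(1/3) + o(1)]; that formula is a standard result, not something from the thread. The script below is an added example (not from any poster) that evaluates it with the o(1) term dropped, so the figures are rough orders of magnitude rather than a prediction of any agency's capability.

```python
"""Heuristic GNFS factoring effort, L_n[1/3, (64/9)^(1/3)], evaluated for a
few RSA modulus sizes so 660-bit and 1024-bit keys can be compared on the
same scale. Added example, not from the thread. The o(1) term is dropped,
so treat the results as rough orders of magnitude."""
import math

# constant c in L_n[1/3, c] for the general number field sieve
GNFS_C = (64 / 9) ** (1 / 3)


def gnfs_log2_work(bits):
    """log2 of the heuristic GNFS effort for an n-bit modulus n.
    L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)), with ln n = bits*ln 2."""
    ln_n = bits * math.log(2)
    ln_work = GNFS_C * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return ln_work / math.log(2)


def work_ratio_log2(bits_small, bits_large):
    """log2 of how many times more effort the larger modulus needs."""
    return gnfs_log2_work(bits_large) - gnfs_log2_work(bits_small)


def effort_table(sizes=(512, 660, 768, 1024, 2048)):
    """Rows of (bits, approximate log2 effort) for a quick comparison."""
    return [(b, round(gnfs_log2_work(b), 1)) for b in sizes]


if __name__ == "__main__":
    for bits, work in effort_table():
        print(f"{bits:5d}-bit modulus: about 2^{work} GNFS operations")
    ratio = work_ratio_log2(660, 1024)
    print(f"1024-bit vs 660-bit: roughly 2^{ratio:.1f} times the effort")
```

Under this estimate a 1024-bit modulus costs on the order of 2^87 operations against about 2^72 for 660 bits, a gap of roughly 2^15; 2048 bits lands near 2^117, which is why it is the usual recommendation for new keys. The point for a defender is simply that the work grows sub-exponentially in the key length, so doubling the modulus buys far more than doubling the cost.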

Re:Anti-Malware Response (1)

kipman725 (1248126) | more than 6 years ago | (#23675745)

The NSA will not crack RSA nor will anyone else no matter how bloated their budget due to the fundamental nature of cracking it. It involves the factorisation of prime numbers multiplied together. Factorisation has had no known short cuts found in thousands of years of mathematics. Some people think it to be something that actually has no short cuts. The quantum computer can complete every possible test to see if a number is a factor of a number in the same time it takes to do one test and so can factorise pretty much instantly. However a normal computer has to test every possible value which means for a 1024bit key approximately 1.797693134862315907729305190789e+308 divisions each of which will take more than one processor cycle. But assuming we have a 3GHZ processor that can do one long division per cycle that's going to take 1.8988485973398018308630411171836e+288 YEARS to test every single value. Do you see now why the NSA cannot crack a 1024bit RSA key no matter how much computing power they throw at it?

Re:Anti-Malware Response (1)

Zironic (1112127) | more than 6 years ago | (#23675675)

the thing is, we're not talking years or months, we're talking centuries and millennia.

Re:Anti-Malware Response (1)

Torvaun (1040898) | more than 6 years ago | (#23675721)

Sure, but 1024 RSA doesn't take us years to crack. It doesn't even take us decades to crack. Our grandchildren won't be alive to see the code finish. The NSA is good, but they're living in the same universe as the rest of us.

Re:Anti-Malware Response (1)

Actually, I do RTFA (1058596) | more than 6 years ago | (#23675225)

I wonder if there will be tools / services that would be able to hammer at (or otherwise crack) the 1024-bit encryption and find the key.

Wouldn't one person be able to pay off the extortion, and then give out the key to everyone else?

Re:Anti-Malware Response (1)

SanityInAnarchy (655584) | more than 6 years ago | (#23675683)

Wouldn't one person be able to pay off the extortion, and then give out the key to everyone else?
All depends how it's implemented. One easy way would be to generate a random key, phone home with it, then destroy it on the local machine once the crypto is done -- so the key will be unique to the user.

Another way would be to have a finite (but still very large) number of keys to choose from, and store a checksum of the key on the local machine. If there were, say, a few thousand keys, it would still be enough to be unreasonable to try to "buy" them all, but it would also keep the payload down to maybe a few hundred kilobytes.

I kind of doubt that the key would be exactly the same for every instance of this.

Re:Anti-Malware Response (1)

Goaway (82658) | more than 6 years ago | (#23675291)

Does anyone know how bad this might be from a computational-power standpoint?
Not happening.

Re:Anti-Malware Response (0)

Anonymous Coward | more than 6 years ago | (#23675305)

If they remember a bit of the files contents it would be VERY easy. And in order for the decryption program to work, it must use a single key, otherwise, how would they know what key to decrypt it with. In any case, make a file with content you know and intentionally infect a computer with it on it. From there it would be very easy to solve...

Re:Anti-Malware Response (1)

DriedClexler (814907) | more than 6 years ago | (#23675333)

How about recommending solutions that require LESS than the age of the universe to work?

LET'S HOPE SO (4, Insightful)

blair1q (305137) | more than 6 years ago | (#23675051)

Seriously. In order for extortion to work, money has to change hands. Money can be traced, easily (don't believe what they say about Western Union). This is a great way to track down and capture the people who are spreading the virus. And the people whose files are encrypted could as easily have seen those files deleted, or worse. So it's no difference to them, except that they now have a hand in putting a crook behind bars.

The virus tossers are actually making their situation worse by turning to extortion. But they weren't all that bright to start with.

Re:LET'S HOPE SO (4, Insightful)

frosty_tsm (933163) | more than 6 years ago | (#23675079)

What happens when the virus writer is in another country? What if that country doesn't care?

Step 4 (1)

argent (18001) | more than 6 years ago | (#23675553)

What if that country doesn't care?

1. Create hoax crypto extortion virus
2. Call for trade sanctions against Lower Bananastan
3. Ram the "criminalize crypto and authorize panoptic surveillance" (CCRAP) treaty through the G8
4. Profit^H^H^H^H^H^HAll our base belong to whitehouse.gov.

Re:LET'S HOPE SO (2, Informative)

Osurak (1013927) | more than 6 years ago | (#23675089)

Nah, the scammers will just route it through some mule, like they do with the stuff they buy through credit card fraud.

Re:LET'S HOPE SO (0)

Anonymous Coward | more than 6 years ago | (#23675339)

That gave me the idea of using already compromised, but as of yet unreported, identities for this. Or in slashdot lingo:

1. Steal identity
2. Use stolen identity as extortion virus drop point
3. ????
4. PROFIT!

Re:LET'S HOPE SO (1)

gnuman99 (746007) | more than 6 years ago | (#23675503)

Unless they withdraw the cash by some mule, they will be recorded and/or traced. Maybe if they wire money to some 3rd world country and pay off corruption personnel, I mean police.

Re:LET'S HOPE SO (0)

Anonymous Coward | more than 6 years ago | (#23675629)

Unless they withdraw the cash by some mule, they will be recorded and/or traced.
That's why they use mules to withdraw the cash. Mules are easy to find and hardly worth arresting.

Re:LET'S HOPE SO (1)

Penguinisto (415985) | more than 6 years ago | (#23675743)

The mule has to send the dough somewhere... and the trail picks up from there. Not saying it's always guaranteed an ultimate end, but money laundering always gets to the point of diminishing returns for the scammer after x number of middlemen, so the money trail usually isn't too gawdawful long or convoluted. Otherwise the scammer would be making less than a half-penny on the dollar (or Euro, or...?)

The rest just depends on how badly the law agency in question wants to track down the ultimate destination of said money.

Like I said - not perfect, but more often than not, it's pretty easy to pick up the scammer, or at least find out who he/she is. The only real variable is how much time the scammer has to get enough returns to make it profitable, then bug the hell out before the law catches up to him/her.

/P

Re:LET'S HOPE SO (1)

brit74 (831798) | more than 6 years ago | (#23675815)

"In order for extortion to work, money has to change hands. Money can be traced, easily..."

I don't know, but it seems to work for Nigerian scams (okay, they ask for your banking information), apartment scams (I'll send you a fake cashiers check, you "send me back" some of that money via Western Union), and also dating scams (I need money for a plane ticket to come see you). It seems to work in those cases.

Is this the future? (5, Funny)

Anonymous Coward | more than 6 years ago | (#23675055)

Is this a look into the future where the majority of malware will function based on extortion?

I don't know! Stop asking me those questions all the time. Is it obligatory to end every blurb with a question, or what?

Re:Is this the future? (1, Funny)

Anonymous Coward | more than 6 years ago | (#23675191)

I wonder, wasn't that just a rhetorical question?

Re:Is this the future? (3, Funny)

DriedClexler (814907) | more than 6 years ago | (#23675389)

Goddamnit, who keeps sending self-aware chatbots to access Slashdot?

Re:Is this the future? (0)

Anonymous Coward | more than 6 years ago | (#23675403)

I think the point of ending Slashdot articles with questions is that Slashdot is not a news site. It's a news DISCUSSION site. By adding the questions, they point the discussion, creating a 'nucleation' site for such discussions to form.

Either that, or they think it makes good filler.

Time will tell!

They think they're pretty clever. (5, Insightful)

Anonymous Coward | more than 6 years ago | (#23675081)

The fundamental problems with hairbrained schemes like these is that the money has to change hands somehow, and there's a fundamental trust issue. First, if money gets transferred to you then you are susceptible to being caught.

The trust issue is that there is fundamentally no reason for the person receiving the money to follow through and send you the private keys to decrypt the data. If it was a known person, they'd be arrested, and since they're unknown there is no "reputational" factor that would make people more likely to pay based on the experience of others.

Just another moron criminal scheme from some douchebag who thinks he's found a get rich scheme. Just like other "genius" criminals, the fact is that the professionals in the field are smarter than the criminals.

Re:They think they're pretty clever. (1)

tahuti (744415) | more than 6 years ago | (#23675369)

It would be easy to tweak business model.
  1. Make virus creator tookit
  2. Spread it, let other people create virus
  3. Open company that sells virus removal/decryptor

This has been done before (5, Informative)

mrbill1234 (715607) | more than 6 years ago | (#23675085)

This same thing happened in the late 80's (or maybe early 90's). Some hackers mailed a 5.25 inch floppy with some "free" software on it to thousands of people around the world. When you installed the software, it would hijack your PC and encrypt various files and you had to pay a ransom to get it back. There was a EULA and everything with the disk (which of course nobody read) which made it clear what would happen if you installed the disk. Perhaps someone can remember what it was called.

Re:This has been done before (5, Funny)

Daimanta (1140543) | more than 6 years ago | (#23675165)

MS-DOS 6.22

Re:This has been done before (1, Funny)

Anonymous Coward | more than 6 years ago | (#23675177)

It was called *$&&^$(VG(^I^, now pay up for the decrypted name.

Re:This has been done before (1)

Helen Keller (842669) | more than 6 years ago | (#23675187)

WinGnnmwmmndows?

Re:This has been done before (4, Informative)

gad_zuki! (70830) | more than 6 years ago | (#23675243)

This was done recently, perhaps two or three years ago. I believe it encrypted everything in My Documents and asked for payment to unencrypt it. Turns out they used the same key every time. Article from 2006 here.

http://news.bbc.co.uk/2/hi/technology/5038330.stm [bbc.co.uk]

The magic key is:

mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw

Re:This has been done before (4, Interesting)

Ethanol-fueled (1125189) | more than 6 years ago | (#23675387)

Do people still keep stuff in "My documents?". Ya'd think that after all of the very public worms, viruses, malware, and phoning-home that people would learn to make their own "My Stuff" folder(if not regularly back up and/or encrypt their important data).

Re:This has been done before (0)

Anonymous Coward | more than 6 years ago | (#23675585)

I just moved the "My documents" folder to a different place on my hard drive. They'll never find it then!

Re:This has been done before (4, Funny)

ColdWetDog (752185) | more than 6 years ago | (#23675279)

Perhaps someone can remember what it was called.

America On Line?

Re:This has been done before (1)

darkgemini333 (934916) | more than 6 years ago | (#23675807)

I thought that was AOL...

I glad (1)

notthepainter (759494) | more than 6 years ago | (#23675099)

At least know the owners of bot controlled machines will have a clue that their machines are bot controlled. And maybe we'll see fewer bot controlled machines.

One can only hope.

The future? Maybe the past... (1)

Mozk (844858) | more than 6 years ago | (#23675111)

Have people not heard of this before? I'm not trying to be an ass, but it's not like this is new.

Only an idiot doesn't backup. (1)

pclminion (145572) | more than 6 years ago | (#23675137)

If you back up regularly (and if you don't, what the hell are you thinking -- hard drives last forever?) then this is a non-issue. Yawn.

Re:Only an idiot doesn't backup. (1)

LukEluk (783038) | more than 6 years ago | (#23675233)

Backup's not even necessary... modern file systems will let you roll back to the previous version of a file. And I bet most users don't even care losing a file. How big is the chance that a file that you absolutely can't miss gets encrypted?

Re:Only an idiot doesn't backup. (1)

Janek Kozicki (722688) | more than 6 years ago | (#23675487)

huh? HDDs don't last forever, you can't argue with that.

What "modern file systems" are you talking about? Bundling rollback inside a filesystem is one of the stupidest things that could be done to fs. How many inodes would that eat up after a year, especially since some temporary files change hundreds of times per day? Version control software and/or backups are designed for this purpose - and are filesystem agnostic (work with whatever fs suits your needs).

Personally I like the idea of such a virus, it could become another nail to the coffin of some certain woefully insecure OS.

Re:Only an idiot doesn't backup. (2, Informative)

SanityInAnarchy (655584) | more than 6 years ago | (#23675767)

Bundling rollback inside a filesystem is one of the stupidest things that could be done to fs.
Ok, you're right that the GP is stupid -- no filesystem a desktop user runs will have that transparent rollback. The closest might be "volume shadow copy", but I think that has to be done explicitly for every change you want to record.

But seriously, have you looked at FUSE lately? There's a filesystem for everything... And, historically, there are log-structured filesystems, which can, indeed, roll back any change that hasn't already been overwritten. That approach has nothing to do with inodes -- in fact, not all filesystems even have inodes.

A little knowledge is a dangerous thing.

Version control software and/or backups are designed for this purpose - and are filesystem agnostic (work with whatever fs suits your needs).
As a philosophy, yes, they're FS agnostic. In reality, it depends very much on which you choose. What you probably want is incremental backups -- version control is nice, too, but it's mostly to protect you from yourself.

Mod parent way the frig up! (1)

Penguinisto (415985) | more than 6 years ago | (#23675519)

Seriously - any business worth a damn is going to have backups (the ones that don't? they kinda deserve it IMHO...)

Home users have CD/DVD-R's, external disk backups, stuff stashed across multiple machines, System Restore, Time Machine (wait... OSX isn't affected by this, ne'ermind), things of that nature.

I suspect the script kiddies know this as well, since only someone who would fall for such a scheme would not have their vital files backed-up somewhere... even if it's stashed on another box somewhere in the house.

/P

This is why backups are good (1)

Drinking Bleach (975757) | more than 6 years ago | (#23675145)

The virus can't encrypt the files stored on a DVD-R :)

Although since I use Linux, I'm still too lazy/dumb to follow the backup advice (and trust me, I've been hit badly before simply for having no recent backups, no lectures needed).

Re:This is why backups are good (2, Insightful)

rickb928 (945187) | more than 6 years ago | (#23675381)

This will probably be seen as flamebait, but using Linux makes you no more or less susceptible to data loss. Only the time and expense of recovery differs.

And not as much as it would seem.

ps - this is why I have three copies of everything important to me and my wife, in two different locations, rarely more than 2 days out. She doesn't question me about this for a few weeks after she asks "Honey, I can't find........". She still doesn't understand about 12 years of email archives... Go figure.

Re:This is why backups are good (2, Informative)

Penguinisto (415985) | more than 6 years ago | (#23675617)

Not 100% sure... In theory you're correct (that is, no OS is 100% safe from such a thing), but in practice, it would be almost trivial to defend against. It wouldn't take much to rig a partition full of vital stuff as read-only, then carefully going over any data you want backed up to it once a week or so (remount it read-write for long enough to do the backup, then remount it back to read-only. No sweat. You still have that window of opportunity, but you'll likely find out that your non-protected data got horked long before you open your archives to back things up to 'em).

Also, this is one of the benefits of a journaling filesystem (or in OSX, "Time Machine"), among other things. Roll it back, and *poof* - no more encrypted files.

/P

Re:This is why backups are good (0)

Anonymous Coward | more than 6 years ago | (#23675803)

But it can overwrite stuff backed up on external drives when you cannot afford more than one copy of your data.
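A script along the lines of Penguinisto's read-only vault and the overwrite worry in the reply above, added here as an example (not from any commenter): it refuses to run the backup when the source tree already shows the ._CRYPT renames or the !_READ_ME_!.txt note from the story, and keeps the vault writable only for the copy. The mount point, source path and the MOUNT/RSYNC command hooks are assumptions.

```shell
#!/bin/sh
# Added example: one-way backup into a partition that normally stays read-only.
# Assumptions (not from the thread): vault mounted at $BACKUP_MNT, data in $SRC,
# and MOUNT/RSYNC hooks so the real commands can be swapped out for a dry run.
BACKUP_MNT="${BACKUP_MNT:-/mnt/vault}"
SRC="${SRC:-$HOME/important}"
MOUNT="${MOUNT:-mount}"
RSYNC="${RSYNC:-rsync}"

# Return 0 when the tree carries the Gpcode.ak markers named in the story:
# a file renamed to *._CRYPT or the !_READ_ME_!.txt ransom note.
looks_encrypted() {
    find "$1" \( -name '*._CRYPT' -o -name '!_READ_ME_!.txt' \) -print 2>/dev/null \
        | grep -q .
}

# Sync $1 into the vault at $2. The vault is writable only between the two remounts,
# which is the "window of opportunity" the comment above mentions.
# Exit codes: 0 ok, 2 refused (source looks hit), 3 remount failed, else rsync's code.
backup_to_readonly() {
    src="$1"; mnt="$2"
    if looks_encrypted "$src"; then
        echo "refusing: $src contains ._CRYPT files or a ransom note" >&2
        return 2
    fi
    "$MOUNT" -o remount,rw "$mnt" || return 3
    # No --delete on purpose: if an encrypted copy ever slips through the guard,
    # the plaintext originals already in the vault are not removed to mirror it.
    "$RSYNC" -a "$src"/ "$mnt"/
    rc=$?
    # Always go back to read-only, even if rsync failed part way.
    "$MOUNT" -o remount,ro "$mnt" || return 3
    return $rc
}

# Run for real only when invoked as: sh backup.sh --run
if [ "${1:-}" = "--run" ]; then
    backup_to_readonly "$SRC" "$BACKUP_MNT"
fi
```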

!_READ_ME_!.txt (0)

Anonymous Coward | more than 6 years ago | (#23675149)

Give us one million dollars or you never see C:\WINDOWS\system32\sol.exe again!!!

Re:!_READ_ME_!.txt (0, Offtopic)

Jor-Al (1298017) | more than 6 years ago | (#23675181)

[darth vader voice]nnnnnnnnnnnnnnnNNNNNNNNNNNNNNNNNNNNNNNO OOOOOOOOOOOOOOOOOOOOooooooooooooooooooooooooo[/darth vader voice]

All your dataz (5, Funny)

Anonymous Coward | more than 6 years ago | (#23675153)

Joe User: Someone set us up the encryption. We get no data. Readme file turn on.
Jack Hacker: How are you gentlemen? All your data are belong to us.

Re:All your dataz (-1, Offtopic)

TCP-mHz (606294) | more than 6 years ago | (#23675463)

I wish I had mod points right now.

Gonna be ok (4, Funny)

Joebert (946227) | more than 6 years ago | (#23675365)

I'm not going to worry about this.
I'm sure the fine folks of our Government are watching everything that happens on my computer & will promptly decrypt my files for me using their built-in back doors.

I got infected by this virus (5, Funny)

Anonymous Coward | more than 6 years ago | (#23675367)

My computer was infected by this virus... luckily all my files were already encrypted so all it did was make plain-text versions of everything and leave me a file asking for a donation

I know who is behind this scam.... (1, Funny)

zappepcs (820751) | more than 6 years ago | (#23675393)

Maybe it will not surprise you to know that Geek Squad is behind this scam. They will never try to collect extortion money as their real target revenue is the 65 dollar check-up fee they will get when consumers bring their computers in to find out what has gone wrong. Of course, the fee is higher if you don't have extended warranty, or if you installed your own antivirus software.

Of course I could be wrong.... but it's a thought

Bravo (1)

iamacat (583406) | more than 6 years ago | (#23675399)

Viruses up to date have been using conventional encryption, with the obvious problem that the key is found in the virus. If only general population improves their computer literacy in proportion to malware writers, headlines such as this one will become the thing of the past.

I am however disappointed that the author used only 1024 bit key length, which is no longer recognized as unconditionally secure. Hopefully he or she at least generated a secure random seed for the key pair.

Re:Bravo (1)

v1 (525388) | more than 6 years ago | (#23675537)

The key to decrypt the data does not need to be in the virus. And each person's machine could be encrypted with a different randomly generated key, transmitted to the attacker. Even if someone did eventually break the key, it would only help one victim.

Even if the key is static, I'd be counting on the fraudster to be rolling up a new key every two weeks along with the latest bugfixes and enhancements to the worm.

The large botnets are currently using signatures on their C&C traffic to prevent their botnet from being hijacked (or ordered to self-destruct, etc) and they are using high bitcount also. If there ever was a target for cracking, don't you think that would be it, and we'd truly know if mass efforts to defeat a single strong key were practical?

Cryptovirus (1)

kvezach (1199717) | more than 6 years ago | (#23675409)

This sounds like a straightforward implementation of cryptoviral extortion [cryptovirology.com]. Hopefully, the authors made some stupid mistake (like using the same key everywhere, or encrypting the data directly instead of doing it indirectly through a symmetric crypto key).

Still, the basic strategy remains viable, so the best opposing strategy would be to harden systems. Unix permissions won't help you here, since you usually have rights to write or alter permissions to stuff in your home directory. Backups would work (but only if you didn't change anything after the last backup), and so would default sandboxing/fine-grained security, or just not running suspicious apps (which amounts to a sort of "whitelist based security" where whatever not on the list gets zero privileges).

Yeah, sure, *that'll* work.. (5, Insightful)

Duncan Blackthorne (1095849) | more than 6 years ago | (#23675425)

*ransom note received composed of random letters clipped from newspaper*

"We have encrypted your illegally copied music files. Put $5000 in unmarked bills in a plain brown paper sack and mail it to: RIAA Washington, D.C. no later than midnight tonight or you'll never listen to your music again"

..but seriously, folks, this starts to sound like some sort of weird 419 scam. They're not going to decrypt your files even if you pay them, and I'll bet you a whole DOLLAR that if you're stupid enough to contact them, they accept only CREDIT CARDS as payment. Chances are that the data isn't even really encrypted, it's just plain overwritten and GONE, copied over with gobbledegook random data, and you'll just get your identity stolen on top of never getting your files back. On the other hand they think they're being really clever, I'm sure, and the ones that think they're clever are usually the ones that get caught quickly and go to jail for a long, long time.

Can't wait for the criminal trials... (1)

argent (18001) | more than 6 years ago | (#23675435)

Oh, this is going to be rich. These guys have read too much William Gibson. Unless the whole thing is a Joe-job trying to get some innocent (ish) third party in trouble, these folks are going to find it pretty damn hard to collect any money without being traced, and this is more than commonly illegal.

If they have a bagged copy of the virus (1)

earthforce_1 (454968) | more than 6 years ago | (#23675473)

They can reverse engineer it, find out how it generates the encryption keys and reverse the algorithm - and crank out a utility that does it automatically. (Assuming it doesn't just write randomized data into the _CRYPT file and sucker you into sending them $ in hope of recovering what you lost, but at least then they would know the file is unrecoverable)

Re:If they have a bagged copy of the virus (1)

ettlz (639203) | more than 6 years ago | (#23675561)

Better off trying to get hold of the attacker-supplied decryptor and then publishing the private key within it. Then again, it might just write noise.

Major weak link--Yahoo.com e-mail address... (1)

BUL2294 (1081735) | more than 6 years ago | (#23675475)

If you look at the screen prints from the article, the stupid author decided to use a "@yahoo.com" e-mail address. Call me crazy but Yahoo is probably already monitoring that e-mail box after the AV vendors let them know--long before any $$$ changes hands.

Unfortunately, 2 years from now, some poor soul will get bit by this... By then the Yahoo e-mail address will be long-dead, and the key might still be known only to the author...

Well that brings phase two (1)

eneville (745111) | more than 6 years ago | (#23675569)

Phase two would be paying for a botnet to do the number crunching to decrypt. It's 1024-bit, right, so with a large enough botnet that could be worked out in maybe a month - that's if every computer in the world was infected.

I've heard of companies getting their databases infected by viruses, and that's the sort of company that provides electronic transactions, so this seems like it has the potential to really screw some people over, obviously.

data ransom != blackmail (4, Informative)

Deanalator (806515) | more than 6 years ago | (#23675719)

This is data ransom, not blackmail.

Vista solution? (1)

DAldredge (2353) | more than 6 years ago | (#23675801)

Wouldn't shadow copies under Vista (Ultimate/Business) allow one to revert the changes?