
Extortion Virus Code Cracked

Zonk posted more than 8 years ago | from the unlock-your-stuff dept.

Billosaur writes "BBC News is reporting that the password to the dreaded Archiveus virus has been discovered and is now available to anyone who needs it. Archiveus is a 'ransomware' virus, which combines files from the My Documents folder on Windows machines and exchanges them for a single, password-protected file, which it will not unlock unless a password is given. The user would normally be required to pay the extortionist money in order to receive the password, but apparently the virus writer made one small, critical error in coding: placing the password in the code. BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw."

371 comments

What relief! (4, Funny)

AltGrendel (175092) | more than 8 years ago | (#15448013)

> BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw.

I was just looking for that. Thanks!

Re:What relief! (1)

chargrilled (468628) | more than 8 years ago | (#15448045)

I can't tell if that's funny or sad!

Re:What relief! (2, Funny)

Anonymous Coward | more than 8 years ago | (#15448067)

Yeah me too. I was just trying aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagh8 and then the story appeared.

Re:What relief! (5, Funny)

Tackhead (54550) | more than 8 years ago | (#15448139)

> > BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw."
>
> I was just looking for that. Thanks!

What?! That's exactly the kind of combination a Slashdotter would use on his luggage!

Re:What relief! (-1, Redundant)

Anonymous Coward | more than 8 years ago | (#15448418)

> What?! That's exactly the kind of combination a Slashdotter would use on his luggage!

Dark Helmet: So the combination is one, two, three, four, five. (Lifts helmet) That's the stupidest combination I've ever heard in my life! That's the kinda thing an idiot would have on his luggage!
Skroob: (Walking in) What's the combination?
Sandurz: One, two, three, four, five.
Skroob: One, two, three, four, five? That's amazing! I've got the same combination on my luggage!
(Sandurz and Dark Helmet give each other a look)
Skroob: Prepare Spaceball 1 for immediate departure!
Sandurz: Yes sir.
(All three begin walking out)
Skroob: And change the combination on my luggage!

Jim

ummm (5, Interesting)

geoffspear (692508) | more than 8 years ago | (#15448016)

Odd how that "30 digit password" has 38 characters, 13 of which are digits.

Re:ummm (-1, Troll)

Anonymous Coward | more than 8 years ago | (#15448049)

Odd how you're a fucking retard.

Re:ummm (5, Funny)

honestmonkey (819408) | more than 8 years ago | (#15448131)

Maybe they meant 30 as in "any number that is greater than 29 and less than 40". You know, thirty. Thirty-ish. Mostly thirty. About thirty. Close to forty, but not quite. Good enough for government work. In Soviet Russia, YOU are 30. 30) Profit! 38 is the new 30.

Actually I didn't see any fingers or toes in the password at all.

Re:ummm (1)

Duodecimal (938540) | more than 8 years ago | (#15448200)

It's a shame that this was almost a base-13 joke. And they said no one makes base-13 jokes.

Re:ummm (1)

LunaticTippy (872397) | more than 8 years ago | (#15448304)

You mean tredecimal Duodecimal?

Re:ummm (1)

griffjon (14945) | more than 8 years ago | (#15448345)

I'm sure that when you're 38, you'll claim to be "30"

Re:ummm (1)

Pete Brubaker (35550) | more than 8 years ago | (#15448380)

Odd how you can't count either. It has 39 characters.

Wait... (5, Funny)

ImaLamer (260199) | more than 8 years ago | (#15448017)

We are all now victims of a DMCA lawsuit!

Re:Wait... (0)

Anonymous Coward | more than 8 years ago | (#15448143)

darn! you beat me to it!

My Lord what are we coming to (5, Funny)

Anonymous Coward | more than 8 years ago | (#15448025)

These days even the virus authors don't know anything about writing secure software :(

Wow! (3, Funny)

daivzhavue (176962) | more than 8 years ago | (#15448026)

That's the combination to my luggage!

Re:Wow! (4, Funny)

monkaduck (902823) | more than 8 years ago | (#15448090)

Hey, you too?

Re:Wow! (1)

creimer (824291) | more than 8 years ago | (#15448120)

Only a twit leaves the luggage combination in the front pocket. :P

Re:Wow! (5, Funny)

minusthink (218231) | more than 8 years ago | (#15448188)

You know you really should change the default on those types of things.

Obligatory Space Balls Joke (-1, Redundant)

gwayne (306174) | more than 8 years ago | (#15448232)

[King Roland has given in to Dark Helmet's threats, and is telling him the combination to the "air shield"]

Roland: One.

Dark Helmet: One.

Colonel Sandurz: One.

Roland: Two.

Dark Helmet: Two.

Colonel Sandurz: Two.

Roland: Three.

Dark Helmet: Three.

Colonel Sandurz: Three.

Roland: Four.

Dark Helmet: Four.

Colonel Sandurz: Four.

Roland: Five.

Dark Helmet: Five.

Colonel Sandurz: Five.

Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

Dark Helmet: It worked, sir. We have the combination.

President Skroob: Great. Now we can take every last breath of fresh air from planet Druidia. What's the combination?

Dark Helmet: 1 2 3 4 5.

President Skroob: 1 2 3 4 5? That's amazing! I've got the same combination on my luggage! Prepare Spaceball 1 for immediate departure!

Re:Obligatory Space Balls Joke (0)

Anonymous Coward | more than 8 years ago | (#15448355)

don't forget!
President Skroob: ... and change the combination on my luggage!

Re:Obligatory Space Balls Joke (0, Flamebait)

Anonymous Coward | more than 8 years ago | (#15448451)

Did anyone ever tell you that a joke isn't funny when you're hearing it for the 800th time? Moron.

Just wait... (5, Insightful)

hanssprudel (323035) | more than 8 years ago | (#15448039)


Next time it will be a virus writer who knows about public key cryptography, and then you'll just have to pony up the dough... (or you could stop getting your computer infected with malware in the first place.)

Re:Just wait... (0)

Surt (22457) | more than 8 years ago | (#15448118)

Public key cryptography does not work against a man in the middle attack. When the files are being encrypted by software running on your computer, such a virus is inevitably vulnerable. To overcome this flaw, the virus writer would have to send the files to a pre-known IP address for off-site encryption (which among other problems would probably be a pretty noticeable activity). Doing so would presumably also expose the author to risk that the computer in question (and presumably he himself) could be seized.

Wrong (5, Informative)

Anonymous Coward | more than 8 years ago | (#15448171)

You're wrong. You can cypher it with the public key and it can't be recovered without the private key, which is safe at his computer.

Re:Just wait... (3, Interesting)

mrchaotica (681592) | more than 8 years ago | (#15448206)

> When the files are being encrypted by software running on your computer, such a virus is inevitably vulnerable.
Unless it uses the Trusted Platform Module on new computers to do the encryption for it!

Re:Just wait... (1, Insightful)

cperciva (102828) | more than 8 years ago | (#15448213)

> When the files are being encrypted by software running on your computer, such a virus is inevitably vulnerable. To overcome this flaw, the virus writer would have to send the files to a pre-known IP address for off-site encryption...

No.

Re:Just wait... (1)

packetmon (977047) | more than 8 years ago | (#15448216)

I would think "exposure" is not a factor considering the author is demanding a ransom which can just as easily be tracked. As to your comment on PKC, what's to stop the next version from self-installing GNUPG locally and creating a key in similar fashion?

Re:Just wait... (5, Informative)

swillden (191260) | more than 8 years ago | (#15448230)

> Public key cryptography does not work against a man in the middle attack.

True, in general, though precautions can be taken. I fail to see how a MITM attack is even relevant here, though.

> When the files are being encrypted by software running on your computer, such a virus is inevitably vulnerable.

Why? Virus contains public key, generates random session key (ideally in memory-locked pages that cannot be swapped out), encrypts all your data with session key, encrypts session key with public key, writes encrypted session key to a file, wipes session key from memory, then shuts down.

Assuming you don't notice the virus before all of this happens, you're toast unless you can get a copy of the private key.

> To overcome this flaw, the virus writer would have to send the files to a pre-known IP address for off-site encryption (which among other problems would probably be a pretty noticeable activity). Doing so would presumably also expose the author to risk that the computer in question (and presumably he himself) could be seized.

Did you mean decryption? If so, yes, the writer would have to have you ship your session key file to him so he could decrypt it and give you your unique decryption key. I don't think that activity is nearly as risky to the writer as trying to figure out how to collect the money, though. Following money trails is something the world's law enforcement agencies are very good at.

Re:Just wait... (2, Insightful)

BeBoxer (14448) | more than 8 years ago | (#15448307)

> Following money trails is something the world's law enforcement agencies are very good at.

Yeah, I used to think that. But the fact that I get hundreds of emails every day from people hawking either pirated software or counterfeit/illegal pills has convinced me otherwise.

Re:Just wait... (1)

swillden (191260) | more than 8 years ago | (#15448367)

> Yeah, I used to think that. But the fact that I get hundreds of emails every day from people hawking either pirated software or counterfeit/illegal pills has convinced me otherwise.

The fact that LE is good at following money doesn't mean they're actually interested in doing it in the cases you care about.

I once reported a guy who was selling hundreds of pirated movies on ebay to the FBI. They basically told me that they didn't care. Not in so many words, but it was clear they weren't going to do anything.

Follow this money trail: (1)

Opportunist (166417) | more than 8 years ago | (#15448442)

Scammer hires people with the prospect of letting them have some of the money to transfer. Of course not under the premise that it's laundering. They'll claim that they're some international company and need a money representative in the country.

Their "job" would be to have money transferred to their account and then send it via Western Union.

Now follow it if you can. Yes, you'll get the guy who has been hired (or conned, your choice) to have his account used in the laundering. But you won't catch the actual person you want to get.

Re:Just wait... (1)

XMyth (266414) | more than 8 years ago | (#15448239)

Why exactly couldn't the virus writer's public key be used to encrypt the files? Then he/she provides payers with his private key to decrypt them. How is that "inevitably vulnerable" ?

Or, a more sensible method would be to:

- Infect PC
- Generate a random password, P
- Encrypt files with P
- Encrypt P with public key, I, resulting in V, the ciphertext version of the randomly generated password
- Victim must provide V to the virus writer, who decrypts V with his private key, which results in P

Re:Just wait... (5, Interesting)

TikiTDO (759782) | more than 8 years ago | (#15448348)

You are absolutely wrong. PKI was designed with the purpose of preventing man-in-the-middle attacks. The virus writer would include the public key in the virus with an associated encryption algorithm. The problem arose with decryption. In order to decrypt a file you would need an associated private key. Now if this key is available inside the virus it would be just as easy to find as the password within the article.

In fact the whole idea of cryptography revolves around the encryption algorithm telling you nothing about a method to decrypt the data it encrypts (At least without a certain key). These are called trapdoor one-way functions.

The most realistic way I can think of writing such a virus would be to provide an encryption algo in the virus and then provide a decryption program when the intended victim has paid you the money. Now aren't you glad I'm not writing viruses?

Re:Just wait... (5, Insightful)

Beryllium Sphere(tm) (193358) | more than 8 years ago | (#15448128)

>(or you could stop getting your computer infected with malware in the first place.)

Backing up your data would also work.

Notice how much this virus is like a proprietary file format? You can't get at your own data without paying for a license to the proprietary reader.

Wow... (5, Funny)

beheaderaswp (549877) | more than 8 years ago | (#15448046)

Hmm...

It also works for new Windows XP Professional installs.

Strange.

MOD PARENT DOWN (0, Troll)

joeyspqr (629639) | more than 8 years ago | (#15448160)

-1 "WHERE YOU BEEN?"

he's just realized that Windows is the front end of a racket?

[full disclosure - posted from a cube on an XP install running Office+Publisher+Visio+Project]
[[will testify after placement in witness protection]]

umm... (2, Funny)

Anonymous Coward | more than 8 years ago | (#15448058)

seriously my next guess

News That's Old, Stuff that's Stale (5, Informative)

lbmouse (473316) | more than 8 years ago | (#15448063)

Hasn't this been around for a while? According to this page [symantec.com], the password has been known for at least a month.

Re:News That's Old, Stuff that's Stale (-1, Flamebait)

Nate Fox (1271) | more than 8 years ago | (#15448254)

> Hasn't this been around for a while? According to this page, the password has been known for at least a month.

You're new to slashdot, aren't you? Don't worry, they'll rerun the breaking story of the wheel being invented later today.

Thank the editors (0)

Anonymous Coward | more than 8 years ago | (#15448272)

And probably /. readers have been posting this for about a month, and getting it rejected by the wonderful /. editors.

BTW (0, Troll)

linvir (970218) | more than 8 years ago | (#15448064)

> BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw.
Very informative, but a txt abbreviation in the article summary brings us one step closer to the editorial quality of Digg. It should have been modified, or even better, cut.

It's not even "by the way" at all. It follows directly from the previous sentence, and is perfectly ontopic. Get your act together.

Re:BTW (1)

Cheapy (809643) | more than 8 years ago | (#15448126)

How odd, I didn't even notice that until you pointed it out. I knew that it said "by the way", but I didn't see the "BTW".

Re:BTW (1)

eggsurplus (631231) | more than 8 years ago | (#15448140)

If they got their act together you wouldn't have anything to complain about and then life would be boring. BTW - thanks for making my life not boring today.

Re:BTW (1)

linvir (970218) | more than 8 years ago | (#15448278)

So the moderators thought that that was a Troll... How about I demonstrate just how Underrated I am by actually producing an improved version instead:
The user would normally be required to pay the extortionist money in order to receive the password, but apparently the virus writer made one small, critical error in coding: placing the password - mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw - in the code.

hold on... (4, Insightful)

joe 155 (937621) | more than 8 years ago | (#15448065)

you mean that when they pay up the people actually let them get their files back? you would think any criminal would just delete them, say that they would give them back and then just take off with the money; they are already breaking the law, what's another one added to that? I wonder if this will now work like it should in the perfect open source community though, a bug is found, someone patches it, the new stuff is available within the day, maybe even better than before?

Re:hold on... (1)

linvir (970218) | more than 8 years ago | (#15448088)

That's a very short term source of money. It'd save a lot of work writing software, but after a few BBC stories on spammers deleting files and pretending to offer them back for $whatever, it'd dry up pretty fast.

Re:hold on... (4, Insightful)

venicebeach (702856) | more than 8 years ago | (#15448109)

> you mean that when they pay up the people actually let them get their files back? you would think any criminal would just delete them, say that they would give them back and then just take off with the money; they are already breaking the law, what's another one added to that

If you don't give the files back you remove the incentive for other infected users to pay up.

Re:hold on... (1)

MrSquirrel (976630) | more than 8 years ago | (#15448173)

Because then they would feel bad about lying and wouldn't be able to sleep at night. Just because they're HUGE MISLEADING BAGS 'O DOUCHE doesn't mean they don't care. Honest.

Whoops ! (0)

Anonymous Coward | more than 8 years ago | (#15448071)

> apparently the virus writer made one small, critical error in coding: placing the password in the code

Well, now they won't make that mistake again.
Sometimes, leaving something out [like how they screwed up] may make the rest of us a little safer.

And Changing... (0)

Nom du Keyboard (633989) | more than 8 years ago | (#15448078)

And changing the virus's password is how hard again?

Re:And Changing... (1)

linvir (970218) | more than 8 years ago | (#15448122)

If the distributors simply change the string in the source code and recompile in response, someone will produce a program that extracts the password from the binary.

But rewriting the encryption wouldn't be too hard either, and a lot harder to counter.

strings? (3, Funny)

blinder (153117) | more than 8 years ago | (#15448087)

heh, is this strings to the rescue?

one of the best programs evar :)
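linvir's prediction above (someone will write a program that pulls the password out of the binary) and blinder's `strings` quip describe the same analysis step. The Go program below is an added example and not code from the story, from the BBC, or from any commenter: it applies the strings(1) heuristic to a constructed byte buffer that stands in for a compiled binary, then runs a triage filter of the kind an analyst uses to spot embedded key material. The buffer layout is invented; the only real value in it is the password quoted in the summary.

```go
package main

import "fmt"

// The password quoted in the story; the only real value in this example.
const HardcodedPassword = "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw"

// SampleBinary builds a constructed stand-in for a compiled executable:
// a few header-like bytes, a UI string, and the key embedded as a plain
// NUL-terminated string. It is not the real virus.
func SampleBinary() []byte {
	var b []byte
	b = append(b, 0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00) // "MZ" plus junk
	b = append(b, []byte("Enter password:")...)
	b = append(b, 0x00, 0x01, 0xff, 0x7f, 0x02)
	b = append(b, []byte(HardcodedPassword)...)
	b = append(b, 0x00, 0x00, 0x55, 0x8b, 0xec)
	return b
}

func isPrintable(c byte) bool { return c >= 0x20 && c <= 0x7e }

// ExtractStrings applies the strings(1) heuristic: every run of at least
// minLen printable ASCII bytes, cut at the first non-printable byte.
func ExtractStrings(data []byte, minLen int) []string {
	var out []string
	start := -1
	for i, c := range data {
		switch {
		case isPrintable(c) && start < 0:
			start = i
		case !isPrintable(c) && start >= 0:
			if i-start >= minLen {
				out = append(out, string(data[start:i]))
			}
			start = -1
		}
	}
	if start >= 0 && len(data)-start >= minLen {
		out = append(out, string(data[start:]))
	}
	return out
}

// LooksLikeKey is a triage filter: long, no whitespace or punctuation,
// and a mix of letters and digits. It flags candidates for a human to
// look at; it proves nothing on its own.
func LooksLikeKey(s string) bool {
	if len(s) < 16 {
		return false
	}
	letters, digits := 0, 0
	for _, c := range s {
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z':
			letters++
		case c >= '0' && c <= '9':
			digits++
		default:
			return false
		}
	}
	return letters > 0 && digits > 0
}

// FindCandidateSecrets runs both stages over a binary image.
func FindCandidateSecrets(data []byte) []string {
	var hits []string
	for _, s := range ExtractStrings(data, 4) {
		if LooksLikeKey(s) {
			hits = append(hits, s)
		}
	}
	return hits
}

func main() {
	bin := SampleBinary()
	fmt.Println("all strings:", ExtractStrings(bin, 4))
	fmt.Println("candidate secrets:", FindCandidateSecrets(bin))
}
```

The point for defenders is the one the thread makes: any secret that has to be present in the binary for it to work is recoverable with this much effort, which is why the later comments move on to schemes where the binary holds only a public key.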

Consider this a warning (4, Insightful)

Anonymous Coward | more than 8 years ago | (#15448095)

If you are still betting on antivirus companies to keep you safe, you should consider this a warning. There is no technical reason why the password should be recoverable. Had the author used strong public key cryptography instead of a symmetric cypher, there would be no way to get the key without the help of the virus author. The only way to be safe is to not get infected and that means you have to use your brain.

Re:Consider this a warning (2, Interesting)

Sir_Lewk (967686) | more than 8 years ago | (#15448450)

Which is why I just laugh when new viruses come out, it's only the idiots that will be infected (generally speaking). So long as you use your brain, you're fine. If you somehow fail to use your brain then you deserve to lose your files. I in no way condone the actions of virus writers, but I don't lose sleep about it, and view the people who manage to contract the things as just as bad (though in a different sense).

If it's the same password... (5, Insightful)

Nom du Keyboard (633989) | more than 8 years ago | (#15448099)

If it's the same password for every infection, wouldn't it be likely that the first victim who actually paid for it would then release it to the wild to screw-over the extortionist ASAP?

Re:If it's the same password... (1)

Spad (470073) | more than 8 years ago | (#15448161)

Only if they *knew* that the password is the same for everyone, which they didn't - until now.

From the TFA (5, Insightful)

BaltikaTroika (809862) | more than 8 years ago | (#15448111)

The most interesting part of TFA: "Victims are only told the password if they buy drugs from one of three online pharmacies."

Are online pharmacies so unregulated that criminals can extort people as a means for advertising?

Wow.

Re:From the TFA (3, Insightful)

geoffspear (692508) | more than 8 years ago | (#15448178)

If they can get away with illegally selling prescription drugs without a prescription and sending out billions of emails advertising the fact (as well as hacking PCs to use as zombies to send out said emails), they can probably get away with a little extortion on top of it.

Re:From the TFA (1)

jfengel (409917) | more than 8 years ago | (#15448310)

Or at least pretending to sell prescription drugs on the Internet. I can't imagine that any of them actually send out the illegal pharmaceuticals. It's not like they're expecting to maintain a long-term relationship with you.

Maybe I'm wrong. Has anybody ever actually gotten meds from one of these guys?

Re:From the TFA (1)

MrSquirrel (976630) | more than 8 years ago | (#15448365)

YESYESYES I DO I get my ADHD meds from these sites and they ship it so faaaaaaaaaassssst weeeeeeeeeeeee... and for some reason I don't get all depresssssed like when I'm on my regular meds weeeeeeeeeee yay!!!!!01!10!11!!100!!!101!!!110!!111!!!1000!!! weee, counting in binary weeeeee!! weeeeee!!! *dies*

Re:From the TFA (0)

Anonymous Coward | more than 8 years ago | (#15448433)

erm, yes, sure. you see, I *had* to buy all those penis enlargement pills or they wouldn't let me have access to my files. I mean, it was that or the hair loss stuff and we all know that just doesn't work. :-)

Erm call me stupid but . . . (1)

OverlordQ (264228) | more than 8 years ago | (#15448112)

> placing the password in the code

How else are you supposed to do it? Or did TFA mean that it was stored in plaintext in the code?

Re:Erm call me stupid but . . . (1)

Amouth (879122) | more than 8 years ago | (#15448159)

you could always do it as a math function.. where you process the inputted text to see if it is valid.. the trick is that most people just use known functions or aren't good at creating them

Re:Erm call me stupid but . . . (1)

cperciva (102828) | more than 8 years ago | (#15448169)

A more intelligent (or crypto-knowledgeable) virus author would have generated a symmetric key at encryption-time, and then encrypted that key using a public (e.g., RSA) key stored in the binary. The extortion would then work by selling access to the RSA-decryption oracle.

Fortunately, most black hats are stupid.

Re:Erm call me stupid but . . . (1)

Spad (470073) | more than 8 years ago | (#15448179)

By randomly generating the key at runtime and then sending it back to the virus author?

Re:Erm call me stupid but . . . (1)

LnxAddct (679316) | more than 8 years ago | (#15448187)

I believe the password wasn't hashed or anything, it is a rookie mistake.

Re:Erm call me stupid but . . . (0)

Anonymous Coward | more than 8 years ago | (#15448189)

There exist functions that no one knows how to invert. So you store f(password) precomputed in the code. The code would look like "if (f(guess) == f_password)..."

Re:Erm call me stupid but . . . (1)

tiptone (729456) | more than 8 years ago | (#15448208)

Store an md5 hash of the password, then hash the input and compare it to the stored hash. No visible password or easy method to reverse the hash to get the password.

Re:Erm call me stupid but . . . (1)

suv4x4 (956391) | more than 8 years ago | (#15448233)

> Store an md5 hash of the password, then hash the input and compare it to the stored hash. No visible password or easy method to reverse the hash to get the password.

Yea... NOONE gets the password this way, even the extortionist. That's quite some plan there, tiptone.. :)

Re:Erm call me stupid but . . . (1)

znaps (470170) | more than 8 years ago | (#15448294)

Err, the extortionist has the plain text password all along, in his head. He MD5s it and places that in the code, which also does an MD5 hash of what the user enters, and compares the two.

Not rocket science.

Re:Erm call me stupid but . . . (1)

XMyth (266414) | more than 8 years ago | (#15448306)

Heh....how exactly does the virus encrypt the files using this password it doesn't know?

The answer to this problem is public key crypto...not hashing the password.

Re:Erm call me stupid but . . . (1)

tiptone (729456) | more than 8 years ago | (#15448302)

You clearly didn't get it, go back and read again, the big hint comes here:

> Store an md5 hash of the password...

You see how the extortionist already had the password and used it to get the md5 hash? Actually that is some plan, and also how most username/password schemes work. No need to keep the password around and no way to get the password from the hash (recently discovered collisions aside).

Re:Erm call me stupid but . . . (1)

suv4x4 (956391) | more than 8 years ago | (#15448399)

> You clearly didn't get it, go back and read again, the big hint comes here:
>
> Store an md5 hash of the password...

Oh I get it pretty well, but what you're missing is the context. We're talking not a login scheme of a remote server, but encrypting a file locally with a cryptographic key.

If you don't have key, you have nothing to encrypt it with. The program may try to request a login, but you can close it and seek the file with the actual data and parse it directly since it's not encrypted.

And if it's encrypted, you can't encrypt data with a password using just its md5 hash. Or if you would use the hash itself.. then there's no point in hashing it at all.

Re:Erm call me stupid but . . . (0)

Anonymous Coward | more than 8 years ago | (#15448323)

Just a wild observation there buddy, but mightn't the extortionist already know the password? Why would he need to get it from the virus?

Re:Erm call me stupid but . . . (1)

suv4x4 (956391) | more than 8 years ago | (#15448416)

> Just a wild observation there buddy, but mightn't the extortionist already know the password? Why would he need to get it from the virus?

Because, "buddy", the weakness we're discussing is that the password used is in the code and the same on all machines.

If it's randomly generated for each machine, the extortionist no longer knows the password. If it's not, then it's easy to break by analyzing the code, like it happened.

Re:Erm call me stupid but . . . (1)

LunaticTippy (872397) | more than 8 years ago | (#15448374)

GP was suggesting a less-lame way to hardcode a password. The extortionist knows the password, having hardcoded it. The password isn't sitting in the binary easily read. Still vulnerable to posting this password on the ubernet once bought or bruteforced, which explains the better algorithms being discussed.

Re:Erm call me stupid but . . . (2, Insightful)

bill_kress (99356) | more than 8 years ago | (#15448369)

Personally, worst case I'd write a little algorithm to generate it (if I wanted a constant password that is).

More likely I'd write one that created a hashcode from the completed compression, encoded the hashcode in base64, told the user to enter it when he bought his drugs then used a second algorithm online to encode that result into a specific "key" that would only work for that one, umm, "Customer". If possible I'd write the algorithm in a custom bytecode language so that it wasn't just a straightforward decompile.

Of course, if I was going to go through all that effort I'd just write an online casino or something and steal my money the old-fashioned way.

weird (4, Interesting)

mr_tommy (619972) | more than 8 years ago | (#15448116)

Strike anyone else as odd that the BBC (et al.) ran this story big time - made the world service - on the same day that Microsoft announced their all in one security suite, that, by coincidence, protects against such viruses?

Re:weird (1)

PrescriptionWarning (932687) | more than 8 years ago | (#15448356)

oh, you mean the 50 dollar a year service that you have to pay to Microsoft in addition to the cost of their OS just to keep it free of viruses? Nah, it's just a coincidence, they've been figuring out how to make more money from everyone for a long while now, they only just now figured they could use their own vulnerabilities as a strong selling point for another product.

Profit! (3, Funny)

insanechemist (323218) | more than 8 years ago | (#15448147)

1) Write ransom virus
2) Release
3) ....
4) Profit!

Wait - that actually works I think

How effective can this really be? (0)

Anonymous Coward | more than 8 years ago | (#15448158)

Even if the virus writer had used public/private key encryption, once the key was given to one victim after the ransom was paid, the key would almost definitely be all over the net.
If he had used a different key-pair per infected user, then every time the virus was infecting a new machine it would have to contact the source to save the new key-pair and a marker to identify the machine it had just infected, to be able to associate the right key-pair with the victim. This by itself is not a great idea because the source could then be identified by the cops and action could be taken.
As far as the mode of paying the ransom is concerned I wonder which these pharmacy sites are and why action cannot be taken against them.
How can this possibly be fool-proof?

Re:How effective can this really be? (0)

Anonymous Coward | more than 8 years ago | (#15448408)

The virus does this:
- Generate random symmetric key A
- Use A to encrypt files
- Use stored public key B to encrypt A to C
- Store C along with the encrypted files
- Send extortion message asking for money and C
- Exit (removing all traces of A)

The criminal does this:
- Wait for money and C
- Use private key to decrypt C to A
- Send A to user

The user does this:
- Pay
- Send C to criminal
- Wait for A (useless to other victims)
- Use A to decrypt files

When someone does this, all decryption challenge screensavers will have something worthy of the CPU time...
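swillden's description, XMyth's list, cperciva's one-liner about an "RSA-decryption oracle" and the three lists in the comment above all describe the same hybrid (envelope) construction. The Go program below is an added example, not code from the article or from any commenter, and it works on byte strings rather than files: a random session key A protects the data, the embedded public key B wraps A into C, and A is then discarded. It shows the three properties the thread argues over: with the private key, C unwraps back to A; an A recovered for one victim does not open another victim's envelope; and without the private key there is nothing left in the artefacts to recover, which is why the defender's answers in this thread are backups and not getting infected, not reverse engineering.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what would be left on disk after the run: the data under a
// random session key (A in the thread), and A wrapped with the embedded
// public key (B), giving C. A itself is not stored anywhere.
type Envelope struct {
	WrappedKey []byte // C = RSA-OAEP(B, A)
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM(A, data)
}

// NewKeyPair stands in for the key-holder's one-time setup; only the
// public half would ever ship inside a binary.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the "virus does this" list: generate A, encrypt the data with
// A, wrap A with B, then discard A. It takes a byte slice, not files.
func Seal(pub *rsa.PublicKey, data []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := aead.Seal(nil, nonce, data, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range sessionKey { // the only plaintext copy of A goes away
		sessionKey[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// UnwrapKey is the step only the private-key holder can perform: C -> A.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Open is the final step and needs A, not the private key. GCM's tag
// check makes a wrong A (another victim's, or a guess) fail outright.
func Open(sessionKey []byte, env *Envelope) ([]byte, error) {
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	// Two separate runs on constructed sample data, as two victims would see.
	envA, _ := Seal(&priv.PublicKey, []byte("first machine's documents"))
	envB, _ := Seal(&priv.PublicKey, []byte("second machine's documents"))

	// Only the holder of priv can turn C back into A.
	keyA, _ := UnwrapKey(priv, envA.WrappedKey)
	plain, err := Open(keyA, envA)
	fmt.Printf("own key: %q err=%v\n", plain, err)

	// A recovered for one victim is "useless to other victims".
	_, err = Open(keyA, envB)
	fmt.Println("other victim's key:", err)

	// Without priv there is nothing to attack but a 256-bit random key.
	_, err = Open(make([]byte, 32), envA)
	fmt.Println("guessed key:", err)
}
```

The same construction is how mail and backup tools encrypt to a recipient, so there is nothing exotic for an analyst to find in such a binary beyond the public key; the defensive consequences are the ones the thread already names.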

password entry (0)

Anonymous Coward | more than 8 years ago | (#15448167)

Does anyone know how I can put in this password using the archive utility built in to OS X? Oh, wait! I don't have the virus! I'm running OS X!

Thank the GPL (4, Funny)

mypalmike (454265) | more than 8 years ago | (#15448176)

The virus writers could have used a GPL-based crypt library, but realized that there would be legal issues involved, requiring them to open-source the whole virus.

Re:Thank the GPL (0)

Anonymous Coward | more than 8 years ago | (#15448435)

Don't joke, some of the bot code that is used to infect 1000's of PCs and form bot nets is GPL licenced!

Due to high oil prices... (5, Funny)

avatar4d (192234) | more than 8 years ago | (#15448191)

today's Sesame Street program has been brought to you by:

mf2lro8sw03ufvnsq034jfowr18f3cszc20vm and w

Extortionware ? (2, Funny)

ch-chuck (9622) | more than 8 years ago | (#15448207)

Wow, I can see it now. New user clicks on "check email", sees "I Love You!" and clicks on the attachment. A popup window with a gun pointing out the screen appears and the message: "Alright buddy, this is a stickup - Type your bank account password in the field below and click 'submit' or everything in My Documents gets deleted!! I'm not kidding!!! Do it NOW!!!!"

Re:Extortionware ? (1)

pxuongl (758399) | more than 8 years ago | (#15448261)

geeze... if that happens, just pull the plug on your computer, take out the hard drive, mount it in linux or something, and backup your files...

Arrest? (3, Insightful)

crossmr (957846) | more than 8 years ago | (#15448312)

Has this guy been arrested? It shouldn't have taken a genius law enforcement officer to make a payment for this and track it and then pick the guy up?

Re:Arrest? (1)

hisstory student (745582) | more than 8 years ago | (#15448389)

Exactly. Sheesh. Why wasn't this the very first comment?

DMCA Violation (1)

alcmaeon (684971) | more than 8 years ago | (#15448361)

Technically, I would say this virus is encrypted, so wouldn't broadcasting a way to "crack" the virus on slashdot be a violation of the DMCA?

Obvious problem (4, Interesting)

Sylver Dragon (445237) | more than 8 years ago | (#15448382)

There seems to be one glaring problem with the idea of ransomware:
Eventually you're gonna piss off the wrong person.
Imagine the DoD or the CIA getting hit with this. They look up the registrar of the sites you are supposed to buy the drugs from. They then go visit that registrar's main office (borders, what borders? we're the CIA, we've never paid attention to sovereignty in the past.). They politely ask the registrar to hand over all information on the person paying for the domain name (for the definition of polite which involves pointing guns at and kicking people in the head). Once they know who is paying for the web sites (credit info/check info), they visit that person and politely ask for the password to unlock the virus (same definition of polite).
If it's the DoD which gets hit, replace CIA with a Navy SEAL team.

Our Documents (2)

Skiron (735617) | more than 8 years ago | (#15448392)

I am pretty sure that 'mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw' is a registry key for 'My Documents'. It had to be encrypted for 2 reasons:

1) Only you and MS can open 'My Documents'
2) They haven't yet worked out how to really have spaces in file names lusers use. [cue: spinning hour glass]

DAMMIT! I'm screwed! (4, Funny)

martinultima (832468) | more than 8 years ago | (#15448404)

How'd that guy find out my root password!?

n00b (0)

Anonymous Coward | more than 8 years ago | (#15448407)

b3 g1ad h3 wa$n'7 l33t 0r u'd b3 p0wn3d sux0r!

Realtime Protection? (1)

presentt (863462) | more than 8 years ago | (#15448409)

Could antivirus software's realtime protection work against this virus as well?

It could stop activity such as batch file manipulations as they occur, and prompt the user whether or not (s)he wants the action to continue. It would be similar to the "Worm Activity" warning I get from McAfee when I send emails using a distribution list with a large number of people on it--McAfee AV stops the mail from sending until I explicitly allow it. Thus, the AV protection for this extortion virus could stop mass file manipulations until explicit consent is given.
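The "mass file manipulation" check proposed above, as an added example of the rate heuristic a realtime scanner could apply. This is not the thread's code and not how McAfee or any other product implements it; the log format and the sample lines are constructed. A process is flagged when it writes, deletes or renames at least `threshold` distinct files under My Documents inside a sliding window of `window` seconds; a real product would suspend the process at that point and prompt, which is left out here.

```python
"""Rate-based 'mass file manipulation' heuristic of the kind proposed above.

Added example, not from the thread and not any product's logic. The log
format and the sample lines are constructed:
    <epoch_seconds> <pid> <image> <op> <path>
"""
import collections

DESTRUCTIVE = {"WRITE", "DELETE", "RENAME"}
DOCS_PREFIX = "\\My Documents\\"

# Constructed sample: a word processor saving, then a process that rewrites
# My Documents in bulk, then an unrelated single write.
SAMPLE_LOG = r"""
1000.0 412 winword.exe WRITE C:\Documents and Settings\bob\My Documents\report.doc
1000.5 412 winword.exe WRITE C:\Documents and Settings\bob\My Documents\~report.tmp
1002.0 777 dropper.exe READ C:\Documents and Settings\bob\My Documents\a.doc
1002.1 777 dropper.exe WRITE C:\Documents and Settings\bob\My Documents\archive.bin
1002.2 777 dropper.exe DELETE C:\Documents and Settings\bob\My Documents\a.doc
1002.3 777 dropper.exe DELETE C:\Documents and Settings\bob\My Documents\b.doc
1002.4 777 dropper.exe DELETE C:\Documents and Settings\bob\My Documents\c.xls
1002.5 777 dropper.exe DELETE C:\Documents and Settings\bob\My Documents\d.jpg
1003.0 777 dropper.exe WRITE C:\Documents and Settings\bob\My Documents\archive.bin
1010.0 901 explorer.exe WRITE C:\Documents and Settings\bob\My Documents\new.txt
"""


def parse(text):
    """Split each line into (ts, pid, image, op, path); the path may contain spaces."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, image, op, path = line.split(maxsplit=4)
        events.append((float(ts), int(pid), image, op, path))
    return events


def detect(events, window=5.0, threshold=5, prefix=DOCS_PREFIX):
    """Return {pid: (image, distinct_files)} for processes that hit >= threshold
    distinct files under prefix with destructive ops within any window."""
    per_proc = collections.defaultdict(list)
    for ts, pid, image, op, path in sorted(events, key=lambda e: e[0]):
        if op in DESTRUCTIVE and prefix.lower() in path.lower():
            per_proc[(pid, image)].append((ts, path))

    alerts = {}
    for (pid, image), hits in per_proc.items():
        recent = collections.deque()
        for ts, path in hits:
            recent.append((ts, path))
            while recent and recent[0][0] < ts - window:   # slide the window
                recent.popleft()
            distinct = {p for _, p in recent}
            if len(distinct) >= threshold:
                alerts[pid] = (image, len(distinct))
                break                                       # first alert per process
    return alerts


if __name__ == "__main__":
    for pid, (image, n) in detect(parse(SAMPLE_LOG)).items():
        print(f"ALERT pid={pid} image={image}: {n} files in My Documents within 5s")
```

Counting distinct paths rather than raw events keeps a program that repeatedly rewrites one temp file (the word processor above) below the bar, while the bulk rewrite trips it on the fifth file.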

It happens a lot (1)

Chazmyrr (145612) | more than 8 years ago | (#15448412)

Using a string constant to hold an encryption key is pretty common among programmers new to encryption. It doesn't occur to them that someone is going to look at the string table and spot the key. A simple way to raise the bar is to construct the key on execution. The key can still be determined but it takes a lot more work.
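The two points in the comment above (a key in the string table is spotted at once; a key assembled at run time only raises the bar), as an added example. It is not code from the thread and not based on any analysis of the real sample: the "binary" is a constructed byte blob, the only real identifier in it is the password quoted in the story, and the run-time construction it undoes is a single-byte XOR, which is an assumed stand-in for whatever a given author would use. The scanner picks printable runs of letters and digits and ranks them by Shannon entropy, which is roughly what a reverser does with `strings` and a quick look.

```python
"""Finding a hard-coded key the way a reverser would, and why a key built at
run time is only a speed bump. Added example, not from the thread; the byte
blob is constructed and the XOR obfuscation is an assumption for illustration.
"""
import math
import re

PASSWORD = b"mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw"   # the string quoted in the story


def build_blob(secret: bytes) -> bytes:
    """A fake 'binary': header bytes, import names, a ransom note, the secret, a registry path."""
    return (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
            + b"kernel32.dll\x00CreateFileA\x00WriteFile\x00DeleteFileA\x00"
            + b"Your files have been archived. Pay to get them back.\x00"
            + secret + b"\x00"
            + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00")


def shannon_entropy(s: bytes) -> float:
    counts = {}
    for b in s:
        counts[b] = counts.get(b, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def key_candidates(blob: bytes, min_len: int = 16):
    """Printable runs that look like keys (letters and digits only, both present),
    highest entropy first. Import names and English text fail the filter."""
    found = []
    for m in re.finditer(rb"[A-Za-z0-9]{%d,}" % min_len, blob):
        s = m.group()
        if re.search(rb"[A-Za-z]", s) and re.search(rb"[0-9]", s):
            found.append((shannon_entropy(s), s))
    found.sort(reverse=True)
    return [s for _, s in found]


def xor1(data: bytes, k: int) -> bytes:
    """Single-byte XOR: the assumed 'construct the key on execution' trick."""
    return bytes(b ^ k for b in data)


def brute_force_xor(blob: bytes):
    """Undo a run-time-built key: decode under every single-byte XOR key and rescan."""
    hits = {}
    for k in range(256):
        cands = key_candidates(xor1(blob, k))
        if cands:
            hits[k] = cands
    return hits


if __name__ == "__main__":
    plain = build_blob(PASSWORD)
    print("string-table scan:", key_candidates(plain))
    obfuscated = build_blob(xor1(PASSWORD, 0xFF))
    print("after obfuscation:", key_candidates(obfuscated))
    print("brute-forced     :", {hex(k): v for k, v in brute_force_xor(obfuscated).items()
                                  if PASSWORD in v})
```

The second scan comes back empty, which is the "raises the bar" part; the third gets the password back after 256 trial decodes, which is the "can still be determined" part. A key that is genuinely not on the victim's machine (the per-victim wrapped key scheme discussed earlier in the thread) is the only variant this kind of analysis cannot undo.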

Just wondering... (1)

rez_rat (1618) | more than 8 years ago | (#15448441)

This may be a little off-topic, but,...

How many of you out there actually save your stuff in the "My Documents" folder?

I throw all my stuff out to a network share.

S-

Duh (1)

PapaPatat (978582) | more than 8 years ago | (#15448452)

Anyone used google before? Results 1 - 10 of about 76 for mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw. (0.10 seconds) Word's been out forever