Extortion Virus Code Cracked 371
Billosaur writes "BBC News is reporting that the password to the dreaded Archiveus virus has been discovered and is now available to anyone who needs it. Archiveus is a 'ransomware' virus, which combines files from the My Documents folder on Windows machines and exchanges them for a single, password-protected file, which it will not unlock unless a password is given. The user would normally be required to pay the extortionist money in order to receive the password, but apparently the virus writer made one small, critical error in coding: placing the password in the code. BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw."
What relief! (Score:5, Funny)
I was just looking for that. Thanks!
Re:What relief! (Score:2, Funny)
Re:What relief! (Score:4, Funny)
I take it you were dictating?
Re:What relief! (Score:5, Funny)
>
> I was just looking for that. Thanks!
What?! That's exactly the kind of combination a Slashdotter would use on his luggage!
Re:What relief! (Score:4, Funny)
Re:What relief! (Score:5, Funny)
Note to self: change luggage combination.
Re:What relief! (Score:5, Funny)
Re:What relief! (Score:4, Interesting)
Unfortunately, you cannot use it. To do so would be to circumvent an effective access control method. That, in turn, would put you in violation of the DMCA.
I'm not joking. I'm serious. You are breaking the law if you use this code without having gotten it from the virus writer. Draw your own conclusion about the DMCA from that.
I'm not a lawyer. This is not legal advice.
ummm (Score:5, Interesting)
Re:ummm (Score:5, Funny)
Actually I didn't see any fingers or toes in the password at all.
count again; it's 30 (Score:5, Funny)
Re:ummm (Score:2)
Re:ummm (Score:5, Funny)
Re:ummm (Score:2)
Re:ummm (Score:4, Funny)
You called?
Base 13 Jokes (Score:5, Funny)
"What do you get when you multiply six by nine?" "Forty-two".
Work it out in base 13.
Re:Base 13 Jokes (Score:3, Informative)
More info:
http://en.wikipedia.org/wiki/Base_13 [wikipedia.org]
Funny base joke (Score:5, Funny)
Re:Funny base joke (Score:3, Funny)
Now I understand what all the Americans are _really_ giving thanks for
Re:Base 13 Jokes (Score:5, Interesting)
Re:Base 13 Jokes (Score:3, Funny)
Re:ummm (Score:2, Funny)
Wait... (Score:5, Funny)
My Lord what are we coming to (Score:5, Funny)
Wow! (Score:3, Funny)
Re:Wow! (Score:4, Funny)
Re:Wow! (Score:2)
Re:Wow! (Score:5, Funny)
Re:Wow! (Score:3, Funny)
Just wait... (Score:5, Insightful)
Next time it will be a virus writer who knows about public key cryptography, and then you'll just have to pony up the dough... (or you could stop getting your computer infected with malware in the first place.)
Re:Just wait... (Score:5, Insightful)
Backing up your data would also work.
Notice how much this virus is like a proprietary file format? You can't get at your own data without paying for a license to the proprietary reader.
Re:Just wait... (Score:3, Funny)
(Mod me down to hide my post if you think I'm giving virus writers too many ideas.)
Actually, the author is even more stupid (Score:3, Insightful)
Wrong (Score:5, Informative)
Re:Wrong (Score:3, Interesting)
First up, a man-in-the-middle attack requires someone spotting the virus on its way to your computer and rewriting the public key parts. So, not really an issue here. Mostly, the poster appears to be confused with using public keys for verifying identity.
Problem is, however, that the same private key would unlock all ransomed files. The virus actually needs to be able to get a new public key for each computer it infects, which means having a remote site accessible for it to regist
Re:Wrong (Score:3, Insightful)
No it doesn't. You've got the idea right, but your version is a bit more complicated than it needs to be.
Look at real-world implementations of public-key encryption systems. [I know PGPDisk does this. I don't know if PGP does it for other, smaller things. Almost all the encrypted network protocols I've studied do this too.]
Re:Wrong (Score:3, Insightful)
Easily avoided:
Re:Just wait... (Score:4, Interesting)
Re:Just wait... (Score:2, Insightful)
No.
Re:Just wait... (Score:2)
Re:Just wait... (Score:5, Informative)
Public key cryptography does not work against a man in the middle attack.
True, in general, though precautions can be taken. I fail to see how a MITM attack is even relevant here, though.
When the files are being encrypted by software running on your computer, such a virus is inevitably vulnerable.
Why? Virus contains public key, generates random session key (ideally in memory-locked pages that cannot be swapped out), encrypts all your data with session key, encrypts session key with public key, writes encrypted session key to a file, wipes session key from memory, then shuts down.
Assuming you don't notice the virus before all of this happens, you're toast unless you can get a copy of the private key.
To overcome this flaw, the virus writer would have to send the files to a pre-known IP address for off-site encryption (which among other problems would probably be a pretty noticeable activity). Doing so would presumably also expose the author to risk that the computer in question (and presumably he himself) could be seized.
Did you mean decryption? If so, yes, the writer would have to have you ship your session key file to him so he could decrypt it and give you your unique decryption key. I don't think that activity is nearly as risky to the writer as trying to figure out how to collect the money, though. Following money trails is something the world's law enforcement agencies are very good at.
Re:Just wait... (Score:3, Insightful)
Yeah, I used to think that. But the fact that I get hundreds of emails every day from people hawking either pirated software and counterfeit/illegal pills has convinced me otherwise.
Re:Just wait... (Score:2)
Yeah, I used to think that. But the fact that I get hundreds of emails every day from people hawking either pirated software and counterfeit/illegal pills has convinced me otherwise.
The fact the LE is good at following money doesn't mean they're actually interested in doing it in the cases you care about.
I once reported a guy who was selling hundreds of pirated movies on ebay to the FBI. They basically told me that they didn't care. Not in so many words, but it was clear they weren't going to do anyt
Re:Just wait... (Score:2)
Re:Just wait... (Score:5, Interesting)
As a loyal slashdot member, I had not bothered to read the article before posting. I actually did go back and read it, and you'll never guess how the ransom is paid. The victims are asked to go buy drugs at one of three online "pharmacies". Curious, eh?
Re:Just wait... (Score:4, Funny)
As a loyal slashdot member, I had not bothered to read the article before posting.
That goes without saying, good sir.
I actually did go back and read it
You what??? As an even more loyal slashdot member, I *still* have not read the article :-)
you'll never guess how the ransom is paid. The victims are asked to go buy drugs at one of three online "pharmacies". Curious, eh?
Very. So this virus is... advertising? Wow.
Follow this money trail: (Score:2)
Their "job" would be to have money transferred to their account and then send it via Western Union.
Now follow it if you can. Yes, you'll get the guy who has been hired (or con'ed, your choice) to have his account used in the laundering. But you won't catch the actual
Re:Just wait... (Score:3, Informative)
Have them send the money via Western Union under the name Boris Yeltson or some such. Western Union does not ask for ID and does not verify the identity of the person picking up the money (at least they didn't a year ago when I last paid attention to such scams). All you need is the confirmation code. They assume that if you show up at the right branch with the right string of numbers, you must be authorized. And
Re:Just wait... (Score:2)
Or, a more sensible method would be to
Infect PC
Generate a random password, P
Encrypt files with P
Encrypt P with public key, I, resulting in V the ciphertext version of the randomly generated password
Victim must provide V to the virus writer who decrypts V with his private key, which results in P
Re:Just wait... (Score:5, Interesting)
In fact the whole idea of cryptography revolves around the encryption algorithm telling you nothing about a method to decrypt the data it encrypts (At least without a certain key). These are called trapdoor one-way functions.
The most realistic way I can think of writing such a virus would be to provide an encryption algo in the virus and then provide a decryption program when the intended victim has paid you the money. Now aren't you glad I'm not writing viruses?
Wow... (Score:5, Funny)
It also works for new Windows XP Professional installs.
Strange.
umm... (Score:2, Funny)
News That's Old, Stuff that's Stale (Score:5, Informative)
Re:News That's Old, Stuff that's Stale (Score:5, Funny)
Nuff said.
hold on... (Score:5, Insightful)
Re:hold on... (Score:2)
Re:hold on... (Score:2)
Re:hold on... (Score:5, Insightful)
If you don't give the files back you remove the incentive for other infected users to pay up.
Re:hold on... (Score:4, Insightful)
Re:hold on... (Score:2)
And destroy their revenue stream? This way they can get people to pay up every time they get infected.
strings? (Score:4, Funny)
one of the best programs evar
Consider this a warning (Score:4, Insightful)
Re:Consider this a warning (Score:2, Interesting)
If it's the same password... (Score:5, Insightful)
Re:If it's the same password... (Score:2)
From the TFA (Score:5, Insightful)
Are online pharmacies so unregulated that criminals can extort people as a means for advertising?
Wow.
Re:From the TFA (Score:4, Insightful)
Re:From the TFA (Score:2)
Maybe I'm wrong. Has anybody ever actually gotten meds from one of these guys?
Erm call me stupid but . . . (Score:2)
How else are you supposed to do it? Or did TFA mean that it was stored in plaintext in the code?
Re:Erm call me stupid but . . . (Score:2)
Re:Erm call me stupid but . . . (Score:2)
Fortunately, most black hats are stupid.
Re:Erm call me stupid but . . . (Score:2)
Re:Erm call me stupid but . . . (Score:3, Insightful)
More likely I'd write one that created a hashcode from the completed compression, encoded the hashcode in base64, told the user to enter it when he bought his drugs then used a second algorithm online to encode that result into a specific "key" that would only work for that one, umm, "Customer". If possible I'd write the algorithm in a custom bytecode language so that it wasn't just a straightforwar
Re:Erm call me stupid but . . . (Score:5, Funny)
I was confused by that as well. I presume plaintext, since storing a hash and comparing a hash generated from user input seems standard practice... at least in the non-virus writing community.
Ya think the writer had a PHB leaning on him to meet deadline?
Re:Erm call me stupid but . . . (Score:2)
Yea... NOONE gets the password this way, even the extortionist. That's quite some plan there, tiptone..
Re:Erm call me stupid but . . . (Score:2)
Not rocket science.
Re:Erm call me stupid but . . . (Score:2)
The answer to this problem is public key crypto...not hashing the password.
Re:Erm call me stupid but . . . (Score:2)
Re:Erm call me stupid but . . . (Score:2)
Store an md5 hash of the password...
Oh I get it pretty well, but what you're missing is the context. We're talking not a login scheme of a remote server, but encrypting a file locally with a cryptographic key.
If you don't have a key, you have nothing to encrypt it with. The program may try to request a login, but you can close it and seek the file with the actual data and parse it directly since it's not encrypted.
And if it's encrypted
Re:Erm call me stupid but . . . (Score:3, Funny)
You have a full-blown hand-made bytecode interpreter now? Let me guess how this is gonna continue:
ME: I whip out my advanced lexical analyzer and break your bytecode into well laid out PDF specification
YOU: I point a laser gun at you, and it's loaded.
ME: Batman comes through the window to help me.
YOU: Superman
Re:Erm call me stupid but . . . (Score:2)
Because, "buddy", the weakness we're discussing is that the password used is in the code and the same on all machines.
If it's randomly generated for each machine, the extortionist no longer knows the password. If it's not, then it's easy to break by analyzing the code, like it happened.
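The "strings?" post above and this one make the same forensic point: a secret that must be present in the program, and is the same on every machine, can be read straight out of the binary. The added example below is not code from the thread or from any analysis of Archiveus itself; it mimics what the `strings` utility does (extract runs of printable ASCII) over a constructed, hypothetical byte blob, then ranks the hits with a simple entropy heuristic so that a hard-coded key stands out among ordinary strings such as import names and UI messages. The key embedded in the sample is the one quoted in the story.

```python
import math
import re

# Constructed sample "binary": filler bytes with a hard-coded key embedded,
# standing in for the Archiveus executable discussed in the thread. This is
# not a real file image; it only needs to contain the kinds of strings a
# `strings` pass would surface.
EMBEDDED_KEY = b"mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw"
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00"                 # fake executable header bytes
    + bytes(range(256)) * 2               # high-entropy filler (not alnum only)
    + b"kernel32.dll\x00"                 # import name: contains a dot
    + b"Unlock failed, buy the password\x00"  # UI message: contains spaces
    + b"\x00\x00" + EMBEDDED_KEY + b"\x00"     # the hard-coded key
    + b"C:\\Windows\\System32\x00"        # path: contains backslashes
)


def extract_strings(blob, min_len=8):
    """Mimic `strings`: return printable-ASCII runs of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def shannon_entropy(s):
    """Bits per character of a string; random-looking keys score high."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def candidate_keys(blob, min_len=16, min_entropy=3.5):
    """Rank extracted strings that look like embedded keys: long, purely
    alphanumeric, mixing letters and digits, and high entropy. Ordinary
    strings (DLL names, messages, paths) fail one of these filters."""
    scored = []
    for s in extract_strings(blob, min_len):
        if not s.isalnum():
            continue  # drops paths, messages with spaces, dotted names
        if not (any(c.isdigit() for c in s) and any(c.isalpha() for c in s)):
            continue  # a key is unlikely to be all letters or all digits
        e = shannon_entropy(s)
        if e >= min_entropy:
            scored.append((e, s))
    return [s for _, s in sorted(scored, reverse=True)]


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BINARY):
        print("string:", repr(s))
    print("candidate keys:", candidate_keys(SAMPLE_BINARY))
```

On a real sample the same approach produces false positives (base64 blobs, GUIDs without hyphens), so the ranking is a triage aid for an analyst rather than a verdict; the point of the thread stands either way, because any key the program needs on every machine is in the file for anyone to extract.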
weird (Score:5, Interesting)
Profit! (Score:3, Funny)
2) Release
3)
4) Profit!
Wait - that actually works I think
Thank the GPL (Score:5, Funny)
Due to high oil prices... (Score:4, Funny)
mf2lro8sw03ufvnsq034jfowr18f3cszc20vm and w
Extortionware ? (Score:2, Funny)
Arrest? (Score:4, Insightful)
Re:Arrest? (Score:2)
jwhois 218.93.168.80
Re:Arrest? (Score:3, Interesting)
When spammers send out e-mails they're not looking for responses, and don't particularly care if people can get back to them. They're pointing them to websites.
This guy was probably taking payment online via some online system. Depending where it's based, it's possible they could get the records and track this guy down.
Obvious problem (Score:5, Interesting)
Eventually you're gonna piss off the wrong person.
Imagine the DoD or the CIA getting hit with this. They look up the registrar of the sites you are supposed to buy the drugs from. They then go visit that registrar's main office (borders, what borders? we're the CIA, we've never paid attention to sovereignty in the past.). They politely ask the registrar to hand over all information on the person paying for the domain name (for the definition of polite which involves pointing guns at and kicking people in the head). Once they know who is paying for the web sites (credit info/check info), they visit that person and politely ask for the password to unlock the virus (same definition of polite).
If it's the DoD which gets hit, replace CIA with a Navy SEAL team.
CIA (Score:3, Funny)
Our Documents (Score:2)
1) Only you and MS can open 'My Documents'
2) They haven't yet worked out how to really have spaces in file names lusers use. [cue: spinning hour glass]
DAMMIT! I'm screwed! (Score:4, Funny)
It happens a lot (Score:2)
Drats. Time to change passwd on the server farm! (Score:5, Funny)
Um diddle diddle diddle um diddle ay
mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw!
Even though the sound of it
Is something quite atrocious
If you say it loud enough
You'll always sound precocious
mf2lro8sw03ufvnsq034jfowr18f3cszc20vm
Um diddle diddle diddle um diddle ay
Um diddle diddle diddle um diddle ay
Because I was afraid to speak
When I was just a lad
My father gave me nose a tweak
And told me I was bad
But then one day I learned a word That saved me aching nose
The biggest word I ever heard And this is how it goes:
Oh, mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw!
Even though the sound of it
Is something quite atrocious
If you say it loud enough
You'll always sound precocious
mf2lro8sw03ufvnsq034jfowr18f3cszc20vm
Big Bird chimes in (Score:3, Funny)
It's the most remarkable word I've ever seen!
mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
I wish I knew exactly what I mean!
It starts out like an M word as anyone can see,
But somewhere in the middle it gets awful 4J to me!
mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
If I ever find out just what this word can mean,
I'll be the smartest bird the world has ever seen!
All your documents are belong to us! (Score:3, Funny)
Re:And Changing... (Score:2)
But rewriting the encryption wouldn't be too hard either, and a lot harder to counter.
Re:BTW (Score:2)
Re:BTW (Score:2)