Gpcode

Recently Kaspersky Labs added an article about Gpcode

GPCoder.h (McAfee)
Backdoor:Win32/Kollah.D (Microsoft)
TSPY_KOLLAH.F (TrendMicro)
Virus.Win32.Gpcode.ai (Kaspersky)

(according to McAfee)

The full article is available here
http://www.viruslist.com/en/weblog?weblogid=208187524

Can any antivirus successfully recover crypted files?

 

if someone created someone else can brake it.

 

KL has issued an alert today about this threat, link

 

If it's a 1024bit RSA Key, and the algorithm is properly implemented, chances are pretty slim for recovery.


Taken from an RSA FAQ available at
http://www.interesting-people.org/archives/interesting-people/200204/msg00109.html

I sincerely doubt any of you has that much computing power under his hood The only chance would probably be a concerted effort with government agencies (assuming they are able to break it in reasonable time with their vast computing ressources, which is not that unlikely but probably they're not too cooperative in such matters...). But i doubt that's going to happen.... or Kaspersky turns their users into the Worlds Biggest Distributed Computing Grid

 

Kaspersky can finally utilize Kaspersky Security Network (KSN) in v2009 I guess... maybe a hidden feature

 

There is a new subforum on the KL forums dedicated to stopping gpcode

 

In russian.

 

Multi language... english bits are coming soon.

 

Of course

 

English bits are there
... Dont think most users here will be able to help though (no disrespect... If anyone's offended, lets just assume I didnt include you in the "most users" category).

I wonder how widespread this new variant is.
Bit of a rat-and-mouse game... Kaspersky (and/or other AVs) crack the code, the author simply changes the code and we're back at square one.
If Kaspersky manage to break into the virus instead of randomly guessing the code (as it done with previous variants), the author will simply fill in any gaps in the virus and make it even harder for AVs to break into and create a disinfection routine.

The publicizing of AVs asking for help and/or requiring lots of time creating disinfection routines (like for Rustock.c) just makes you think about how difficult the fight against malware actually is and its not just about sending the malware to AVs and getting it added to detections and disinfecting it, but the R&D and knowledge required to fight malware and how hard the battle is getting; AV software is constantly getting developed and programmed to be stronger and beat more malware and prevent more infections and detect more malware, but at the same time, malware authors are also evolving and getting more and more knowledge and creating new and more stubborn or harder to detect malware infections.
Gives a bit of a reality check on the state of the battle against malware.

 

Well it's definitely over my head, I think I'll stick to the home user section

 

well it the same for the defenders as it is for the attackers

Anything that executes can be cracked!

 

Incorrect... Virus.Win32.Gpcode.ai was detected by Kaspersky nearly a year ago.
This new one is Virus.Win32.Gpcode.ak; hence, the above aliases are incorrect.

 

AVG, Win32.Generic.JV
DrWeb, Trojan.Sespy.origin
Ikarus, Virus.Win32.Gpcode.ak
Kaspersky, Virus.Win32.Gpcode.ak
Microsoft, Trojan:Win32/Gpcode.G
Norman, W32/Malware
Prevx1, Cloaked Malware
Sophos, Troj/Gpcode-D
Symantec,Trojan.Gpcoder.F

 

AntiVir and avast! ?

 

fcukdat: Wrong. That's the whole point of public/private key encryption schemes. You don't have to include the decryption key in the binary, it is completely irrelevant for encryption. Public and private keys are mathematically dependant on each other, but finding out the correlation between them is computationally expensive.

In practice, most successful attacks will likely be aimed at insecure implementations and at the key management stages of an RSA system. This includes for example bad random number generators and things like that.

However, if implemented correctly, breaking a 1024 bit RSA cipher is still relatively hard. Hard as in: The NSA or some other Secret Service is able to break it for sure. But certainly not someone without access to _considerable_ computing power.
Finding the correlation (the prime used for calculating the public/private keys) for a 1024 bit key (308 decimal digits) requires around 10 million mips-years. An Intel Core2Extreme QX9770 has almost 60.000 MIPS so it would take around 166 years to break ONE key using that system, which is probably one of the fastest availble for normal users today.

Food for thought:
-What is keeping the author of gpcode to create a thousand variants all using different keys, so for each user a different key has to be cracked?

-What is keeping the author from using for example a 2048 bit key, which would require 10^14 mips-years? If you could harness the power of 10 million computers with the above specs, you could break ONE key in 200 years!

Unless the author made a mistake, the outlook of recovering user files is pretty bleak. And then, maybe next time he'll do it right.

 

Hello,

Antivir yes, avast! dunno.

BTW, this emphasizes why backups are important, especially offline and even better on non-writable media, like DVDs.

Mrk

 

KL is asking crytographers, governmental and scientific institutions, antivirus companies, and independent researchers to join in with any help they can give to cracking this key:

http://www.viruslist.com/en/weblog?weblogid=208187528

And I second the point about backing up your data.

 

This could technically mean if they manage to crack GPcode, they can also crack pretty much any encryption.

 

Gee, people really are jumping to conclusions in this thread...

 

I don't know why that blog exists. Its not feasible to decrypt this and there's actually no point in even trying.

 

That is not true. Depends on how it is cracked.

The most computer intensive way is to brute force (try all the combinations). The estimates for time was given in the post above. Cracking it this way will have no significant effect on the RSA cipher, other implementations of the RSA cipher or encryption in practice. This is not happening as the virus writer can just create more key pairs.

Instead they are probably trying to look for a mistake in the implementation in the virus. This means that all data encrypted by the virus can be broken.This has no effect on on the RSA cipher, other implementations of the RSA cipher or encryption in practice.

The only scenario where there will be some effect on cryptography is if the research finds the the RSA cipher is insecure and can be cracked more efficiently than brute forcing. This would mean that only the cryptosystems using RSA will be 'cracked'.

 

there are several problems
like what if the private key is in fact some security / software firm key
cracking it would mean problem for the 'victim' company which key was used by GPcode author

also if there is flaw in gpcode which allows break the key what prevents author just to analyze the 'break' and release e.g. 2048bit key ?

at certain point only solutions become just to loose the data or pay the ransom price
or catch the author and torture him to release keys

 

I'm not too sure what you mean here. Key pairs can be just generated. If the malware writer uses a company's public key to encrypt, the company can use the private key to decrypt it.

Because the break is in the implementation. S/he will have to redesign the virus, not just generate a new key pair.

Depends on how good the malware writer is at implementing crypto. It could well be broken.

 

What's the logic in this statement? I can find none.