Gpcode

Discussion in 'other anti-virus software' started by emperordarius, Jun 5, 2008.

Thread Status:
Not open for further replies.
  1. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Recently Kaspersky Labs added an article about Gpcode

    GPCoder.h (McAfee)
    Backdoor:Win32/Kollah.D (Microsoft)
    TSPY_KOLLAH.F (TrendMicro)
    Virus.Win32.Gpcode.ai (Kaspersky)

    (according to McAfee)

    The full article is available here
    http://www.viruslist.com/en/weblog?weblogid=208187524


    Can any antivirus successfully recover crypted files? :blink:
     
  2. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    If someone created it, someone else can break it.
     
  3. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    KL has issued an alert today about this threat, link
     
  4. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    If it's a 1024bit RSA Key, and the algorithm is properly implemented, chances are pretty slim for recovery.


    Taken from an RSA FAQ available at
    http://www.interesting-people.org/archives/interesting-people/200204/msg00109.html



    I sincerely doubt any of you has that much computing power under his hood ;) The only chance would probably be a concerted effort with government agencies (assuming they are able to break it in reasonable time with their vast computing resources, which is not that unlikely, but probably they're not too cooperative in such matters...). But I doubt that's going to happen.... or Kaspersky turns their users into the World's Biggest Distributed Computing Grid ;)
     
  5. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Kaspersky can finally utilize Kaspersky Security Network (KSN) in v2009 I guess... maybe a hidden feature :)
     
  6. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    There is a new subforum on the KL forums dedicated to stopping gpcode ;)
     
  7. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    In Russian. :D
     
  8. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Multi-language... English bits are coming soon.
     
  9. emperordarius

    emperordarius Registered Member

    Joined:
    Apr 27, 2008
    Posts:
    1,218
    Location:
    Who cares
    Of course :)
     
  10. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    English bits are there :)
    ... Don't think most users here will be able to help though (no disrespect... If anyone's offended, let's just assume I didn't include you in the "most users" category).

    I wonder how widespread this new variant is.
    Bit of a rat-and-mouse game... Kaspersky (and/or other AVs) crack the code, the author simply changes the code and we're back at square one.
    If Kaspersky manage to break into the virus instead of randomly guessing the code (as was done with previous variants), the author will simply fill in any gaps in the virus and make it even harder for AVs to break into and create a disinfection routine.

    The publicizing of AVs asking for help and/or requiring lots of time creating disinfection routines (like for Rustock.c) just makes you think about how difficult the fight against malware actually is, and it's not just about sending the malware to AVs and getting it added to detections and disinfecting it, but the R&D and knowledge required to fight malware and how hard the battle is getting; AV software is constantly getting developed and programmed to be stronger and beat more malware and prevent more infections and detect more malware, but at the same time, malware authors are also evolving and getting more and more knowledge and creating new and more stubborn or harder to detect malware infections.
    Gives a bit of a reality check on the state of the battle against malware.
     
  11. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Well it's definitely over my head, I think I'll stick to the home user section :D
     
  12. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Well, it's the same for the defenders as it is for the attackers ;)

    Anything that executes can be cracked!
     
  13. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Incorrect... Virus.Win32.Gpcode.ai was detected by Kaspersky nearly a year ago.
    This new one is Virus.Win32.Gpcode.ak; hence, the above aliases are incorrect.
     
  14. DjMaligno

    DjMaligno Hispasec/VirusTotal

    Joined:
    Feb 22, 2005
    Posts:
    63
    Location:
    Spain
    AVG, Win32.Generic.JV
    DrWeb, Trojan.Sespy.origin
    Ikarus, Virus.Win32.Gpcode.ak
    Kaspersky, Virus.Win32.Gpcode.ak
    Microsoft, Trojan:Win32/Gpcode.G
    Norman, W32/Malware
    Prevx1, Cloaked Malware
    Sophos, Troj/Gpcode-D
    Symantec, Trojan.Gpcoder.F
     
  15. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    AntiVir and avast! ?
     
  16. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    fcukdat: Wrong. That's the whole point of public/private key encryption schemes. You don't have to include the decryption key in the binary, it is completely irrelevant for encryption. Public and private keys are mathematically dependent on each other, but finding out the correlation between them is computationally expensive.

    In practice, most successful attacks will likely be aimed at insecure implementations and at the key management stages of an RSA system. This includes for example bad random number generators and things like that.

    However, if implemented correctly, breaking a 1024 bit RSA cipher is still relatively hard. Hard as in: The NSA or some other Secret Service is able to break it for sure. But certainly not someone without access to _considerable_ computing power.
    Finding the correlation (the prime used for calculating the public/private keys) for a 1024 bit key (308 decimal digits) requires around 10 million mips-years. An Intel Core2Extreme QX9770 has almost 60,000 MIPS so it would take around 166 years to break ONE key using that system, which is probably one of the fastest available for normal users today.

    Food for thought:
    -What is keeping the author of gpcode from creating a thousand variants all using different keys, so that for each user a different key has to be cracked?

    -What is keeping the author from using for example a 2048 bit key, which would require 10^14 mips-years? If you could harness the power of 10 million computers with the above specs, you could break ONE key in 200 years!

    Unless the author made a mistake, the outlook of recovering user files is pretty bleak. And then, maybe next time he'll do it right.
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    Antivir yes, avast! dunno.

    BTW, this emphasizes why backups are important, especially offline and even better on non-writable media, like DVDs.

    Mrk
     
  18. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    KL is asking cryptographers, governmental and scientific institutions, antivirus companies, and independent researchers to join in with any help they can give to cracking this key:

    http://www.viruslist.com/en/weblog?weblogid=208187528

    And I second the point about backing up your data.
     
  19. RejZoR

    RejZoR Registered Member

    Joined:
    May 31, 2004
    Posts:
    6,426
    This could technically mean if they manage to crack GPcode, they can also crack pretty much any encryption.
     
  20. FRug

    FRug Registered Member

    Joined:
    Feb 7, 2006
    Posts:
    309
    Gee, people really are jumping to conclusions in this thread...
     
  21. berng

    berng Registered Member

    Joined:
    Sep 11, 2005
    Posts:
    246
    Location:
    NJ, USA
    I don't know why that blog exists. It's not feasible to decrypt this and there's actually no point in even trying.

     
  22. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    That is not true. Depends on how it is cracked.

    The most computer intensive way is to brute force (try all the combinations). The estimates for time were given in the post above. Cracking it this way will have no significant effect on the RSA cipher, other implementations of the RSA cipher or encryption in practice. This is not happening as the virus writer can just create more key pairs.

    Instead they are probably trying to look for a mistake in the implementation in the virus. This means that all data encrypted by the virus can be broken. This has no effect on the RSA cipher, other implementations of the RSA cipher or encryption in practice.

    The only scenario where there will be some effect on cryptography is if the research finds that the RSA cipher is insecure and can be cracked more efficiently than brute forcing. This would mean that only the cryptosystems using RSA will be 'cracked'.
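An added example, not from this thread or from any vendor named in it: a toy RSA key generator in Python whose first prime comes from a badly seeded RNG, illustrating the kind of key-management mistake FRug (post 16, "bad random number generators") and jrmhng (post 22, "a mistake in the implementation") have in mind. Two keys made this way share a prime, and one gcd recovers the private key for both without factoring anything. Key sizes, seeds and the sample message are constructed for illustration only.

```python
import math
import random

E = 65537  # public exponent for the toy keys below


def random_prime(rng, lo=10_000, hi=100_000):
    """Draw an odd prime from [lo, hi) with the supplied RNG (trial division; toy sizes only)."""
    while True:
        cand = rng.randrange(lo | 1, hi, 2)
        if all(cand % d for d in range(3, math.isqrt(cand) + 1, 2)):
            return cand


def keygen(p_rng, q_rng):
    """Toy RSA key: p drawn from p_rng, q from q_rng. Returns (n, e, d)."""
    p = random_prime(p_rng)
    while True:
        q = random_prime(q_rng)
        phi = (p - 1) * (q - 1)
        if q != p and math.gcd(E, phi) == 1:
            return p * q, E, pow(E, -1, phi)


def shared_factor(n1, n2):
    """Key-audit check: two moduli with a non-trivial gcd are both factored instantly."""
    g = math.gcd(n1, n2)
    return g if 1 < g < min(n1, n2) else None


def private_exponent(n, p):
    """Rebuild d from a modulus and one known prime factor."""
    q = n // p
    return pow(E, -1, (p - 1) * (q - 1))


def demo():
    """Constructed scenario: p comes from an RNG seeded identically on every run (think a
    low-resolution clock), q from a properly seeded one. Two 'independent' keys then share
    p, and gcd(n1, n2) hands it over without any factoring effort."""
    weak_run1, weak_run2 = random.Random(1234), random.Random(1234)  # same bad seed twice
    good_run1, good_run2 = random.Random(1), random.Random(2)        # distinct good seeds
    n1, e, d1 = keygen(weak_run1, good_run1)
    n2, _, _ = keygen(weak_run2, good_run2)
    p = shared_factor(n1, n2)
    if p is None:
        return False
    m = 4242                     # sample message, smaller than n1
    c = pow(m, e, n1)            # encrypted with the public key only
    d = private_exponent(n1, p)  # private key rebuilt from the shared prime
    return d == d1 and pow(c, d, n1) == m


if __name__ == "__main__":
    print("shared-prime recovery succeeded:", demo())
```

With a properly seeded RNG for both primes the gcd is 1 and `shared_factor` returns `None`, which is the behaviour a key audit should see.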
     
  23. Dwarden

    Dwarden Registered Member

    Joined:
    Apr 11, 2003
    Posts:
    176
    Location:
    Czech Republic
    there are several problems
    like what if the private key is in fact some security / software firm key
    cracking it would mean a problem for the 'victim' company whose key was used by the GPcode author

    also if there is a flaw in gpcode which allows breaking the key, what prevents the author from just analyzing the 'break' and releasing e.g. a 2048bit key?

    at a certain point the only solutions become just to lose the data or pay the ransom price
    or catch the author and torture him to release keys :argh:
     
  24. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    I'm not too sure what you mean here. Key pairs can be just generated. If the malware writer uses a company's public key to encrypt, the company can use the private key to decrypt it.

    Because the break is in the implementation. S/he will have to redesign the virus, not just generate a new key pair.

    Depends on how good the malware writer is at implementing crypto. It could well be broken.
     
  25. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    What's the logic in this statement? I can find none.
     