We are used to the typical malware hosted in mails. They are often based on basic human instincts such as lust or greed. How often are we proposed pictures of nude artists? By the way, this could be an excellent way to decide who is believed to be the sexiest woman in the world: Measure their occurrence in the malware mails. Normally, you should only use the most attractive ones.In view of my junk mails, it seems that Angelina Jolie is leading these last weeks.

Often these mails are so rudimentary that they may be spotted even by unaware people. Often wrong spelling and weak grammar are a good signature. Nevertheless, I received an interesting one, that was better elaborated than the usual ones. It is why I looked at it rather than deleting it immediately. It was titled customs, please read. Here is the text

Good day,

We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.

Kind regards,
Frederick Shepard
Your Customs Service

Of course, the attached file was containing a Trojan named BKDR_AGENT.SHH. This Trojan is known for more than one year and detected
by anti viruses. Nevertheless, from the social engineering point of view, it was a nice piece:

• It presents itself as coming from customs. Customs are official entities, thus in theory trusted. You are always careful with customs.
• The address and the fax were supposed to be in the attached declaration form. Thus, you would have to open it, and trigger the malware.
• The email address was customs_service@bluejeanc.com.tr. Looks very official. Blue jean mail lead to believe that it is a selling site (this is not the case).

There is still one error. I am located in France. So why should a parcel sent from France need any custom clearance. Still some effort to do for the malware writers. But they progress.

Kapersky labs has given up their unrealistic tentative to guess the key used by Gpcode (see blog entry from 10th June). Their conclusion is that the best countermeasure is regular backup.

Nevertheless, thanks to a “common” mistake of the virus’s author, there may be some hope for careless users who did not backup. When encrypting the file, the virus creates a new files that it renames with the expected extension and then deletes the original file. The deletion is not secure. It is common knowledge (at least in the security community) that a simple deletion does not erase the file. It mainly erases the fields in the file system’s indexing tables. Thus, if the data are on the hard disk as long as they are not be overwritten by a new file. If there was not too much activity on the hard drive, typical recovery tools may retrieve the “deleted” files. Kapersky Labs proposes such a tool from the open source community.

No doubt that the author of the virus will add a secure deletion in the new already announced releases of Gpcode. The author claims that he will use stronger algorithm and new keys. Secure deletion is performed by overwriting every bytes of the file to delete with random data several times before removing it. Tools exist that perform such secure erasing

Two lessons:

• Backup, backup, and backup
• Developers if you want to delete a file, use a secure procedure.

The story continues.

Dving a little bit more in the available information. Gpcode is actually using RSA 1024. Kapersky labs have extracted the public keys. The virus uses two public keys depending on the version of the Operating System. The virus calls Microsoft cryptographic library.

Having the public key is useless. Kapersky labs is calling for the help of crypto community to help to crack the private key. In other words, they launch their own RSA-1024 challenge (See RSA number challenges that apply only to factorization). This is illusory. It would require too much power calculation (else it would have been decided that RSA 1024 is not anymore safe). And there are two keys to crack!!!

The only effective countermeasure against Gpcode is backup your data.

Thanks Alain for the link to the blog  :Wink:

Kapersky lab, the anti-virus editor, detected a variant of virus Gpcode. It encrypts some data files on the hard disk, renames them with extension ._CRYPT, and adds a file !_README_!.txt in the folder. Then, it displays a message announcing the encryption and giving a contact mail.

The virus claims to use RSA-1024. Thus, out of the possibility of brute force attack. Pirated person should contact the pirate, pay the ransom, and he will receive a decryption tool.

This type of attack is not new. Older virus used the same technique. More dangerously, attackers penetrated enterprise network and encrypted critical data. Later asking the ransom. This type of attack is not well advertised because enterprise look for discretion (bad reputation).

Should the victim of the virus pay?

• First of all, normally if the data are carefully daily back-up, then this attack is just painful but not lethal. Would the attack notification appear several days or weeks after infection, it may be more problematic. There are many files that you do not access daily. Some people, or SOHO do their backup on rewritable storage overwriting previous backup.
• What does guarantee that after payment, the pirate will provide the decryption tool? Would you trust your tormentor?

By teh way, does the virus really use RSA 1024? May be it just brags it and implements a lesser secure one. The advantage of using asymmetric crypto is that reverse engineering the virus will not leak the key (that may not be the case with symmetric crypto). It would be “funny” if the virus would just use a XOR with a long key, or even put random data (if the pirate does expect to extort money)