Extortion Virus Code Cracked 371

Posted by Zonk
from the unlock-your-stuff dept.
Billosaur writes "BBC News is reporting that the password to the dreaded Archiveus virus has been discovered and is now available to anyone who needs it. Archiveus is a 'ransomware' virus, which combines files from the My Documents folder on Windows machines and exchanges them for a single, password-protected file, which it will not unlock unless a password is given. The user would normally be required to pay the extortionist money in order to receive the password, but apparently the virus writer made one small, critical error in coding: placing the password in the code. BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw."
  • by AltGrendel (175092) <`su.0tixe' `ta' `todhsals-ga'> on Thursday June 01, 2006 @03:48PM (#15448013) Homepage
    BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw.

    I was just looking for that. Thanks!

  • ummm (Score:5, Interesting)

    by geoffspear (692508) on Thursday June 01, 2006 @03:49PM (#15448016) Homepage
    Odd how that "30 digit password" has 38 characters, 13 of which are digits.
  • Wait... (Score:5, Funny)

    by ImaLamer (260199) <{john.lamar} {at} {gmail.com}> on Thursday June 01, 2006 @03:49PM (#15448017) Homepage Journal
    We are all now victims of a DMCA lawsuit!
  • by Anonymous Coward on Thursday June 01, 2006 @03:50PM (#15448025)
    These days even the virus authors don't know anything about writing secure software :(
  • Wow! (Score:3, Funny)

    by daivzhavue (176962) on Thursday June 01, 2006 @03:50PM (#15448026)
    That's the combination to my luggage!
  • Just wait... (Score:5, Insightful)

    by hanssprudel (323035) on Thursday June 01, 2006 @03:51PM (#15448039)

    Next time it will be a virus writer who knows about public key cryptography, and then you'll just have to pony up the dough... (or you could stop getting your computer infected with malware in the first place.)
    • Re:Just wait... (Score:5, Insightful)

      by Beryllium Sphere(tm) (193358) on Thursday June 01, 2006 @03:58PM (#15448128) Homepage Journal
      >(or you could stop getting your computer infected with malware in the first place.)

      Backing up your data would also work.

      Notice how much this virus is like a proprietary file format? You can't get at your own data without paying for a license to the proprietary reader.
    • by Ken_g6 (775014)
      Or worse, a virus writer could just use a randomized one-time pad which makes the files unrecoverable, claim he has the password, and just make off with the dough!

      (Mod me down to hide my post if you think I'm giving virus writers too many ideas.)
  • Wow... (Score:5, Funny)

    by beheaderaswp (549877) * on Thursday June 01, 2006 @03:51PM (#15448046)
    Hmm...

    It also works for new Windows XP Professional installs.

    Strange.
  • umm... (Score:2, Funny)

    by Anonymous Coward
    seriously my next guess
  • by lbmouse (473316) on Thursday June 01, 2006 @03:53PM (#15448063) Homepage
    Hasn't this been around for a while? According to this page [symantec.com], the password has been know for at least a month.
  • hold on... (Score:5, Insightful)

    by joe 155 (937621) on Thursday June 01, 2006 @03:53PM (#15448065) Journal
    you mean that when they pay up the people actually let them get their files back? you would think any criminal would just delete them, say that they would give them back and then just take off with the money; they are already breaking the law, what's another one added to that? I wonder if this will now work like it should in the perfect open source community though, a bug is found, someone patches it, the new stuff is available within the day, maybe even better than before?
    • That's a very short term source of money. It'd save a lot of work writing software, but after a few BBC stories on spammers deleting files and pretending to offer them back for $whatever, it'd dry up pretty fast.
    • Re:hold on... (Score:5, Insightful)

      by venicebeach (702856) on Thursday June 01, 2006 @03:56PM (#15448109) Homepage Journal
      you mean that when they pay up the people actually let them get their files back? you would think any criminal would just delete them, say that they would give them back and then just take off with the money; they are already breaking the law, what's another one added to that?

      If you don't give the files back you remove the incentive for other infected users to pay up.
      • Re:hold on... (Score:4, Insightful)

        by ThePyro (645161) on Thursday June 01, 2006 @05:07PM (#15448726)
        If you don't give the files back you remove the incentive for other infected users to pay up.
        But that assumes that other infected users are collaborating (how else would you hear about the deletions?). And if they were collaborating then they could just share the password (like what has just occurred in this article), and the money dries up anyway.
      you mean that when they pay up the people actually let them get their files back? you would think any criminal would just delete them, say that they would give them back and then just take off with the money; they are already breaking the law, what's another one added to that?

      And destroy their revenue stream? This way they can get people to pay up every time they get infected.

  • strings? (Score:4, Funny)

    by blinder (153117) * <blinder.daveNO@SPAMgmail.com> on Thursday June 01, 2006 @03:55PM (#15448087) Homepage Journal
    heh, is this strings to the rescue?

    one of the best programs evar :)
  • by Anonymous Coward on Thursday June 01, 2006 @03:56PM (#15448095)
    If you are still betting on antivirus companies to keep you safe, you should consider this a warning. There is no technical reason why the password should be recoverable. Had the author used strong public key cryptography instead of a symmetric cypher, there would be no way to get the key without the help of the virus author. The only way to be safe is to not get infected and that means you have to use your brain.
    • Which is why I just laugh when new viruses come out, it's only the idiots that will be infected (generally speaking). So long as you use your brain, you're fine. If you somehow fail to use your brain then you deserve to lose your files. I in no way condone the actions of virus writers, but I don't lose sleep about it, and view the people who manage to contract the things as just as bad (though in a different sense).
  • by Nom du Keyboard (633989) on Thursday June 01, 2006 @03:56PM (#15448099)
    If it's the same password for every infection, wouldn't it be likely that the first victim who actually paid for it would then release it to the wild to screw-over the extortionist ASAP?
  • From the TFA (Score:5, Insightful)

    by BaltikaTroika (809862) on Thursday June 01, 2006 @03:56PM (#15448111)
    The most interesting part of TFA: "Victims are only told the password if they buy drugs from one of three online pharmacies."

    Are online pharmacies so unregulated that criminals can extort people as a means for advertising?

    Wow.
    • Re:From the TFA (Score:4, Insightful)

      by geoffspear (692508) on Thursday June 01, 2006 @04:04PM (#15448178) Homepage
      If they can get away with illegally selling prescription drugs without a prescription and sending out billions of emails advertising the fact (as well as hacking PCs to use as zombies to send out said emails), they can probably get away with a little extortion on top of it.
      • Or at least pretending to sell prescription drugs on the Internet. I can't imagine that any of them actually send out the illegal pharmaceuticals. It's not like they're expecting to maintain a long-term relationship with you.

        Maybe I'm wrong. Has anybody ever actually gotten meds from one of these guys?
  • placing the password in the code

    How else are you supposed to do it? Or did TFA mean that it was stored in plaintext in the code?
    • you could always do it as a math function.. where you process the input text to see if it is valid.. the trick is that most people just use known functions or aren't good at creating them
    • A more intelligent (or crypto-knowledgeable) virus author would have generated a symmetric key at encryption-time, and then encrypted that key using a public (e.g., RSA) key stored in the binary. The extortion would then work by selling access to the RSA-decryption oracle.

      Fortunately, most black hats are stupid.
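The two-layer design in this comment (a fresh symmetric key per run, wrapped under an RSA public key compiled into the binary) is the same envelope encryption used by PGP and by cloud key-management services. The Go program below is an added example written for this page, not the virus's code or anything from the BBC article; it uses only the Go standard library (RSA-OAEP with SHA-256, AES-256-GCM), and the key pair and the plaintext it operates on are constructed stand-ins. It shows why the Anonymous Coward's point above about public key cryptography holds: the only key material the encrypting side carries is the public key, so there is nothing for a strings dump to find.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"io"
)

// Envelope is everything that ends up on the encrypting machine: the data
// under a fresh AES-256-GCM key, and that key wrapped with RSA-OAEP under
// a public key. Neither part is usable without the matching private key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(pub, aesKey)
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // AES-GCM(aesKey, nonce, data)
}

// newKeyPair stands in for a key pair generated and kept off the machine
// (constructed for this example; 2048 bits gives a 256-byte wrapped key).
func newKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// EmbeddedMaterial is the only key material a binary using this scheme
// has to carry: the DER-encoded public key. Dumping it with strings(1) or
// a disassembler yields nothing that decrypts.
func EmbeddedMaterial(pub *rsa.PublicKey) []byte {
	return x509.MarshalPKCS1PublicKey(pub)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal generates a one-time 256-bit key, encrypts data with it, and wraps
// the key under pub. The sealing side never holds the private key.
func Seal(pub *rsa.PublicKey, data []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, data, nil)}, nil
}

// Unwrap is the "decryption oracle" the comment describes: only the holder
// of priv can turn WrappedKey back into the per-run AES key.
func Unwrap(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
}

// Open decrypts the envelope with a recovered AES key; a wrong key fails
// GCM authentication instead of producing garbage.
func Open(key []byte, env *Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	priv, err := newKeyPair()
	if err != nil {
		panic(err)
	}
	data := []byte("constructed sample of a My Documents file") // constructed input
	env, err := Seal(&priv.PublicKey, data)
	if err != nil {
		panic(err)
	}
	fmt.Printf("binary carries %d bytes of public key; wrapped key is %d bytes\n",
		len(EmbeddedMaterial(&priv.PublicKey)), len(env.WrappedKey))
	key, err := Unwrap(priv, env)
	if err != nil {
		panic(err)
	}
	got, err := Open(key, env)
	fmt.Println("round trip with the private key:", err == nil && bytes.Equal(got, data))
}
```

EmbeddedMaterial is what an analyst pulls out of such a binary; it confirms which public key a wrapped key belongs to but cannot unwrap it, and each Unwrap answers for exactly one envelope. Against this design the working defence is the one Beryllium Sphere gives above: backups.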
    • By randomly generating the key at runtime and then sending it back to the virus author?
    • Personally, worst case I'd write a little algorithm to generate it (if I wanted a constant password that is).

      More likely I'd write one that created a hashcode from the completed compression, encoded the hashcode in base64, told the user to enter it when he bought his drugs then used a second algorithm online to encode that result into a specific "key" that would only work for that one, umm, "Customer". If possible I'd write the algorithm in a custom bytecode language so that it wasn't just a straightforwar
    • by grassy_knoll (412409) on Thursday June 01, 2006 @04:46PM (#15448524) Homepage
      How else are you supposed to do it? Or did TFA mean that it was stored in plaintext in the code?


      I was confused by that as well. I presume plaintext, since storing a hash and comparing a hash generated from user input seems standard practice... at least in the non-virus writing community.

      Ya think the writer had a PHB leaning on him to meet deadline?
  • weird (Score:5, Interesting)

    by mr_tommy (619972) * <tgraham AT gmail DOT com> on Thursday June 01, 2006 @03:57PM (#15448116) Journal
    Strike anyone else as odd that the BBC (et al.) ran this story big time - made the world service - on the same day that Microsoft announced their all in one security suite, that, by coincidence, protects against such viruses?
  • Profit! (Score:3, Funny)

    by insanechemist (323218) on Thursday June 01, 2006 @04:01PM (#15448147) Homepage
    1) Write ransom virus
    2) Release
    3) ....
    4) Profit!

    Wait - that actually works I think
  • by mypalmike (454265) on Thursday June 01, 2006 @04:04PM (#15448176) Homepage
    The virus writers could have used a GPL-based crypt library, but realized that there would be legal issues involved, requiring them to open-source the whole virus.
  • by avatar4d (192234) <avatar4d@gma i l . c om> on Thursday June 01, 2006 @04:05PM (#15448191)
    today's Sesame Street program has been brought to you by:

    mf2lro8sw03ufvnsq034jfowr18f3cszc20vm and w
  • by ch-chuck (9622)
    Wow, I can see it now. New user clicks on "check email", sees "I Love You!" and clicks on the attachment. A popup window with a gun pointing out the screen appears and the message: "Alright buddy, this is a stickup - Type your bank account password in the field below and click 'submit' or everything in My Documents gets deleted!! I'm not kidding!!! Do it NOW!!!!"

  • Arrest? (Score:4, Insightful)

    by crossmr (957846) on Thursday June 01, 2006 @04:21PM (#15448312) Journal
    Has this guy been arrested? It shouldn't have taken a genius law enforcement officer to make a payment for this and track it and then pick the guy up?
    • You're a genius. Why hasn't anyone thought of this before? OK, here's the trail for the last pharmacy spam I received. Go get him!

      jwhois 218.93.168.80
      role - Chinanet Jiangsu
      address - No.268,Hanzhong Road,Nanjing 210029
      country - CN
      phone - 86-25-6588783
      fax-no - 86-25-6588740
      e-mail - ip@jsinfo.net
      remarks - www.jsinfo.net
      notify - ip@jsinfo.net
      mnt-by - MAINT-CHINANET-JS
      source - APNIC
      • Re:Arrest? (Score:3, Interesting)

        by crossmr (957846)
        Following a payment is a lot easier than following a spam e-mail.

        When spammers send out e-mails they're not looking for responses, and don't particularly care if people can get back to them. They're pointing them to websites.

        This guy was probably taking payment online via some online system. Depending where it's based, it's possible they could get the records and track this guy down.

  • Obvious problem (Score:5, Interesting)

    by Sylver Dragon (445237) on Thursday June 01, 2006 @04:30PM (#15448382) Journal
    There seems to be one glaring problem with the idea of ransomware:
    Eventually you're gonna piss off the wrong person.
    Imagine the DoD or the CIA getting hit with this. They look up the registrar of the sites you are supposed to buy the drugs from. They then go visit that registrar's main office (borders, what borders? we're the CIA, we've never paid attention to sovereignty in the past.). They politely ask the registrar to hand over all information on the person paying for the domain name (for the definition of polite which involves pointing guns at and kicking people in the head). Once they know who is paying for the web sites (credit info/check info), they visit that person and politely ask for the password to unlock the virus (same definition of polite).
    If it's the DoD which gets hit, replace CIA with a Navy SEAL team.
    • CIA (Score:3, Funny)

      by Anonymous Coward
      The CIA won't have a problem taking down an online pharmacy or two, they really hate it when people interfere with their drug trade anyway.
  • I am pretty sure that 'mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw' is a registry key for 'My Documents'. It had to be encrypted for 2 reasons:

    1) Only you and MS can open 'My Documents'
    2) They haven't yet worked out how to really have spaces in file names lusers use. [cue: spinning hour glass]
  • by martinultima (832468) <martinultima@gmail.com> on Thursday June 01, 2006 @04:32PM (#15448404) Homepage Journal
    How'd that guy find out my root password!?
  • Using a string constant to hold an encryption key is pretty common among programmers new to encryption. It doesn't occur to them that someone is going to look at the string table and spot the key. A simple way to raise the bar is to construct the key on execution. The key can still be determined but it takes a lot more work.
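The string-table problem this comment describes, shown as an added Go example (not code from the article or from the virus): a strings(1)-style scan over a constructed byte image that stands in for the binary, the scan's result when the key is a plain constant, and what happens when the key is instead XOR-obfuscated and rebuilt on execution. The image layout, the prompt text, the path and the XOR mask are assumptions made for the example; the only real datum in it is the password the story published.

```go
package main

import "fmt"

// The password published in the article; it is used here only as the
// needle a strings-style scan is expected to turn up.
const archiveusPassword = "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw"

// extractStrings does what strings(1) does at its core: return every run
// of at least minLen printable ASCII bytes in img.
func extractStrings(img []byte, minLen int) []string {
	var out []string
	start := -1
	for i, b := range img {
		if b >= 0x20 && b <= 0x7e {
			if start < 0 {
				start = i
			}
			continue
		}
		if start >= 0 && i-start >= minLen {
			out = append(out, string(img[start:i]))
		}
		start = -1
	}
	if start >= 0 && len(img)-start >= minLen {
		out = append(out, string(img[start:]))
	}
	return out
}

// looksLikeKey is a crude triage filter: long, lowercase alphanumeric, and
// mixing letters with digits, which fits a generated password and not the
// UI text and paths that make up most of a strings dump.
func looksLikeKey(s string) bool {
	if len(s) < 24 {
		return false
	}
	letters, digits := 0, 0
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z':
			letters++
		case r >= '0' && r <= '9':
			digits++
		default:
			return false
		}
	}
	return letters > 0 && digits > 0
}

// findKeyCandidates runs the scan and the triage filter over an image.
func findKeyCandidates(img []byte) []string {
	var hits []string
	for _, s := range extractStrings(img, 4) {
		if looksLikeKey(s) {
			hits = append(hits, s)
		}
	}
	return hits
}

// buildImage is a constructed stand-in for a binary: a header, a prompt
// string, the key blob as stored, and a path, separated by non-printable
// bytes. It is not the layout of the real virus.
func buildImage(keyBlob []byte) []byte {
	img := []byte{0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00}
	img = append(img, "Enter password:"...)
	img = append(img, 0x00, 0x01, 0x02)
	img = append(img, keyBlob...)
	img = append(img, 0x00, 0xff, 0xfe)
	img = append(img, "C:\\Documents and Settings\\"...)
	return append(img, 0x00)
}

// obfuscate XORs each key byte with a rolling mask, standing in for
// "construct the key on execution". With mask 0x80 and a key shorter than
// 128 bytes every output byte has its high bit set, so no printable run of
// the key survives for the scan to find.
func obfuscate(key string, mask byte) []byte {
	out := make([]byte, len(key))
	for i := 0; i < len(key); i++ {
		out[i] = key[i] ^ (mask + byte(i))
	}
	return out
}

// recoverObfuscated is what the binary must do itself before it can use
// the key, so whoever locates this routine gets the key back: XOR is its
// own inverse. The bar is raised, not removed.
func recoverObfuscated(blob []byte, mask byte) string {
	return string(obfuscate(string(blob), mask))
}

func main() {
	fmt.Println("plain constant:", findKeyCandidates(buildImage([]byte(archiveusPassword))))
	blob := obfuscate(archiveusPassword, 0x80)
	fmt.Println("obfuscated:    ", findKeyCandidates(buildImage(blob)))
	fmt.Println("after decoder: ", recoverObfuscated(blob, 0x80))
}
```

The triage filter is what makes a 38-character alphanumeric token stand out from prompts and paths in a dump of thousands of strings; the decoder at the end is the reason run-time construction only slows an analyst down, since the program has to run it before it can use the key.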
  • Um diddle diddle diddle um diddle ay
    Um diddle diddle diddle um diddle ay
    mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw!
    Even though the sound of it
    Is something quite atrocious
    If you say it loud enough
    You'll always sound precocious
    mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw !
    Um diddle diddle diddle um diddle ay
    Um diddle diddle diddle um diddle ay
    Because I was afraid to speak
    When I was just a lad
    My father gave me nose a tweak
    And told me I was bad
    But then one day I learned a word
    That saved me aching nose
    The biggest word I ever heard
    And this is how it goes:
    Oh, mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw!
    Even though the sound of it
    Is something quite atrocious
    If you say it loud enough
    You'll always sound precocious
    mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw !
    • mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
      It's the most remarkable word I've ever seen!
      mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
      I wish I knew exactly what I mean!
      It starts out like an M word as anyone can see,
      But somewhere in the middle it gets awful 4J to me!
      mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw
      If I ever find out just what this word can mean,
      I'll be the smartest bird the world has ever seen!
  • by blueZ3 (744446) on Thursday June 01, 2006 @05:24PM (#15448851) Homepage
    Had to be said, karma be damned
