
Extortion Virus Code Cracked 371

Billosaur writes "BBC News is reporting that the password to the dreaded Archiveus virus has been discovered and is now available to anyone who needs it. Archiveus is a 'ransomware' virus, which combines files from the My Documents folder on Windows machines and exchanges them for a single, password-protected file, which it will not unlock unless a password is given. The user would normally be required to pay the extortionist money in order to receive the password, but apparently the virus writer made one small, critical error in coding: placing the password in the code. BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw."
  • ummm (Score:5, Interesting)

    by geoffspear ( 692508 ) on Thursday June 01, 2006 @03:49PM (#15448016) Homepage
    Odd how that "30 digit password" has 38 characters, 13 of which are digits.
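The summary notes that the password was recovered because the author embedded it in the program itself, and the comment above points out its odd character makeup. The following added example (not code from the Slashdot story, the BBC article, or the virus) shows the kind of check an analyst runs over a suspicious binary: pull out printable strings, isolate long mixed letter-and-digit tokens, and score them by Shannon entropy so that a hardcoded key or password stands out from ordinary import names and messages. The sample blob is constructed here for illustration; only the password string itself comes from the page.

```python
import math
import re
from typing import List, Tuple

# Constructed sample blob standing in for a suspicious executable. The DOS
# stub, import names and path are typical filler; the long token is the
# password quoted in the story. None of this is the real Archiveus binary.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
    b"kernel32.dll\x00CreateFileA\x00WriteFile\x00"
    b"C:\\Documents and Settings\\%s\\My Documents\x00"
    b"mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw\x00"
    b"http://example.invalid/buy\x00"
    b"\x00\x00\x00\x00"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def extract_strings(blob: bytes, min_len: int = 8) -> List[str]:
    """Equivalent of the classic `strings` tool: runs of printable ASCII
    at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_secret_candidates(
    blob: bytes, min_len: int = 20, min_entropy: float = 3.5
) -> List[Tuple[str, float]]:
    """Return (token, entropy) pairs for long alphanumeric tokens that mix
    letters and digits and have high entropy. Import names, English text
    and file paths are short or low-entropy and drop out; an embedded
    password or key usually survives the filter."""
    candidates = []
    token_re = re.compile(r"[A-Za-z0-9]{%d,}" % min_len)
    for s in extract_strings(blob, min_len):
        for token in token_re.findall(s):
            has_alpha = any(c.isalpha() for c in token)
            has_digit = any(c.isdigit() for c in token)
            ent = shannon_entropy(token)
            if has_alpha and has_digit and ent >= min_entropy:
                candidates.append((token, round(ent, 2)))
    return candidates


if __name__ == "__main__":
    for token, ent in find_secret_candidates(SAMPLE_BLOB):
        print(f"{len(token)} chars, entropy {ent:.2f}: {token}")
```

The thresholds (20 characters, 3.5 bits per character) are assumptions chosen for this sample; on a real binary an analyst tunes them and still reviews the hits by hand, since base64 blobs, GUIDs and packed resources also score high. The point the page makes stands either way: a secret that ships inside the program is recoverable by whoever has the program.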
  • weird (Score:5, Interesting)

    by mr_tommy ( 619972 ) * <tgraham@@@gmail...com> on Thursday June 01, 2006 @03:57PM (#15448116) Journal
    Strike anyone else as odd that the BBC (et al.) ran this story big time - made the world service - on the same day that Microsoft announced their all in one security suite, that, by coincidence, protects against such viruses?
  • Re:Just wait... (Score:4, Interesting)

    by mrchaotica ( 681592 ) * on Thursday June 01, 2006 @04:07PM (#15448206)
    When the files are being encrypted by software running on your computer, such a virus is inevitably vulnerable.
    Unless it uses the Trusted Platform Module on new computers to do the encryption for it!
  • Re:Just wait... (Score:5, Interesting)

    by TikiTDO ( 759782 ) <TikiTDO@gmail.com> on Thursday June 01, 2006 @04:26PM (#15448348)
    You are absolutely wrong. PKI was designed with the purpose of preventing man-in-the-middle attacks. The virus writer would include the public key in the virus with an associated encryption algorithm. The problem arises with decryption. In order to decrypt a file you would need an associated private key. Now if this key is available inside the virus it would be just as easy to find as the password within the article.

    In fact the whole idea of cryptography revolves around the encryption algorithm telling you nothing about a method to decrypt the data it encrypts (At least without a certain key). These are called trapdoor one-way functions.

    The most realistic way I can think of writing such a virus would be to provide an encryption algo in the virus and then provide a decryption program when the intended victim has paid you the money. Now aren't you glad I'm not writing viruses?
  • Obvious problem (Score:5, Interesting)

    by Sylver Dragon ( 445237 ) on Thursday June 01, 2006 @04:30PM (#15448382) Journal
    There seems to be one glaring problem with the idea of ransomware:
    Eventually you're gonna piss off the wrong person.
    Imagine the DoD or the CIA getting hit with this. They look up the registrar of the sites you are supposed to buy the drugs from. They then go visit that registrar's main office (borders, what borders? we're the CIA, we've never paid attention to sovereignty in the past.). They politely ask the registrar to hand over all information on the person paying for the domain name (for the definition of polite which involves pointing guns at and kicking people in the head). Once they know who is paying for the web sites (credit info/check info), they visit that person and politely ask for the password to unlock the virus (same definition of polite).
    If it's the DoD which gets hit, replace CIA with a Navy SEAL team.
  • by Sir_Lewk ( 967686 ) <sirlewk@gCOLAmail.com minus caffeine> on Thursday June 01, 2006 @04:38PM (#15448450)
    Which is why I just laugh when new viruses come out, it's only the idiots that will be infected (generally speaking). So long as you use your brain, you're fine. If you somehow fail to use your brain then you deserve to lose your files. I in no way condone the actions of virus writers, but I don't lose sleep about it, and view the people who manage to contract the things as just as bad (though in a different sense).
  • Re:Wrong (Score:3, Interesting)

    by Xugumad ( 39311 ) on Thursday June 01, 2006 @04:54PM (#15448600)
    You're both wrong :)

    First up, a man in the middle attack requires that someone spot the virus on its way to your computer, and re-write the public key parts. So, not really an issue here. Mostly, the poster appears to be confused with using public keys for verifying identity.

    Problem is, however, that the same private key would unlock all ransomed files. The virus actually needs to be able to get a new public key for each computer it infects, which means having a remote site accessible for it to register with, and request a new key from.

    I'm assuming fairly standard RSA here. There is the possibility that someone could make a more complex cipher; so you start with a private/public key, and the virus carries the public key. On arrival at a system, it generates another public/private key pair, from the public key, which it would encrypt the files with, then destroys the private key. The public key it just generated would then be sent back with payment, the virus author creates a unique decryption key from that public key, and their private key, and sends it in turn back. Hell, it may be possible to do this with RSA, I'm not that much into crypto.

    Luckily, anyone bright enough to figure that all out can probably earn plenty of money legally :)

    Going back to stuff I should be doing, now.
  • Re:Arrest? (Score:3, Interesting)

    by crossmr ( 957846 ) on Thursday June 01, 2006 @04:58PM (#15448635) Journal
    Following a payment is a lot easier than following a spam e-mail.

    When spammers send out e-mails they're not looking for responses, and don't particularly care if people can get back to them. They're pointing them to websites.

    This guy was probably taking payment online via some online system. Depending where it's based, it's possible they could get the records and track this guy down.

  • Re:Just wait... (Score:5, Interesting)

    by BeBoxer ( 14448 ) on Thursday June 01, 2006 @05:01PM (#15448674)
    The fact the LE is good at following money doesn't mean they're actually interested in doing it in the cases you care about.

    As a loyal slashdot member, I had not bothered to read the article before posting. I actually did go back and read it, and you'll never guess how the ransom is paid. The victims are asked to go buy drugs at one of three online "pharmacies". Curious, eh?
  • by Kijori ( 897770 ) <ward,jake&gmail,com> on Thursday June 01, 2006 @05:26PM (#15448862)
    Well, that meta-theorem is kind of included in the idea that, with sufficient time and money, almost any cipher can be broken. And isn't the system necessarily open, since the extortionist must collect the money? This would, I suspect, be much easier to trace than the private key being delivered, which could just be a disc in an envelope sent via the postal service.
  • Major flaw (Score:2, Interesting)

    by Vexorian ( 959249 ) on Thursday June 01, 2006 @05:33PM (#15448916)

    There is a major flaw with the whole ransomware idea and it is that they are actually the most benign kind of virus. They just encrypt your files instead of deleting them? If someone's information is important enough to be worth paying for recovering, it should already have a backup copy.

    Then the real problem for the hacker is getting the money without losing his secret identity.

  • by Ougarou ( 976289 ) on Thursday June 01, 2006 @06:24PM (#15449246) Homepage
    They/He/She should have used a public key to encrypt it, and keep the other one private. He should also have used a special random code which is rehashed by the author to create a sort of license key. They should make a .NET library to help these guys with proper DRM.

    Well, that's how I would have done it (or tried to do it). For that matter: why isn't GPG as mainstream as milk?

  • Re:Base 13 Jokes (Score:5, Interesting)

    by It'sYerMam ( 762418 ) <[thefishface] [at] [gmail.com]> on Thursday June 01, 2006 @06:49PM (#15449396) Homepage
    The quote above, "no-one writes jokes in base 13" is a quote from DNA himself, upon hearing this theory about the question on a newsgroup, I believe.
  • Re:What relief! (Score:4, Interesting)

    by ultranova ( 717540 ) on Friday June 02, 2006 @05:22AM (#15452245)

    I was just looking for that. Thanks!

    Unfortunately, you cannot use it. To do so would be to circumvent an effective access control method. That, in turn, would put you in violation of the DMCA.

    I'm not joking. I'm serious. You are breaking the law if you use this code without having gotten it from the virus writer. Draw your own conclusion about the DMCA from that.

    I'm not a lawyer. This is not legal advice.
