Re: Ransomware
Marcos el Ruptor wrote: I've just looked at the virus. Just curious -- where were you able to download the virus from? -James - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Ransomware
On 12 Jun 2008, at 03:05, James Muir wrote: Just curious -- where were you able to download the virus from? www.offensivecomputing.net Just be careful. Do not run it. It does not spread itself, but it will encrypt all the sensitive files on all the drives and then self- destruct. If you want a disarmed harmless one to play with, I can e- mail you my decrypted and patched up variant. Marcos el Ruptor http://www.enrupt.com/ - Raising the bar. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Ransomware
On Tue, Jun 10, 2008 at 11:41:56PM +0100, Dave Howe wrote: The key size would imply PKI; that being true, then the ransom may be for a session key (specific per machine) rather than the master key it is unwrapped with. Per the computerworld.com article: Kaspersky has the public key in hand ? it is included in the Trojan's code ? but not the associated private key necessary to unlock the encrypted files. http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9094818 This would seem to imply they already verified the public key was constant in the trojan and didn't differ between machines (or that I'm giving Kaspersky's team too much credit with my assumptions). -- { IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657); SMTP([EMAIL PROTECTED]); IRC([EMAIL PROTECTED]); ICQ(114362511); AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER([EMAIL PROTECTED]); MUD([EMAIL PROTECTED]:6669); WWW(http://fungi.yuggoth.org/); } - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Ransomware
Allen [EMAIL PROTECTED] wrote: Agreed, but..., well there is the small matter of figuring out /who/ is doing it and that just might require some small bit of technology. Certainly, it is not mutual exclusive. However factor an RSA key hardly can help with that. At least two defects in this thinking. A) How do we know *a* person did the coding? B) Who defines what is illegal code? A) All the authorities ever need is always *a* person, and then they can do the rest. In this particular case the *real* solution of the problem would be trace the money dropper and bust the chain. The only required cryptanalysis here is a thermo-rectal one. B) It not about legal or illegal code, it is not about a code at all. Blackmailing for ransom is a crime and demanding a ransom for digital assets does not make this any different. A crime must be addressed as a crime in a first place. Ilya -- http://www.literatecode.com - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Ransomware
| The key size would imply PKI; that being true, then the ransom may | be for a session key (specific per machine) rather than the master | key it is unwrapped with. | | Per the computerworld.com article: | |Kaspersky has the public key in hand ? it is included in the |Trojan's code ? but not the associated private key necessary to |unlock the encrypted files. | | http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9094818 | | This would seem to imply they already verified the public key was | constant in the trojan and didn't differ between machines (or that | I'm giving Kaspersky's team too much credit with my assumptions). Returning to the point of the earlier question - why doesn't someone pay the ransom once and then use the key to decrypt everyone's files: Assuming, as seems reasonable, that there is a session key created per machine and then encrypted with the public key, what you'd get for your ransom money is the decryption of that one session key. Enough to decrypt your files, not useful on any other machine. There's absolutely no reason the blackmailer should ever reveal the actual private key to anyone (short of rubber-hose treatment of some sort). -- Jerry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Ransomware
On Wed, Jun 11, 2008 at 11:53:54AM -0400, Leichter, Jerry wrote: Returning to the point of the earlier question - why doesn't someone pay the ransom once and then use the key to decrypt everyone's files: Assuming, as seems reasonable, that there is a session key created per machine and then encrypted with the public key, what you'd get for your ransom money is the decryption of that one session key. Enough to decrypt your files, not useful on any other machine. There's absolutely no reason the blackmailer should ever reveal the actual private key to anyone (short of rubber-hose treatment of some sort). Maybe I missed it in one of the articles, but was it stated that the blackmailer did reveal a private key? Couldn't they simply request the encrypted data and return the decrypted version? -- { IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657); SMTP([EMAIL PROTECTED]); IRC([EMAIL PROTECTED]); ICQ(114362511); AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER([EMAIL PROTECTED]); MUD([EMAIL PROTECTED]:6669); WWW(http://fungi.yuggoth.org/); } - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Ransomware
The Fungi wrote: On Tue, Jun 10, 2008 at 11:41:56PM +0100, Dave Howe wrote: The key size would imply PKI; that being true, then the ransom may be for a session key (specific per machine) rather than the master key it is unwrapped with. Per the computerworld.com article: Kaspersky has the public key in hand ? it is included in the Trojan's code ? but not the associated private key necessary to unlock the encrypted files. http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9094818 This would seem to imply they already verified the public key was constant in the trojan and didn't differ between machines (or that I'm giving Kaspersky's team too much credit with my assumptions). Sure. however, if the virus (once infecting the machine) generated a random session key, symmetric-encrypted the files, then encrypted the session key with the public key as part of the ransom note then that would allow a single public key to be used to issue multiple ransom demands, without the unlocking of any one machine revealing the master key that could unlock all of them. giving away your entire extortion capability to the first person to pay up doesn't seem sane, if you could as easily make each machine a unique proposition... - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Ransomware
Dave Howe wrote on 11 June 2008 19:13: The Fungi wrote: On Tue, Jun 10, 2008 at 11:41:56PM +0100, Dave Howe wrote: The key size would imply PKI; that being true, then the ransom may be for a session key (specific per machine) rather than the master key it is unwrapped with. Per the computerworld.com article: Kaspersky has the public key in hand ? it is included in the Trojan's code ? but not the associated private key necessary to unlock the encrypted files. http://www.computerworld.com/action/article.do?command=viewArticleBasicarti cleId=9094818 This would seem to imply they already verified the public key was constant in the trojan and didn't differ between machines (or that I'm giving Kaspersky's team too much credit with my assumptions). Sure. however, if the virus (once infecting the machine) generated a random session key, symmetric-encrypted the files, then encrypted the session key with the public key as part of the ransom note then that would allow a single public key to be used to issue multiple ransom demands, without the unlocking of any one machine revealing the master key that could unlock all of them. Why are we wasting time even considering trying to break the public key? If this thing generates only a single session key (rather, a host key) per machine, then why is it not trivial to break? The actual encryption algorithm used is RC4, so if they're using a constant key without a unique IV per file, it should be trivial to reconstruct the keystream by XORing any two large files that have been encrypted by the virus on the same machine. This thing ought to be as easy as WEP to break open, shouldn't it? cheers, DaveK -- Can't think of a witty .sigline today - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Ransomware
| Why are we wasting time even considering trying to break the public key? | | If this thing generates only a single session key (rather, a host key) | per machine, then why is it not trivial to break? The actual encryption | algorithm used is RC4, so if they're using a constant key without a unique | IV per file, it should be trivial to reconstruct the keystream by XORing any | two large files that have been encrypted by the virus on the same machine. This is the first time I've seen any mention of RC4. *If* they are using RC4, and *if* they are using it incorrectly - then yes, this would certainly work. Apparently earlier versions of the same malware made even more elementary cryptographic mistakes, and the encryption was easily broken. But they learned enough to avoid those mistakes this time around. Even if they screwed up on cipher and cipher mode this time - expect them to do better the next time. -- Jerry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
RE: Ransomware
Leichter, Jerry wrote on 11 June 2008 20:04: Why are we wasting time even considering trying to break the public key? If this thing generates only a single session key (rather, a host key) per machine, then why is it not trivial to break? The actual encryption algorithm used is RC4, so if they're using a constant key without a unique IV per file, it should be trivial to reconstruct the keystream by XORing any two large files that have been encrypted by the virus on the same machine. This is the first time I've seen any mention of RC4. *If* they are using RC4, According to this entry at viruslist.com: http://www.viruslist.com/en/viruses/encyclopedia?virusid=313444 which I found linked from the analyst's diary blog, The virus uses Microsoft Enhanced Cryptographic Provider v1.0 (built into Windows) to encrypt files. Files are encrypted using the RC4 algorithm. The encryption key is then encrypted using an RSA public key 1024 bits in length which is in the body of the virus. According to this thread on the gpcode forum: http://forum.kaspersky.com/index.php?s=49bd69fb414610c700170b115d0730fashow topic=72322 the readme.txt files containing the ransom key are identical in every directory on the infected computer, suggesting that there is indeed a unique per-host RC4 key. According to http://forum.kaspersky.com/index.php?s=72050db4cb7d54c17e3b6b134d060269show topic=72409 every file encrypted by the virus grows by 8 bytes, so it looks like it uses an IV. But that didn't help with WEP... cheers, DaveK -- Can't think of a witty .sigline today - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Ransomware
On 11 Jun 2008, at 20:13, Dave Howe wrote: This would seem to imply they already verified the public key was constant in the trojan and didn't differ between machines (or that I'm giving Kaspersky's team too much credit with my assumptions). I've just looked at the virus. Upon invocation, it generates a random 128-bit RC4 key with CryptGenKey, then for each file it generates a random IV with a very weak generator only capable of producing 256 different 128-bit values for 99.9% of the files, prepends each file with its IV, then it encrypts that IV with the main RC4 key, hashes that with MD5 and that hash becomes the 128-bit RC4 encryption key for each file. It encrypts all the potentially valuable files like that while deleting the originals, then it encrypts the main RC4 key with one of its two hard-coded 1024-bit RSA public keys and saves it with one of the 4 e-mail addresses it comes with to contact the asshole who did this to you: [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Not much can be done at this point as the executable terminates itself creating a script that deletes it and congratulates the user. It's not very different from the 90's hard drive formatting viruses except for the bold extortion that comes with it. A regular backup is your best friend. The only thing that could probably be done by the most desperate would be to find the largest files with known plaintext and for all the encrypted files with the same first 16 bytes (roughly 1/256 of them), the keystream will match. No cryptography to implement, only XOR. Good luck! Best regards, Marcos el Ruptor http://www.enrupt.com/ - Raising the bar. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Ransomware
- Original Message - From: Jerry Leichter [EMAIL PROTECTED] To: Dave Korn [EMAIL PROTECTED] Cc: Email List - Cryptography cryptography@metzdowd.com Sent: Wednesday, June 11, 2008 12:04:21 PM (GMT-0800) America/Los_Angeles Subject: RE: Ransomware | Why are we wasting time even considering trying to break the public key? | | If this thing generates only a single session key (rather, a host key) | per machine, then why is it not trivial to break? The actual encryption | algorithm used is RC4, so if they're using a constant key without a unique | IV per file, it should be trivial to reconstruct the keystream by XORing any | two large files that have been encrypted by the virus on the same machine. This is the first time I've seen any mention of RC4. *If* they are using RC4, and *if* they are using it incorrectly - then yes, this would certainly work. It is interesting that Kaspersky Labs has not published the code to the disassembled virus. They want the whole world to stop what they're doing to factor a 1,024-bit key, but they are unwilling to publish details of the virus' mechanics. This is out of character for someone who is truly interested in solving the problem for the long-term. While their forum has the detail of the RSA key, they've categorically indicated that they will not explain the cryptography publicly, except to experts over e-mail. I presume this is how David learned of the RC4 algorithm? Arshad Noor StrongAuth, Inc. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Ransomware
Leichter, Jerry [EMAIL PROTECTED] writes: Speculation about this kind of attack has made the rounds for years. It appears the speculations have now become reality. It's not speculation, encryption virii have been around for at least ten years, although the encryption used was pretty crude and easily broken. Even this particular variant (public-key encryption) is hardly new, if it's a PGPCoder derivative then it'd be at least two years old. Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Ransomware
Leichter, Jerry [EMAIL PROTECTED] wrote: Computerworld reports: http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9094818 on a call from Kaspersky Labs for help breaking encryption used by some ransomeware: Code that infects a system, uses a public key embedded in This is ridiculous. It set a totally wrong message. Converting a plain vanilla crime into a geeky challenge for whatsoever marketing purposes is a dead end. A blackmailer demanding a ransom is not a technological issue but a matter of FBI/ Interpol/ FSB/ you name it. A person behind Gpcode must be tracked down to face criminal charges. Apart from setting an example to future morons, it will give all the necessary keys at once. Ilya -- http://www.literatecode.com - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Ransomware
On Mon, 9 Jun 2008, Leichter, Jerry wrote: Even worse, targeted malwared could attack your backups. If it encrypted the data on the way to the backup device, it could survive silently for months, by which time encrypting the live data and demanding the ransom would be a very credible threat. I suspect that home users are the main target of such viruses, and such users usually do not make backups at all (I guess the people who value their data enough to make backups, are also diligent enough to do backup validation). -- Regards, ASK - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Ransomware
Jim Youll wrote: If there's just one key, then Kaspersky could get maximum press by paying the ransom and publishing it. If there are many keys, then Kaspersky still has reached its press-coverage quota, just not as dramatically. The key size would imply PKI; that being true, then the ransom may be for a session key (specific per machine) rather than the master key it is unwrapped with. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Ransomware
Computerworld reports: http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9094818 on a call from Kaspersky Labs for help breaking encryption used by some ransomeware: Code that infects a system, uses a public key embedded in the code to encrypt your files, then tells you you have to go to some web site and pay for the decryption key. Apparently earlier versions of this ransomware were broken because of a faulty implementation of the encryption. This one seems to get it right. It uses a 1024-bit RSA key. Vesselin Bontchev, a long-time antivirus developer at another company, claims that Kaspersky is just looking for publicity: The encryption in this case is done right and there's no real hope of breaking it. Speculation about this kind of attack has made the rounds for years. It appears the speculations have now become reality. -- Jerry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Ransomware
Leichter, Jerry wrote: Computerworld reports: http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9094818 This is no different than suffering a disk crash. That's what backups are for. /ji PS: Oh, backups you say. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Ransomware
On Jun 9, 2008, at 11:54 AM, Leichter, Jerry wrote: Computerworld reports: http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9094818 [...] Apparently earlier versions of this ransomware were broken because of a faulty implementation of the encryption. This one seems to get it right. It uses a 1024-bit RSA key. Vesselin Bontchev, a long-time antivirus developer at another company, claims that Kaspersky is just looking for publicity: The encryption in this case is done right and there's no real hope of breaking it. If there's just one key, then Kaspersky could get maximum press by paying the ransom and publishing it. If there are many keys, then Kaspersky still has reached its press-coverage quota, just not as dramatically. Speculation about this kind of attack has made the rounds for years. It appears the speculations have now become reality. But press gambits from security companies have been in the realm of reality for quite some time! - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Ransomware
On Mon, 9 Jun 2008, John Ioannidis wrote: | Date: Mon, 09 Jun 2008 15:08:03 -0400 | From: John Ioannidis [EMAIL PROTECTED] | To: Leichter, Jerry [EMAIL PROTECTED] | Cc: cryptography@metzdowd.com | Subject: Re: Ransomware | | Leichter, Jerry wrote: | Computerworld reports: | | http://www.computerworld.com/action/article.do?command=viewArticleBasicarticleId=9094818 | | | This is no different than suffering a disk crash. That's what backups are | for. | | /ji | | PS: Oh, backups you say. Bontochev's comment as well. Of course, there is one way this can be much worse than a disk crash: A clever bit of malware can sit there silently and encrypt files you don't seem to be using much. By the time it makes its ransom demands, you may find you have to go back days or even weeks in your backups to get valuable data back. Even worse, targeted malwared could attack your backups. If it encrypted the data on the way to the backup device, it could survive silently for months, by which time encrypting the live data and demanding the ransom would be a very credible threat. (Since many backup programs already offer encryption, hooking it might just involve changing the key. It's always so nice when your opponent provides the mechanisms needed to attack him) -- Jerry - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Ransomware
John Ioannidis wrote: This is no different than suffering a disk crash. That's what backups are for. At Jim Gray's tribute on the 31st, Bruce Lindsay gave a talk about Jim's formalization of transaction processing enabled online transactions ... i.e. needed trust in the integrity of integrity of transaction as prerequisite to move from manual/paper processes. In the early 90s, when glasshouse and mainframes seeing significant downturn in their use ... with lots of stuff moving off to PCs, there was a study that half of the companies that had a disk failure involving (business) data that wasn't backed up ... filed for bankruptcy within 30 days. The issue was that glasshouse tended to have all sorts of business processes to backup business critical data. Disk failures that lost stuff like billing data had significant impact on cash flow (there was case of large telco that had bug in its nightly backup and when the disk crashed with customer billing data ... they found that there didn't have valid backups). Something similar also showed up in the Key Escrow meetings in the mid-90s with regard to business data that was normally kept in encrypted form ... i.e. would require replicated key backup/storage in order to retrieve data (countermeasure to single point of failure). part of the downfall of key escrow was that it seem to want all keys ... not just infrastructure where business needed to have replicated its own keys. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]