Researchers at Kaspersky Lab have identified a new and improved variant of the blackmailing Gpcode trojan, which encrypts files on a victim's computer and then demands payment in exchange for the keys.
"He [the author] makes an encrypted copy of the files and deletes the original files," Roel Schouwenberg, a senior anti-virus researcher at Kaspersky, told SCMagazineUS.com on Friday. "All that's left on the user's machine is an encrypted version of the files."
Experts first spotted this malware about three years ago, when the author used 660-bit encryption to hold victim's files -- including MP3s, photos, documents -- hostage until the user paid up, Schouwenberg said.
However, the Kaspersky team was able to crack the encryption and offer the key to its users; this time, the malware author is using a 1,024-bit RSA key, he said. It is unclear how widespread the infection rate is.
"The major difference between back then and now is that the author has seemed to learn from his mistakes," he said. "It's almost impossible to crack this key. We have been unable to track down any implementation errors."
In addition, the author is employing a number of different variants of Gpcode, each responding to a different public and private key, Schouwenberg said. That rules out the possibility of using brute force as a way to crack the key.
Researchers are unsure exactly how attackers seed the victim's machine with the trojan -- social engineering is the likeliest technique -- but users are encouraged to keep their anti-virus signatures up to date.
Schouwenberg warned, though, that if the attacker uses a yet-to-be-detected variant of the malware, only making regular backups will prevent the files from being harmed.
"The reason we are making such a big fuss about this is because if you don't have any recent backups, you basically can consider your files lost," he said.
That is, unless you agree to pay for the private key -- around US$100 -- although that is no guarantee the files will be safe, Schouwenberg said.
See original article on scmagazineus.com
Trojan holds victim's files for ransom
By Dan Kaplan on Jun 10, 2008 10:06AM