Slashdot Mirror


Extortion Virus Code Cracked

Billosaur writes "BBC News is reporting that the password to the dreaded Archiveus virus has been discovered and is now available to anyone who needs it. Archiveus is a 'ransomware' virus, which combines files from the My Documents folder on Windows machines and exchanges them for a single, password-protected file, which it will not unlock unless a password is given. The user would normally be required to pay the extortionist money in order to receive the password, but apparently the virus writer made one small, critical error in coding: placing the password in the code. BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw."

7 of 371 comments

  1. News That's Old, Stuff that's Stale by lbmouse · Score: 5, Informative

    Hasn't this been around for a while? According to this page, the password has been known for at least a month.

  2. Wrong by Anonymous Coward · Score: 5, Informative

    You're wrong. You can cypher it with the public key and it can't be recovered without the private key, which is safe at his computer.

    1. Re:Wrong by fizzup · Score: 2, Informative

      Ah, yes, the zero knowledge transfer of knowledge.

      Black hat: "Give me $500 for the password to decrypt your data."
      White hat posing as victim: "Okay." (gives $500)
      Black hat: "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw" (gives private key)
      White hat: "Thanks, now I'm going to go tell the New York Times."
      Black hat: "Nuts."

  3. Re:Just wait... by swillden · Score: 5, Informative

    Public key cryptography does not work against a man in the middle attack.

    True, in general, though precautions can be taken. I fail to see how a MITM attack is even relevant here, though.

    When the files are being encrypted by software running on your computer, such a virus is inevitably vulnerable.

    Why? Virus contains public key, generates random session key (ideally in memory-locked pages that cannot be swapped out), encrypts all your data with session key, encrypts session key with public key, writes encrypted session key to a file, wipes session key from memory, then shuts down.

    Assuming you don't notice the virus before all of this happens, you're toast unless you can get a copy of the private key.

    To overcome this flaw, the virus writer would have to send the files to a pre-known IP address for off-site encryption (which among other problems would probably be a pretty noticeable activity). Doing so would presumably also expose the author to risk that the computer in question (and presumably he himself) could be seized.

    Did you mean decryption? If so, yes, the writer would have to have you ship your session key file to him so he could decrypt it and give you your unique decryption key. I don't think that activity is nearly as risky to the writer as trying to figure out how to collect the money, though. Following money trails is something the world's law enforcement agencies are very good at.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

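The summary says the Archiveus password was recoverable because the author placed it in the code, and swillden's comment explains why a design that only embeds a public key would not have that weakness. As an added illustration (not code from the page, from the virus, or from any real sample), here is the kind of quick analyst check that finds such a hard-coded secret: a `strings`-style scan of a constructed, fake binary blob, keeping only long, space-free runs with high Shannon entropy. The blob, the file name and the thresholds are all assumptions made up for the example.

```python
import math
import re
import string

# Constructed stand-in for a malware sample: fake header bytes, a few readable
# strings and the password quoted in the summary, embedded as an ASCII literal.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"Archiveus\x00"
    + b"C:\\Documents and Settings\\%s\\My Documents\x00"
    + b"mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw\x00"
    + b"EncryptedFiles.dat\x00"          # file name is an assumption
    + b"\x90" * 32
)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of the given byte string (0.0 for empty)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_strings(blob: bytes, min_len: int = 8):
    """Return runs of printable ASCII at least min_len long, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def find_embedded_secrets(blob: bytes, min_len: int = 20, min_entropy: float = 3.5):
    """Candidate hard-coded keys or passwords: long, no spaces or path
    separators, and high entropy. Returns (string, entropy) pairs."""
    found = []
    for s in extract_strings(blob, min_len):
        if " " in s or "\\" in s:      # paths and messages, not keys
            continue
        e = shannon_entropy(s.encode())
        if e >= min_entropy:
            found.append((s, round(e, 2)))
    return found


if __name__ == "__main__":
    for secret, entropy in find_embedded_secrets(SAMPLE_BLOB):
        print(f"candidate secret: {secret} (entropy {entropy} bits/byte)")
```

Against the hybrid design swillden describes, the same scan would only surface the public key, which is no help for recovery; the check is useful exactly because Archiveus kept a symmetric password inside the program.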
  4. Re:Just wait... by AK+Marc · Score: 2, Informative

    Following money trails is something the world's law enforcement agencies are very good at.

    Have them send the money via Western Union under the name Boris Yeltson or some such. Western Union does not ask for ID and does not verify the identity of the person picking up the money (at least they didn't a year ago when I last paid attention to such scams). All you need is the confirmation code. They assume that if you show up at the right branch with the right string of numbers, you must be authorized. And once it is picked up, it is gone forever.

  5. Re:Base 13 Jokes by KlomDark · Score: 2, Informative

    Wow, I am REALLY slow on the draw. It's been near 25 years since I first read that and today is the first time I ever even 'did the math in my head' and realized that 6x9 != 42. (It's 54 for other slow thinkers... :) )

    More info:
    http://en.wikipedia.org/wiki/Base_13

  6. No he didn't by juletre · Score: 2, Informative

    When confronted with this at a press conference, Mr Adams said "no one makes jokes in base 13". It is a coincidence.

    (or so I've heard)

    --
    "he, who has quotes in his signature, is a douche" - unknown.