Extortion Virus Code Cracked
Billosaur writes "BBC News is reporting that the password to the dreaded Archiveus virus has been discovered and is now available to anyone who needs it. Archiveus is a 'ransomware' virus, which combines files from the My Documents folder on Windows machines and exchanges them for a single, password-protected file, which it will not unlock unless a password is given. The user would normally be required to pay the extortionist money in order to receive the password, but apparently the virus writer made one small, critical error in coding: placing the password in the code. BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw."
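One way an analyst spots that kind of mistake, as an added example that is not from the story or the BBC article: a `strings`-style scan that pulls printable runs out of a binary and then filters for runs that look like an embedded passphrase. The sample bytes below are constructed for the demonstration; only the password string itself comes from the summary above.

```python
import re

# The password quoted in the story summary.
ARCHIVEUS_PASSWORD = "mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw"

# Constructed stand-in for a malware sample: binary filler and a few
# ordinary import/UI strings around the embedded ASCII password.
SAMPLE = (b"\x4d\x5a\x90\x00\x03\x00\x00\x00" + b"\x7f" * 20
          + b"KERNEL32.dll\x00GetProcAddress\x00"
          + b"\x00\x13\x07" + b"EncryptedFiles.als\x00"
          + b"\x01\x02" + ARCHIVEUS_PASSWORD.encode("ascii") + b"\x00\xff\xfe"
          + b"How to restore your files\x00" + b"\x90" * 16)


def printable_strings(blob: bytes, min_len: int = 8):
    """Return every run of printable ASCII at least min_len bytes long,
    the same thing the Unix `strings` tool prints for a binary."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def key_candidates(blob: bytes, min_len: int = 20):
    """Keep only runs that look like a hard-coded key or passphrase:
    long, no whitespace or punctuation, and a mix of letters and digits.
    This discards DLL names, API names and user-facing text, which is why
    a password left in the code stands out so quickly."""
    out = []
    for s in printable_strings(blob, min_len):
        if (re.fullmatch(r"[A-Za-z0-9]+", s)
                and re.search(r"\d", s) and re.search(r"[A-Za-z]", s)):
            out.append(s)
    return out


if __name__ == "__main__":
    print("all strings:", printable_strings(SAMPLE))
    print("key candidates:", key_candidates(SAMPLE))
```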
Next time it will be a virus writer who knows about public key cryptography, and then you'll just have to pony up the dough... (or you could stop getting your computer infected with malware in the first place.)
You mean that when they pay up the people actually let them get their files back? You would think any criminal would just delete them, say that they would give them back and then just take off with the money; they are already breaking the law, what's another one added to that? I wonder if this will now work like it should in the perfect open source community though, a bug is found, someone patches it, the new stuff is available within the day, maybe even better than before?
I can't believe it's not a hyperlink.
If you are still betting on antivirus companies to keep you safe, you should consider this a warning. There is no technical reason why the password should be recoverable. Had the author used strong public key cryptography instead of a symmetric cypher, there would be no way to get the key without the help of the virus author. The only way to be safe is to not get infected and that means you have to use your brain.
If it's the same password for every infection, wouldn't it be likely that the first victim who actually paid for it would then release it to the wild to screw-over the extortionist ASAP?
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
The most interesting part of TFA: "Victims are only told the password if they buy drugs from one of three online pharmacies."
Are online pharmacies so unregulated that criminals can extort people as a means for advertising?
Wow.
Has this guy been arrested? It shouldn't have taken a genius law enforcement officer to make a payment for this and track it and then pick the guy up?
Personally, worst case I'd write a little algorithm to generate it (if I wanted a constant password that is).
More likely I'd write one that created a hashcode from the completed compression, encoded the hashcode in base64, told the user to enter it when he bought his drugs then used a second algorithm online to encode that result into a specific "key" that would only work for that one, umm, "Customer". If possible I'd write the algorithm in a custom bytecode language so that it wasn't just a straightforward decompile.
Of course, if I was going to go through all that effort I'd just write an online casino or something and steal my money the old-fashioned way.
That's odd. In my experience, the moderators tend to use "Offtopic" when they wish to say "Hey you, shut the fuck up and don't point out the truth unless it's what we want to hear." Other than the use of "Troll" instead of "Offtopic," believe me when I tell you that this is nothing new. This is simply one of the easier ways to abuse this particular system.
I see this going on often enough that I am heading towards the conclusion that meta-moderation is not a strong enough solution for this problem. Meta-moderation is great against mods who deliberately abuse their mod points, but it doesn't work so well against the no-regard-for-facts crowd, which is much larger by comparison. However, because a partial solution is superior to no solution at all in this case, I usually meta-moderate any chance I get and when doing so, I am swift to mark idiot moderations like this as "Unfair."
As to why the moderation is a shitty judgment call, I will give a hopefully adequate analogy: I do not blame Microsoft for producing half-ass products and profiting handsomely from it; I blame anyone who decides to reward their lack of quality with cold hard cash. By random chance, we ended up with an example of this named Microsoft, but there is an entire world full of people with situational ethics waiting to exploit any situation where shit gets rewarded. If Microsoft had not so effectively capitalized on this situation, rest assured that another player would have done so. It's a giant whack-a-mole game until you address the actual problem, which is the decline of the discriminating customer. Therefore, it makes no sense to blame the guy who points out the fact that the Slashdot editors have a mediocre command of the English language. If you must place blame, this would belong to the editors for having a mediocre command of the English language combined with the audacity to still refer to themselves as "editors" because once this is established, it becomes a predictable eventuality that a user who actually cares about quality will point out their shortcomings.
Incidentally, "Overrated" is a pansy-ass way to express your disapproval with a post, because it allows you to make a claim (that the post deserves a negative sanction) without even giving so much as a hint of reasoning explaining why.
It is a miracle that curiosity survives formal education. - Einstein
Gee, why don't you STFU and stop giving these assholes ideas? ~:P
The virus actually needs to be able to get a new public key for each computer it infects, which means having a remote site accessible for it to register with, and request a new key from.
No it doesn't. You've got the idea right, but your version is a bit more complicated than it needs to be.
Look at real-world implementations of public-key encryption systems. [I know PGPDisk does this. I don't know if PGP does it for other, smaller things. Almost all the encrypted network protocols I've studied do this too.] You usually don't encrypt data with a public key; it's too performance consuming. What you do is generate a random key for a symmetric cypher, encrypt the data with that, then encrypt the generated key with the public key. In network protocols, this generated key is what you'll see called the session key. When your recipient gets the data, they'll decrypt the session key using their private key, then decrypt the data with their session key.
A virus like the one under discussion could implement this very easily. No need to mess with RSA on two levels, or generate another keypair, just a symmetric key. The virus generates a symmetric key [no need to log onto an external server to request one, just pull from the system clock, /dev/random, whatever], encrypts $HOME using it, encrypts the symmetric key with the extortionist's public key. It then destroys the information in $HOME and discards the unencrypted symmetric key. When you go to get your password, you have to give the extortionist the encrypted symmetric key. He decrypts it with his private key, and gives you the unencrypted key.
The files aren't encrypted at all.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Easily avoided:
The only weakness here is that the victim must be able to contact the Black Hat, since otherwise he couldn't pay. But that's the weakness of every extortion scheme.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.