Extortion Virus Code Cracked

← Back to Stories (view on slashdot.org)

Posted by ryuzaki0 on Thursday June 1, 2006 @07:47AM from the unlock-your-stuff dept.

Billosaur writes "BBC News is reporting that the password to the dreaded Archiveus virus has been discovered and is now available to anyone who needs it. Archiveus is a 'ransomware' virus, which combines files from the My Documents folder on Windows machines and exchanges them for a single, password-protected file, which it will not unlock unless a password is given. The user would normally be required to pay the extortionist money in order to receive the password, but apparently the virus writer made one small, critical error in coding: placing the password in the code. BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw."

50 of 371 comments (clear)

Min score:

Reason:

Sort:

What relief! by AltGrendel · 2006-06-01 07:48 · Score: 4, Funny

BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw."
I was just looking for that. Thanks!

--
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
1. Re:What relief! by Tackhead · 2006-06-01 08:00 · Score: 5, Funny
  
  > > BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw."
  >
  > I was just looking for that. Thanks!
  What?! That's exactly the kind of combination a Slashdotter would use on his luggage!
2. Re:What relief! by wasimmer · 2006-06-01 08:55 · Score: 4, Funny
  
  That's amazing! I've got the same combination on my luggage!
3. Re:What relief! by Captain+Splendid · 2006-06-01 09:15 · Score: 4, Funny
  
  Geez, what a couple of noobs you guys are!
  Note to self: change luggage comnbination.
  
  --
  Linux, you magnificent bastard, I read the fucking manual!
4. Re:What relief! by Foobar+of+Borg · 2006-06-01 09:35 · Score: 3, Funny
  
  I was just trying aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagh8
  I take it you were dictating?
  
  --
  Similar to the upcoming US election results
5. Re:What relief! by caseydk · 2006-06-01 10:25 · Score: 4, Funny
  
  I just trademarked the Web mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw.0 conference.
6. Re:What relief! by ultranova · 2006-06-01 21:22 · Score: 3, Interesting
  
  I was just looking for that. Thanks!
  
  Unfortunately, you cannot use it. To do so would be to circumvent an effective access control method. That, in turn, would put you in violation of the DMCA.
  
  I'm not joking. I'm serious. You are breaking the law if you use this code without having gotten it from the virus writer. Draw your own conclusion about the DMCA from that.
  
  I'm not a lawyer. This is not legal advice.
  
  --
  Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
ummm by geoffspear · 2006-06-01 07:49 · Score: 5, Interesting

Odd how that "30 digit password" has 38 characters, 13 of which are digits.

--
Don't blame me; I'm never given mod points.
1. Re:ummm by honestmonkey · 2006-06-01 07:58 · Score: 5, Funny
  
  Maybe they meant 30 as in "any number that is greater than 29 and less than 40". You know, thirty. Thirty-ish. Mostly thirty. About thirty. Close to forty, but not quite. Good enough for government work. In Soviet Russia, YOU are 30. 30) Profit! 38 is the new 30.
  
  Actually I didn't see any fingers or toes in the password at all.
  
  --
  Everything you know is wrong, Just forget the words and sing along.
2. Re:ummm by darkmeridian · 2006-06-01 08:42 · Score: 5, Funny
  
  No, no. You have to pay the virus researchers to find out which eight characters to ignore. Thank god for the virus researchers, otherwise the virus ransomers would really have us, huh?
  
  --
  A NYC lawyer blogs. http://www.chuangblog.com/
3. Re:ummm by Negadecimal · 2006-06-01 08:49 · Score: 3, Funny
  
  You mean tredecimal Duodecimal?
  
  You called?
Wait... by ImaLamer · 2006-06-01 07:49 · Score: 5, Funny

We are all now victims of a DMCA lawsuit!

--
Get your Unix fortune now!
My Lord what are we coming to by Anonymous Coward · 2006-06-01 07:50 · Score: 5, Funny

These days even the virus authors don't know anything about writing secure software :(
Wow! by daivzhavue · 2006-06-01 07:50 · Score: 3, Funny

That's the combination to my luggage!

--
"A REAL computer has ONE speed and the only powersaving it permits is when you pull the power leads out of the back!"
1. Re:Wow! by monkaduck · 2006-06-01 07:55 · Score: 4, Funny
  
  Hey, you too?
  
  --
  Napalm is nature's toothpaste
2. Re:Wow! by minusthink · 2006-06-01 08:05 · Score: 5, Funny
  
  You know you really should change the default on those types of things.
  
  --
  "when life gets complicated, I like to take a nap in a tree and wait for dinner" - Hobbes.
Just wait... by hanssprudel · 2006-06-01 07:51 · Score: 5, Insightful

Next time it will be a virus writer who knows about public key cryptography, and then you'll just have to pony up the dough... (or you could stop getting your computer infected with malware in the first place.)
1. Re:Just wait... by Beryllium+Sphere(tm) · 2006-06-01 07:58 · Score: 5, Insightful
  
  >(or you could stop getting your computer infected with malware in the first place.)
  
  Backing up your data would also work.
  
  Notice how much this virus is like a proprietary file format? You can't get at your own data without paying for a license to the proprietary reader.
2. Re:Just wait... by mrchaotica · 2006-06-01 08:07 · Score: 3, Interesting
  
  When the files are being encrypted by software running on your computer, such a virus is inevitably vulnerable.
  Unless it uses the Trusted Platform Module on new computers to do the encryption for it!
  
  --
  "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
3. Re:Just wait... by swillden · 2006-06-01 08:11 · Score: 5, Informative
  
  Public key cryptography does not work against a man in the middle attack.
  True, in general, though precautions can be taken. I fail to see how a MITM attack is even relevant here, though.
  When the files are being encrypted by software running on your computer, such a virus is inevitably vulnerable.
  Why? Virus contains public key, generates random session key (ideally in memory-locked pages that cannot be swapped out), encrypts all your data with session key, encrypts session key with public key, writes encrypted session key to a file, wipes session key from memory, then shuts down.
  Assuming you don't notice the virus before all of this happens, you're toast unless you can get a copy of the private key.
  To overcome this flaw, the virus writer would have to send the files to a pre-known IP address for off-site encryption (which among other problems would probably be a pretty noticeable activity). Doing so would presumably also expose the author to risk that the computer in question (and presumably he himself) could be siezed.
  Did you mean decryption? If so, yes, the writer would have to have you ship your session key file to him so he could decrypt it and give you your unique decryption key. I don't think that activity is nearly as risky to the writer as trying to figure out how to collect the money, though. Following money trails is something the world's law enforcement agencies are very good at.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
4. Re:Just wait... by TikiTDO · 2006-06-01 08:26 · Score: 5, Interesting
  
  You are absolutely wrong. PKI was designed with the purpose of preventing man-in-the-middle attacks. The virus writer would include the public key in the virus with an associated encryption algorithm. The problem arised with decryption. In order to decrypt a file you would need an associated private key. Now if this key is available inside the virus it would be just as easy to find as the password within the article.
  
  In fact the whole idea of cryptography revolves around the encryption algorithm telling you nothing about a method to decrypt the data it encrypts (At least without a certain key). These are called trapdoor one-way functions.
  
  The most realistic way I can think of writing such a virus would be to provide and encryption algo in the virus and then provide a decryption program when the intended victim has paid you the money. Now aren't you glad I'm not writing viruses?
5. Re:Just wait... by Ken_g6 · 2006-06-01 09:00 · Score: 3, Funny
  
  Or worse, a virus writer could just use a randomized one-time pad which makes the files unrecoverable, claim he has the password, and just make off with the dough!
  
  (Mod me down to hide my post if you think I'm giving virus writers too many ideas.)
  
  --
  (T>t && O(n)--) == sqrt(666)
6. Re:Just wait... by BeBoxer · 2006-06-01 09:01 · Score: 4, Interesting
  
  The fact the LE is good at following money doesn't mean they're actually interested in doing it in the cases you care about.
  
  As a loyal slashdot member, I had not bothered to read the article before posting. I actually did go back and read it, and you'll never guess how the ransom is paid. The victims are asked to go buy drugs at one of three online "pharmacies". Curious, eh?
7. Re:Just wait... by swillden · 2006-06-01 09:11 · Score: 3, Funny
  
  As a loyal slashdot member, I had not bothered to read the article before posting.
  That goes without saying, good sir.
  I actually did go back and read it
  You what??? As an even more loyal slashdot member, I *still* have not read the article :-)
  you'll never guess how the ransom is paid. The victims are asked to go buy drugs at one of three online "pharmacies". Curious, eh?
  Very. So this virus is... advertising? Wow.
  
  --
  Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Wow... by beheaderaswp · 2006-06-01 07:51 · Score: 5, Funny

Hmm...

It also works for new Windows XP Professional installs.

Strange.

--
Another consultant who stuck it out.

"We are the Priests, of the Temples of Syrinx..."
News That's Old, Stuff that's Stale by lbmouse · 2006-06-01 07:53 · Score: 5, Informative

Hasn't this been around for a while? According to this page, the password has been know for at least a month.
1. Re:News That's Old, Stuff that's Stale by ajs · 2006-06-01 08:56 · Score: 4, Funny
  
  "Results 1 - 10 of about 69 for mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw. (0.17 seconds)"
  
  Nuff said.
hold on... by joe+155 · 2006-06-01 07:53 · Score: 4, Insightful

you mean that when they pay up the people actually let them get their files back? you would think any criminal would just delete them, say that they would give them back and then just take off with the money; they are already breaking the law, whats another one added to that? I wonder if this will now work like it should in the perfect open source community though, a bug is found, someone patches it, the new stuff is available within the day, maybe even better than before?

--
*''I can't believe it's not a hyperlink.''
1. Re:hold on... by venicebeach · 2006-06-01 07:56 · Score: 4, Insightful
  
  you mean that when they pay up the people actually let them get their files back? you would think any criminal would just delete them, say that they would give them back and then just take off with the money; they are already breaking the law, whats another one added to that
  
  If you don't give the files back you remove the incentive for other infected users to pay up.
2. Re:hold on... by ThePyro · 2006-06-01 09:07 · Score: 3, Insightful
  
  If you don't give the files back you remove the incentive for other infected users to pay up.
  But that assumes that other infected users are collaborating (how else would you hear about the deletions?). And if they were collaborating then they could just share the password (like what has just occurred in this article), and the money dries up anyway.
strings? by blinder · 2006-06-01 07:55 · Score: 3, Funny

heh, is this strings to the rescue?

one of the best programs evar :)

--
sad robot making broken music
Consider this a warning by Anonymous Coward · 2006-06-01 07:56 · Score: 4, Insightful

If you are still betting on antivirus companies to keep you safe, you should consider this a warning. There is no technical reason why the password should be recoverable. Had the author used strong public key cryptography instead of a symmetric cypher, there would be no way to get the key without the help of the virus author. The only way to be safe is to not get infected and that means you have to use your brain.
If it's the same password... by Nom+du+Keyboard · 2006-06-01 07:56 · Score: 5, Insightful

If it's the same password for every infection, wouldn't it be likely that the first victim who actually paid for it would then release it to the wild to screw-over the extortionist ASAP?

--
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
From the TFA by BaltikaTroika · 2006-06-01 07:56 · Score: 5, Insightful

The most interesting part of TFA: "Victims are only told the password if they buy drugs from one of three online pharmacies."

Are online pharmacies so unregulated that criminals can extort people as a means for advertising?

Wow.
1. Re:From the TFA by geoffspear · 2006-06-01 08:04 · Score: 3, Insightful
  
  If they can get away with illegally selling prescription drugs without a prescription and sending out billions of emails advertising the fact (as well as hacking PCs to use as zombies to send out said emails), they can probably get away with a little extortion on top of it.
  
  --
  Don't blame me; I'm never given mod points.
weird by mr_tommy · 2006-06-01 07:57 · Score: 4, Interesting

Strike anyone else as odd that the BBC (et al.) ran this story big time - made the world service - on the same day that Microsoft announced their all in one security suite, that, by coincidence, protects against such virus'?
Profit! by insanechemist · 2006-06-01 08:01 · Score: 3, Funny

1) Write ransom virus
2) Release
3) ....
4) Profit!

Wait - that actually works I think

--
I thought it was a good idea
Wrong by Anonymous Coward · 2006-06-01 08:04 · Score: 5, Informative

You're wrong. You can cypher it with the public key and it can't be recovered without the private key, which is safe at his computer.
Thank the GPL by mypalmike · 2006-06-01 08:04 · Score: 4, Funny

The virus writers could have used a GPL-based crypt library, but realized that there would be legal issues involved, requiring them to open-source the whole virus.

--
There are 0x40000000 types of people: those who understand 32-bit IEEE 754 floating point, and those who don't.
Due to high oil prices... by avatar4d · 2006-06-01 08:05 · Score: 4, Funny

today's Sesame Street program has been brought to you by:

mf2lro8sw03ufvnsq034jfowr18f3cszc20vm and w

--
Confucius say: "Man who associates with smarter men than himself is smarter than the men he associates with."
Arrest? by crossmr · 2006-06-01 08:21 · Score: 3, Insightful

Has this guy been arrested? It shouldn't have taken a genius law enforcement officer to make a payment for this and track it and then pick the guy up?
Obvious problem by Sylver+Dragon · 2006-06-01 08:30 · Score: 4, Interesting

There seems to be one glaring problem with the idea of ransomware:
Eventually you're gonna piss off the wrong person.
Imagine the DoD or the CIA getting hit with this. They lookup the registar of the sites you are supposed to buy the drugs from. They then go visit that registar's main office (borders, what borders? we're the CIA, we've never paid attention to soviernty in the past.). They politely ask the registar to hand over all information on the person paying for the domain name (for the definition of polite which involves pointing guns at and kicking people in the head). Once they know who is paying for the web sites (credit info/check info), they visit that person and politely ask for the password to unlock the virus (same definition of polite).
If it's the DoD which gets hit, replace CIA with a Navy SEAL team.

--
Necessity is the mother of invention.
Laziness is the father.
DAMMIT! I'm screwed! by martinultima · 2006-06-01 08:32 · Score: 4, Funny

How'd that guy find out my root password!?

--
Creative misinterpretation is your friend.
Drats. Time to change passwd on the server farm! by rjamestaylor · 2006-06-01 08:40 · Score: 5, Funny

Um diddle diddle diddle um diddle ay Um diddle diddle diddle um diddle ay mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw! Even though the sound of it Is something quite atrocious If you say it loud enough You'll always sound precocious mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw ! Um diddle diddle diddle um diddle ay Um diddle diddle diddle um diddle ay Because I was afraid to speak When I was just a lad My father gave me nose a tweak And told me I was bad But then one day I learned a word That saved me aching nose The biggest word I ever heard And this is how it goes: Oh, mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw! Even though the sound of it Is something quite atrocious If you say it loud enough You'll always sound precocious mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw !

--
-- @rjamestaylor on Ello
Base 13 Jokes by sconeu · 2006-06-01 08:41 · Score: 4, Funny

Douglas Adams made one....

"What do you get when you multiply six by nine?" "Forty-two".

Work it out in base 13.

--
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
1. Re:Base 13 Jokes by It'sYerMam · 2006-06-01 10:49 · Score: 4, Interesting
  
  The quote above, "no-one writes jokes in base 13" is a quote from DNA himself, upon hearing this theory about the question on a newsgroup, I believe.
  
  --
  im in ur .sig, writin ur memes.
Re:Erm call me stupid but . . . by grassy_knoll · 2006-06-01 08:46 · Score: 4, Funny

How else are you supposed to do it? Or did TFA mean that it was stored in plaintext in the code?

I was confused by that as well. I presume plaintext, since storing a hash and comparing a hash generated from user input seems standard practice... at least in the non-virus writting community.

Ya think the writter had a PHB leaning on him to meet deadline?

--
A Human Right
count again; it's 30 by commodoresloat · 2006-06-01 09:24 · Score: 4, Funny

(for exceptionally high values of 30.)
CIA by Anonymous Coward · 2006-06-01 10:36 · Score: 3, Funny

The CIA won't have a problem taking down an online pharmacy or two, they really hate it when people interfere with their drug trade anyway.
Funny base joke by totallygeek · 2006-06-01 15:08 · Score: 4, Funny

You know why computer programmers get Thanksgiving and Christmas confused? Cuz OCT 31 == DEC 25.

--
Click here or here.