Slashdot Mirror


Extortion Virus Code Cracked

Billosaur writes "BBC News is reporting that the password to the dreaded Archiveus virus has been discovered and is now available to anyone who needs it. Archiveus is a 'ransomware' virus, which combines files from the My Documents folder on Windows machines and exchanges them for a single, password-protected file, which it will not unlock unless a password is given. The user would normally be required to pay the extortionist money in order to receive the password, but apparently the virus writer made one small, critical error in coding: placing the password in the code. BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw."
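
The flaw the summary describes, a recovery password sitting in the program as a plain string, is exactly what an analyst looks for first when triaging a sample. The following scanner is an added example written for this page, not code from the article or from any malware: it runs a `strings`-style sweep over a constructed byte blob (a fake image containing ordinary import names, a few file names and the password quoted above, labelled as constructed in the code) and flags long, space-free, mixed letter/digit tokens with high Shannon entropy as likely embedded keys. The threshold values are assumptions chosen for the demonstration.

```python
import math
import re

# Constructed sample, not a real malware image: some header bytes, ordinary
# import and file-name strings, a run of non-printable padding, and the
# password quoted in the summary embedded as a plain string literal.
SAMPLE_BLOB = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
    + b"KERNEL32.dll\x00CreateFileA\x00"
    + b"\x00\x01\x02\xff\xfe"
    + b"My Documents\x00EncryptedFiles.als\x00"
    + b"mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw\x00"
    + b"\x90" * 16
    + b"Buy from our pharmacy to get the password\x00"
)


def extract_strings(blob: bytes, min_len: int = 8) -> list:
    """Mimic the `strings` tool: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def shannon_entropy(s: str) -> float:
    """Bits per character. English prose sits around 3 to 4; random keys score higher."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_key(s: str, min_len: int = 20, min_entropy: float = 3.5) -> bool:
    """Heuristic (assumed thresholds): a single unbroken token, reasonably long,
    containing both letters and digits, with high per-character entropy.
    A real triage workflow would add allowlists for known library strings."""
    if len(s) < min_len or " " in s:
        return False
    has_digit = any(ch.isdigit() for ch in s)
    has_alpha = any(ch.isalpha() for ch in s)
    return has_digit and has_alpha and shannon_entropy(s) >= min_entropy


def find_embedded_keys(blob: bytes) -> list:
    """Return every extracted string that the heuristic flags as a probable key."""
    return [s for s in extract_strings(blob) if looks_like_key(s)]


if __name__ == "__main__":
    for candidate in find_embedded_keys(SAMPLE_BLOB):
        print("%2d chars, entropy %.2f: %s"
              % (len(candidate), shannon_entropy(candidate), candidate))
```

Against the constructed blob the scan returns only the 38-character password; the pharmacy message is rejected because it contains spaces, and the import and file names are too short. The point for a defender is the one the summary makes: a symmetric secret that the program itself must contain is always recoverable from the artifact, so a sample that decrypts with a fixed key needs no ransom payment, only analysis.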

17 of 371 comments

  1. ummm by geoffspear · · Score: 5, Interesting

    Odd how that "30 digit password" has 38 characters, 13 of which are digits.

    --
    Don't blame me; I'm never given mod points.
    1. Re:ummm by honestmonkey · · Score: 5, Funny

      Maybe they meant 30 as in "any number that is greater than 29 and less than 40". You know, thirty. Thirty-ish. Mostly thirty. About thirty. Close to forty, but not quite. Good enough for government work. In Soviet Russia, YOU are 30. 30) Profit! 38 is the new 30.

      Actually I didn't see any fingers or toes in the password at all.

      --
      Everything you know is wrong, Just forget the words and sing along.
    2. Re:ummm by darkmeridian · · Score: 5, Funny

      No, no. You have to pay the virus researchers to find out which eight characters to ignore. Thank god for the virus researchers, otherwise the virus ransomers would really have us, huh?

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
  2. Wait... by ImaLamer · · Score: 5, Funny

    We are all now victims of a DMCA lawsuit!

  3. My Lord what are we coming to by Anonymous Coward · · Score: 5, Funny

    These days even the virus authors don't know anything about writing secure software :(

  4. Just wait... by hanssprudel · · Score: 5, Insightful
    Next time it will be a virus writer who knows about public key cryptography, and then you'll just have to pony up the dough... (or you could stop getting your computer infected with malware in the first place.)

    1. Re:Just wait... by Beryllium+Sphere(tm) · · Score: 5, Insightful

      >(or you could stop getting your computer infected with malware in the first place.)

      Backing up your data would also work.

      Notice how much this virus is like a proprietary file format? You can't get at your own data without paying for a license to the proprietary reader.

    2. Re:Just wait... by swillden · · Score: 5, Informative

      > Public key cryptography does not work against a man in the middle attack.

      True, in general, though precautions can be taken. I fail to see how a MITM attack is even relevant here, though.

      > When the files are being encrypted by software running on your computer, such a virus is inevitably vulnerable.

      Why? Virus contains public key, generates random session key (ideally in memory-locked pages that cannot be swapped out), encrypts all your data with session key, encrypts session key with public key, writes encrypted session key to a file, wipes session key from memory, then shuts down.

      Assuming you don't notice the virus before all of this happens, you're toast unless you can get a copy of the private key.

      > To overcome this flaw, the virus writer would have to send the files to a pre-known IP address for off-site encryption (which among other problems would probably be a pretty noticeable activity). Doing so would presumably also expose the author to risk that the computer in question (and presumably he himself) could be seized.

      Did you mean decryption? If so, yes, the writer would have to have you ship your session key file to him so he could decrypt it and give you your unique decryption key. I don't think that activity is nearly as risky to the writer as trying to figure out how to collect the money, though. Following money trails is something the world's law enforcement agencies are very good at.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    3. Re:Just wait... by TikiTDO · · Score: 5, Interesting

      You are absolutely wrong. PKI was designed with the purpose of preventing man-in-the-middle attacks. The virus writer would include the public key in the virus with an associated encryption algorithm. The problem arises with decryption. In order to decrypt a file you would need an associated private key. Now if this key is available inside the virus it would be just as easy to find as the password within the article.

      In fact the whole idea of cryptography revolves around the encryption algorithm telling you nothing about a method to decrypt the data it encrypts (At least without a certain key). These are called trapdoor one-way functions.

      The most realistic way I can think of writing such a virus would be to provide an encryption algo in the virus and then provide a decryption program when the intended victim has paid you the money. Now aren't you glad I'm not writing viruses?

  5. Wow... by beheaderaswp · · Score: 5, Funny

    Hmm...

    It also works for new Windows XP Professional installs.

    Strange.

    --
    Another consultant who stuck it out.

    "We are the Priests, of the Temples of Syrinx..."
  6. News That's Old, Stuff that's Stale by lbmouse · · Score: 5, Informative

    Hasn't this been around for a while? According to this page, the password has been known for at least a month.

  7. If it's the same password... by Nom+du+Keyboard · · Score: 5, Insightful

    If it's the same password for every infection, wouldn't it be likely that the first victim who actually paid for it would then release it to the wild to screw over the extortionist ASAP?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
  8. From the TFA by BaltikaTroika · · Score: 5, Insightful

    The most interesting part of TFA: "Victims are only told the password if they buy drugs from one of three online pharmacies."

    Are online pharmacies so unregulated that criminals can extort people as a means for advertising?

    Wow.

  9. Re:What relief! by Tackhead · · Score: 5, Funny

    > > BTW, the 30-digit password locking the files is mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw."
    >
    > I was just looking for that. Thanks!

    What?! That's exactly the kind of combination a Slashdotter would use on his luggage!

  10. Wrong by Anonymous Coward · · Score: 5, Informative

    You're wrong. You can cypher it with the public key and it can't be recovered without the private key, which is safe at his computer.

  11. Re:Wow! by minusthink · · Score: 5, Funny

    You know you really should change the default on those types of things.

    --
    "when life gets complicated, I like to take a nap in a tree and wait for dinner" - Hobbes.
  12. Drats. Time to change passwd on the server farm! by rjamestaylor · · Score: 5, Funny

    Um diddle diddle diddle um diddle ay
    Um diddle diddle diddle um diddle ay
    mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw!
    Even though the sound of it Is something quite atrocious
    If you say it loud enough
    You'll always sound precocious
    mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw !
    Um diddle diddle diddle um diddle ay
    Um diddle diddle diddle um diddle ay
    Because I was afraid to speak
    When I was just a lad My father gave me nose a tweak And told me I was bad
    But then one day I learned a word That saved me aching nose
    The biggest word I ever heard And this is how it goes:
    Oh, mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw!
    Even though the sound of it
    Is something quite atrocious
    If you say it loud enough
    You'll always sound precocious
    mf2lro8sw03ufvnsq034jfowr18f3cszc20vmw !

    --
    -- @rjamestaylor on Ello