Fugitif
01.10.2008, 23:43
The Russian VXer who created the infamous Gpcode ransomware Trojan has been identified - but an early arrest isn't likely.
With cybercrime way down the priority list in Russia, the malware author - known to the police after security firm Kaspersky Labs winkled out a likely IP number for him - is liable to remain at large for some time.
The malicious code for which the suspect is wanted first materialised two years ago. Variants of Gpcode encrypt user files (word documents, spreadsheets, images and the like) on infected PCs using an encryption algorithm. Once the malware scrambles files, it is programmed to generate a text message in directories taunting victims that they need to pay for a "decryption utility" in order to see their files again. The scam attempts to extort between $100-200 from victims, typically payable through an e-gold account.
Since the Trojan's first appearance, variants of Gpcode have used progressively stronger encryption, culminating in a 1024-bit RSA key variant. It spurred the launch of a controversial code-cracking challenge by Russian security firm Kaspersky Labs back in June.
Brute force attacks against data scrambled using encryption of such strength are impractical, so the best advice is the twin track approach of backing up sensitive data and taking steps to avoid getting infected in the first place. Earlier versions of the malware, by contrast, have used custom encryption utilities that could be broken or made cryptographic errors that allowed at recovery of some (if not most) scrambled files. For example, one variant simply deleted user files.
Kaspersky Labs was recently contacted by someone claiming to offer a decryption tool for the latest variant of the malware, Techworld reports. This tool turned out to be genuine, establishing that the scammer had access to the master keys used by the malware. This, in turn, prompted Kaspersky analysts to search for the IP address of the author.
Although he used compromised machines and proxies, enough circumstantial evidence was obtained in order to pin down a probable suspect in Russia. Techworld reports that no action has been taken as yet.
Nobody from Kaspersky familiar with the investigation into the author of Gpcode was available for immediate comment. It may well be that they are over in Ottawa, Canada for the annual Virus Bulletin conference this week.
More:
http://www.theregister.co.uk/2008/10/01/gpcode_author_hunt/
With cybercrime way down the priority list in Russia, the malware author - known to the police after security firm Kaspersky Labs winkled out a likely IP number for him - is liable to remain at large for some time.
The malicious code for which the suspect is wanted first materialised two years ago. Variants of Gpcode encrypt user files (word documents, spreadsheets, images and the like) on infected PCs using an encryption algorithm. Once the malware scrambles files, it is programmed to generate a text message in directories taunting victims that they need to pay for a "decryption utility" in order to see their files again. The scam attempts to extort between $100-200 from victims, typically payable through an e-gold account.
Since the Trojan's first appearance, variants of Gpcode have used progressively stronger encryption, culminating in a 1024-bit RSA key variant. It spurred the launch of a controversial code-cracking challenge by Russian security firm Kaspersky Labs back in June.
Brute force attacks against data scrambled using encryption of such strength are impractical, so the best advice is the twin track approach of backing up sensitive data and taking steps to avoid getting infected in the first place. Earlier versions of the malware, by contrast, have used custom encryption utilities that could be broken or made cryptographic errors that allowed at recovery of some (if not most) scrambled files. For example, one variant simply deleted user files.
Kaspersky Labs was recently contacted by someone claiming to offer a decryption tool for the latest variant of the malware, Techworld reports. This tool turned out to be genuine, establishing that the scammer had access to the master keys used by the malware. This, in turn, prompted Kaspersky analysts to search for the IP address of the author.
Although he used compromised machines and proxies, enough circumstantial evidence was obtained in order to pin down a probable suspect in Russia. Techworld reports that no action has been taken as yet.
Nobody from Kaspersky familiar with the investigation into the author of Gpcode was available for immediate comment. It may well be that they are over in Ottawa, Canada for the annual Virus Bulletin conference this week.
More:
http://www.theregister.co.uk/2008/10/01/gpcode_author_hunt/