[ISN] Crypto malware close to being 'uncrackable'

From: InfoSec News (alerts@private)
Date: Tue Jul 25 2006 - 22:29:26 PDT


By John E. Dunn
July 25, 2006

File-encrypting Trojans are becoming so complex that the security
companies could soon be powerless to reverse their effects, a new
report from Kaspersky Lab has said.

The report notes the rapid evolution of the public key encryption used
by one family of crypto malware, Gpcode, which went from using 56-bit
to 660-bit RSA in a matter of weeks.

Commonly termed "ransomware," Trojans that encrypt data files on a
user's PC before demanding a payment in return for supplying the key
to unlock the files, have come from nowhere in recent months to become
a measurable problem.

At the time of the of its discovery in June Gpcode.ag -- which used a
formidable 660-bit key -- Kaspersky described the process required to
decrypt such a key as equivalent to setting a 2.2 GHz PC to work for
thirty years.

In the event, the company managed to work out the key using a
technique it was unwilling to reveal.

"We were able to decrypt 330 and 660-bit keys within a reasonably
short space of time," said Aleks Gostev of Kaspersky Lab. "But a new
variant with a longer key could appear at any time. If RSA, or any
other similar algorithm which uses a public key, were to be used in a
new virus, anti-virus companies might find themselves powerless, even
if maximum computing power was applied to decrypting the key," he

Gotsev raised the alarming possibility that victims could at some
point in the near future have their files encrypted in such a way that
the security industry would not be able to issue a fix. If this comes
to pass -- and Kaspersky's claims that the day is not far off are
plausible -- it will mark an important moment for the whole software
security industry.

The obvious answer could be simply not to allow ransomware on to a PC
in the first place, an approach that Gotsev and other security
companies will be keen to stress.

The other defense will have to be more assiduous pursuit of the
distributors of such products, or novel technical solutions that
prohibit the low-level interference with a computer's files-system
necessary for encryption to happen in the first place.

"Unfortunately, the authors behind the Gpcode, Cryzip, and Krotten
ransomware are still free. However, even if they are arrested, there’s
nothing to prevent other malicious users from implementing such
techniques in order to make money."

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Tue Jul 25 2006 - 22:38:42 PDT