[ISN] Police 'find' author of notorious virus

From: InfoSec News <alerts_at_private>
Date: Wed, 1 Oct 2008 04:05:18 -0500 (CDT)

By John E. Dunn
30 September 2008

The infamous Gpcode 'ransomware' virus that hit computers in July was 
the work of a single person who is known to the authorities, a source 
close to the hunt for the attacker has told Techworld.

The individual is believed to be a Russian national, and has been in 
contact with at least one anti-malware company, Kaspersky Lab, in an 
attempt to sell a tool that could be used to decrypt victims' files.

Initially sceptical, the company was able to verify that the individual 
was the author of the latest Gpcode attack - and probably the earlier 
attacks in 2006 and 2007 - using a variety of forensic evidence, not 
least that he was able to supply a tool containing the RC4 key that 
decrypts the files the malware had encrypted on a single victim's PC.

The 128-bit RC4 keys used to encrypt the user's data are unique for 
every attack. The part that had stymied researchers was that this key 
had, in turn, been encrypted with an effectively unbreakable 1024-bit 
RSA public key, generated in tandem with the virus author's private key, 
so recovering a victim's RC4 key without factoring the modulus requires 
that private key. By producing the RC4 key for a victim's PC, the tool 
at least proved that the individual had access to the private 'master' 
key and must therefore be genuine.
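The hybrid scheme described above, and the proof-of-possession check it makes possible, as an added example that is not Gpcode's code nor Kaspersky's verification tool. Each victim gets a fresh 128-bit RC4 key, that key is wrapped with the attacker's RSA public key, and only the holder of the matching private key can unwrap it. The RC4 implementation is the standard KSA/PRGA; the RSA is textbook (no padding) with a 512-bit modulus generated here so the example runs quickly, in place of the 1024-bit key the article describes; the victim document and the impostor key pair are constructed for the demonstration.

```python
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key-scheduling (KSA) then keystream generation (PRGA).
    RC4 is a stream cipher, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (enough for a toy key-generation routine)."""
    if n < 2:
        return False
    if n in SMALL_PRIMES:
        return True
    if any(n % p == 0 for p in SMALL_PRIMES):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2       # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit and odd
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits: int = 512):
    """Toy textbook RSA key pair: returns ((e, n), (d, n)).
    Assumption: 512-bit modulus for speed; the article's Gpcode used 1024-bit."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p == q or phi % e == 0:            # need gcd(e, phi) == 1
            continue
        return (e, p * q), (pow(e, -1, phi), p * q)


def wrap_key(rc4_key: bytes, pub) -> int:
    """Encrypt the per-victim RC4 key with the attacker's public key (no padding; toy)."""
    e, n = pub
    m = int.from_bytes(rc4_key, "big")
    assert m < n
    return pow(m, e, n)


def unwrap_key(wrapped: int, priv) -> bytes:
    """Recover the RC4 key; only works with the matching private 'master' key."""
    d, n = priv
    return pow(wrapped, d, n).to_bytes(16, "big")  # OverflowError if key is wrong


def encrypt_victim_file(plaintext: bytes, attacker_pub) -> dict:
    """What the malware does on one PC: fresh 128-bit RC4 key, file encrypted
    with it, and the key itself shipped only in RSA-wrapped form."""
    session_key = secrets.token_bytes(16)
    return {"wrapped_key": wrap_key(session_key, attacker_pub),
            "ciphertext": rc4(session_key, plaintext)}


def recover_file(blob: dict, attacker_priv) -> bytes:
    return rc4(unwrap_key(blob["wrapped_key"], attacker_priv), blob["ciphertext"])


def prove_possession(blob: dict, claimed_priv, known_plaintext: bytes) -> bool:
    """The check a researcher can run on a claimant: hand over one real victim's
    wrapped key and ciphertext; a correct RC4 key back implies the master private key."""
    try:
        key = unwrap_key(blob["wrapped_key"], claimed_priv)
    except OverflowError:
        return False
    return rc4(key, blob["ciphertext"]) == known_plaintext


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    blob = encrypt_victim_file(b"constructed victim document", pub)  # constructed sample
    _, impostor = rsa_keygen()
    print("author key:", prove_possession(blob, priv, b"constructed victim document"))
    print("impostor key:", prove_possession(blob, impostor, b"constructed victim document"))
```

The point the check relies on: an RC4 key is 128 bits and unique per infection, so nobody can brute-force it, and the wrapped copy yields to nothing but the private key. Whoever returns the right key for a victim they were never given the plaintext of therefore holds the master key, whether or not they wrote the code.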


Received on Wed Oct 01 2008 - 02:05:18 PDT