点饭的百度空间
A despicable new extortion virus encrypts files with a 1024-bit key: Virus.Win32.Gpcode.ak
(Gpcode encrypts with a 1024-bit key, the same strength used by online banking.)
Kaspersky has recently discovered a new variant of the Gpcode virus that uses the RSA encryption algorithm with a 1024-bit key to encrypt files with a range of extensions (such as .doc, .txt, .pdf, .xls, .jpg, .png, .cpp, .h and so on). The virus author previously used a 660-bit key (which a 2.2 GHz processor would need 30 years to break); after two years of refinement he has replaced the 660-bit key with a 1024-bit one. Once a user is infected with Virus.Win32.Gpcode.ak, it renames files with the above extensions to ._CRYPT and places a text file, !_READ_ME_!.txt, in the same folder telling the victim that they must pay to have the files decrypted. He leaves the following message:
"Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at: ********@yahoo.com"
Kaspersky warns infected users not to restart or shut down, to avoid more serious damage. Is extortion becoming a trend?
Kaspersky Lab has detected a new variant of Gpcode – a dangerous file-encryptor. It encrypts a whole variety of user files, targeting files with extensions such as DOC, TXT, PDF, XLS, JPG, PNG, CPP, H etc. If you're a regular visitor to Viruslist, you might remember reading about Gpcode a couple of years ago.
We recently started getting reports from infected victims, analysed a sample, and added detection for Gpcode.ak to our antivirus databases yesterday, on June 4th. However, although we detect the virus itself, we can't currently decrypt files encrypted by Gpcode.ak – the RSA encryption implemented in the malware uses a very strong, 1024 bit key.
The RSA encryption algorithm uses two keys: a public key and a private key. Messages can be encrypted using the public key, but can only be decrypted using the private key. And this is how Gpcode works: it encrypts files on victim machines using the public key which is coded into its body. Once encrypted, files can only be decrypted by someone who has the private key – in this case, the author or the owner of the malicious program.
As I've said above, we've come across Gpcode before (see Blackmailer for the full story). Two years ago we were able to get the private key by detailed analysis of the data at our disposal. However, the maximum RSA key length we've been able to ‘crack’ to date is 660 bits. We were able to do this as the author had made some mistakes when implementing the encryption algorithm.
The author has bided his time, waiting almost two years before creating a new, improved variant of this file encryptor. Gpcode.ak doesn't repeat the errors found in previous versions of the virus. Back in 2006 when we detected the first versions of Gpcode to use RSA, this sounded an alarm: we warned that we wouldn't be able to help decrypt encrypted files if the virus writer implemented the RSA encryption algorithm correctly. It would be a case for law enforcement; encrypting files in this way is tantamount to a cybercriminal copying user files to his own machine, and deleting them from the user's infected machine without consent – an illegal action.
Once the virus has encrypted a user's files, it leaves the following text message along with the files it has encrypted:
Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: ********@yahoo.com
Unfortunately, at the time of writing it's still not clear how the virus spreads. To protect your machine, you should enable all components of whatever anti-malware protection that you have installed.
ATTENTION! If you see the following message on your computer:

...Then, in all probability, you have been attacked by Gpcode.ak. In this case, try to contact us using another computer connected to the Internet. DO NOT RESTART or POWER DOWN the potentially infected machine.
Contact us by email stopgpcode@kaspersky.com and tell us the exact date and time of infection, as well as everything you did on the computer in the 5 minutes before the machine was infected:
• which programs you have executed,
• which websites you have visited, etc.
We'll try and help you recover any data that has been encrypted.
Our analysts are continuing to analyze the virus code in search of a way of decrypting files without having the private key. In the meantime, do take extra care as you surf and read email. And if you see the above messages…do follow our instructions.
We'll be posting updates here when we have more news.
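A small triage script, added here as an illustration and not part of the post or of Kaspersky's article: it walks a directory tree looking for the two artefacts the article names (files renamed to ._CRYPT and the !_READ_ME_!.txt note containing the RSA-1024 text), tallies which original extensions were hit, and estimates the infection window from the encrypted files' modification times, which is the "exact date and time of infection" the analysts ask for. The sample tree it builds is constructed for the demo and contains no real ciphertext.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Indicators named in the post: renamed victim files and the dropped note.
ENCRYPTED_SUFFIX = "._CRYPT"
NOTE_NAME = "!_READ_ME_!.txt"
NOTE_PATTERN = re.compile(r"encrypted with RSA-1024 algorithm", re.IGNORECASE)

def triage_gpcode(root):
    """Walk root; return encrypted files, their original extensions, the
    directories holding a matching ransom note, and an estimated infection
    window taken from the encrypted files' modification times (UTC)."""
    encrypted, extensions, note_dirs, mtimes = [], {}, [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(path)
                mtimes.append(os.path.getmtime(path))
                # "report.doc._CRYPT" -> original extension ".doc"
                ext = os.path.splitext(name[: -len(ENCRYPTED_SUFFIX)])[1].lower()
                extensions[ext] = extensions.get(ext, 0) + 1
            elif name == NOTE_NAME:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    if NOTE_PATTERN.search(fh.read()):
                        note_dirs.append(dirpath)
    window = None
    if mtimes:
        stamp = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
        window = (stamp(min(mtimes)), stamp(max(mtimes)))
    return {"encrypted": sorted(encrypted), "extensions": extensions,
            "note_dirs": sorted(note_dirs), "window": window}

def build_sample_tree():
    """Constructed sample tree (not real malware output) for a dry run."""
    root = tempfile.mkdtemp(prefix="gpcode_demo_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for fname in ("report.doc._CRYPT", "notes.txt._CRYPT", "photo.jpg._CRYPT"):
        with open(os.path.join(docs, fname), "wb") as fh:
            fh.write(b"\x00" * 16)  # placeholder bytes standing in for ciphertext
    with open(os.path.join(docs, NOTE_NAME), "w") as fh:
        fh.write("Your files are encrypted with RSA-1024 algorithm.\n")
    with open(os.path.join(root, "untouched.exe"), "wb") as fh:
        fh.write(b"MZ")  # an extension the post does not list; must be ignored
    return root
```

Run `triage_gpcode(build_sample_tree())` for the dry run, or point `triage_gpcode` at a mounted image of the affected disk; the script only reads, so it does not disturb the evidence the analysts ask you to preserve.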