Revision as of 16:44, 30 September 2008 edit Underpants (talk \| contribs) 1,235 edits +"Kaspersky Lab has been able to make contact with the author of the program"... ← Previous edit		Revision as of 16:59, 30 September 2008 edit undo Underpants (talk \| contribs) 1,235 edits No edit summary Next edit →
Line 16: The blackmail is completed with the trojan dropping a text file in each directory, with instructions to the victim of what to do. An email address is supplied through which users are supposed to request for their files to be released after paying a ransom of $200. While a few Gpcode variants have been successfully implemented<ref>{{cite web\|url=http://www.kaspersky.com/news?id=207575651\|title=Kaspersky Lab announces the launch of Stop Gpcode, an international initiative against the blackmailer virus\|date=2008-06-09}}</ref>, many variants have flaws that allow users to recover data without paying the ransom fee. The first versions of Gpcode used a custom-written encryption routine that was easily broken.<ref>{{cite web\|url=http://www.viruslist.com/en/analysis?pubid=189678219\|title=Blackmailer: the story of Gpcode\|date=2006-07-26\|publisher=Kaspersky Labs}}</ref> Variant Gpcode.ak writes the encrypted file to a new ___location, and deletes the unencrypted file., and ~~This~~this allows an [[undeletion\|undeletion utility]] to recover some of the files. Once some encrypted+unencrypted pairs have been found, this sometimes gives enough information to decrypt other files.<ref>{{cite web\|url=http://support.kaspersky.com/faq/?qid=208279822\|title=Utilities which fight Virus.Win32.Gpcode.ak\|date=2008-06-25\|publisher=Kaspersky Lab}}</ref><ref>{{cite web\|url=http://www.viruslist.com/en/weblog?weblogid=208187531\|title=Restoring files attacked by Gpcode.ak\|publisher=Kaspersky Labs\|date=2008-06-13}}</ref> ~~Once some encrypted+unencrypted pairs have been found, this sometimes gives enough information to decrypt other files.~~<ref>{{cite web\|url=http://www.viruslist.com/en/weblog?weblogid=208187538\|title=Another way of restoring files after a Gpcode attack\|date=2008-06-26}}</ref> Variant Gpcode.am uses symmetric encryption, which made decryption very easy.<ref>{{cite web\|url=http://www.viruslist.com/en/weblog?weblogid=208187565\|title=New Gpcode - mostly hot air\|date=2008-08-14\|publisher=Kaspersky Labs}}</ref> Kaspersky Lab has been able to make contact with the author of the program, and verify that they are the real author, but have so far been unable to determine his real world identity.<ref>{{cite web\|url=http://www.techworld.com/security/news/index.cfm?newsid=105043\|title=Police 'find' author of notorious virus\|date=2008-09-30\|publisher=TechWorld}}</ref> Line 24: ==External links== * Kaspersky Lab [http://www.kaspersky.com/find?words=gpcode&search=Search Kaspersky Lab blog posts] [http://forum.kaspersky.com/index.php?showforum=91 Kaspersky Lab forum dedicated to GPCode] * [http://people.csail.mit.edu/tromer/gpcode/ Gpcode.ak Cryptographic Challenge] ** [http://www.viruslist.com/en/find?search_mode=virus&words=Gpcode&x=9&y=5 Kaspersky ~~Labs~~Lab virus descriptions]▼ * Virus description databases▼ [http://downloads1.kaspersky-labs.com/utils/stopgpcode/ StopGPCode trojan removal utilties] ▲ [http://www.viruslist.com/en/find?search_mode=virus&words=Gpcode&x=9&y=5 Kaspersky Labs] ▲* ~~Virus~~Other virus description databases [http://www.f-secure.com/v-descs/gpcode.shtml F-Secure] [http://www.symantec.com/security_response/writeup.jsp?docid=2005-052215-5723-99 Symantec]

PGPCoder: Difference between revisions