Zipacna

Malware of tomorrow, today!

Gpcode File Restoration

Posted in Analysis on June 17th, 2008

Kaspersky blogs today that it may be possible to decrypt the encrypted files. The RSA private key hasn’t been found, and may never be, but a detailed analysis of the algorithm Gpcode uses for encryption has shown that the author made an error which makes it possible to decrypt encrypted files without the private key. However, they said this can only be done under “certain circumstances” depending on a number of factors, beginning with the system that was attacked. Depending on those factors, the method could restore anywhere from 0% to 98% of the encrypted files on a computer, if it works at all.

Kaspersky Lab researchers are currently working on creating a file restoration utility that will utilize this new method.

Gpcode propagates onto the victim machine with the help of another malicious program – a bot with Trojan-Downloader functionality. The victim machines had been infected with this malicious program well before Gpcode appeared on them. The bot also downloads a whole range of other Trojan programs in addition to the Gpcode virus.

Deeper Into Gpcode

Posted in Analysis on June 10th, 2008

I managed to find a copy of Gpcode on Offensive Computing. Usually you see malware packed or encrypted with programs like UPX and ASPack, which shrink the file and obscure its contents. Not Gpcode though, which I found quite strange, but I guess the author had no reason to want to make the executable smaller, as once the files are encrypted your life’s over anyway. Gpcode uses the Microsoft Enhanced Cryptographic Provider v1.0, which is built into Windows, to create an encrypted copy of each original file. The encrypted copy retains the original file name, with _CRYPT appended to the end of it.


As Gpcode ends its cycle, it drops the following VBS file, which deletes Gpcode from the victim’s machine and then causes a message box to be displayed.

set f=wscript.createobject("scripting.filesystemobject")
on error resume next
' keep retrying until the dropped executable is gone
do while f.deletefile("C:\Malware\7cd8e2fc5fe2dc351f24417cc1d23afa.exe")
loop
' then nag forever: 4144 = vbSystemModal (4096) + vbExclamation (48)
do while true
msgbox "Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor. To buy decryoting tool contact us at: saveinfo90@yahoo.com", 4144, " ATTENTION !"
loop

Kaspersky wants your help!

Posted in Malware on June 7th, 2008

Gpcode is a file-encrypter which encrypts over a hundred known file extensions. When it was first detected, Kaspersky was able to neutralize the threat by deducing the private key needed to unlock the encrypted data. That was possible because the crooks used a 660-bit RSA key and made some critical mistakes when implementing the encryption algorithm. On 4th June 2008 they detected a new variant of Gpcode, but cryptographers won’t have as easy a task this time around. This Gpcode uses a 1024-bit key and the algorithm seems to be sound, so brute-forcing the scheme would require about 15 million modern computers, and even then it could take about a year. Because of the huge computing power needed, Kaspersky is calling on cryptographers, governmental and scientific institutions, antivirus companies and independent researchers to join them in stopping Gpcode.

Here are the public keys used by the authors of Gpcode.

The first is used for encryption in Windows XP and higher.

Key type: RSA KeyExchange
bitlength: 1024
RSA exponent: 00010001
RSA modulus:
c0c21d693223d68fb573c5318982595799d2d295ed37da38be41ac8486ef900a
ee78b4729668fc920ee15fe0b587d1b61894d1ee15f5793c18e2d2c8cc64b053
9e01d088e41e0eafd85055b6f55d232749ef48cfe6fe905011c197e4ac6498c0
e60567819eab1471cfa4f2f4a27e3275b62d4d1bf0c79c66546782b81e93f85d

The second is used for encryption in versions of Windows prior to XP.

Key type: RSA KeyExchange
bitlength: 1024
RSA exponent: 00010001
RSA modulus:
d6046ad6f2773df8dc98b4033a3205f21c44703da73d91631c6523fe73560724
7cc9a5e0f936ed75c75ac7ce5c6ef32fff996e94c01ed301289479d8d7d708b2
c030fb79d225a7e0be2a64e5e46e8336e03e0f6ced482939fc571514b8d7280a
b5f4045106b7a4b7fa6bd586c8d26dafb14b3de71ca521432d6538526f308afb

The RSA exponent for both keys is 0x10001 (65537).

The information above is sufficient to start factoring the key. A specially created utility could be of great help in factoring.
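As an added example (not Kaspersky’s utility or anything from the post), here is a Python script that parses the two moduli printed above and runs the sanity checks a cryptanalyst does before committing real compute to a key: the bit length and exponent the post states, trial division for small factors, and a bounded Fermat search for primes generated too close together.

```python
"""Sanity checks on the two Gpcode public keys printed above (added example,
not Kaspersky's utility). Moduli are copied from the post as big-endian hex."""
from __future__ import annotations
from math import isqrt

GPCODE_KEYS = {
    "xp_and_higher": (  # first key in the post (Windows XP and higher)
        "c0c21d693223d68fb573c5318982595799d2d295ed37da38be41ac8486ef900a"
        "ee78b4729668fc920ee15fe0b587d1b61894d1ee15f5793c18e2d2c8cc64b053"
        "9e01d088e41e0eafd85055b6f55d232749ef48cfe6fe905011c197e4ac6498c0"
        "e60567819eab1471cfa4f2f4a27e3275b62d4d1bf0c79c66546782b81e93f85d"
    ),
    "pre_xp": (  # second key in the post (Windows prior to XP)
        "d6046ad6f2773df8dc98b4033a3205f21c44703da73d91631c6523fe73560724"
        "7cc9a5e0f936ed75c75ac7ce5c6ef32fff996e94c01ed301289479d8d7d708b2"
        "c030fb79d225a7e0be2a64e5e46e8336e03e0f6ced482939fc571514b8d7280a"
        "b5f4045106b7a4b7fa6bd586c8d26dafb14b3de71ca521432d6538526f308afb"
    ),
}
PUBLIC_EXPONENT = 0x10001  # "RSA exponent: 00010001" in both dumps

def parse_modulus(hex_modulus: str) -> int:
    """Hex as printed (line breaks and spaces tolerated) -> integer."""
    return int("".join(hex_modulus.split()), 16)

def small_factor(n: int, bound: int = 10_000) -> int | None:
    """Trial division: smallest factor below `bound`, or None if there is none."""
    for p in (2, *range(3, bound, 2)):
        if n % p == 0:
            return p
    return None

def fermat_factor(n: int, max_steps: int = 50_000) -> tuple[int, int] | None:
    """Bounded Fermat search; succeeds only if p and q are very close together."""
    a = isqrt(n)
    if a * a < n:
        a += 1  # start at ceil(sqrt(n))
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b  # n = (a - b)(a + b)
        a += 1
    return None

def check_public_key(hex_modulus: str, e: int = PUBLIC_EXPONENT) -> dict:
    """What the post states (1024 bits, e = 65537) plus the cheap weakness checks."""
    n = parse_modulus(hex_modulus)
    return {"bits": n.bit_length(), "e_ok": e == 65537 and e < n,
            "small_factor": small_factor(n), "fermat": fermat_factor(n)}
```

A `None` for both `small_factor` and `fermat` only rules out the cheap mistakes; it says nothing about whether the 1024-bit moduli can be factored by serious effort.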

To keep everyone up to date, they have set up a dedicated forum.