Tuesday, September 30. 2008
Gpcode 'ransomware' virus was the work of a single person believed to be a Russian national
The infamous Gpcode 'ransomware' virus that hit computers in July was the work of a single person who is known to the authorities, a source close to the hunt for the attacker has told Techworld.
The individual is believed to be a Russian national, and has been in contact with at least one anti-malware company, Kaspersky Lab, in an attempt to sell a tool that could be used to decrypt victims' files.
Initially sceptical, the company was able to verify that the individual was the author of the latest Gpcode attack - and probably earlier attacks in 2006 and 2007 - using a variety of forensic evidence, not least that he was able to provide a tool containing the RC4 key able to decrypt the work of the malware on a single PC.
The 128-bit RC4 keys, used to encrypt the user's data, are unique for every attack. The part that had stymied researchers was that this key had, in turn, been encrypted using an effectively unbreakable 1,024-bit RSA public key, generated in tandem with the virus author's private key. But the tool did at least prove that the individual had access to the private 'master' key and must therefore be genuine.
Kaspersky Lab set about locating the man by resolving the proxied IP addresses used to communicate with the world to their real addresses. The proxied addresses turned out to be zombie PCs in countries such as the US, which pointed to the fact that Gpcode's author had almost certainly used compromised PCs from a single botnet to get Gpcode on to victims' machines.
Tracking down the owners of these PCs proved extremely difficult, with service provider Yahoo, for one, allegedly refusing to cooperate with the investigation on privacy grounds. Foreign police were informed, however, as were the Russian authorities. Armed with enough circumstantial evidence, "they were interested," the Kaspersky source confirmed.
To date, it is not clear what if any action the authorities plan to take.
For its part, Kaspersky Lab confirmed that it had been in contact with a dozen victims from Russia, Hungary and Slovakia, at whose populations the program appears to have been primarily aimed. Gpcode has since struck further afield, hitting a medical institution in Cuba and, unconfirmed rumors claim, government offices in the US.
Gpcode has appeared in a number of variants since 2006, each using ever-stronger encryption. The program's approach is direct and frightening. Once on a system, it sets about encrypting all data files it finds with any one of 143 file extension types, rendering them inaccessible. Victims are then told they can recover the files by paying a ransom to the author, reachable through a Yahoo email account.
The innovation of the latest Gpcode attack was that it generated keys to the RC4 stream cipher using 1,024-bit RSA, a much higher bit length than previous versions, which made it, to all practical intents and purposes, uncrackable.
Luckily, on this occasion, Gpcode's author had made a number of more basic programming errors that allowed researchers to construct a method for recovering files. It turned out that, while encrypting data, the malware had 'deleted' the original files using the ordinary Windows file-system delete. This meant that, although invisible to the operating system, the files were still on the disk and could be recovered using available tools.
Continue reading " Police 'find' author of notorious Gpcode virus "
Posted by Justin Payton in Adware, Spyware and Trojans at 16:09
Tuesday, September 30. 2008
Microsoft Corp. and the state of Washington this week filed lawsuits against a slew of "scareware" purveyors, scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software.
The case filed by the Washington attorney general's office names Texas-based Branch Software and its owner James Reed McCreary IV, alleging that McCreary's company caused targeted PCs to pop up misleading security alerts about security threats on the victims' computers. The alerts warned users that their systems were "damaged and corrupted" and instructed them to visit a Web site to purchase a copy of Registry Cleaner XP for $39.95.
"We won't tolerate the use of alarmist warnings or deceptive 'free scans' to trick consumers into buying software to fix a problem that doesn't even exist," Washington Attorney General Rob McKenna said. "We've repeatedly proven that Internet companies that prey on consumers' anxieties are within our reach."
Paula Selis, who heads the attorney general's consumer protection unit, said Registry Cleaner found the same 43 "critical" errors on each PC they used to examine the software, while consumers who purchased the product were told their machines were instantly rid of the imaginary threats.
Selis said that in addition to handing their name, address and credit card numbers to someone "who is obviously a fraudster," consumers who purchased the software may have been lulled into a false sense of security, thinking the bogus software would protect them from future threats.
"We're absolutely certain that consumers across the country have been deeply affected by this," Selis said.
Continue reading "Microsoft, Washington State Sue Scareware Purveyors"
Posted by Justin Payton in Adware, Spyware and Trojans at 09:55
Monday, September 29. 2008
Have you ever imagined how frustrating it could be if you badly needed information from your computer, but could not access it because your computer had just caught a bug?
What can you say of a situation where an application on your system has suddenly refused to work, and you need to carry out an assignment within a short period?
What if you had just installed antivirus software on your system and were sure that you had no cause to fear any threatening virus, only to realise that the protection or immunity you thought you had was a mirage, after a virus had infected your system and destroyed all the information that meant so much to you or your company?
These are the experiences you will have if you patronise pirated or fake software.
In the world of information technology, there are no shortcuts to getting things right. Either you are getting things right or you are not, and following laid-down procedures is key to realising the needed results.
For instance, original Microsoft software comes with the assurance that it is not infected with any viruses, and updates and security patches to the Windows Vista Operating System or Microsoft Office 2007 are only available to customers who have original Microsoft software.
These updates ensure that your system is up to date, thereby boosting performance and protecting it from viruses and spyware; and retail packs of original Microsoft software come with 90 days of free support, accessible at any time.
There are many global business standards: registration as a corporate entity, audited accounts, filing of taxes and alignment of personnel policies with the law, among others. Original software is another such business standard, and an integral part of a company's success story.
From desktop operating systems to office productivity, from databases to server software, adopting original software means choosing a best practice adopted by industry-leading businesses across the world. Embracing original software means embracing a global business standard that brings with it several advantages.
The Chief Executive Director, Crossbridges Global Network Limited, Mrs. Sharon Odinaka, says that the use of pirated software will generate challenges that may not have solutions because they are not authorised.
Continue reading "Economic benefits of using genuine computer software "
Posted by Justin Payton in Adware, Spyware and Trojans at 17:48
Sunday, September 28. 2008
Genuine warning boxes pop up on our computer screens for a good reason. They interrupt the scintillating on-screen action to tell us that we should probably read the contents of the warning box and consider the various options (usually yes, no or cancel) before we proceed any further with our task. But rather than considering these popups as watchful observers, gallantly protecting us from making colossal errors of judgement, a recent study showed that all we're really interested in is getting the box to disappear – which has alarming implications for online security.
A report on the study over at Ars Technica concludes that "most users are idiots"; a bit harsh, perhaps – but it's interesting that our compulsion to browse the web uninterrupted makes us treat warning boxes as irritants, rather than, well, warnings. And the fact that we're so complacent about them makes the warning box a prime route for a virus into the inner workings of our computers.
Continue reading "Cyberclinic: Ignore popups at your peril"
Posted by Justin Payton in Adware, Spyware and Trojans at 14:47
BETTERANTIVIRUS.COM℠ is a US based reseller of Eset Software's NOD32 Solutions
BETTERANTIVIRUS.COM℠ and its contents are Copyright © Web Your Business Inc.
BETTERANTIVIRUS.COM℠ & Web Your Business™ are trademarks of Web Your Business Inc.
ESET®, NOD32, ESET Antivirus, Smart Security® Trademark of ESET, LLC
All rights reserved by their respective owners.