GPcode

The GPCODE.AK (also known as GPGCODE variation AK) holds infected computers for ransom. It encrypts all the data files on a computer and tells the owner that they can get their files back for $100-$200.

It is an improvement on a virus that the AV industry has been fighting for years. Instead of a flawed 660-bit key, this variant uses a much more secure 1,024-bit RSA key, and no flaws have been found in it yet.

background
Kaspersky Lab has thwarted previous variants of Gpcode by "crack[ing] the private key after in-depth cryptographic analysis". The author of Gpcode has taken two years to improve the virus: the previous errors have been fixed and the key has been lengthened to 1024 bits instead of 660 bits.

Names

  • Kaspersky: Virus:W32/Gpcode.AK
  • Trend Micro: TROJ_GPCODE.AD
  • Avira: TR/Gpcode.I
  • Sophos: Troj/Gpcode-D
  • Microsoft: Trojan:Win32/Gpcode.G
  • Symantec: Trojan.Gpcoder.F

footprint

  • Windows PE file
  • 8030 bytes
  • W32 platform

avoidance

  • turn off the Cryptographic Services service in Windows.
    This is not possible if you use Zone Alarm, because its True Vector Monitor relies on Cryptographic Services.
  • backup data

recovery

  • contact Kaspersky at stopgpcode@kaspersky.com. Include details about the exact date and time of infection, as well as everything you did on the computer in the 5 minutes before the machine was infected.
  • do not reboot
  • either: recover deleted files or restore backed up data

file recovery

  • Do not reboot
  • Use a utility to recover deleted files, such as "PhotoRec". Be sure to download it on another computer. The infected computer cannot infect the clean one: Gpcode does not spread on its own, and it deletes itself from the system. Also, recover into a separate directory.
  • Run Kaspersky's free utility, STOPGPCODE
    Use the -r, -i and -o options. The utility attempts to match the recovered files in the directory created in the previous step to the encrypted files by comparing their sizes, renames them to their original names, and puts them in another directory. If the utility cannot determine the original file name, the file is saved to a folder called "conflicted".
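The size-matching step described above, as an added example (not STOPGPCODE's own code, nor anything from the original page): because RC4 is a stream cipher, each ._CRYPT copy is exactly as large as the deleted original, so an undeleted file can be paired with its encrypted twin by size alone. The directory layout and the `demo()` sample tree are constructed here; ambiguous sizes are copied to a "conflicted" folder, as the page describes.

```python
import os
import shutil
import tempfile
from collections import defaultdict

CRYPT_SUFFIX = "._CRYPT"   # appended to every encrypted copy (filename.txt._CRYPT)


def pair_recovered_files(encrypted_root, recovered_dir, out_dir, conflicted_dir):
    """Give size-matched recovered files their original names.

    Matching key is the file size: the RC4 ciphertext in a ._CRYPT file is as
    long as the plaintext it replaced. Files whose size matches more than one
    ._CRYPT file cannot be named safely and go to conflicted_dir.
    """
    enc_by_size = defaultdict(list)
    for dirpath, _, names in os.walk(encrypted_root):
        for name in names:
            if name.endswith(CRYPT_SUFFIX):
                path = os.path.join(dirpath, name)
                enc_by_size[os.path.getsize(path)].append(path)
    os.makedirs(out_dir, exist_ok=True)
    os.makedirs(conflicted_dir, exist_ok=True)
    result = {"renamed": {}, "conflicted": [], "unmatched": []}
    for name in sorted(os.listdir(recovered_dir)):
        path = os.path.join(recovered_dir, name)
        if not os.path.isfile(path):
            continue
        candidates = enc_by_size.get(os.path.getsize(path), [])
        if len(candidates) == 1:
            original = os.path.basename(candidates[0])[: -len(CRYPT_SUFFIX)]
            shutil.copy2(path, os.path.join(out_dir, original))  # copy, never move: keep evidence intact
            result["renamed"][name] = original
        elif candidates:
            shutil.copy2(path, os.path.join(conflicted_dir, name))
            result["conflicted"].append(name)
        else:
            result["unmatched"].append(name)
    return result


def demo():
    """Constructed sample tree: two encrypted files of distinct sizes, two of equal size."""
    base = tempfile.mkdtemp()
    enc, rec = os.path.join(base, "enc"), os.path.join(base, "rec")
    os.makedirs(enc)
    os.makedirs(rec)
    for name, size in (("report.doc._CRYPT", 20), ("notes.txt._CRYPT", 31),
                       ("a.xls._CRYPT", 40), ("b.xls._CRYPT", 40)):
        with open(os.path.join(enc, name), "wb") as f:
            f.write(os.urandom(size))      # stands in for RC4 ciphertext
    for name, size in (("f0001.bin", 20), ("f0002.bin", 40), ("f0003.bin", 7)):
        with open(os.path.join(rec, name), "wb") as f:
            f.write(b"x" * size)           # stands in for PhotoRec output
    return pair_recovered_files(enc, rec, os.path.join(base, "out"), os.path.join(base, "conflicted"))
```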

steps it takes

  1. creates a mutex (_G_P_C)
  2. scans all logical drives for files (see extension list below)
    1. creates another file near it named with ._CRYPT at the end
      example: filename.txt becomes filename.txt._CRYPT
    2. encrypts the file contents into the new file with RC4, using the Windows CryptoAPI
      (Microsoft Enhanced Cryptographic Provider v1.0)
    3. deletes the source file
    4. drops a ransom note to each directory which contains encrypted files.
  3. encrypts the RC4 key with an RSA-1024 public key
  4. creates a VBS script to delete itself

technical notes

  • The virus does not register itself in the system registry.

possible weaknesses

  • It might seed the RNG with the file's timestamp.
    - a DSLREPORTS.COM blog

extensions it encrypts

7z abk abd acad arh arj ace arx asm bz bz2 bak bcb c cc cdb
cdw cdr cer cgi chm cnt cpp css csv db db1 db2 db3 db4 dba dbb
dbc dbd dbe dbf dbt dbm dbo dbq dbt dbx Djvu doc dok dpr dwg dxf
ebd eml eni ert fax flb frm frt frx frg gtd gz gzip gfa gfr gfd
h inc igs iges jar jad Java jpg jpeg Jfif jpe js jsp hpp htm html
key kwm Ldif lst lsp lzh lzw ldr man mdb mht mmf mns mnb mnu mo
msb msg mxl old p12 pak pas pdf pem pfx php php3 php4 pl prf pgp
prx pst pw pwa pwl pwm pm3 pm4 pm5 pm6 rar rmr rnd rtf Safe sar
sig sql tar tbb tbk tdf tgz tbb txt uue vb vcf wab xls xml

files it will not encrypt

  • Any file in the "Program Files" directory
  • Any file with the system or hidden attribute set.
  • Any file less than 10 bytes in size.
  • Any file larger than 734003200 bytes (700 MiB) in size.
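A triage scanner built from the "steps it takes" and "files it will not encrypt" sections, as an added example (not from the original page or from any vendor tool). It walks a tree, reports per directory the ._CRYPT copies and ransom notes already present, and applies the page's targeting rules (extension list, Program Files exclusion, hidden/system attributes, the 10-byte and 734003200-byte limits) to list files that were still in scope. The extension set is a subset of the page's list, and the `demo()` tree is constructed.

```python
import os
import tempfile

TARGETED = {"doc", "xls", "txt", "pdf", "jpg", "pst", "key", "pem", "pfx", "sql", "xml"}  # subset of page list
CRYPT_SUFFIX = "._CRYPT"
NOTE_NAME = "!_READ_ME_!.txt"
MIN_SIZE, MAX_SIZE = 10, 734003200
HIDDEN, SYSTEM = 0x2, 0x4          # FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM


def would_be_targeted(path, root):
    """Apply the page's targeting and exclusion rules to one file."""
    rel = os.path.relpath(path, root)
    if rel.split(os.sep)[0].lower() == "program files":
        return False
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", 0)   # only populated on Windows
    if attrs & (HIDDEN | SYSTEM):
        return False
    if not (MIN_SIZE <= st.st_size <= MAX_SIZE):
        return False
    name = os.path.basename(path)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in TARGETED


def triage(root):
    """Per-directory summary: encrypted copies, ransom note present, files still exposed."""
    report = {}
    for dirpath, _, names in os.walk(root):
        enc = [n for n in names if n.endswith(CRYPT_SUFFIX)]
        exposed = [n for n in names if not n.endswith(CRYPT_SUFFIX) and n != NOTE_NAME
                   and would_be_targeted(os.path.join(dirpath, n), root)]
        if enc or NOTE_NAME in names or exposed:
            report[os.path.relpath(dirpath, root)] = {
                "encrypted": sorted(enc), "note": NOTE_NAME in names, "exposed": sorted(exposed)}
    return report


def demo():
    """Constructed sample tree mixing encrypted, exposed and excluded files."""
    root = tempfile.mkdtemp()
    files = {"docs/report.doc": 100, "docs/tiny.txt": 5, "docs/photo.jpg._CRYPT": 50,
             "docs/" + NOTE_NAME: 80, "Program Files/app/config.xml": 100, "bin/tool.exe": 100}
    for rel, size in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"x" * size)
    return triage(root)
```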

ransom note:
!_READ_ME_!.txt

Your files are encrypted with RSA-1024 algorithm.
To recovery your files you need to buy our decryptor.
To buy decrypting tool contact us at: [censored]@yahoo.com

Kaspersky's official announcement:

"Along with antivirus companies around the world, we're faced with the task of cracking the RSA 1024-bit key. This is a huge cryptographic challenge. We estimate it would take around 15 million modern computers, running for about a year, to crack such a key.

Of course, we don't have that type of computing power at our disposal. This is a case where we need to work together and apply all our collective knowledge and resources to the problem.

So we're calling on you: cryptographers, governmental and scientific institutions, antivirus companies, independent researchers…join with us to stop Gpcode. This is a unique project - uniting brain-power and resources out of ethical, rather than theoretical or malicious considerations.

... [technical details removed] ...

"The information above is sufficient to start factoring the key. A specially created utility could be of great help in factoring.

We're happy to provide additional information to anyone involved in stopping Gpcode. To keep everyone up to date, we've set up a dedicated forum (http://forum.kaspersky.com/index.php?showforum=90)

... [technical details removed]

"At present Kaspersky Lab is yet to provide verifiable evidence that the announced public keys are indeed those used by the virus. Moreover, even if the public keys are correctly extracted and reported (which seems very likely given Kaspersky Lab's reputation), we have not seen proof that the virus's author indeed knows the corresponding private keys. This leaves open a remote but troubling possibility: these 1024-bit RSA public keys may actually be copies of someone else's public keys. For example, they could be copies of a root signing key of a prominent certificate authority. Thus, a well-meaning cryptanalytic effort to break such keys in order to help the virus's victims may end up causing considerable harm."

public keys used

Windows XP and higher

Key type: RSA KeyExchange
bitlength: 1024
RSA exponent: 00010001
RSA modulus:
c0c21d693223d68fb573c5318982595799d2d295ed37da38be41ac8486ef900aee78b4729668fc920ee15f
e0b587d1b61894d1ee15f5793c18e2d2c8cc64b0539e01d088e41e0eafd85055b6f55d232749ef48cfe6fe
905011c197e4ac6498c0e60567819eab1471cfa4f2f4a27e3275b62d4d1bf0c79c66546782b81e93f85d

Windows prior to XP

Key type: RSA KeyExchange
bitlength: 1024
RSA exponent: 00010001
RSA modulus:
d6046ad6f2773df8dc98b4033a3205f21c44703da73d91631c6523fe735607247cc9a5e0f936ed75c75ac7
ce5c6ef32fff996e94c01ed301289479d8d7d708b2c030fb79d225a7e0be2a64e5e46e8336e03e0f6ced48
2939fc571514b8d7280ab5f4045106b7a4b7fa6bd586c8d26dafb14b3de71ca521432d6538526f308afb

emails used by the gpcode authors
content715@yahoo .com
saveinfo89@yahoo .com
cipher4000@yahoo .com
decrypt482@yahoo .com

virtual currency accounts used by the malware authors
Liberty Reserve - account U6890784
E-Gold - account - 5431725
E-Gold - account - 5437838

sample of the first response email
Next, you should send $100 to Liberty Reserve account U6890784 or E-Gold account 5431725 (www.e-gold.com) To buy E-currency you may use exchange service, see or any other. In the transfer description specify your e-mail. After receive your payment, we send decryptor to your e-mail. For check our guarantee you may send us one any encrypted file (with cipher key, specified in any !_READ_ME_!.txt file, being in the directorys with the encrypted files). We decrypt it and send to you originally decrypted file. Best Regards, Daniel Robertson

sample of the second response email
The price of decryptor is 200 USD. For payment you may use one of following variants: 1. Payment to E-Gold account 5437838 (www.e-gold.com). 2. Payment to Liberty Reserve account U6890784 (www.libertyreserve.com). 3. If you do not make one of this variants, contact us for decision it. For check our guarantee you may send us ONE any encrypted file. We decrypt it and send to you originally decrypted file. For any questions contact us via e-mail. Best regards. Paul Dyke

Note: this analysis is based on other sources and not on first hand research.
