Kaspersky Lab is reporting on a new version of an old trick. The Gpcode virus, a nasty bit of work that encrypts files and then holds them for ransom, has gotten an upgrade from its author. The old version used 660-bit encryption and had a few errors; now, after two years in existence, the blackmail virus has better code and a standard 1024-bit RSA encryption key.
Kaspersky located stronger version of Gpcode -- wants help to crack it. (IMG: J.Anderson)
To be blunt, if you are infected with this nasty bit of malware, you are up the proverbial creek without a paddle. Gpcode encrypts files with various extensions, including .doc, .txt, .pdf, .xls, .jpg, .png, .cpp, .h and more, using an RSA encryption algorithm with a 1024-bit key. Kaspersky Lab succeeded in thwarting previous variants of Gpcode when its virus researchers were able to crack the private key after in-depth cryptographic analysis. The author of Gpcode has taken two years to improve the virus: the previous errors have been fixed and the key has been lengthened to 1024 bits instead of 660 bits.
“Once the virus has encrypted a user's files, it leaves the following text message along with the files it has encrypted:
«Your files are encrypted with RSA-1024 algorithm. To recovery your files you need to buy our decryptor. To buy decrypting tool contact us at: ********@yahoo.com»,” Kaspersky says.
Kaspersky is researching a way to crack the key and recover the encrypted files, but it needs help.
“Along with antivirus companies around the world, we're faced with the task of cracking the RSA 1024-bit key. This is a huge cryptographic challenge. We estimate it would take around 15 million modern computers, running for about a year, to crack such a key. Of course, we don't have that type of computing power at our disposal. This is a case where we need to work together and apply all our collective knowledge and resources to the problem. So we're calling on you: cryptographers, governmental and scientific institutions, antivirus companies, independent researchers…join with us to stop Gpcode. This is a unique project – uniting brain-power and resources out of ethical, rather than theoretical or malicious considerations.”
If you want to help and take on this mammoth task, Kaspersky offers the public keys for your research.
(Taken from: http://www.viruslist.com/en/weblog?calendar=2008-06)
The first is used for encryption in Windows XP and higher.
Key type: RSA KeyExchange
bitlength: 1024
RSA exponent: 00010001
RSA modulus:c0c21d693223d68fb573c5318982595799d2d295ed37da38be41ac8486ef900aee78b4729668fc920ee15fe0b587d1b61894d1ee15f5793c18e2d2c8cc64b0539e01d088e41e0eafd85055b6f55d232749ef48cfe6fe905011c197e4ac6498c0e60567819eab1471cfa4f2f4a27e3275b62d4d1bf0c79c66546782b81e93f85d
The second is used for encryption in versions of Windows prior to XP.
Key type: RSA KeyExchange
bitlength: 1024
RSA exponent: 00010001
RSA modulus:d6046ad6f2773df8dc98b4033a3205f21c44703da73d91631c6523fe735607247cc9a5e0f936ed75c75ac7ce5c6ef32fff996e94c01ed301289479d8d7d708b2c030fb79d225a7e0be2a64e5e46e8336e03e0f6ced482939fc571514b8d7280ab5f4045106b7a4b7fa6bd586c8d26dafb14b3de71ca521432d6538526f308afb
The RSA exponent for both keys is 0x10001 (65537).
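Since earlier Gpcode variants fell to implementation errors rather than raw computing power, a researcher's first step with a published key is to confirm its real size and rule out cheap structural weaknesses. The sketch below is an added example, not code from Kaspersky or from the original article; the function names and the check limits are assumptions, and the hex values are the first key exactly as quoted above.

```python
import math

# Public-key parameters as published on this page (Windows XP and higher key).
E_HEX = "00010001"
N_HEX = (
    "c0c21d693223d68fb573c5318982595799d2d295ed37da38be41ac8486ef900a"
    "ee78b4729668fc920ee15fe0b587d1b61894d1ee15f5793c18e2d2c8cc64b053"
    "9e01d088e41e0eafd85055b6f55d232749ef48cfe6fe905011c197e4ac6498c0"
    "e60567819eab1471cfa4f2f4a27e3275b62d4d1bf0c79c66546782b81e93f85d"
)


def small_factor(n, limit=10000):
    """Trial division by every prime up to limit; returns a factor or None."""
    sieve = bytearray([1]) * (limit + 1)
    for i in range(2, limit + 1):
        if sieve[i]:
            if n % i == 0 and n != i:
                return i
            sieve[i * i::i] = bytes(len(sieve[i * i::i]))  # strike multiples
    return None


def fermat(n, max_steps=10000):
    """Fermat's method: succeeds quickly only if the two primes are close."""
    a = math.isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b = math.isqrt(a * a - n)
        if b * b == a * a - n:
            return a - b, a + b
        a += 1
    return None


def triage(n_hex, e_hex):
    """Return the key's actual size and any cheap weakness that was found."""
    n, e = int(n_hex, 16), int(e_hex, 16)
    findings = []
    if (p := small_factor(n)) is not None:
        findings.append(("small factor", p))
    if (pq := fermat(n)) is not None and pq[0] > 1:
        findings.append(("close primes", pq))
    return {"bits": n.bit_length(), "e": e, "findings": findings}


if __name__ == "__main__":
    print(triage(N_HEX, E_HEX))
```

An empty findings list only means these two shortcuts do not apply; it says nothing about other implementation flaws.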
If you can get involved, it will certainly help people, and for some of you the research alone would make it worthwhile.
Alpha_Omega, Jun 9th, 2008 - 21:18:35
I have an idea on who might be able to crack this key. The US government has the world's fastest computer, RoadRunner. Petaflop...
TTH Steve R, Jun 10th, 2008 - 01:02:43
Yes, that is true, but I doubt they would care enough to help. I'm thinking it would be neat to see an @ project of some kind ala SETI
Chris Lyon, Jun 10th, 2008 - 12:20:49
I suggest focusing on the money trail and providing the author/money recipient with a corrective experience.
Baliame, Jun 10th, 2008 - 12:59:57
Cracking@Home? Yeah, it could work.