New tool for GPcode trojan victims from Kaspersky
Anti-virus vendor Kaspersky has released StopGpcode2, a tool which may be able to recover most of the data encrypted by the GPcode.ak trojan. According to the developers, the Windows program requires pairs of encrypted files and unencrypted copies of the same files; the more pairs, the better. Unencrypted copies may be obtainable from backups, or by using software such as PhotoRec to reconstruct, from the raw hard disk sectors, the original files the trojan deleted after encrypting them.
The success rate is said to be up to 80 per cent, but depends on unspecified characteristics of the infected system. Affected users may thus be able to avoid buying the 'official' decryption tool offered by the blackmailers. Predecessors of GPcode.ak such as GPcode.ai and the earlier PGPcode.A could readily be cracked because of their weak encryption. The new version, however, uses a hybrid of RC4 and RSA that is taking cryptographers much longer to crack: the trojan derives an RC4 session key for each file from a randomly generated master key, and saves an RSA-encrypted copy of that master key on the infected system, so that only the holder of the matching RSA private key can recover it directly.
Brute-force attacks on the blackmailers' RSA key, which would yield the master key, have so far proved unsuccessful. Kaspersky's specialists instead appear to be mounting a known-plaintext attack on the session keys: because RC4 is a stream cipher, XORing an encrypted file with its unencrypted copy exposes the keystream that the file's session key produced, which is why the tool needs file pairs. Although RC4 also forms the basis of the insecure WEP encryption protocol, which can be cracked very quickly, the WEP break does not rest on a weakness in the RC4 algorithm itself. WEP's weak point is the way it forms the per-packet RC4 key by prepending a 24-bit initialisation vector to the shared WEP password: the small IV space guarantees that keystreams are reused, and the closely related per-packet keys leak bytes of the password through RC4's first output bytes.
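To make the two points above concrete (the hybrid RC4/RSA layout, and what a known-plaintext attack on the session keys buys you), here is an added toy model in Python. It is not code from the original article, from Kaspersky's tool or from the trojan. The RC4 routine is the standard algorithm; the per-file session-key derivation (`session_key`, a SHA-256 of the master key and a file index) and the unpadded textbook RSA with two Mersenne primes are assumptions chosen so the demo runs offline, since the article does not say how GPcode.ak derives its keys or wraps its master key. The walkthrough in `demo()` shows that one encrypted/unencrypted pair yields that file's keystream, that the keystream decrypts anything else encrypted under the same session key, and that it does not carry over to a file encrypted under a different session key. That is why more pairs help, and why the unspecified details of the key derivation decide how far the attack reaches.

```python
"""Toy model of an RC4/RSA hybrid file encryptor and the known-plaintext step
that file pairs enable.  Added for illustration only; the key derivation and
the unpadded textbook RSA are assumptions, not GPcode.ak's construction."""
import hashlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR the data with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


# ASSUMPTION: per-file session key = SHA-256(master || file index), truncated to
# 16 bytes.  The article only says each file gets its own RC4 key from a master key.
def session_key(master_key: bytes, file_index: int) -> bytes:
    return hashlib.sha256(master_key + file_index.to_bytes(4, "little")).digest()[:16]


def encrypt_files(master_key: bytes, files: list) -> list:
    return [rc4(session_key(master_key, i), data) for i, data in enumerate(files)]


# Toy textbook RSA (no padding) standing in for the blackmailers' key pair.  Two
# Mersenne primes avoid needing a prime generator; 65537 is coprime to phi(N).
_P = (1 << 127) - 1
_Q = (1 << 89) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))


def rsa_wrap(master_key: bytes) -> int:
    """What the trojan leaves on disk: the master key under the attackers' public key."""
    return pow(int.from_bytes(master_key, "big"), _E, _N)


def rsa_unwrap(wrapped: int) -> bytes:
    """Only the private-key holder (the blackmailers) can do this step."""
    return pow(wrapped, _D, _N).to_bytes(16, "big")


def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext step: XOR of a file and its encrypted copy is the keystream."""
    n = min(len(plaintext), len(ciphertext))
    return bytes(p ^ c for p, c in zip(plaintext[:n], ciphertext[:n]))


def decrypt_with_keystream(keystream: bytes, ciphertext: bytes) -> bytes:
    """Apply a recovered keystream to another ciphertext of at most its length."""
    if len(keystream) < len(ciphertext):
        raise ValueError("recovered keystream shorter than the target file")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def demo() -> dict:
    """Constructed walkthrough with fixed inputs; returns the outcome of each check."""
    master = bytes(range(16))  # fixed here; the real trojan draws it randomly
    files = [  # constructed sample files, not real victim data
        b"\xff\xd8\xff\xe0 JFIF header plus some photo payload bytes",
        b"short document",
    ]
    cts = encrypt_files(master, files)
    wrapped = rsa_wrap(master)

    # The victim has file 0 in the clear (backup or PhotoRec) and its encrypted copy.
    ks0 = recover_keystream(files[0], cts[0])

    # Anything else encrypted under the same session key is now readable ...
    same_key_ct = rc4(session_key(master, 0), b"another file, same key")
    hit = decrypt_with_keystream(ks0, same_key_ct)

    # ... but file 1 used a different session key, so the keystream does not carry over.
    miss = decrypt_with_keystream(ks0, cts[1])

    return {
        "keystream_matches": ks0 == rc4_keystream(session_key(master, 0), len(files[0])),
        "same_key_recovered": hit == b"another file, same key",
        "other_key_recovered": miss == files[1],
        "wrapped_master": wrapped,
        "master": master,
    }
```

Calling `demo()` returns `keystream_matches` and `same_key_recovered` as true and `other_key_recovered` as false. Note that the attack never touches the RSA-wrapped master key at all: a keystream recovered from one pair is useful exactly as far as the same session key was used, so with a sound per-file derivation each recovered file needs its own pair, whereas a weak or reused derivation lets recovered keystreams extend to files for which no clean copy exists.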
- Another way of restoring files after a Gpcode attack, Kaspersky blog entry