How to write a better extortion virus

| Comments (1) |
BBC reports that the Archiveus extortion virus has been cracked. The way that Archiveus works is that it infects your computer and then encrypts your files. In order to get the encryption key (password, whatever) you are instructed to go buy drugs from a particular web site to get the decryption password. Anyway, it turns out that the virus uses a static key for everyone and someone has recovered that key. 1.

One way to think of an extortion virus is as a particularly pernicious form of involuntary DRM. As with standard DRM systems, you want to design such a system so that it doesn't have catastrophic failure modes where compromise of a single instance leads to compromise of the entire system. Having a single symmetric key that does all the encryption is clearly a loser as far as this is concerned, as we saw with CSS. Even better, we'd prefer that reverse engineering the virus didn't buy you anything. On the other hand, you'd really like all of the virus copies to be the same.

Luckily, modern cryptography comes to the rescue in the form of public key cryptography. What you do is generate a public key pair and embed the public key (Kpub) in the virus. The virus author keeps the private key (Kpriv). When the virus goes to encrypt your files, it generates a random symmetric key (Ksym) and encrypts the files under Ksym. It encrypts the Ksym under Kpub (E(Kpub,Ksym)) and stores the result on the disk somewhere and then erases Ksym.2 At this point, the only person who can recover Ksym (and hence your files is the person who has Kpriv). No amount of analysis of the binary can recover Kpriv because the virus doesn't know it, and if it's written correctly, Ksym is long gone.

Of course, this design has one downside: because Ksym is different for each victim, you somehow need to get ahold of E(Kpub,Ksym) in order to recover Ksym. Given this particular method of recovering the money, the obvious approach is to require the user to cut-and-paste the value into some field in the order form, which kind of screws up plausible deniability for the vendor who's collecting the money, assuming they had any in the first place. An alternative approach is to have the virus send a copy of E(Kpub,Ksym) to the virus author along with your e-mail address. Then, when you order the drugs they look up your e-mail address and send you Ksym. Of course, if you're going to do things this way, then you don't really need public key at all: just send Ksym in the clear and assume (almost certainly rightly) that the victim isn't running a traffic recorder on their network and so won't capture it.

1. Come to think of it, it's not clear why this took analysis. If it gives the same password to everyone, surely this is something you could detect without any kind of reverse engineering.
2. When I first heard about extortion viruses a few years back from Paul Kocher, this was the technique he described.


I had a go trying to work out how this works. I agree that the crypto is flawed but the much bigger flaw in the scheme is how to cash out without being caught in a repeatable, scalable way.

Best idea they have had so far is to use E-Gold but I can't see that working for very long at all. If there is any volume of extorted money flowing through E-Gold then the regulators will shut it down pronto. Anyway, full article on my blog

Leave a comment