Police 'find' author of notorious Gpcode virus

The infamous Gpcode "ransomware" virus  that hit computers in July was the work of a single person who is known to the authorities, a source close to the hunt for the attacker has told Techworld.

The individual is believed to be a Russian national, and has been in contact with at least one anti-malware company, Kaspersky Lab, in an attempt to sell a tool that could be used to decrypt victims' files.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

Initially sceptical, the company was able to verify that the individual was the author of the latest Gpcode attack -- and probably earlier attacks in 2006 and 2007 -- using a variety of forensic evidence, not least that he was able to provide a tool containing the RC4 key able to decrypt the work of the malware on a single PC.

The 128-bit RC4 keys, used to encrypt the user's data, are unique for every attack. The part that had stymied researchers was that this key had, in turn, been encrypted using an effectively unbreakable 1,024-bit RSA public key, generated in tandem with the virus author's private key. But the tool did at least prove that the individual had access to the private "master" key and must therefore be genuine.

Kaspersky Lab set about locating the man by resolving the proxied IP addresses used to communicate with the world to their real addresses. The proxied addresses turned out to be zombie PCs in countries such as the United States, which pointed to the fact that Gpcode's author had almost certainly used compromised PCs from a single botnet to get Gpcode on to victim's machines.

Tracking down the owners of these PCs proved extremely difficult, with service provider Yahoo, for one, allegedly refusing to cooperate with the investigation on privacy grounds. Foreign police were informed, however, as were the Russian authorities. Armed with enough circumstantial evidence, "they were interested," the Kaspersky source confirmed.

To date, it is not clear what if any action the authorities plan to take.

For its part, Kaspersky Lab confirmed that it had been contact with a dozen victims from Russia, Hungary, and Slovakia, at whose populations the program appears to have been primarily aimed. Gpcode has since struck further afield, hitting a medical institution in Cuba and, unconfirmed rumors claim, government offices in the United States.

Gpcode has appeared in a number of variants since 2006, each using ever-stronger encryption. The program's approach is direct and frightening. Once on a system, it sets about encrypting all data files it finds with any one of 143 file extension types, rendering them inaccessible. Victims are then told they can recover the files by paying a ransom to the author, reachable through a Yahoo e-mail account.

The innovation of the latest Gpcode attack was that it generated keys to the RC4 stream cipher using 1,024-bit RSA, a much higher bit length than previous versions, which made it, to all practical intents and purposes, uncrackable.