Gpcode update

17 Jun 2008

minute read

Authors

Vitaly Kamluk

Our StopGpcode project has attracted a lot of attention from individual researchers and organizations who are interested in solving the puzzle of the blackmailing virus. Thanks for all the feedback.

Among other things, we’ve been asked a lot about how the virus propagates. Having analyzed a number of infected computers we’ve come to the conclusion that the virus gets onto the victim machine with the help of another malicious program – a bot with Trojan-Downloader functionality. The victim machines had been infected with this malicious program well before Gpcode appeared on them; and the bot downloaded a whole range of other Trojan programs in addition to the Gpcode virus.

The RSA private key hasn’t been found, but some interesting ideas have surfaced. For instance, a detailed analysis of the algorithm used by Gpcode has shown that the author of the virus made an error which makes it possible (under certain circumstances) to decrypt encrypted files without the private key.

This method restores from 0% to 98% of all encrypted files on the computer. The results depend on a number of factors, beginning with the system that was attacked. At the moment it’s impossible to give an average number of files that could be recovered from a ‘typical’ computer.

Kaspersky Lab researchers are currently working on creating a file restoration utility that will utilize this new method.

Authors

Vitaly Kamluk

Gpcode update

Latest Posts

Latest Webinars

Reports

We continue to report on the APT group ToddyCat. This time, we’ll talk about traffic tunneling, constant access to a target infrastructure and data extraction from hosts.

New unattributed DuneQuixote campaign targeting entities in the Middle East employs droppers disguised as Total Commander installer and CR4T backdoor in C and Go.

In this report Kaspersky researchers provide an analysis of the previously unknown HrServ web shell, which exhibits both APT and crimeware features and has likely been active since 2021.

Asian APT groups target various organizations from a multitude of regions and industries. We created this report to provide the cybersecurity community with the best-prepared intelligence data to effectively counteract Asian APT groups.

Gpcode update

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

Copy-paste heist or clipboard-injector attacks on cryptousers

Cybersecurity Research During the Coronavirus Outbreak and After

Bitscout – The Free Remote Digital Forensics Tool Builder

Simda’s Hide and Seek: Grown-up Games

Blockchain technology abuse: time to think about fixes

In search of the Triangulation: triangle_check utility

How to train your Ghidra

OpenTIP, command line edition

Extracting type information from Go binaries

GReAT thoughts: Awesome IDA Pro plugins

Latest Posts

DuneQuixote campaign targets Middle Eastern entities with “CR4T” malware

SoumniBot: the new Android banker’s unique techniques

Using the LockBit builder to generate targeted ransomware

XZ backdoor story – Initial analysis

Latest Webinars

The Future of AI in cybersecurity: what to expect in 2024

Responding to a data breach: a step-by-step guide

2024 Advanced persistent threat predictions

Overview of modern car compromise techniques and methods of protection

Reports

ToddyCat is making holes in your infrastructure

DuneQuixote campaign targets Middle Eastern entities with “CR4T” malware

HrServ – Previously unknown web shell used in APT attack

Modern Asian APT groups’ tactics, techniques and procedures (TTPs)

Subscribe to our weekly e-mails