File-encrypting Trojans are becoming so complex that the security companies could soon be powerless to reverse their effects, a new report from Kaspersky Lab has said.
The report, Malware Evolution: April – June 2006, Hidden Wars, notes the rapid evolution of the public key encryption used by one family of crypto malware, Gpcode, which went from using 56-bit to 660-bit RSA in a matter of weeks.
Commonly termed "ransomware", Trojans that encrypt data files on a user’s PC before demanding a payment in return for supplying the key to unlock the files, have come from nowhere in recent months to become a measurable problem.
At the time of the of its discovery in June Gpcode.ag - which used a formidable 660-bit key - Kaspersky described the process required to decrypt such a key as equivalent to setting a 2.2 GHz PC to work for thirty years.
In the event, the company managed to work out the key using a technique it was unwilling to reveal.
"We were able to decrypt 330 and 660-bit keys within a reasonably short space of time," said Aleks Gostev of Kaspersky Lab. "But a new variant with a longer key could appear at any time. If RSA, or any other similar algorithm which uses a public key, were to be used in a new virus, anti-virus companies might find themselves powerless, even if maximum computing power was applied to decrypting the key," he warned.
Gotsev raised the alarming possibility that victims could at some point in the near future have their files encrypted in such a way that the security industry would not be able to issue a fix. If this comes to pass – and Kaspersky’s claims that the day is not far off are plausible - it will mark an important moment for the whole software security industry.
The obvious answer could be simply not to allow ransomware on to a PC in the first place, an approach that Gotsev and other security companies will be keen to stress.
The other defence will have to be more assiduous pursuit of the distributors of such products, or novel technical solutions that prohibit the low-level interference with a computer’s files-system necessary for encryption to happen in the first place.
“Unfortunately, the authors behind the Gpcode, Cryzip, and Krotten ransomware are still free. However, even if they are arrested, there’s nothing to prevent other malicious users from implementing such techniques in order to make money.”