Error 424 - Failed Dependency
June 25th, 2008
From Peter Ferrie:
Here I am at Microsoft, where I’ve spent a very pleasant nearly three months already, which seems to be one of the industry’s best kept secrets. It’s been a while since I last posted about the EOF/DoomRiderz/rRlf zine, and I’m still waiting for what is essentially the remaining formal virus-writing groups to release it. My previous post (Notes from the Underground) caused quite a stir among both the media (for example, here) and the groups themselves. The post was about how the traditional virus-writing groups are disappearing, as the members leave the scene, only to be replaced by criminals. The oldskool viruses are becoming a thing of the past, and money is the new motivation.
The image of the old groups disappearing certainly resonated within the media. It’s not quite as glamorous as the end of the Vikings or the Samurai, but some people might find some similarities. On the other hand, there were several posts on the EOF forum of the “let’s show them” type, all written of course by people who wouldn’t be doing the coding themselves.
Now the last hope for these formal virus-writing groups worldwide is diminished that much more, and the EOF/DoomRiderz/rRlf alliance is broken. rRlf has announced their withdrawal from the project “because of various reasons”, according to their website (which we can translate as “because all of our members are inactive and no-one wrote anything”).
The ambiguous phrasing on the EOF site regarding the contribution deadline could mean that either the actual deadline will be the end of June, or a future deadline will be _announced_ at the end of June. I suppose that they mean the former, but we will see. It’s been a month since that entry was added, and the EOF discussion forum has been dead for a week. It’s not looking good for them.
It’s a funny coincidence that EOF often stands for “End Of File”.
EOF
- Peter Ferrie
We do not care! The zine will be published!
Let’s code!
gpcode.ak
June 14th, 2008
Thx to offensivecomputing I got a copy of gpcode.ak and I tested it in my virtualized WinXP.
Here are some screenshots of it running:
before execution
after execution
It’s a very evil piece of code …
Help crack Gpcode
June 8th, 2008
From Kaspersky’s blog:
If you read Vitaly’s blogpost yesterday, you’ll know that on the 4th June 2008 we detected a new variant of Gpcode, a dangerous file encryptor. Details of the encryption algorithms used by the virus are all in Vitaly’s post and the description of Gpcode.ak.
Along with antivirus companies around the world, we’re faced with the task of cracking the RSA 1024-bit key. This is a huge cryptographic challenge. We estimate it would take around 15 million modern computers, running for about a year, to crack such a key.
Of course, we don’t have that type of computing power at our disposal. This is a case where we need to work together and apply all our collective knowledge and resources to the problem.
So we’re calling on you: cryptographers, governmental and scientific institutions, antivirus companies, independent researchers…join with us to stop Gpcode. This is a unique project – uniting brain-power and resources out of ethical, rather than theoretical or malicious considerations.
Here are the public keys used by the authors of Gpcode.
The first is used for encryption in Windows XP and higher.
Key type: RSA KeyExchange
bitlength: 1024
RSA exponent: 00010001
RSA modulus:
c0c21d693223d68fb573c5318982595799d2d295ed37da38be41ac8486ef900a
ee78b4729668fc920ee15fe0b587d1b61894d1ee15f5793c18e2d2c8cc64b053
9e01d088e41e0eafd85055b6f55d232749ef48cfe6fe905011c197e4ac6498c0
e60567819eab1471cfa4f2f4a27e3275b62d4d1bf0c79c66546782b81e93f85d
The second is used for encryption in versions of Windows prior to XP.
Key type: RSA KeyExchange
bitlength: 1024
RSA exponent: 00010001
RSA modulus:
d6046ad6f2773df8dc98b4033a3205f21c44703da73d91631c6523fe73560724
7cc9a5e0f936ed75c75ac7ce5c6ef32fff996e94c01ed301289479d8d7d708b2
c030fb79d225a7e0be2a64e5e46e8336e03e0f6ced482939fc571514b8d7280a
b5f4045106b7a4b7fa6bd586c8d26dafb14b3de71ca521432d6538526f308afb
The RSA exponent for both keys is 0x10001 (65537).
The information above is sufficient to start factoring the key. A specially created utility could be of great help in factoring.
We’re happy to provide additional information to anyone involved in stopping Gpcode. To keep everyone up to date, we’ve set up a dedicated forum.
This variant of Gpcode is very advanced if the AV companies need help to crack its encryption scheme; this ransomware uses the RSA public-key cryptosystem in a very nasty way …
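Before anyone spends CPU-years on the 1024-bit moduli published above, the cheap sanity checks are worth running. The following is an added example (not code from Kaspersky or from this blog) that loads the two Gpcode.ak public keys exactly as printed in the post and runs the checks a defender would do first: bit length, parity, the stated exponent, a perfect-square test, trial division for small factors, and a gcd between the two moduli in case they share a prime.

```python
import math
from math import gcd

# The two Gpcode.ak public keys exactly as published in the post above (hex, big-endian).
MODULUS_XP = int(
    "c0c21d693223d68fb573c5318982595799d2d295ed37da38be41ac8486ef900a"
    "ee78b4729668fc920ee15fe0b587d1b61894d1ee15f5793c18e2d2c8cc64b053"
    "9e01d088e41e0eafd85055b6f55d232749ef48cfe6fe905011c197e4ac6498c0"
    "e60567819eab1471cfa4f2f4a27e3275b62d4d1bf0c79c66546782b81e93f85d", 16)
MODULUS_PRE_XP = int(
    "d6046ad6f2773df8dc98b4033a3205f21c44703da73d91631c6523fe73560724"
    "7cc9a5e0f936ed75c75ac7ce5c6ef32fff996e94c01ed301289479d8d7d708b2"
    "c030fb79d225a7e0be2a64e5e46e8336e03e0f6ced482939fc571514b8d7280a"
    "b5f4045106b7a4b7fa6bd586c8d26dafb14b3de71ca521432d6538526f308afb", 16)
EXPONENT = 0x10001  # 65537, as stated for both keys


def small_factor(n: int, limit: int = 100_000):
    """Trial division up to `limit`; returns the smallest prime factor found, or None."""
    if n % 2 == 0:
        return 2
    p, stop = 3, min(limit, math.isqrt(n) + 1)
    while p < stop:
        if n % p == 0:
            return p
        p += 2
    return None


def shared_factor(n1: int, n2: int):
    """Moduli that share a prime fall to a single gcd; returns that prime or None."""
    g = gcd(n1, n2)
    return g if g > 1 else None


def triage(n: int, e: int = EXPONENT) -> dict:
    """Cheap checks worth running before anyone commits serious compute to factoring."""
    return {
        "bits": n.bit_length(),             # must be 1024 for these keys
        "odd": n % 2 == 1,                  # an even modulus is already broken
        "exponent_ok": e == 65537,          # the usual Fermat prime F4
        "square": math.isqrt(n) ** 2 == n,  # p == q would be trivially factorable
        "small_factor": small_factor(n),    # None means nothing below the limit
    }


if __name__ == "__main__":
    for name, n in (("XP and higher", MODULUS_XP), ("pre-XP", MODULUS_PRE_XP)):
        print(name, triage(n))
    print("shared prime between the two keys:", shared_factor(MODULUS_XP, MODULUS_PRE_XP))
```

None of these checks is expected to succeed against a properly generated CryptoAPI key; passing them only confirms that the published values are well-formed 1024-bit moduli and that the hard work really is a full factorization.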
nepenthes2html
June 6th, 2008
nepenthes2html is a web interface written in PHP that lets you manage your nepenthes honeypot more easily.
You can download it from the misc section!
Here is a screenshot
Sweet!
June 5th, 2008
Thx to cultofdeadcow for letting me know about this sweet girl!
Zine’s status
June 1st, 2008
There is still time to contribute, check EOF’s site
Fucking entropy!
May 16th, 2008
The blacklists published by Debian and Ubuntu demonstrate just how small the key space is. When creating a new OpenSSH key, there are only 32,767 possible outcomes for a given architecture, key size, and key type. The reason is that the only “random” data being used by the PRNG is the ID of the process. In order to generate the actual keys that match these blacklists, we need a system containing the correct binaries for the target platform and a way to generate keys with a specific process ID.
You can never be sure!
More here
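To make the “32,767 possible outcomes” concrete, here is an added example (not code from the page, from Debian, or from the ssh-vulnkey tooling it refers to) modelling a generator whose only entropy is the PID: enumerating every PID exhausts the whole key space, which is exactly what lets a fingerprint blacklist flag weak keys. The generator is a constructed stand-in for the crippled OpenSSL PRNG, not its real algorithm, and it ignores the per-architecture and per-key-type variation the text mentions.

```python
import hashlib
import random

PID_MAX = 32767  # PIDs 1..32767: the only "entropy" the crippled generator ever saw


def weak_key(pid: int, key_bytes: int = 32) -> bytes:
    """Toy stand-in for the broken keygen: the output depends on nothing but the PID.
    (Constructed model, not OpenSSL's RNG; real keys also vary by arch/size/type.)"""
    rng = random.Random(pid)
    return bytes(rng.getrandbits(8) for _ in range(key_bytes))


def fingerprint(key: bytes) -> str:
    """Blacklists store a hash of each key, not the key material itself."""
    return hashlib.sha1(key).hexdigest()


def build_blacklist(key_bytes: int = 32) -> set:
    """Enumerate every PID once: that is the entire key space for one arch/size/type,
    which is how the Debian/Ubuntu blacklists could be precomputed at all."""
    return {fingerprint(weak_key(pid, key_bytes)) for pid in range(1, PID_MAX + 1)}


def key_space_size(key_bytes: int = 32) -> int:
    """Count the distinct keys the weak generator can ever produce."""
    return len({weak_key(pid, key_bytes) for pid in range(1, PID_MAX + 1)})


def is_blacklisted(key: bytes, blacklist: set) -> bool:
    """The lookup a vulnkey-style checker performs against the published lists."""
    return fingerprint(key) in blacklist


if __name__ == "__main__":
    bl = build_blacklist()
    print("distinct keys the weak generator can produce:", key_space_size())
    print("key generated under PID 4242 flagged:", is_blacklisted(weak_key(4242), bl))
    print("unrelated key flagged:", is_blacklisted(bytes(32), bl))
```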
Patching …
May 13th, 2008
I have just created a small patch for the submit-file module of nepenthes; all you have to do is patch the file submit-file.cpp:
wg_exe_patch.patch:
— submit-file_.cpp 2006-05-04 12:25:40.000000000 +0200
+++ submit-file.cpp 2008-05-13 18:52:54.000000000 +0200
@@ -98,7 +98,8 @@void FileSubmitHandler::Submit(Download *down)
{
- string path = m_FilePath + down->getMD5Sum();
+ string exe = “.exe”;
+ string path = m_FilePath + down->getMD5Sum() + exe; // WarGame: add the .exe extensionstruct stat s;
int32_t retval;
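Review bot: the `.exe` suffix is appended unconditionally in the new `path` line, so every submitted sample gets the extension whatever its actual format; if that is the intent, the comment should say so, and anything else that builds a sample path from `down->getMD5Sum()` (the `stat` on the following line is the first consumer) needs the same suffix or lookups will miss. The `string exe` temporary adds nothing over `m_FilePath + down->getMD5Sum() + ".exe"`, and the curly quotes around “.exe” as shown will not compile as a string literal if they survive into the source file.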
In a few words, it adds the ‘.exe’ extension to the samples: you will have (for example) 5534a558ff8e7491b671419439b34c0f.exe instead of 5534a558ff8e7491b671419439b34c0f.
Here is the patch file
A joke?
April 30th, 2008
From rgod’s blog:
Hello everyone,
Thank you for your kind words. I am pleased to inform you that I am not dead. I have been the subject of a horrendous and difficult joke. Some hackers unknown to me have compromised my web server and email accounts, making it impossible for me to access my site. They are falsely stating that I have died. Please ignore this statement until my services can be fixed.
– rgod
Is this a stupid joke?