New malware may lock you out of your computer. Forever.

Trent Ernst, Editor


Don’t click that link.

That’s the word from security expert Steve Gibson, head of Gibson Research Corporation and co-host of the Security Now podcast.

While he’s been saying that for a while now, his message has taken on a new sense of urgency.

Last month, a new form of malware (malicious software, including, but not limited to, computer viruses) was released that locks a user’s home folder using extremely strong encryption.

Encryption is a form of security that encodes information so that it cannot be read without a password, known as the key. It is typically used by people to protect the information on their own computers.

However, in this latest scheme, a malicious program is disguised as something appealing: a link from your bank, for instance, or a PDF file. Instead, the link opens the program, which locks down your computer using a key that you don’t have access to. A message is displayed saying that if you want to see your information again, you have 72 hours to pay.

While there have been similar schemes before (enough that there is an entire category of malware for this type of program, called ransomware), and even ones that used the same tactic of encrypting a person’s information, this is the first to use such strong encryption, making it virtually impossible to repair. “Historically, viruses have been an annoyance,” says Gibson. “But this is different. No expert, truly no one, not even the NSA is able to remove this.”

“We’ve been on borrowed time with malware,” said Gibson on last week’s episode of the Security Now podcast. “It hasn’t been really evil. Years ago there was a piece of really evil malware called the Chernobyl (CIH) virus. It wiped out the first megabyte of your hard drive.”

Gibson was able to write a program that recovered that information. “That was just pure malice. It didn’t make any money. And it tended to kill its host, so it wasn’t able to propagate.” Even so, experts estimate that it infected about 60 million computers, causing a billion dollars in damages.

This latest malware, called Cryptolocker, says Gibson, has only been around for a few weeks, but “it is bad.”

How do you get infected? Gibson says spammers are sending out emails that “look reasonable to people. They will click on a link, and it will be an executable file.”

Gibson says the easiest way to prevent becoming infected by this malware is to not click on unknown links: in email, in Facebook or anywhere online.

The malware installs itself on your computer and adds itself to the Windows Autorun list. It uploads what is basically a personal identifier for your computer to a server, which then generates an encryption key pair: one key is sent back to your computer, and the other is held on the server. “This is perfect cryptography,” says Gibson. “It’s evil, but perfectly executed.”

The key is sent to the user’s computer, and used to lock all the user’s data: documents, photos, videos etc. Once that has been accomplished, the key is destroyed.

The only remaining copy of the key is held on a server somewhere on the internet. The data can only be unlocked once the ransom is paid. To get the key, the user has to send money (typically $300 in either bitcoin or MoneyPaks) to an anonymous site on the internet.

Cryptolocker uses 2048-bit encryption, which means that the key is 2048 characters long. While it is possible to use a computer to guess that number, it would take about 6.4 quadrillion years to run through every combination, which is slightly longer than the 72 hours they give you to pay.

For most, paying the $300 is by far the preferred option. However, even that isn’t assured, as law enforcement has located some servers and shut them down, destroying the private key forever.

While most antivirus software has yet to be updated to block Cryptolocker, there is a program called CryptoBlocker that helps block it. Note that CryptoBlocker is an inoculation, not a cure: it needs to be installed before you become infected. Also, to get around CryptoBlocker, the virus author only needs to change a few lines of code.

So what’s the solution? “Be very careful clicking on links in email,” says Gibson. “Have a backup of all your data, just in case. One of the best bits of advice is, if you did not go seeking it, don’t do it. Manually go to the bank’s website that you believe sent you email. You initiate the action.”