RealTime IT News

Caligula Virus Exposes PGP Keys

A new breed of macro virus that steals PGP keys has been reported in the wild. But experts disagree about its impact on Internet security.

PGP, or Pretty Good Privacy, is the de facto standard for encryption on the Internet and is widely thought of as invincible. But the new Caligula virus may shake that reputation. It's the latest of a new class of what some experts call espionage-enabled viruses: viruses designed to steal information from a user's computer.

Caligula gets into a PC from an infected Microsoft Word document. The macro virus then checks to see if a copy of PGP is installed on the machine. If the program is there, the user's private keyring, an essential PGP component for securing encrypted data, is silently uploaded to an FTP site on the Internet.

"If they gather a lot of keys, they could forge signatures, gain unauthorized access to systems, and read private documents," said Fred Cohen, an information security expert with Sandia Labs. Cohen recently posted one of the first reports of Caligula on an Internet security mailing list.

"It demonstrates a serious hole in how PGP works, and could damage the belief system that underlies the trust in PGP," he said.

Cohen says a few instances of the virus have been discovered in the wild, hidden in a Word document containing a list of URLs to pornography sites, along with usernames and passwords. If a PGP user takes the bait, his or her private keyring is uploaded to a server run by a group of virus writers called The Codebreakers.

Caligula's author, a Codebreaker member who goes by the handle of Opic, insists that he had no intent to impersonate anyone or compromise anyone's privacy.

"Caligula was never supposed to get out," he told InternetNews Radio. "It was a proof-of-concept virus. No one in our group actually spreads viruses. We only make them available to the programming underground and that's about it."

Opic says he wrote the virus only to expose security flaws in Microsoft's Windows, and to show that even strong cryptography programs like PGP can be compromised through those flaws.

According to Opic, "PGP claims to be a strong program, but it's not, because of the operating system it's running under. And those vulnerabilities are available to anyone who knows anything about programming."

Not true, says Sal Viveros, director of marketing for Network Associates Inc., which acquired PGP from creator Phil Zimmermann about a year ago. Viveros maintains that even if a PGP user's private keyring were stolen, his or her data would still be safe.

"If you're using a secure passphrase, you can't really break that stuff. The level of security by PGP users isn't really affected by this," said Viveros.

Cohen nonetheless says the Codebreakers should configure their server to block PGP keys from being uploaded by Caligula. And until they do, he suggests Internet users regard the Codebreakers as hostile.

"These people are not your friends. If everyone screams at them and says 'you are scum,' they'll stop," said Cohen. He also recommended that administrators configure their firewalls to refuse traffic to the codebreakers.org site.
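The behaviour described above (a macro that uploads the PGP private keyring by FTP) and the two defensive recommendations (block traffic to codebreakers.org, treat keyring uploads as hostile) can be turned into a simple log check. The following is an added example written for this page, not code from the article, from NAI, or from the virus's author: it scans constructed outbound-connection log lines and flags any FTP `STOR` of a file named like a PGP secret keyring, and any connection to the blocked host. The log format, the workstation names, the example hostnames and the keyring filenames (`secring.skr` for PGP 5.x and later, `secring.pgp` for PGP 2.x) are assumptions made for the example.

```python
import re

# Host the article says administrators should refuse traffic to.
# Assumption: logs record the destination by name, matched exactly.
BLOCKED_HOSTS = {"codebreakers.org"}

# PGP secret keyring filenames (assumption: secring.skr for PGP 5.x+,
# secring.pgp for PGP 2.x), optionally preceded by a Windows or Unix path.
KEYRING_NAME = re.compile(r"(^|[\\/])secring\.(skr|pgp)$", re.IGNORECASE)

# Constructed log format: "<ts> <src> -> <dst>:<port> <proto> [<cmd> [<arg>]]"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<proto>\S+)"
    r"(?:\s+(?P<cmd>\S+)(?:\s+(?P<arg>\S+))?)?\s*$"
)

# Constructed sample: one benign upload, one Caligula-style keyring exfiltration
# to the blocked host, one download, one keyring upload to an unknown host,
# and one non-FTP connection to the blocked host.
SAMPLE_LOG = """\
1999-01-25T10:02:11 ws12 -> ftp.example.net:21 FTP STOR report.doc
1999-01-25T10:03:40 ws12 -> codebreakers.org:21 FTP STOR secring.skr
1999-01-25T10:05:02 ws07 -> mirror.example.org:21 FTP RETR patch.zip
1999-01-25T10:06:19 ws07 -> upload.example.com:21 FTP STOR C:\\PGP\\secring.pgp
1999-01-25T10:07:00 ws03 -> codebreakers.org:80 HTTP GET /
"""


def parse(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def classify(record):
    """Return the list of reasons a parsed record should be alerted on (empty if none)."""
    reasons = []
    if record["dst"].lower() in BLOCKED_HOSTS:
        reasons.append("destination is on the block list")
    # Only an FTP upload (STOR) of a keyring-named file counts; downloads do not.
    if (record["proto"] == "FTP" and record["cmd"] == "STOR"
            and record["arg"] and KEYRING_NAME.search(record["arg"])):
        reasons.append("PGP secret keyring uploaded via FTP")
    return reasons


def find_alerts(log_text):
    """Scan a whole log and return one alert dict per suspicious line, in log order."""
    alerts = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        record = parse(line)
        if record is None:
            continue  # unparseable lines are skipped, not silently treated as benign
        reasons = classify(record)
        if reasons:
            alerts.append({"ts": record["ts"], "src": record["src"],
                           "dst": record["dst"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(f"{alert['ts']} {alert['src']} -> {alert['dst']}: {'; '.join(alert['reasons'])}")
```

Run against the sample, the check reports three lines: the upload of `secring.skr` to codebreakers.org (both reasons), the keyring upload to an unlisted host (which a block list alone would miss), and the HTTP request to the blocked host. A real deployment would feed it firewall or proxy logs in whatever format those produce and would match on IP addresses as well as names.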

Although scattered reports of the virus have appeared on the Internet since early January, no anti-virus software firms have yet posted customer bulletins about Caligula.

Network Associates Inc. has known about the virus for about three weeks, according to Viveros. He said NAI added detection and cleaning to its VirusScan product on January 23rd.