A new of breed of macro virus that steals PGP keys has been reported in the
wild. But experts disagree about its impact on Internet security.
PGP, or Pretty Good Privacy, is the defacto standard for encryption on the
Internet and is widely thought of as invincible. But the new Caligula virus
may shake that reputation. It’s the latest of a new class of what some
experts call espionage-enabled viruses. These are viruses designed to steal
information from a user’s computer.
Caligula gets into a PC from an infected Microsoft Word document. The macro
virus then checks to see if a copy of PGP is installed on the machine. If
the program is there, the user’s private keyring, an essential PGP
component for securing encrypted data, is silently uploaded to an ftp site
on the Internet.
“If they gather a lot of keys, they could forge signatures, gain
unauthorized access to systems, and read private documents,” said Fred
Cohen, an information security expert with Sandia Labs. Cohen recently
posted one of the first reports of Caligula on an Internet security mailing
list.
“It demonstrates a serious hole in how PGP works, and could damage the
belief system that underlies the trust in PGP,” he said.
Cohen says a few instances of the virus have been discovered in the wild,
hidden in a Word document containing a list of URLs to pornography sites,
along with usernames and passwords. If a PGP user takes the bait, his or
her private keyring is uploaded to a server run by a group of virus writers
called The Codebreakers.
Caligula’s author, a Codebreaker member who goes by the handle of Opic,
insists that he had no intent to impersonate anyone or compromise anyone’s
privacy.
“Caligula was never supposed to get out,” he told InternetNews Radio. “It
was a proof-of-concept virus. No one in our group actually spreads viruses.
We only make them available to the programming underground and that’s about
it.”
Opic says he wrote the virus only to expose security flaws in Microsoft’s
Windows, and to show that even strong cryptography programs like PGP can be
compromised through those flaws.
According to Opic, “PGP claims to be a strong program, but it’s not,
because of the operating system it’s running under. And those
vulnerabilities are available to anyone who knows anything about programming.”
Not true, says Sal Viveros, director of marketing for Network Associates
Inc., which acquired PGP from creator Phil Zimmerman about a year ago.
Viveros maintains that even if a PGP user’s private keyring was stolen, his
or her data would still be safe.
“If you’re using a secure passphrase, you can’t really break that stuff.
The level of security by PGP users isn’t really affected by this,” said
Viveros.
Cohen nonetheless says the Codebreakers should configure their server to
block pgp keys from being uploaded by Caligula. And until they do, he
suggests Internet users regard the Codebreakers as hostile.
“These people are not your friends. If everyone screams at them and says
‘you are scum,’ they’ll stop,” said Cohen. He also recommended that
administrators configure their firewalls to refuse traffic to the
codebreakers.org site.
Although scattered reports of the virus have appeared on the Internet since
early January, no anti-virus software firms have yet posted customer
bulletins about Caligula.
Network Associates Inc. has known about the virus for about three weeks,
according to Viveros. He said NAI added detection and cleaning to its
VirusScan product on January 23rd.