Plain cruelty: Boffins flay Linux ransomware for the third time

Probably the world's most tragically determined blackhat developers have had their revitalised Linux.Encoder ransomware pwned again by meddling BitDefender whitehats. The third iteration of the Linux.Encoder ransomware was unleashed on the world, infecting a paltry 600 servers before a crack team of security analysts returned …

  1. channel extended
    Linux

    FOSS?

    The question is, is it released under the GPL 2.0 or not?

    1. Anonymous Coward
      Anonymous Coward

      Re: FOSS?

      "Boffins flay Linux ransomware for the third time"

      Windows developers would get it right sooner? I guess that makes sense - products with more resources / investment are usually better. Just like Open Office versus MS Office, etc, etc.

      1. kryptylomese

        Re: FOSS?

        Like anything Microsoft actually has protection against malware? - LOL! This is not even a Linux issue it was a problem with unpatched CMS software but the FOSS community has people that can fix it and far quicker than the limited resources that Microsoft has!

        1. Naselus

          Re: FOSS?

          "Like anything Microsoft actually has protection against malware?"

          I know you probably haven't looked at Windows since 2003, but the world has actually moved on since then.

          Microsoft Security Essentials and Windows Defender are actually pretty good (not as good as they were a couple of years back, but still much, much better than any comparable in-built anti-malware). There are even examples of big-name malware (including certain suspected nation-state backed cyberweapons) which checked if MSE was installed on a system and just didn't bother attacking it if it found it. Even now, when it's fallen behind software from dedicated security companies, MSE blocks most known malware and the majority of zero-days. That's pretty impressive for a non-infosec outfit.

          But yes, the best way to stop malware is by aggressive information sharing with thousands of eyes on the case - it's the ideal circumstance for open source, and most AV companies share virus signatures with each other freely. While they keep their code proprietary, they have a lot of incentive to share data.

          1. TheOtherHobbes

            Re: FOSS?

            >But yes, the best way to stop malware is by aggressive information sharing with thousands of eyes on the case

            True - and that's why there are so many sites explaining how to keep Win 10 off your PC.

          2. kryptylomese

            Re: FOSS?

            RE Naselus:-

            You don't work in security do you....

            https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-17153/hasexp-1/Microsoft-Windows-7.html

            https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-23546/year-2013/Microsoft-Windows-Server-2012.html

            1. Anonymous Coward
              Anonymous Coward

              Re: FOSS?

              "You don't work in security do you...."

              I guess you don't either:

              https://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/Linux-Linux-Kernel.html

              "OpenOffice/LibreOffice has way more features"

              Nope - way fewer features. MS Office has many times the features / functions of Open Office. It's a vast product in comparison.

          3. Hans 1
            Coffee/keyboard

            Re: FOSS?

            >Microsoft Security Essentials and Windows Defender are actually pretty good

            You must be kidding ? Seriously, YOU MUST BE KIDDING!

            Malware dances around that crap! I have had multiple computers that I had to fix, up-to-date with latest malware removal tools, Defender had latest definitions, however, boxore and a bunch of other malware was happily doing its work. Worst thing is, I found the exact same malware on different machines, 6 months apart. So they are not even updating their definitions!!!! Waste of CPU time.

          4. poohbear

            Re: FOSS?

            I think the better way is in the design of the OS ... which has always been Microsoft's problem.

        2. kryptylomese

          Re: FOSS?

          I guess if Microsoft Windows actually was any good then it would qualify as suitable for mission critical systems out of the box without having to enter into any special (read as expensive) extended support.

          1. Anonymous Coward
            Anonymous Coward

            Re: FOSS?

            "I guess if Microsoft Windows actually was any good then it would qualify as suitable for mission critical systems out of the box without having to enter into any special (read as expensive) extended support."

            You mean like for instance military command and control systems (SMCS-NG) that control weapons?

      2. DasWezel

        Re: FOSS?

        "... products with more resources / investment are usually better- Just like Open Office versus MS Office, etc, etc."

        IIS/Apache, Internet Explorer/Firefox etc. etc... Er, wait a minute.

        1. Anonymous Coward
          Anonymous Coward

          Re: FOSS?

          "IIS/Apache"

          Current versions of IIS are faster than apache on the same hardware and scale better - and it has had far fewer security vulnerabilities over the past decade.

          "Internet Explorer/Firefox etc."

          Every IE release has been faster at point of release than the current version of Firefox since IE9. For security holes IE is on average patched faster too.

      3. Hans 1
        Windows

        Re: FOSS?

        OpenOffice/LibreOffice have way more developers than MS Office, besides, it supports many more languages in its macro-framework, for example. OpenOffice/LibreOffice has way more features, like DocBook support, SVG support, stuff like that ... MS Office has way more testers, though ... I grant you that.

      4. fruitoftheloon
        WTF?

        @AC (The Village Idiot) Re: FOSS?

        Dear AC,

        as I am sure you are aware, MS' coding practices mean that none of their Applications or Operating Systems have ever had any bugs or never need to be patched...

        Well fuck a duck, it's amazing the amount of 'updates' that my Win 8 box tells me are needed to fix apparent issues...

        Do us all a favour and climb back under your rock eh??

        Regards.

        jay

  2. CAPS LOCK

    In what sense is this a Linux issue?

    Last time I checked it was a problem with unpatched CMS software. Not Wordpress for once, but still...

    1. MyffyW Silver badge

      Re: In what sense is this a Linux issue?

      Dear El Reg,

      It would be really good if you could highlight the specific vulnerability here in the article.

      I think you did it in the previous article ("the code is spreading at the moment using a critical flaw in the CMS Magento. A patch was released for this on October 31")

      ..but you know what a lazy cow I am.

      Lots of love,

      A sub-critical friend.

    2. Naselus

      Re: In what sense is this a Linux issue?

      In the sense that the malware in question targets systems running Linux, and not Windows/MacOS. Reel in your penguins of wrath.

      It's not a 'Linux issue' as in some kind of vulnerability in the OS that mean Linux is automatically shit. It's a Linux issue in the sense that malware can be written for any platform and this one happens to be written to run on net-facing Linux servers.

      1. Anonymous Coward
        Anonymous Coward

        Re: In what sense is this a Linux issue?

        It's a Linux issue in /exactly the same way/ that thousands of posters over 2 decades have derided MS Windows as being the core problem of /any/ malware attack or luser failure.

        And it would be either cheap and dishonest, or merely ignorant, to pretend that wasn't the case.

        1. JEDIDIAH
          Devil

          Re: In what sense is this a Linux issue?

          The problem with the Windows platform is that the biggest problem children in terms of insecure bug ridden apps have also been from Microsoft.

          1. Anonymous Coward
            Anonymous Coward

            Re: In what sense is this a Linux issue?

            "the biggest problem children in terms of insecure bug ridden apps have also been from Microsoft."

            Which apps? A quick check of CVEs shows by far the worse offenders over the past few years are Adobe and Oracle.

      2. Anonymous Coward
        Anonymous Coward

        Re: In what sense is this a Linux issue?

        "happens to be written to run on net-facing Linux servers."

        And it just so happens that said net-facing Linux servers are on average about 4 times more likely to be successfully hacked than net facing servers running Windows...

  3. TonyJ

    Hmmm

    Is it a good idea to take to the likes of Twitter and give them what amounts to free advice on how to improve their work?

    1. Kevin Johnston

      Re: Hmmm

      It sounds, from the article, as though they were so inept that they would have blindly followed any advice so by using Twitter that way the whitehats would know exactly where to start the next time around

    2. DropBear

      Re: Hmmm

      Unless I'm misunderstanding something, that twitter suggestion seems much more sarcasm than suggestion. The initial problem was that they took a known and knowable quantity (the time when the encryption was done, preserved as the modification time of the encrypted file) and used it to generate the encryption key: once you know what the seed for the random function was, it's not random at all and anyone can find the key again later using the same seed. That means that hashing that time changes NOTHING, the seed is still known, now you just have to hash the modification time of the encrypted file before using it as random seed if you want to find the "new" key; in other words, as long as they start from "time()" it doesn't matter what they do to it to make the key as long as we know what that time was and what exactly they did to it. Failing to grasp that is what the sarcasm targets, as an utterly useless piece of advice.

      What does matter is that this time they _preserve_ the original file timestamp while encrypting the file, which means we no longer know later what their "time()" seed was as we no longer know when exactly they modified the file. Thankfully, as I understand it, they do need to store the key they used somewhere in order to decrypt the file if ransom is paid, so they embed it in an encrypted form into the file itself - except they f###ed up the key encryption part, so the key is embedded into the file IN PLAINTEXT... making it ridiculously easy to decrypt.

      1. This post has been deleted by its author
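      The seed-recovery attack DropBear describes above, as an added worked example (this is not Linux.Encoder's code, nor BitDefender's decryptor): a file is encrypted with a key derived from a PRNG seeded with time(), so the seed survives as the encrypted file's mtime; the "improvement" of MD5-hashing the seed changes nothing because the decryptor just applies the same hash; and preserving the original mtime is what actually removes the leak. Python's random.Random stands in for libc srand()/rand(), the XOR stream stands in for whatever cipher the malware used, the 16-byte key width and the sample file are constructed assumptions, and the plaintext header used as a recovery oracle is a simplification of checking real file magic bytes.

```python
"""Constructed demonstration of key recovery from a time()-seeded PRNG.

Assumptions (not taken from the article or the malware): random.Random
models libc srand()/rand(); KEY_LEN and the XOR stream are placeholders;
the recovery oracle is a known plaintext header.
"""
import hashlib
import os
import random
import tempfile
import time
from typing import Optional

KEY_LEN = 16  # assumed key width for the demonstration


def key_from_seed(seed: int) -> bytes:
    """Derive a key from a PRNG seed the way a srand(time())-style scheme would."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_LEN))


def hashed_seed(t: int) -> int:
    """The 'fix' floated in the thread: MD5 the time before seeding.
    Deterministic, so the decryptor can repeat it for every candidate time."""
    return int.from_bytes(hashlib.md5(str(t).encode()).digest()[:8], "big")


def xor_stream(data: bytes, key: bytes) -> bytes:
    """Toy stand-in cipher; the weakness shown here is the key derivation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_file(path: str, hash_seed: bool, preserve_mtime: bool) -> None:
    """Encrypt in place, keyed from the current time. Writing the file sets
    its mtime to 'now', which is the seed (to the second), unless the
    original timestamp is put back afterwards."""
    original = os.stat(path)
    t = int(time.time())
    seed = hashed_seed(t) if hash_seed else t
    with open(path, "rb") as f:
        plain = f.read()
    with open(path, "wb") as f:
        f.write(xor_stream(plain, key_from_seed(seed)))
    if preserve_mtime:
        os.utime(path, (original.st_atime, original.st_mtime))


def recover(path: str, hash_seed: bool, header: bytes = b"CONSTRUCTED",
            window: int = 5) -> Optional[bytes]:
    """Decryptor's view: take the mtime, try every second around it, and
    apply exactly the transform the malware applies to time()."""
    mtime = int(os.stat(path).st_mtime)
    with open(path, "rb") as f:
        cipher = f.read()
    for t in range(mtime - window, mtime + window + 1):
        seed = hashed_seed(t) if hash_seed else t
        candidate = xor_stream(cipher, key_from_seed(seed))
        if candidate.startswith(header):
            return candidate
    return None


def run_demo() -> dict:
    """Run the three scenarios from the thread on a constructed sample file."""
    plain = b"CONSTRUCTED SAMPLE: quarterly figures, not a real document\n" * 8
    results = {"plaintext": plain}
    scenarios = (
        ("time_seed", False, False),        # v1-style: raw time(), mtime leaks it
        ("md5_of_time_seed", True, False),  # the sarcastic 'fix': still leaks
        ("mtime_preserved", False, True),   # what actually closes this channel
    )
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.txt")
        for name, hash_seed, preserve in scenarios:
            with open(path, "wb") as f:
                f.write(plain)
            old = int(time.time()) - 30 * 86400  # believable pre-infection mtime
            os.utime(path, (old, old))
            encrypt_file(path, hash_seed=hash_seed, preserve_mtime=preserve)
            results[name] = recover(path, hash_seed=hash_seed)
    return results


if __name__ == "__main__":
    r = run_demo()
    for name in ("time_seed", "md5_of_time_seed", "mtime_preserved"):
        print(name, "recovered" if r[name] == r["plaintext"] else "NOT recovered")
```

      Note that a preserved mtime only removes this one side channel: as DropBear goes on to say, the third version then stored the key in the file itself, which is a different mistake. The lasting lesson is that any key derived deterministically from a value the victim can observe or narrow down (time, PID, hostname) is recoverable by the same brute-force loop, whatever hashing is layered on top.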

    3. Anonymous Coward
      Anonymous Coward

      Re: Hmmm

      Jibe against them all you like but I'd work on the basis of not telling the opposition coders _anything_ that would steer them towards an improved product. And that includes case errors, misspelling variables...

      This is not a case of shaking their hand and saying "A gallant attempt Fritz, but you know if you'd just made a run for your own lines you'd have been alright. I'd nearly run out of bally fuel." No room for honour or respect for the enemy here.

    4. TeeCee Gold badge
      Happy

      Re: Hmmm

      Well that depends on the advice now, doesn't it.

      Note that the improvement suggested is to take the MD5 hash of the seed candidate and use that as the actual seed. That'll be the same known vulnerable MD5 function mentioned elsewhere here as something nobody in their right mind should be still using, right? Note also that the use of the known time as the seed candidate is preserved, making deriving the hash and thus the key later a somewhat trivial task.

      When it comes to staying ahead of the scrotes, there's only one thing better than knowing the fuckup they made this time around and that's knowing the one they're going to make next time.........

      1. Stevie

        Re: Hmmm

        No it doesn't depend, at least from my window seat.

        No hints, not even sarcastic ones, because you never know when a new member of the team will have a sarcasm detector that works, and your own side is well-populated with people who don't have one who will be only too eager to wade in and "fix" your suggestion in a blaze of overly focussed oneupmanship

        1. Prst. V.Jeltz Silver badge

          Re: Hmmm

          Hints don't hurt. How hard can it be to generate a random number? God knows how they got it wrong 3 times. I'd have thought the hard part in this enterprise is covering your tracks and collecting bitcoins, and infecting servers, not "think of a number".

          Off the top of my head, if it were me, I'd try basing the seed on something more truly random, like keypresses (unlikely on a server tho)

          or look at cpu / mem usage and base it on those numbers .

          Or time between page requests if its a web server.

          Or farm out to some true random generator on the net and get one from that

          presumably they only have to have one key per machine hijacked, I don't see why they do it per file.

          the malware could spend a good long while thinking of a suitably random seed and then encrypt all the files with the same key - after all if user pays up he's paying for all the files right?

          So I'd patch your servers - I doubt they'll fuck up a 4th time

          1. Charles 9

            Re: Hmmm

            "How hard can it be to generate a random number?"

            Moderately difficult. Now, being able to REMEMBER that number AND still hide it from the victim. That's another matter. If the malware's designed to be online, then a public key infrastructure can be used so that only the public encryption key stays with the victim (fat lot of good it'll do them). But if the malware has to be able to work offline, then you've got a problem: how to hide it so that the victim can't find it BUT be able to yourself find it later.

    5. Jeffrey Nonken

      Re: Hmmm

      Athena: stop giving the enemy tactical advice!

      Pickle: sorry, got carried away.

  4. Anonymous Coward
    Joke

    Most Secure system

    I am switching all of my most sensitive data to a PaP system, spread over multiple copy locations.

    .

    .

    .

    .

    .

    .

    .

    (Pen and Paper; spare copy at my mums house).

  5. Dave Harvey
    Devil

    DMCA

    How long before some A**ehole of a US lawyer decides to offer his services to the scum to help them to sue the pants off the white hats for the lost profits due to unauthorised reverse engineering of their "product"?

    In the bizarre institutions which pass for courts in some parts of Texas, they'd probably win!

    1. Tom 7

      Re: DMCA

      TTIP its called now.

  6. MJI Silver badge

    They need to try better encryption

    Try ROT13 and for extra security do it twice

  7. Hans 1

    Embarrassing for the mob!

    Go, go, go

  8. wahankh
    Facepalm

    Schoolboy error

    As an amateur programmer, even I know not to seed random with time,null, or the other countless ways I've seen people do it. Normally I get entropy from /dev/random to seed srand or rand_add.

  9. Cynic_999

    The fact that the (sarcastic) suggested fix was no better than the original is not the point at all. The point is that it accurately identified the exact nature of the vulnerability. Had the principle of operation of the free decryption application not been revealed, the black-hats may well have remained ignorant of their mistake.

    1. Anonymous Coward
      Anonymous Coward

      Yes. Make them work for it. And sow confusion in the enemies' ranks. If you find 10 errors in a few days, imply it took weeks and you got lucky; perhaps scum will overestimate their own prowess and reuse that flaky code with next version.

  10. VeganVegan
    Facepalm

    They made a hash of it

    From my reading of the description, the most hilarious part is that they hashed the original value 8 times to generate the key; the trouble is, they didn't specify a hash function (!). So all that hashing did nada. The output was the same as the input.

  11. Fibbles
    Facepalm

    When script kiddies attempt to code.

    Part Trois.

  12. swm
    Happy

    I currently run an XP machine with no firewall or virus detector. Removing the firewall made the machine actually work for updating some web sites. Removing the virus detector made the machine run 2-5 times faster. I used to run both of these and my machine got infected a couple of times so they provided no benefit to me. I am behind a router so incoming connection attempts don't get anywhere.

    I have a second machine running ubuntu linux which I use for computation-intensive work. There is an unprivileged account on the linux machine that I log into from my XP machine to do my web surfing. An attacker would have to break out of the web browser, break out of the unprivileged account to damage my linux machine or subvert the X protocol to damage my XP machine. So far, no problems. (I would like to use a virtual machine on the linux box but too lazy to set it up yet.)

    Security depends on being really careful. I also backup on several machines and off-site - just in case. So far so good.

    1. Anonymous Coward
      Anonymous Coward

      Sometimes, even being careful doesn't work. That's why drive-by attacks on mainstream sites got so much attention. As for your defenses, combine a drive-by web browser exploit with a privilege-escalation attack and your Linux box is pwned. Once there, they'll be able to see your XP machine and attack it via the Linux box. And BTW, they can also decide to lay low and let the malware get into your backups before attacking so that by the time you realize you need to pull them out, they're infected, too.

  13. Aseries

    In several articles I have seen the largest most active BOTNETS reside on Linux servers and the main problem is poor administration and weak passwords. As usual, it's the nut behind the wheel.

  14. Anonymous Coward
    Anonymous Coward

    Wouldn't it make a lot more sense to not generate the keys locally?

    If I were to write ransomware, I'd have the software generate RSA keys, open an encrypted connection to the C&C server, which uses a true hardware RNG to generate a good encryption key or seed, which is then sent to the client, to be stored in RAM only (and in the C&C database).

    Sure, that makes the malware vulnerable to having the key read out of memory while it's running, but when the malware is done and cleans up after itself in the memory, you'll have a much harder time...

    1. Charles 9

      That's assuming your malware can get online to call back to the server to hide the private key (the public key doesn't matter). But what if you have to assume you're working offline (such as in an airgapped machine)? Now you have to generate your own key, be able to hide it somewhere the victim can't find it, AND still be able to recall it later to do your dirty work. It's a "hiding in plain sight" scenario.

  15. JLV
    Paris Hilton

    Just wondering...

    You have to wonder why, for an article on Linux malware, so many people are slagging Windows in passing.

    Which well deserves slagging, and provides ample opportunity to do so on a pretty steady basis. But Windows is not at all involved in this little story. Even the bit about the open source software being so awesome seems strange... surely the malware isn't sitting on github waiting to be taken apart? Seems to me the same competent efforts by the white hats to nix the encryption could have taken place in the, vastly more likely, event of a Windows-based malware.

    Does go to show that you can't rely on an OS, even a fairly secure one, to totally mitigate badly written applications and/or incompetent users or admins. And that, as usual, we can't collectively step out of our partisanship.
