Thanks for playing: New Linux ransomware decrypted, pwns itself

Ransomware targeting Linux servers has been thwarted by hard-working security boffins, with help from the software itself, mere days after its existence was made public. The Linux.Encoder.1 ransomware seeks out Linux systems to encrypt and, like others of its ilk, demands owners pay Bitcoins to have files decrypted. But the first …

  1. jzl
    Trollface

    On Linux?

    I thought that was secure?

    (joke. JOKE...)

    1. Anonymous Coward

      Re: On Linux?

      "I thought that was secure?"

      As you hinted at, it's not news that over recent years there have been far more holes in commercial Linux distributions, which on average take longer to get patched (more days at risk) than current Windows versions. Whilst Windows is a worse world for malware on the desktop where user interaction is involved, if you look at hacks of internet-facing servers where user interaction is not involved, you are statistically roughly 4 times more likely to get successfully hacked running Linux than Windows Server... So stand by for likely lots more of these server-side attacks on Linux with every new zero-day vulnerability!

      1. James Hughes 1

        Re: On Linux?

        Much as I hate to say it, but

        Citation.

      2. Anonymous Coward

        Re: On Linux?

        "you are statistically roughly 4 times more likely to get successfully hacked running Linux than Windows Server."

        This is roughly in line with the ratio of Microsoft vs Non Microsoft web servers out there on the internet, so the lesson really is - if you run a web server, chances are you're gonna get hacked at some point no matter which web server or OS you're running, unless you're one of the rare breed who are able to securely lock down your environment.

        1. Anonymous Coward

          Re: On Linux?

          "This is roughly in line with the ratio of Microsoft vs Non Microsoft web servers out there on the internet"

          It's not. According to Netcraft, Microsoft have over 30% of the webserver market. The 4 times mentioned above is already adjusted for relative market share.

          Here are some similar stats:

          http://zone-h.org/news/id/4737?zh=1

          Operative System    Defacements
          Linux               1126987
          Windows 2003        197822
          FreeBSD             46992
          Win 2008            15083
          F5 Big-IP*          14000
          Unknown             7840
          Win 2000            6097
          Solaris 9/10        2373
          MacOSX              1038

        2. Anonymous Coward

          Re: On Linux?

          > unless you're one of the rare breed who are able to securely lock down your environment.

          Or run a web server with stuff on that nobody cares about (and doesn't do PHP, flash, run any sort of CMS and isn't using apache..).

          What's that you say Skippy? The webserver has fallen down the well?

  2. kryptylomese

    Are you listening Window's users?

    1. sabroni Silver badge
      Windows

      re: Are you listening Window's users?

      Yeah, it said that shit ransomware was shit so it's easy to decrypt. Shit ransomware on Windows is equally shit.

      1. kryptylomese

        Re: re: Are you listening Window's users?

        Difference is that Linux has a whole community of people who can help fix ransomware even though it is so uncommon on Linux. Hard to fix anything on a closed-source operating system like Windows.

        1. Benchops
          Trollface

          Re: re: Are you listening Window's users?

          Ah yes, undoubtedly the ransomware followed the spirit of linux and made the source available. In fact all the researchers had to do was

          sudo apt-get source linux-encoder-1-ransomware

          to find out what it was doing ?????

          1. kryptylomese

            Re: re: Are you listening Window's users?

            Microsoft fix all malware issues on Windows so that you don't have to develop the skills to do it yourself?

            Linux community wins because using open source Linux helps you to develop the skills (If you want to delve into it) to do this kind of thing - Windows does not help you in any way to do that!

            1. Naselus

              Re: re: Are you listening Window's users?

              "Microsoft fix all malware issues on Windows so that you don't have to develop the skills to do it yourself?"

              .... You don't really know very much about computers, do you?

              1. JLV Silver badge
                Headmaster

                Re: re: Are you listening Window's users?

                >.... You don't really know very much about computers, do you?

                Or English, in the case of the OP.

              2. kryptylomese

                Re: re: Are you listening Window's users?

                I have been using computers since 1978 so I do know a thing or two.

                My question was clearly sarcastic but you don't understand sarcasm do you?

                1. vagabondo

                  Re: re: Are you listening Window's users?

                  kryptylomese said:

                  "I have been using computers since 1978 so I do know a thing or two."

                  Bloody kids!

                  [self-confessed boring old fart]

            2. Prst. V.Jeltz Silver badge

              Re: re: Are you listening Window's users?

              @ kryptylomese

              Look, it doesn't matter what OS you are using, or how many friends you have, how good you are at coding, or how much source code is available - if your data is encrypted in AES256 you are screwed.

              It's only because this time you Linux users got *really* *really* lucky due to inept coding that anyone's getting their data back

              1. Tomato42 Silver badge
                Boffin

                Re: re: Are you listening Window's users?

                if the key is derived from current time and the cipher is used in ECB mode, not even AES-256 will make it unbreakable

    2. Prst. V.Jeltz Silver badge

      Are you listening Window's users?

      Yes. Although I'm not sure what to infer from your comment.

      "Best defence is to hope the ransomware is unbelievably badly written so clever people can crack it for you"

      Is that the Linux way?

      1. Anonymous Coward

        "unbelievably badly written"

        Sounds like typical OSS software to me!

        1. Anonymous Coward

          @AC - You mean

          OSS software written by Windows coders ?

  3. Anonymous Coward

    This:

    The obliteration of Linux.Encoder.1 comes days after BitDefender released a preventative tool that would prevent the reigning ransomware kings Cryptowall and CTB Locker from executing on victim systems. It does so by preventing executables running from the Windows AppData and Startup folders.

    Erm, https://www.foolishit.com/ has had cryptoprevent out for about 2 years now helping stop ransomware on Windows PC.

    Catch up, Bitdefender

    1. Prst. V.Jeltz Silver badge

      Re: This:

      "It does so by preventing executables running from the Windows AppData and Startup folders."

      I always like to put stuff I want to run at startup into HKLM\software\ms\win\current ver\run

      That way it runs for all users not just the current one

  4. Potemkine Silver badge

    Keep your secret secret

    "This information can be easily retrieved by looking at the file’s timestamp [and] is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the" attacker's key, he says.

    Thanks for the tip, I'm sure future attackers will note that one :mad:

    1. Prst. V.Jeltz Silver badge

      Re: Keep your secret secret

      Amazing they figured that out, given that it was combined with an RND function. I don't think it's giving anything away to future attackers to try harder. I don't think it would be very difficult to find a better key either. Unfortunately.

    2. boltar Silver badge

      Re: Keep your secret secret

      "Thanks for the tip, I'm sure future attackers will note that one :mad:"

      Easy fix - use gettimeofday() to get the microseconds field and use that as the seed. So then even if you can see the file timestamp you'll have a million different possible keys. Hardly impossible to solve but beyond most users. Or if they wanted to be really sneaky do some system op which will never take exactly the same number of microseconds to accomplish and use this further time interval as extra noise for the key.

      1. Frumious Bandersnatch Silver badge

        Re: Keep your secret secret

        you'll have a million different possible keys

        A 20-bit key is eminently crackable using brute force, especially if the file is of a known type. (<insert shell one-liner calling 'file' program on each one here>)

        What you need to do is use "cryptographically secure" RNG like reading /dev/random (which may give the game away) or gather entropy from the running system in much the same way that the kernel and other RNG seeding functions do. Definitely don't use something like the time as the sole value for seeds.
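The recovery this sub-thread is describing, written out as an added example. This is not Bitdefender's decrypter and not the malware's actual code; it is a model built from the article's description. Assumptions: the key is the first 32 bytes produced by libc rand() after srand(timestamp); the cipher is replaced by a repeating-key XOR placeholder, since the recovery only needs a way to test a candidate key against known plaintext (with real AES you would decrypt the first block and apply the same check); the "victim file" is a constructed PDF-looking byte string, and the known-header test stands in for the "run `file` on each candidate" oracle mentioned above. `run_demo`, `recover_seed` and the seed values are all made up for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 32

/* Model of the flaw described in the article: the "random" key is libc
   rand() seeded with the timestamp taken at the moment of encryption.
   Hypothetical reconstruction for illustration only. */
static void derive_key_from_seed(uint32_t seed, uint8_t key[KEY_LEN])
{
    srand(seed);
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(rand() & 0xff);
}

/* Stand-in for the cipher: repeating-key XOR. The recovery below only needs
   some way to test a candidate key against known plaintext, so the choice
   of cipher does not matter for the attack. */
static void toy_crypt(const uint8_t key[KEY_LEN], const uint8_t *in,
                      uint8_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key[i % KEY_LEN];
}

/* Attacker side. The file's mtime brackets the seed; walk every candidate
   seed in [lo, hi], derive its key, and keep the one whose decryption
   reproduces the header that the file type is known to start with.
   Returns the recovered seed, or 0 if no candidate matched. */
static uint32_t recover_seed(const uint8_t *ct, const uint8_t *known_hdr,
                             size_t hdr_len, uint32_t lo, uint32_t hi)
{
    uint8_t key[KEY_LEN], pt[KEY_LEN];
    if (hdr_len == 0 || hdr_len > KEY_LEN || lo > hi)
        return 0;
    for (uint32_t s = lo; ; s++) {
        derive_key_from_seed(s, key);
        toy_crypt(key, ct, pt, hdr_len);
        if (memcmp(pt, known_hdr, hdr_len) == 0)
            return s;
        if (s == hi)            /* bounds check placed here to avoid overflow */
            break;
    }
    return 0;
}

/* Constructed victim file: a PDF-looking header followed by filler bytes. */
static const uint8_t SAMPLE_FILE[] =
    "%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n";
static const uint8_t PDF_MAGIC[] = "%PDF-1.4";   /* known 8-byte header */

/* Encrypt the sample with the flawed scheme at true_seed, then recover the
   seed by searching [lo, hi]. Returns the recovered seed (0 on failure). */
uint32_t run_demo(uint32_t true_seed, uint32_t lo, uint32_t hi)
{
    uint8_t key[KEY_LEN];
    uint8_t ct[sizeof SAMPLE_FILE];

    derive_key_from_seed(true_seed, key);
    toy_crypt(key, SAMPLE_FILE, ct, sizeof SAMPLE_FILE);

    return recover_seed(ct, PDF_MAGIC, sizeof PDF_MAGIC - 1, lo, hi);
}

int main(void)
{
    /* Constructed scenario: key derived at t = 1447000000, file written a
       few seconds later, so the attacker searches mtime +/- 60 s. */
    uint32_t mtime = 1447000003u;
    uint32_t found = run_demo(1447000000u, mtime - 60, mtime + 60);
    printf("seconds window:     recovered seed %u\n", (unsigned)found);

    /* The "seed from the microseconds field" variant: 10^6 candidates,
       still well under a minute of CPU. */
    found = run_demo(123456u, 0u, 999999u);
    printf("microsecond window: recovered seed %u\n", (unsigned)found);
    return found == 123456u ? 0 : 1;
}
```

The second search is the point of the "20-bit key" reply: widening the seed to a microsecond counter multiplies the work by a million, which on a laptop is the difference between instant and a few seconds. Only a seed the attacker cannot observe or enumerate (a kernel CSPRNG output) closes this, and note that srand(0) and srand(1) are the same seed on glibc, so even the seed space is slightly smaller than it looks.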

  5. boltar Silver badge

    Don't run your webserver as root...

    .... and you make your life a lot less stressful to start with. Then it doesn't matter what holes any server-side scripting may have; the worst it'll do is get local user privs and mess up that user's - probably "webadmin" or similar - data. Which you will have backed up, right?

    1. h4rm0ny

      Re: Don't run your webserver as root...

      Hardly the panacea you describe. Give me the ability to execute as the webserver and I'll probably be able to pull off all sorts of dreadful things that would knock your share price into the gutter. Getting the same access to your database that your legitimate web pages have sounds like a fine starting point to me. And there's plenty more where that came from. You lack imagination when you talk about "mess up that user's data". First thing I'd do with these "holes" you think aren't serious is start collecting your visitors' information - usernames, passwords, et al. Then depending on how valuable or not that is, I'd start using your site(s) to distribute my malware.

      I mean sure, don't run your webserver as root if you don't need to, but the way you write it is that "it doesn't matter what holes any server side scripting may have then" if you've "backed up". That isn't so.

  6. Wyrdness

    "The secure random keys and initialisation vectors generate information from the libc rand() function, and are seeded with the current system timestamp at the point of encryption. This information can be easily retrieved by looking at the file’s timestamp"

    I guess that these muppets failed Crypto-101.

    1. John G Imrie Silver badge

      Crypto-101.

      Don't use rand() for anything

      1. boltar Silver badge

        Re: Crypto-101.

        "Don't use rand() for anything"

        What would you suggest as a better random number generator then that doesn't require specialist hardware? All software based generators are predictable so rolling your own won't improve things.

        1. sed gawk

          Re: Crypto-101.

          Personally I'd use a composite counter and use a cryptographic hash function to generate the next number in the sequence. It's slow but simple, and likely to be a more random distribution than rand or some homebrew prng

        2. John G Imrie Silver badge

          Re: Crypto-101.

          I'd use /dev/random on Linux, as that blocks when there is insufficient entropy in the system

          1. sed gawk

            Re: Crypto-101.

            That's a *much* better solution. I was thinking portable as in cross-platform and considered using grown-up tools like /dev/random /dev/urandom somewhat detached from the Heath Robinson spirit of the question.

            using a monotonically increasing composite clock something like

            #include <stdint.h>
            #include <string.h>

            struct clock
            {
                uint32_t cs; // sessions since last restart
                uint32_t ci; // inputs in current session, wraps to zero on {cs,cn} increment
                uint32_t co; // outputs in current session wraps to zero on {cs,cn} increment
                uint32_t cn; // restarts
            } prng_clock;

            char buf[16] = {0};
            memcpy(buf, &prng_clock, sizeof(buf));   // the 16-byte struct is the hash input
            sha3(buf, buf, sizeof(buf));             // sha3() is whatever SHA-3 implementation you link against

            The values of {cs,ci,co,cn} vary from run to run depending on whatever rubbish was on the stack; the exact same run is needed to generate the same sequence, meaning if one was to stop the program running that has used this sequence, one has little chance of reproducing the run.

            It gives a better period than rand, and its crapness is its strength: it's not reliable, so unless you capture the initial run, good luck getting the same inputs.

            That said, upvoted as /dev/urandom is indisputably better.
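Reading the kernel CSPRNG the way the thread recommends, as an added example that is not from any of the commenters above. It takes 32 bytes for an AES-256 key and 16 for an IV from /dev/urandom, handling short reads and EINTR, which a single read() call does not guarantee to do for you. The function names and the `keys_differ` self-check are made up for the example. On Linux 3.17+ with glibc 2.25+, getrandom(2) does the same job without a file descriptor and blocks until the pool is initialised; it is the preferred call there, and /dev/random's blocking behaviour buys nothing once the pool has been seeded.

```c
#define _POSIX_C_SOURCE 200809L   /* for O_CLOEXEC, ssize_t, read/close */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define KEY_LEN 32   /* AES-256 key */
#define IV_LEN  16   /* AES block size */

/* Fill buf with n bytes from the kernel CSPRNG. Loops on short reads and
   retries on EINTR. Returns 0 on success, -1 on failure with errno set; on
   failure the buffer contents must not be used as key material. */
int fill_random(uint8_t *buf, size_t n)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;

    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR)
                continue;              /* interrupted by a signal: retry */
            int saved = errno;
            close(fd);
            errno = saved;
            return -1;
        }
        if (r == 0) {                  /* EOF from urandom should not happen */
            close(fd);
            errno = EIO;
            return -1;
        }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Generate a fresh key and IV. Nothing here is reconstructible from the
   encrypted file's timestamp or any other value an attacker can observe,
   which is the property srand(time())/rand() lacks. */
int generate_key_iv(uint8_t key[KEY_LEN], uint8_t iv[IV_LEN])
{
    if (fill_random(key, KEY_LEN) != 0)
        return -1;
    if (fill_random(iv, IV_LEN) != 0) {
        memset(key, 0, KEY_LEN);       /* do not leave a usable half-result */
        return -1;
    }
    return 0;
}

/* Self-check: two keys generated back to back must differ. A time-seeded
   PRNG fails this whenever both calls land in the same second. */
int keys_differ(void)
{
    uint8_t k1[KEY_LEN], k2[KEY_LEN], iv[IV_LEN];
    if (generate_key_iv(k1, iv) != 0 || generate_key_iv(k2, iv) != 0)
        return 0;
    return memcmp(k1, k2, KEY_LEN) != 0;
}

int main(void)
{
    uint8_t key[KEY_LEN], iv[IV_LEN];
    if (generate_key_iv(key, iv) != 0) {
        perror("generate_key_iv");
        return 1;
    }
    printf("key[0..3] = %02x%02x%02x%02x, keys_differ = %d\n",
           key[0], key[1], key[2], key[3], keys_differ());
    return 0;
}
```

The error paths matter more than the happy path: a ransomware author who ignored them would at worst produce a recoverable key, but a legitimate application that silently falls through with an uninitialised buffer ships a zero or stack-garbage key, which is the same class of flaw as the one in the article.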

        3. Anonymous Coward

          Re: Crypto-101.

          "What would you suggest as a better random number generator then that doesn't require specialist hardware?"

          https://www.random.org/integers/

        4. Hi Wreck
          Coat

          Re: Crypto-101.

          Minimally drand48(), or better yet random(). rand() has been known to suck for eons. However, it is available on Windows because it is part of the C standard, whereas drand48() and random() are not. Perhaps the malware authors were striving for maximum portability?

          1. Anonymous Coward

            Re: Crypto-101.

            Perhaps the malware authors were striving for maximum portability?

            Or perhaps they're former Window-cleaners that have decided they need to move where the money is… and in the web server market, that is not Microsoft.

        5. Tufty Squirrel

          Re: Crypto-101.

          >> What would you suggest as a better random number generator then that doesn't require specialist hardware?

          5

          It's a random number between 1 and 6.

  7. Mark 75

    So now that Bitdefender has blabbed the flaws in the script, the naughty people can develop a workaround to make it even harder to break.

    Great.

    1. Lamont Cranston
      WTF?

      The other option being

      that they keep quiet about it and let the existing malware go around encrypting files and extorting bitcoins as usual?

    2. Anonymous Coward

      > So now that Bitdefender has blabbed the flaws in the script, the naughty people can develop a workaround to make it even harder to break.

      You do not understand this security game much, do you, Love?

  8. Anonymous Coward

    Hail, hail Romania

    (a land I didn't make up -- sorry!)

    Seriously, good work, guys!

  9. Anonymous Coward

    "It does so by preventing executables running from the Windows AppData and Startup folders."

    This should be a standard feature of Windows.

    1. Anonymous Coward

      a better feature would be to prevent running any program from anywhere...

      (somebody had to say it...)

    2. NeonTeepee

      It's in group policy. 'Admins' make me so sad.

  10. iMap

    http://labs.bitdefender.com/wp-content/plugins/download-monitor/download.php?id=Decrypter_0.2.zip

    It's that good at what it does, it has killed itself!!

    This was available earlier

  11. Permidion
    Flame

    attack vector?

    and yet once again there is not a single word about the attack vector and any info about how that ransomware got installed on the related server...

    1. Anonymous Coward

      Re: attack vector?

      PHP code injection is one possibility… there are some dodgy PHP web-apps out there, and running as www-data or Apache would be more than sufficient to cause some carnage.

  12. Cameron Colley

    I wonder...

    Are some Western Digital "security" bods moonlighting in the malware business?

  13. Proffesor Madhead

    Chances Are

    Chances are that the ransomware itself is open source!
