back to article Plain cruelty: Boffins flay Linux ransomware for the third time

Probably the world's most tragically determined blackhat developers have had their revitalised Linux.Encoder ransomware pwned again by meddling BitDefender whitehats. The third iteration of the Linux.Encoder ransomware was unleashed on the world, infecting a paltry 600 servers before a crack team of security analysts returned …

  1. channel extended
    Linux

    FOSS?

    The question is, is it released under the GPL 2.0 or not?

    1. Anonymous Coward
      Anonymous Coward

      Re: FOSS?

      "Boffins flay Linux ransomware for the third time"

      Windows developers would get it right sooner? I guess that makes sense - products with more resources / investment are usually better- Just like Open Office versus MS Office, etc, etc.

      1. kryptylomese

        Re: FOSS?

        Like anything Microsoft actually has protection against malware? - LOL! This is not even a Linux issue it was a problem with unpatched CMS software but the FOSS community has people that can fix it and far quicker than the limited resources that Microsoft has!

        1. Naselus

          Re: FOSS?

          "Like anything Microsoft actually has protection against malware?"

          I know you probably haven't looked at Windows since 2003, but the world has actually moved on since then.

          Microsoft Security Essentials and Windows Defender are actually pretty good (not as good as they were a couple of years back, but still much, much better than any comparable in-built anti-malware). There's even examples of big-name malware (including certain suspected nation-state backed cyberweapons) which checked if MSE was installed on a system and just didn't bother attacking it if it found it.Even now, when it's fallen behind software from dedicated security companies, MSE blocks most known malware and the majority of zero-days. That's pretty impressive for a non-infosec outfit.

          But yes, the best way to stop malware is by aggressive information sharing with thousands of eyes on the case - it's the ideal circumstance for open source, and most AV companies share virus signatures with each other freely. While they keep their code proprietary, they have a lot of incentive to share data.

          1. TheOtherHobbes

            Re: FOSS?

            >But yes, the best way to stop malware is by aggressive information sharing with thousands of eyes on the case

            True - and that's why there are so many sites explaining how to keep Win 10 off your PC.

          2. kryptylomese

            Re: FOSS?

            RE Naselus:-

            You don't work in security do you....

            https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-17153/hasexp-1/Microsoft-Windows-7.html

            https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-23546/year-2013/Microsoft-Windows-Server-2012.html

            1. Anonymous Coward
              Anonymous Coward

              Re: FOSS?

              "You don't work in security do you...."

              I guess you don't either:

              https://www.cvedetails.com/vulnerability-list/vendor_id-33/product_id-47/Linux-Linux-Kernel.html

              "OpenOffice/LibreOffice has way more features"

              Nope - way fewer features. MS Office has many times the features / functions of Open Office. It's a vast product in comparison.

          3. Hans 1 Silver badge
            Coffee/keyboard

            Re: FOSS?

            >Microsoft Security Essentials and Windows Defender are actually pretty good

            You must be kidding ? Seriously, YOU MUST BE KIDDING!

            Malware dances around that crap! I have had multiple computers that I had to fix, up-to-date with latest malware removal tools, defender had latest definitions, however, boxore and a bunch of other malware was happily doing its work.Worst thing is, I found the exact same malware on different machines, 6 months apart. So they are not even updating their definitions!!!! Waste of CPU time.

          4. poohbear

            Re: FOSS?

            I think the better way is in the design of the OS ... which has always been Microsoft's problem.

        2. kryptylomese

          Re: FOSS?

          I guess if Microsoft Windows actually was any good then it would qualify as suitable for mission critical systems out of the box without having to enter into any special (read as expensive) extended support.

          1. Anonymous Coward
            Anonymous Coward

            Re: FOSS?

            "I guess if Microsoft Windows actually was any good then it would qualify as suitable for mission critical systems out of the box without having to enter into any special (read as expensive) extended support."

            You mean like for instance military command and control systems (SMCS-NG) that control weapons?

      2. DasWezel

        Re: FOSS?

        "... products with more resources / investment are usually better- Just like Open Office versus MS Office, etc, etc."

        IIS/Apache, Internet Explorer/Firefox etc. etc... Er, wait a minute.

        1. Anonymous Coward
          Anonymous Coward

          Re: FOSS?

          "IIS/Apache"

          Current versions of IIS are faster than apache on the same hardware and scale better - and it has had far fewer security vulnerabilities over the past decade.

          "Internet Explorer/Firefox etc."

          Every IE release has been faster at point of release than the current version of Firefox since IE9. For security holes IE is on average patched faster too.

      3. Hans 1 Silver badge
        Windows

        Re: FOSS?

        OpenOffice/LibreOffice have way more developers than MS Office, besides, it supports many more languages in its macro-framework, for example. OpenOffice/LibreOffice has way more features, like DocBook support, SVG support, stuff like that ... MS Office has way more testers, though ... I grant you that.

      4. fruitoftheloon
        WTF?

        @AC (The Village Idiot) Re: FOSS?

        Dear AC,

        as I am sure you aware MS' coding practices that none of their Applications or Operating Systems have ever had any bugs or never need to be patched...

        Well fuck a duck, it's amazing the amount of 'updates' that my Win 8 box tells me are needed to fix apparent issues...

        Do us all a favour and climb back under your rock eh??

        Regards.

        jay

  2. CAPS LOCK Silver badge

    In what sense is this a Linux issue?

    Last time I check it was a problem with unpatched CMS software. Not Wordpress for once, but still...

    1. MyffyW Silver badge

      Re: In what sense is this a Linux issue?

      Dear El Reg,

      It would be really good if you could highlight the specific vulnerability here in the article.

      I think you did it in the previous article ("the code is spreading at the moment using a critical flaw in the CMS Magento. A patch was released for this on October 31")

      ..but you know what a lazy cow I am.

      Lots of love,

      A sub-critical friend.

    2. Naselus

      Re: In what sense is this a Linux issue?

      In the sense that the malware in question targets systems running Linux, and not Windows/MacOS. Reel in your penguins of wrath.

      It's not a 'Linux issue' as in some kind of vulnerability in the OS that mean Linux is automatically shit. It's a Linux issue in the sense that malware can be written for any platform and this one happens to be written to run on net-facing Linux servers.

      1. Anonymous Coward
        Anonymous Coward

        Re: In what sense is this a Linux issue?

        It's a Linux issue in /exactly the same way/ that thousands of posters over 2 decades have derided MS Windows as being the core problem of /any/ malware attack or luser failure.

        And it would be either cheap and dishonest, or merely ignorant, to pretend that wasn't the case.

        1. JEDIDIAH
          Devil

          Re: In what sense is this a Linux issue?

          The problem with the Windows platform is that the biggest problem children in terms of insecure bug ridden apps have also been from Microsoft.

          1. Anonymous Coward
            Anonymous Coward

            Re: In what sense is this a Linux issue?

            "the biggest problem children in terms of insecure bug ridden apps have also been from Microsoft."

            Which apps? A quick check of CVEs shows by far the worse offenders over the past few years are Adobe and Oracle.

      2. Anonymous Coward
        Anonymous Coward

        Re: In what sense is this a Linux issue?

        "happens to be written to run on net-facing Linux servers."

        And it just so happens that said net-facing Linux servers are on average about 4 times more likely to be successfully hacked than net facing servers running Windows...

  3. TonyJ Silver badge

    Hmmm

    Is it a good idea to take to the likes of Twitter and give them what amounts to free advice on how to improve their work?

    1. Kevin Johnston

      Re: Hmmm

      It sounds, from the article, as though they were so inept that they would have blindly followed any advice so by using Twitter that way the whitehats would know exactly where to start the next time around

    2. DropBear Silver badge

      Re: Hmmm

      Unless I'm misunderstanding something, that twitter suggestion seems much more sarcasm than suggestion. The initial problem was that they took a known and knowable quantity (the time when the encryption was done, preserved as the modification time of the encrypted file) and used it to generate the encryption key: once you know what the seed for the random function was, it's not random at all and anyone can find the key again later using the same seed. That means that hashing that time changes NOTHING, the seed is still known, now you just have to hash the modification time of the encrypted file before using it as random seed if you want to find the "new" key; in other words, as long as they start from "time()" it doesn't matter what they do to it to make the key as long as we know what that time was and what exactly they did to it. Failing to grasp that is what the sarcasm targets, as an utterly useless piece of advice.

      What does matter is that this time they _preserve_ the original file timestamp while encrypting the file, which means we no longer know later what their "time()" seed was as we no longer know when exactly they modified the file. Thankfully, as I understand it, they do need to store the key they used somewhere in order to decrypt the file if ransom is paid, so they embed it in an encrypted form into the file itself - except they f###ed up the key encryption part, so the key is embedded into the file IN PLAINTEXT... making it ridiculously easy to decrypt.

      1. This post has been deleted by its author

    3. Anonymous Coward
      Anonymous Coward

      Re: Hmmm

      Jibe against them all you like but I'd work on the basis of not telling the opposition coders _anything_ that would steer them towards an improved product. And that includes case errors, misspelling variables...

      This is not a case of shaking their hand and saying "A gallant attempt Fritz, but you know if you'd just made a run for your own lines you'd have been alright. I'd nearly run out of bally fuel." No room for honour or respect for the enemy here.

    4. TeeCee Gold badge
      Happy

      Re: Hmmm

      Well that depends on the advice now, doesn't it.

      Note that the improvement suggested is to take the MD5 hash of the seed candidate and use that as the actual seed. That'll be the same known vulnerable MD5 function mentioned elsewhere here as something nobody in their right mind should be still using, right? Note also that the use of the known time as the seed candidate is preserved, making deriving the hash and thus the key later a somewhat trivial task.

      When it comes to staying ahead of the scrotes, there's only one thing better than knowing the fuckup they made this time around and that's knowing the one they're going to make next time.........

      1. Stevie Silver badge

        Re: Hmmm

        No it doesn't depend, at least from my window seat.

        No hints, not even sarcastic ones, because you never know when a new member of the team will have a sarcasm detector that works, and your own side is well-populated with people who don't have one who will be only too eager to wade in and "fix" your suggestion in a blaze of overly focussed oneupmanship

        1. Prst. V.Jeltz Silver badge

          Re: Hmmm

          Hints dont hurt. How hard can it be to generate a random number? god knows how they got it wrong 3 times. I'd have thought the hard part in this enterprise is covering your tracks and collecting bitcoins , and infecting servers not "think of a number".

          Off the top of of my head, if it were me , i'd try basing the seed on something more truly random , like keypresses (unlikely on a server tho)

          or look at cpu / mem usage and base it on those numbers .

          Or time between page requests if its a web server.

          Or farm out to some true random genrator on the net and get one from that

          presumably they only have to have one key per machine hijacked , I dont see why they do it per file.

          the malware could spend a good long while thinking of a suitably random seed and then encrypt all the files with the same key - after all if user pays up he's paying for all the files right?

          So i'd patch your servers - i doubt they'll fuck up a 4th time

          1. Charles 9 Silver badge

            Re: Hmmm

            "How hard can it be to generate a random number?"

            Moderately difficult. Now, being able to REMEMBER that number AND still hide it from the victim. That's another matter. If the malware's designed to be online, then a public key infrastructure can be used so that only the public encryption key stays with the victim (fat lot of good it'll do them). But if the malware has to be able to work offline, then you've got a problem: how to hide it so that the victim can't find it BUT be able to yourself find it later.

    5. Jeffrey Nonken Silver badge

      Re: Hmmm

      Athena: stop giving the enemy tactical advice!

      Pickle: sorry, got carried away.

  4. Ian Emery Silver badge
    Joke

    Most Secure system

    I am switching all of my most sensitive data to a PaP system, spread over multiple copy locations.

    .

    .

    .

    .

    .

    .

    .

    (Pen and Paper; spare copy at my mums house).

  5. Dave Harvey
    Devil

    DMCA

    How long before some A**ehole of a US lawyer decides to offer his services to the scum to help hem to sue the pants off the white hats for the lost profits due to unauthorised reverse engineering of their "product"?

    In the bizarre institutions which pass for courts in some parts of Texas, they'd probably win!

    1. Tom 7 Silver badge

      Re: DMCA

      TTIP its called now.

  6. MJI Silver badge

    They need to try better encryption

    Try ROT13 and for extra security do it twice

  7. Hans 1 Silver badge

    Embarrassing for the mob!

    Go, go, go

  8. wahankh
    Facepalm

    Schoolboy error

    As an amateur programmer, even I know not to seed random with time,null, or the other countless ways I've seen people do it. Normally I get entropy from /dev/random to seed srand or rand_add.

  9. Cynic_999 Silver badge

    The fact that the (sarcastic) suggested fix was no better than the original is not the point at all. The point is that it accurately identified the exact nature of the vulnerability. Had the principle of operation of the free decryption application not been revealed, the black-hats may well have remained ignorant of their mistake.

    1. Anonymous Coward
      Anonymous Coward

      Yes. Make them work for it. And sow confusion in the enemies' ranks. If you find 10 errors in a few days, imply it took weeks and you got lucky; perhaps scum will overestimate their own prowess and reuse that flaky code with next version.

  10. VeganVegan
    Facepalm

    They made a hash of it

    From my reading of the description, the most hilarious part is that they hashed the original value 8 times to generate the key; the trouble is, they didn't specify a hash function (!). So all that hashing did nada. The output was the same as the input.

  11. Fibbles
    Facepalm

    When script kiddies attempt to code.

    Part Trois.

  12. swm Bronze badge
    Happy

    I currently run an XP machine with no firewall or virus detector. Removing the firewall made the machine actually work for updating some web sites. Removing the virus detector made the machine run 2-5 times faster. I used to run both of these and my machine got infected a couple of times so they provided no benefit to me. I am behind a router so incoming connection attempts don't get anywhere.

    I have a second machine running ubuntu linux which I use for computation-intensive work. There is an unprivileged account on the linux machine that I log into from my XP machine to do my web surfing. An attacker would have to break out of the web browser, break out of the unprivileged account to damage my linux machine or subvert the X protocol to damage my XP machine. So far, no problems. (I would like to use a virtual machine on the linux box but too lazy to set it up yet.)

    Security depends on being really careful. I also backup on several machines and off-site - just in case. So far so good.

    1. Anonymous Coward
      Anonymous Coward

      Sometimes, even being careful doesn't work. That's why drive-by attacks on mainstream sites got so much attention. As for your defenses, combine a drive-by web browser exploit with a privilege-escalation attack and your Linux box is pwned. Once there, they'll be able to see your XP machine and attack it via the Linux box. And BTW, they can also decide to lay low and let the malware get into your backups before attacking so that by the time you realize you need to pull them out, they're infected, too.

  13. Aseries

    In several articles I have seen the largest most active BOTNETS reside on Linux servers and the main problem is poor administration and weak passwords. As usual, it's the nut behind the wheel.

  14. Anonymous Coward
    Anonymous Coward

    Wouldn't it make a lot more sense to not generate the keys locally?

    If I were to write ransomware, I'd have the software generate RSA keys, open an encrypted connection to the C&C server, which uses a true hardware RNG to generate a good encryption key or seed, which is then sent to the client, to be stored in RAM only (and in the C&C database).

    Sure, that makes the malware vulnerable to having the key read out of memory while it's running, but when the malware is done and cleans up after itself in the memory, you'll have a much harder time...

    1. Charles 9 Silver badge

      That's assuming your malware can get online to call back to the server to hide the private key (the public key doesn't matter). But what if you have to assume you're working offline (such as in an airgapped machine)? Now you have to generate your own key, be able to hide it somewhere the victim can't find it, AND still be able to recall it later to do your dirty work. It's a "hiding in plain sight" scenario.

  15. JLV Silver badge
    Paris Hilton

    Just wondering...

    You have to wonder why, for an article on Linux malware, so many people are slagging Windows in passing.

    Which well deserves slagging, and provides ample opportunity to do so on a pretty steady basis. But Windows is not at all involved in this little story. Even the bit about the open source software being so awesome seems strange... surely the malware isn't sitting on github waiting to be taken apart? Seems to me the same competent efforts by the white hats to nix the encryption could have taken place in the, vastly more likely, event of a Windows-based malware.

    Does go to show that you can't rely on an OS, even a fairly secure one, to totally mitigate badly written applications and/or incompetent users or admins. And that, as usual, we can't collectively step out of our partisanship.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019