Slashdot Mirror


Stung By File-Encrypting Malware, Researchers Fight Back

itwbennett (1594911) writes "When Jose Vildoza's father became the victim of ransomware, he launched his own investigation. Diving into CryptoDefense's code, he found its developers had made a crucial mistake: CryptoDefense used Microsoft's Data Protection API (application programming interface), a tool in the Windows operating system to encrypt a user's data, which stored a copy of the encryption keys on the affected computer. Vildoza and researcher Fabian Wosar of the Austrian security company Emsisoft collaborated on a utility called the Emsisoft Decrypter that could recover the encrypted keys. In mid-March Vildoza had launched a blog chronicling his investigation, purposely not revealing the mistake CryptoDefense's authors had made. But Symantec then published a blog post on March 31 detailing the error."

23 of 85 comments

  1. Which only serves to further by Wapiti-eater · Score: 4, Insightful

    The myth that the 'security' industry is at the root of the problem

    --
    Senior NCO in the fight against entropy. I've seen things, man. Things no one should have to see.....
    1. Re:Which only serves to further by gstoddart · Score: 3, Informative

      How does that support that the security industry is somehow part of the problem? They found a simple and convenient way to give the ransomware the boot, what's your point?

      Because, if you publicize how you caught their error, they can fix it.

      So, now the next iteration of this will possibly NOT be fixable.

      Someone found a way to fix it, and didn't tell how it was done. Someone else then publicized it ... and when you explain the ways and means, the bad guys can know how you did it.

      What they've done is tell the ransomware folks how to 'improve' their malware.

      --
      Lost at C:>. Found at C.
    2. Re:Which only serves to further by Anonymous Coward · Score: 2, Insightful

      Yeah, it would've been much harder for the attackers to reverse his utility right? Anything that monitors file accesses would've seen what files it was accessing. I don't disagree the AV company made a mistake because they wanted publicity but I don't think what they did was as significant as you might think.

    3. Re:Which only serves to further by Calydor · Score: 3, Informative

      Symantec did exactly what gets private security researchers into hot water: They publicized an exploit in a program.

      Ignoring the fact that the program is malware and the exploit was a means of defeating the malware, WHY is it okay for Symantec to do this?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    4. Re:Which only serves to further by v1 · Score: 5, Interesting

      WHY is it okay for Symantec to do this?

      The more relevant question to ask is "Why DID Symantec do this?" A more interesting question would be "Why did Symantec break the law?" They didn't do that, but the answer to all three is the same.

      "because it helps them make money".

      In this particular case, the fear of ransomware helps Symantec sell their product. So a researcher doing something to combat ransomware hurts Symantec's business. So they do what they can do, to protect their profits. In this case, it's even legal for them to do it. So it's a no-brainer.

      You simply have to expect this sort of behavior from any big business. There's no point in being confused or shocked by it.

      A month from now they will be able to make a new press release, "Two months ago security researchers dealt a blow to ransomware, protecting users and devaluating our product. Today, we're pleased to announce the ransomware developers have made the necessary fixes to their code outlined in our recent publication, and once again, Symantec is your only defense against ransomware!"

      --
      I work for the Department of Redundancy Department.
    5. Re:Which only serves to further by mysidia · Score: 3, Insightful

      Because, if you publicize how you caught their error, they can fix it.

      Exactly. They publicized the methods solely for marketing purposes -- so they could write a "ME TO" article, showing how their "researchers" are "On top" of security, and stealing thunder from the developer of the free Decryption software.

      Because we're big Symantec, and we can't have third parties scooping us on antimalware techniques.

      It also helps their product by making sure the authors of ransomware learn from mistakes, so future ransomware is more robust, AND therefore, users will have greater damage by ransomware in the future, increasing the demand for Symantec's products.

    6. Re:Which only serves to further by Anonymous Coward · Score: 3, Informative

      You'd think this would be the case... but the reality is that the malware authors updated their software the day after Symantec published the flaw. They didn't fix the flaw during the time when the "free tool" was available. Looks like a direct correlation to me.

      The big thing here is that the authors probably couldn't be bothered to fix it before Symantec broke the news, as they were still getting lots of payments.

    7. Re:Which only serves to further by Darinbob · Score: 2, Interesting

      How about the question "why should they not do this?" The ransomware makers know that there's a recovery tool, so it's a short period of time before they figure out what their flaw is. There's no gain to be benefited by keeping the details secret. Do we want the situation where some security professionals know what the flaw is, the malware authors know what the flaw is, but the general public is kept in the dark?

      Security through obscurity does not work. Similarly, keeping security protection details limited to a select few is also a bad idea.

  2. Of course Symantec did that... by Last_Available_Usern · Score: 4, Interesting

    It's in Symantec's interest that the authors mitigate the weakness in their malware so the threat will permeate through media and people will continue to be terrified into buying copious amounts of security software that in most cases won't even mitigate the risk.

    1. Re:Of course Symantec did that... by dcollins117 · Score: 3, Informative

      What I find most interesting about this story is that both the white hats and the black hats share a common goal. It's your money.

      The black hats are saying "Give me your money if you ever want to see your data again." The white hats are saying "Give me your money and we'll try to keep your data safe."

      They're both picking your pockets, all you have to do is choose your master.

  3. disclosure by DriveDog · Score: 2

    At first Symantec's actions sounded dismaying, but in the long run using every opportunity to publicize the folly of using that API is probably beneficial. I've spent years trying to dissuade people from using (old) Excel's password "protection" due to the false sense of security. That Win API has the same effect—convinces the masses they're employing secure means when in fact they're not.

    1. Re:disclosure by Last_Available_Usern · Score: 3, Insightful

      It must be at least mildly effective if the only legitimate means of unencrypting the data was a copy of the keys that only a set of researchers dedicated to the issue were able to find.

    2. Re:disclosure by marciot · Score: 3, Insightful

      I've spent years trying to dissuade people from using (old) Excel's password "protection" due to the false sense of security. That Win API has the same effect—convinces the masses they're employing secure means when in fact they're not.

      I think recent events have shown that relying on security of any kind leads to a false sense of security (examples: NSA backdoors, OpenSSL bugs, WEP vulnerabilities, etc). We'd all be much safer if we simply assumed there was no such thing as security.

  4. Re:fake website by Qzukk · Score: 3, Informative

    That's a pretty common ad-delivered site that's been around for a while. It has an "onunload" function that pops up an error message when you try to leave the site. Chrome added a checkbox to disable the message, so they made their error message so long it goes off the bottom of the screen, and since it's a dialog box, you can't scroll the text to get to the checkbox; you just have to trust it's there after the third or fourth alert: hit tab, space to check the box, tab again, space to hit OK.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  5. Re:fake website by gstoddart · Score: 3, Insightful

    It has an "onunload" function that pops up an error message

    And this is why I don't allow javascript to run on arbitrary sites.

    Because javascript can be used to do way too many annoying things. Like websites which think they can disable my right click (so I can use the back button) because they think I'm going to steal their images.

    It's also why Flash doesn't get installed on machines I control.

    --
    Lost at C:>. Found at C.
  6. Future victims should sue Symantec by leereyno · Score: 3, Insightful

    Future victims of this criminal organization should sue Symantec.

    Class action lawsuit.

    I also think that criminal charges for aiding and abetting would apply as well.

    --
    Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
  7. Paging file? by Dwedit · Score: 3, Interesting

    Okay, stupid question time...
    If someone took a disk image during the time when the virus was in the process of encrypting files, would it be possible to find the key in the paging file?

  8. I see a lot of criticism of Symantec here. by mmell · Score: 2

    I keep seeing people essentially criticizing Symantec for releasing the details of this exploit. I'm sure the obsecurity model has worked quite well for all of you, hasn't it?

    Security through obscurity is a long-debunked myth. You people need to get over it - hiding an exploit only guarantees its continued effectiveness (obsecurity works both ways, protecting the exploit as well as the exploited). Exposing an exploit causes people to work to close the exploit and put it out of business. There's a short-term loss as every script-kiddie takes advantage of their newly discovered toy, but a greater long-term advantage in securing systems against said exploit.

    To be sure, secrecy can be used to add to security - but the secret should be what you've done to close the holes, not the fact that those holes exist.

  9. Re:fake website by Richy_T · Score: 4, Funny

    I take special delight in stealing the images of sites like that.

  10. Re:Bitcoins? by Guest316 · Score: 2

    Ah, blaming the tool again.

  11. Re:Bitcoins? by TangoMargarine · Score: 2

    Yeah, good luck with convincing the people who use a currency specifically because it's not controllable by the government to report said use to said government.

    --
    Unity? Screw that: XFCE. Slashdot Beta? Screw that: SoylentNews. Australis? Screw that: Pale Moon. UX developers DIAF
  12. Great summary by uvajed_ekil · Score: 3, Funny

    Now I finally know what API means.

    --
    This is a hacked account, for which the owner can not be held responsible.