Stung By File-Encrypting Malware, Researchers Fight Back

← Back to Stories (view on slashdot.org)

Stung By File-Encrypting Malware, Researchers Fight Back

Posted by timothy on Thursday April 10, 2014 @03:26AM from the picked-the-wrong-guys dept.

itwbennett (1594911) writes "When Jose Vildoza's father became the victim of ransomware, he launched his own investigation. Diving into CryptoDefense's code, he found its developers had made a crucial mistake: CryptoDefense used Microsoft's Data Protection API (application programming interface), a tool in the Windows operating system to encrypt a user's data, which stored a copy of the encryption keys on the affected computer. Vildoza and researcher Fabian Wosar of the Austrian security company Emsisoft collaborated on a utility called the Emsisoft Decrypter that could recover the encrypted keys. In mid-March Vildoza had launched a blog chronicling his investigation, purposely not revealing the mistake CryptoDefense's authors had made. But Symantec then published a blog post on March 31 detailing the error."

17 of 85 comments (clear)

Min score:

Reason:

Sort:

Wich only serves to further by Wapiti-eater · 2014-04-10 03:29 · Score: 4, Insightful

The myth that the 'security' industry is at the root of the problem

--
Senior NCO in the fight against entropy. I've seen things, man. Things no one should have to see.....
1. Re:Wich only serves to further by gstoddart · 2014-04-10 04:07 · Score: 3, Informative
  
  How does that support that the security industry is somehow part of the problem? They found a simple and convenient way to give the ransomware the boot, what's your point?
  Because, if you publicize how you caught their error, they can fix it.
  So, now the next iteration of this will possibly NOT be fixable.
  Someone found a way to fix it, and didn't tell how it was done. Someone else then publicized it ... and when you explain the ways and means, the bad guys can know how you did it.
  What they've done is tell the ransomware folks how to 'improve' their malware.
  
  --
  Lost at C:>. Found at C.
2. Re:Wich only serves to further by Calydor · 2014-04-10 04:44 · Score: 3, Informative
  
  Symantec did exactly what gets private security researchers into hot water: They publicized an exploit in a program.
  Ignoring the fact that the program is malware and the exploit was a means of defeating the malware, WHY is it okay for Symantec to do this?
  
  --
  -=This sig has nothing to do with my comment. Move along now=-
3. Re:Wich only serves to further by v1 · 2014-04-10 05:19 · Score: 5, Interesting
  
  WHY is it okay for Symantec to do this?
  The more relevant question to ask is "Why DID Symantec do this?" A more interesting question would be "Why did Symantec break the law?" They didn't do that, but the answer to all three is the same.
  "because it helps them make money".
  In this particular case, the fear of ransomware helps Symantec sell their product. So a researcher doing something to combat ransomware hurts Symantec's business. So they do what they can do, to protect their profits. In this case, it's even legal for them to do it. So it's a no-brainer.
  You simply have to expect this sort of behavior from any big business. There's no point in being confused or shocked by it.
  A month from now they will be able to make a new press release, "Two months ago security researchers dealt a blow to ransomware, protecting users and devaluating our product. Today, we're pleased to announce the ransomware developers have made the necessary fixes to their code outlined in our recent publication, and once again, Symantec is your only defense against ransomware!"
  
  --
  I work for the Department of Redundancy Department.
4. Re:Wich only serves to further by mysidia · 2014-04-10 06:11 · Score: 3, Insightful
  
  Because, if you publicize how you caught their error, they can fix it.
  Exactly. They publicized the methods solely for marketing purposes -- so they could write a "ME TO" article, showing how their "researchers" are "On top" of security, and stealing thunder from the developer of the free Decryption software.
  Because we're big Symantec, and we can't have third parties scooping us on antimalware techniques.
  It also helps their product by making sure the authors of ransomware learn from mistakes, so future ransomware is more robust, AND therefore, users will have greater damage by ransomware in the future, increasing the demand for Symantec's products.
5. Re:Wich only serves to further by Anonymous Coward · 2014-04-10 06:27 · Score: 3, Informative
  
  You'd think this would be the case... but the reality is that the malware authors updated their software the day after Symantec published the flaw. They didn't fix the flaw during the time when the "free tool" was available. Looks like a direct correlation to me.
  The big thing here is that the authors probably couldn't be bothered to fix it before Symantec broke the news, as they were still getting lots of payments.
Of course Symantec did that... by Last_Available_Usern · 2014-04-10 03:40 · Score: 4, Interesting

It's in Symantec's interest that the authors mitigate the weakness in their malware so the threat will permeate through media and people will continue to be terrified into buying copious amounts of security software that in most cases won't even mitigate the risk.
1. Re:Of course Symantec did that... by dcollins117 · 2014-04-10 05:58 · Score: 3, Informative
  
  What I find most interesting about this story is that both the white hats and the black hats share a common goal. It's your money.
  The black hats are saying "Give me your money if you ever want to see your data again." The white hats are saying "Give me your money and we'll try to keep your data safe."
  They're both picking your pockets, all you have to do is choose your master.
Re:disclosure by Last_Available_Usern · 2014-04-10 03:55 · Score: 3, Insightful

It must be at least mildly effective if the only legitimate means of unencrypting the data was a copy of the keys that only a set of researchers dedicated to the issue were able to find.
Re:fake website by Qzukk · 2014-04-10 04:07 · Score: 3, Informative

That's a pretty common ad-delivered site that's been around for a while. It has an "onunload" function that pops up an error message when you try to leave the site. Chrome added a checkbox to disable the message, so they made their error message so long it goes off the bottom of the screen and since its a dialog box, you can't scroll the text to get to the checkbox, you just have to trust it's there after the third or fourth alert: hit tab, space to check the box, tab again, space to hit ok.

--
If I have been able to see further than others, it is because I bought a pair of binoculars.
Why the Antivirus Era Is Over by Martin+S. · 2014-04-10 04:08 · Score: 5, Informative

They can't keep up with the known threats
Comparative reviews since February 2009 - February 2014
Out-maneuvered by new threat vectors
Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt
Conventional security software is powerless against sophisticated attacks like Flame, but alternative approaches are only just getting started.
Some of them even get it, Eugene Kaspersky admits :
The contemporary antivirus industry and its problems
Re:fake website by gstoddart · 2014-04-10 04:11 · Score: 3, Insightful

It has an "onunload" function that pops up an error message
And this is why I don't allow javascript to run on arbitrary sites.
Because javascript can be used to do way too many annoying things. Like websites which think they can disable my right click (so I can use the back button) because they think I'm going to steal their images.
It's also why Flash doesn't get installed on machines I control.

--
Lost at C:>. Found at C.
Re:disclosure by marciot · 2014-04-10 04:48 · Score: 3, Insightful

I've spent years trying to dissuade people from using (old) Excel's password "protection" due to the false sense of security. That Win API has the same effect—convinces the masses they're employing secure means when in fact they're not.
I think recent events have shown that relying on security of any kind leads to a false sense of security (examples: NSA backdoors, OpenSSL bugs, WEP vunerabilities, etc). We'd all be much safer if we simply assumed there was no such thing as security.
Future victims should sue Symantec by leereyno · 2014-04-10 05:42 · Score: 3, Insightful

Future victims of this criminal organization should sue Symantec.
Class action lawsuit.
I also think that criminal charges for aiding and abetting would apply as well.

--
Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
Paging file? by Dwedit · 2014-04-10 06:03 · Score: 3, Interesting

Okay, stupid question time...
If someone took a disk image during the time when the virus was in the process of encrypting files, would it be possible to find the key in the paging file?
Re:fake website by Richy_T · 2014-04-10 06:33 · Score: 4, Funny

I take special delight in stealing the images of sites like that.
Great summary by uvajed_ekil · 2014-04-10 14:06 · Score: 3, Funny

Now I finally know what API means.

--
This is a hacked account, for which the owner can not be held responsible.