Slashdot Mirror


Critroni Crypto Ransomware Seen Using Tor for Command and Control

Trailrunner7 writes: There's a new kid on the crypto ransomware block, known as Critroni, that's been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say it's the first crypto ransomware seen using the Tor network for command and control.

The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims' machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim's PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files.

"It uses C2 hidden in the Tor network. Previously we haven't seen cryptomalware having C2 in Tor. Only banking trojans," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. "Executable code for establishing a Tor connection is embedded in the malware's body. Previously, for malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware's body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general."

62 of 122 comments

  1. Antivirus by saloomy · · Score: 4, Informative

    Not trying to blame the victim, but I wonder if antivirus or anti-malware software will detect these ransomware programs? Just asking. I guess firewalls might be able to detect the Tor server/connections.

    All a firewall will see is encrypted traffic from the computer in the LAN (inside) initiating a connection to a random computer (IP address) on the Internet (outside interface). It's not able to see what is being sent/received, which is the entire reason for Tor's existence... protecting you from Man in the Middle attacks, which in this case, the firewall would be.

  2. Re:Time to get rid of Tor by CRCulver · · Score: 4, Insightful

    It has also been an enabler for millions of people in Iran, Syria and Turkmenistan to frequent social networks like Facebook and Twitter. The considerable soft power that the West gains over the youth in these often hostile or hermetic states is worth the occasional use of the network for financial crimes.

  3. Re:Antivirus by leuk_he · · Score: 1

    All trojans/bots/ransomware are designed to circumvent antivirus. It is an arms war between viruses and anti-virus. At the moment the viruses are winning it :(.

    And there is a nasty side effect: real legit Tor usage will be detected as malware suspect by antivirus software. So if you have a "good" reason to use Tor you might have to disable anti-virus.

  4. Re:Angler PC malware? by ttucker · · Score: 4, Insightful

    How is it you manage to not once mention Microsoft Windows in that whole article? How does the Critroni ransomware get onto the victim's PC in the first place?

    Most of this shit is installed by tricking the user with phishing style emails and general social engineering to download attachments. Certainly zero day stuff is a goldmine for malware, but under-informed end users are much more consistently available. The stuff that crypto ransom software holds hostage is heavily concentrated in the user's home directory, so no privilege escalation is required. It is good to be proud of your operating system of choice, but it is smug to think that Linux/OSX/BSD/Solaris will do anything technical to protect from such an attack.

  5. Re:Time to get rid of Tor by vux984 · · Score: 5, Insightful

    It has also been an enabler for millions of people in Iran, Syria and Turkmenistan to frequent social networks like Facebook and Twitter.

    And get uncensored news from buzzfeed

    Don't get me wrong, Tor is a great enabler for countering censorship, etc... but advocating that these people need access to facebook and twitter? Honestly. Nobody needs that.

  6. Firewalls that block suspicious activity by davidwr · · Score: 2

    The time will come when firewalls inspect all outgoing packets and use heuristics to guess how dangerous encrypted traffic might be.

    For example:

    • Whitelisted sites: Encrypted traffic to an IP address previously whitelisted by the firewall vendor or end user? It's whitelisted, let it pass.
    • Heuristically safe sites: Encrypted traffic to an IP address known to be associated with a well-known domain whose DNS is known to be valid and who is known to typically use encryption over this port and whose recent activity hasn't been suspicious? Probably safe.
    • Suspicious traffic to an okay site: Encrypted traffic to whitelisted or probably-safe web sites that is uncharacteristic in size or other known details? Possibly not safe.
    • Unknown site: Encrypted traffic to anyone else who isn't blacklisted? Possibly not safe.
    • Blacklisted site: Encrypted traffic to a blacklisted site? Block it.

    In the middle three groups, give the user a chance to approve/block/whitelist the traffic or, if the user just wants such traffic logged or just wants to see an on-screen alert but doesn't want to be bothered with the "should I block it" question, log it and/or put up a visible notification to the end-user.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
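
The five buckets davidwr lists above, and the "what does the firewall actually see" point from comment 1, turned into a small egress classifier. This is an added example written for this thread, not code from any firewall vendor or from the commenter; the connection records, the allow/block lists, the per-domain byte baseline and the 5x "uncharacteristic size" threshold are all constructed assumptions. It only decides on metadata (destination, port, byte count, resolved name), which is exactly the limitation comment 1 describes.

```python
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Optional, Set, Tuple

# Assumption: an outbound flow summary as a perimeter device could log it.
# Nothing here looks inside the encrypted payload; only metadata is available.
@dataclass
class Connection:
    dst_ip: str
    dst_port: int
    bytes_out: int
    encrypted: bool
    domain: Optional[str] = None      # name the client resolved, if the firewall saw the DNS lookup
    dns_valid: bool = False           # the resolution looked legitimate (not a rogue/inconsistent answer)
    recently_suspicious: bool = False # the destination tripped some other rule recently


@dataclass
class Policy:
    allowlist: Set[str] = field(default_factory=set)                 # vendor/user whitelisted IPs
    blocklist: Set[str] = field(default_factory=set)                 # blacklisted IPs
    known_ports: Dict[str, Set[int]] = field(default_factory=dict)   # well-known domain -> TLS ports it normally uses
    history: Dict[str, List[int]] = field(default_factory=dict)      # domain -> past bytes_out values (baseline)
    user_mode: str = "ask"   # "ask" (prompt), "log" (silent), "notify" (alert, no question)


SIZE_FACTOR = 5.0   # constructed threshold: a flow 5x the historical mean counts as "uncharacteristic in size"


def size_uncharacteristic(policy: Policy, domain: Optional[str], bytes_out: int) -> bool:
    """True when we have a baseline for this domain and this flow is far larger than usual."""
    past = policy.history.get(domain or "", [])
    if len(past) < 3:          # not enough history to call anything unusual
        return False
    return bytes_out > SIZE_FACTOR * mean(past)


def middle_action(policy: Policy) -> str:
    """What to do with the three 'possibly not safe' buckets, per the user's preference."""
    return {"ask": "prompt", "log": "log", "notify": "notify"}[policy.user_mode]


def classify(conn: Connection, policy: Policy) -> Tuple[str, str]:
    """Return (bucket, action) for one outbound flow. Blocklist wins over allowlist."""
    if not conn.encrypted:
        return "cleartext", "inspect"            # plaintext is handled by ordinary content inspection
    if conn.dst_ip in policy.blocklist:
        return "blacklisted", "block"
    if conn.dst_ip in policy.allowlist:
        if size_uncharacteristic(policy, conn.domain, conn.bytes_out):
            return "suspicious-known", middle_action(policy)
        return "whitelisted", "allow"
    known = conn.domain is not None and conn.domain in policy.known_ports
    if (known and conn.dns_valid
            and conn.dst_port in policy.known_ports[conn.domain]
            and not conn.recently_suspicious):
        if size_uncharacteristic(policy, conn.domain, conn.bytes_out):
            return "suspicious-known", middle_action(policy)
        return "heuristically-safe", "allow"
    # Anything else: a name we do not know, or no name at all (a bare IP on an odd port,
    # which is also what a Tor guard/relay connection looks like from the outside).
    return "unknown", middle_action(policy)


def record(policy: Policy, conn: Connection) -> None:
    """Learn the baseline: remember how much this client usually sends to the domain."""
    if conn.domain:
        policy.history.setdefault(conn.domain, []).append(conn.bytes_out)


def demo() -> List[Tuple[str, str]]:
    # Constructed policy and sample flows (documentation/test address ranges only).
    policy = Policy(
        allowlist={"203.0.113.10"},
        blocklist={"198.51.100.66"},
        known_ports={"mail.example.org": {443, 993}},
        history={"mail.example.org": [1200, 900, 1500]},
        user_mode="ask",
    )
    sample = [
        Connection("203.0.113.10", 443, 4000, True, "updates.example.com", True),   # whitelisted
        Connection("192.0.2.44", 993, 2000, True, "mail.example.org", True),        # known site, normal size
        Connection("192.0.2.44", 993, 50_000, True, "mail.example.org", True),      # known site, 40x usual
        Connection("192.0.2.99", 9001, 3000, True),                                  # no name, odd port
        Connection("198.51.100.66", 443, 100, True),                                 # blacklisted
        Connection("192.0.2.44", 80, 500, False, "mail.example.org", True),          # plaintext
    ]
    return [classify(c, policy) for c in sample]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The ordering matters: a blocklist hit is checked before the allowlist so a stale whitelist entry cannot override a later block, and the size check runs even for whitelisted destinations, which is the "suspicious traffic to an okay site" bucket. What the example cannot do is tell a Tor circuit from any other TLS session to an unknown IP; it can only surface it for the user to decide, which is davidwr's point.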
  7. Re:Time to get rid of Tor by Gothmolly · · Score: 1

    And those countries instantly became bastions of freedom? Hint: no they didn't. People think Internet = magical standard of living raiser, and it isn't. It's just another tool to control the population.

    --
    I want to delete my account but Slashdot doesn't allow it.
  8. Re:Time to get rid of Tor by jeIIomizer · · Score: 3, Insightful

    And those countries instantly became bastions of freedom?

    It didn't instantly fix everything, so it's worthless.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  9. Re:Antivirus by saloomy · · Score: 1

    Technically yes, it can be done, but...
    1. Where is the list of all IP addresses coming from?
    2. Who is supposed to manage the white list, or the now very large ruleset in your large organization?
    3. Who is supposed to whitelist EVERY SINGLE IP address your computer talks to? Track the connections in your ASA, and you will discover that with phones, tablets, and regular users, a 50 man organization will connect to literally tens of thousands of IPs a day. It's unrealistic to whitelist IPs, especially when you cannot guarantee targets will not update their DNS records when they obtain new IP addresses.
    4. Forget about any P2P application... not just file-sharing but chat and messaging programs that communicate directly to the client.

  10. Re:Angler PC malware? by NotInHere · · Score: 1

    Most Linux distros have software repositories, and when you only use them (no PPAs) to install stuff, you are on the safe side. The Windows store only includes Metro apps. The lack of a proper software repository mechanism is nothing else than an invitation from Microsoft to surf the web for software and download it from there. Another part of this problem is Dice, which agrees to display "download here" ads on SourceForge, and Google, which doesn't want to disable the "download here" ads.

    Dice and Google make money from being used to spread malware, and Tor is blamed for routing C&C? This is just stupid.
    Of course, I've read this, but somehow their efforts were in vain, as I've tried today and got a "free trial windows drivers download now" ad on the VLC download page.

  11. Corporate MITM by davidwr · · Score: 1

    Which is more evil:
    Telling employees "we block all encrypted traffic and snoop on everything else"

    or telling them

    "We MITM all encrypted traffic we can so we can snoop on it, we snoop on everything we can and block the rest"

    or telling them

    "we block all traffic except traffic to the few Internet resources we know you need, and oh by the way we snoop on that"

    or telling them

    "we don't think you need a computer to do your job, if you do need a computer to do your job then talk to your boss and he MAY give you the keys to the one room where there is a computer. Oh, by the way, there are TV cameras all over that room so don't even think about using it for non-business purposes."

    Substitute "school," "institution," or "parent" for "employer" and substitute "student," "client/end-user," or "minor child who the parents deem too young/immature to use the Internet unsupervised" for "employee."

    Speaking of parents, many parenting experts highly recommend that if a kid under a certain age/maturity level wants to use the Internet, he only be allowed to do so under close supervision, as in mom or dad in the room within eyesight of the screen. What age? Experts disagree, but almost all would put the cutoff age where mom can leave the room for a few minutes at somewhere in the elementary school (age 5-12) age range.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  12. Hiding bridges by davidwr · · Score: 1

    If counteracting the detecting and blocking of bridge nodes becomes a problem - and it probably will as soon as the Chinese get good at it - someone will find a solution.

    A resource-intensive solution would be to layer the Tor/bridge traffic on top of and steganographically embedded into some seemingly-normal traffic, such as an encrypted streaming video, so that a traffic analysis would say "it's probably just someone watching online TV."

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  13. unpatched wetware by davidwr · · Score: 2

    but under-informed end users are much more consistently available

    Question: What's more common and arguably more dangerous than a Windows XP computer that hasn't received any OS updates in the last 2 months?

    Answer: An "unpatched" (naive/uninformed) human operating the keyboard.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  14. Re:Angler PC malware? by phantomfive · · Score: 1

    Indeed, the rest of us are lucky that there are enough clueless users to distract malware writers. If the focus were on finding all the vulnerabilities in our OS, all of us would be owned.

    --
    "First they came for the slanderers and i said nothing."
  15. Re:Angler PC malware? by NotInHere · · Score: 1

    And desktop Linux is unfortunately less secure than Windows against 0day attacks. I hope Wayland fixes this through isolation and privilege separation.

  16. Re:Angler PC malware? by Rhywden · · Score: 1

    You're wrong. The Windows 8.1 app store does include traditional desktop apps. They're rare but the Adobe Reader XI is in the store.

    Also, Microsoft can't very well force companies to only publish through their store...

  17. Re:Antivirus by goarilla · · Score: 1

    All trojans/bots/ransomware are designed to circumvent antivirus. It is an arms war between viruses and anti-virus. At the moment the viruses are winning it :(.

    Well it's a reactive business (hopefully) so that's to be expected.

  18. Re:Angler PC malware? by murdocj · · Score: 1

    Didn't take long for Windows hate to hijack this thread.

  19. Re:Time to get rid of Tor by DarkOx · · Score: 4, Interesting

    And while we are on the subject:

    It's true that some protests and the beginnings of the Arab spring stuff apparently began on Twatter and Facespace; I wonder how much of that was going to happen anyway, especially given that in at least 3 of the four major uprisings the secular movements that seemed so popular online certainly have not proven to be what the people ultimately choose to support:

    Egypt - went theocracy and is now back to essentially an autocracy that more or less resembles the one they started out with.

    Libya - If you're not an Obama apologist, is a failed state, run by gangs or would-be tyrants.

    Syria - Remains to be seen if the rebels will even succeed, but if they do it will probably be Islamist.

    Tunisia - Well that one might have kinda worked.

    One is left to wonder if, much like Slashdot here in the states, where lots of radical (not to be necessarily read with a negative connotation) ideas get expressed online, it seems to amount to a lot of political masturbation because it does not get translated into actions that generate any sort of results at the ballot box. In some respects, taking a longer view, the pamphleteers of the late 17th and 18th centuries, and the marchers and organizers of the mid 20th century, seem to have had much more influence than the 21st century Internet critics. Oh sure, they can manage to get a SOPA or PIPA shot down once in a while, but can't get it turned into the sort of third rail the politicians will shy away from touching again for even a year.

    So is it possible the Internet is actually harmful to these movements, is it keeping people sitting at home posting on Facespace behind their proxies instead of actually out in the street doing something disruptive? Sure the organizing power of these things is clear but real widely supported political movements always have managed to organize before.

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  20. Re:Angler PC malware? by NotInHere · · Score: 1

    No, not at all. What you are referring to is that the X server doesn't need uid 0 to run. But still there is, amongst others, the problem that every X application can keylog you: http://hamsterbaum.de/index.ph...
    And taking screenshots from the whole screen or faking user input (also for the whole screen) is also possible for every X application.

  21. Re:Time to get rid of Tor by ComputersKai · · Score: 1

    For voicing opinions safely though...

  22. Re:Angler PC malware? by ComputersKai · · Score: 1

    Not all Linux applications come from repositories, either.

  23. Re:Misconception by Billly+Gates · · Score: 1

    Once I imaged a computer and opened IE to go download Firefox and other apps and my webcam went on instantly! An ad appeared doing a fake AV scan, all from msn.com, since the computer had 0 updates yet; it was 0wned.

    Had to reimage again.

    XP users really are in trouble and you don't need social engineering. Just IE, no updates, reader, or Java. Scary stuff.

    It is why I don't run ancient operating systems, updates, and never use a root or admin account.

  24. Re:Time to get rid of Tor by IamTheRealMike · · Score: 3, Interesting

    There is no need to get rid of Tor: in theory, Tor could have a "hidden service policy" mechanism not much different to the exit policy mechanism. HS Policies would allow a node operator to state that they aren't willing to act as an introduction point for a list of hidden services (or point to lists maintained elsewhere to stop fast-flux type behaviour).

    Tor already accepts that not all relay operators will want to support all kinds of behaviour and that some kinds of traffic can be abusive, that's why they implement exit policies which allow exits to ban port and IP ranges. Taking this philosophy to hidden services seems like the next natural step. After all, Tor volunteers are ultimately acting as human shields for other people's anonymous behaviour. Requiring them to shield everything just restricts the number of people who would be willing to donate bandwidth to general privacy but are not interested in enabling botnets.

  25. Re:Angler PC malware? by Billly+Gates · · Score: 1

    Not really.
    Java is easy to exploit and almost everyone has an obsolete version with dozens of exploits. Double bonus if the user is running XP as a local admin.

  26. Re:They're using embedded resources... apk by NotInHere · · Score: 1

    I guess your hosts file program is very superior (it uses 64 bit, that is very future-proof) and so on and so on, but even *if* the C&C servers were known, they could only be defeated if your hosts program were installed on the Tor exit relays. As I guess most run Linux, you should port your hosts program to Linux, and encourage its installation on the Tor mailing list. Tor doesn't use "normal" DNS -- it uses its own which is routed through the Tor network also. The exit relays do the DNS request for you. Otherwise it would be too simple to trace the traffic from the DNS usage.

  27. Re:Time to get rid of Tor by Mister+Liberty · · Score: 1

    Jay Maynard, collaborator anno 2014. There's a tree for you somewhere.

  28. Backups by fisted · · Score: 1

    As so often, the solution is called "Backup".

    1. Re:Backups by mlts · · Score: 1

      I wonder how many generations of ransomware we will see before backups come back into "style". It used to be in the '90s that people actively did some type of backups, and even PCs shipped with some form of tape drive. Then disks got cheap, and offsite storage became viable, so backups were not done, or if done, were just kicked to the cloud.

      Any backup is better than none, but I wouldn't be surprised if the next generation of ransomware would either encrypt files slowly (but use a shim driver to decrypt stuff until it is done, and then completely zap all decryption keys and tell the user to pay up), or if it does notice a backup program being run, actively or passively corrupt it... or just erase the hard disk or the file share it is being backed up to. A simple TRIM command would make the data on a SSD unrecoverable. An overwrite of a directory synced with a cloud service will make that unrecoverable.

      I wouldn't mind seeing tape come back, as it isn't slow, and it is relatively cheap (I've seen ads for LTO-6 tapes for $10 each.) The drives are pricy [1], but tapes are reliable [2], LTO4 and newer have AES-256 encryption in hardware (and very easy to turn on, be it by third party software, the tape silo's web page, or the backup utility.) A tape sitting on a shelf takes zero energy to store (other than HVAC), and if dropped, unless there is major physical damage, it is almost certain the media will be usable.

      Will tape be 100% against malware? Nope. However, it keeps the data offline, so that a single "erase everything" command won't touch the data [3]. One can buy WORM tapes to protect against erasure/tampering as well, as well as flip a write protect tab.

      In a ransomware scenario, WORM tapes would be very useful, especially if the malware decides to try to force an erase on all backups. The fact that tapes tend to be offline brings even more security since if the tape isn't physically in the drive, it can't be touched. Again, nothing is 100%, but the barrier for ransomware to destroy all backups goes a lot higher with offline media than with cloud storage or an external HDD.

      I wouldn't mind seeing backups be done again, and done in a smart, time-tested way... done to local, archival grade media that is very inexpensive, but yet super reliable.

      [1]: I think there is a market niche for USB3 tape drives at the consumer level. Newer drives have variable speeds to minimize/prevent "shoe-shining", and with all the space on a tape, if areal densities similar to HDD are present, it would store quite a lot of data, even with multiple layers of forward-ECC. LTO tape drives are even bootable so a bare metal restore can be done with just the tape in hand and the drive on the machine, no other media.

      [2]: In the past decade at multiple IT shops, I've gone through thousands, possibly tens of thousands of LTO tapes. The total number of tapes that I introduced to the degausser were fewer than five, and all the errors thrown when read/written were all soft errors, so all data was recoverable. This is pure anecdotal evidence, but it has impressed me personally on the reliability of these drives. It is wise to have a backup process of rotating tapes and having some task just verify data when nothing else is going on, and goes without saying to use multiple media just in case hard read errors do happen.

      [3]: One can tell a tape silo to zero out all tapes sitting in it, but that is going to take some time, and not be instant. It can be done... but if one has a basic offsite procedure in place (where all tapes leaving get the write protect tab set), even this can be mitigated without much time and effort.

    2. Re:Backups by Nyder · · Score: 1

      As so often, the solution is called "Backup".

      Also, you could not store your documents in the "My Documents" folder; make a folder on your C drive and store your docs, pics & important stuff in that. So if you do get cryptoransomed they will have done the wrong files.

      --
      Be seeing you...
    3. Re:Backups by Voyager529 · · Score: 1

      As so often, the solution is called "Backup".

      Also, you could not store your documents in the "My Documents" folder; make a folder on your C drive and store your docs, pics & important stuff in that. So if you do get cryptoransomed they will have done the wrong files.

      That will only take you so far. With so many programs defaulting to the My Documents folder, it'd be annoying at best to have to point to c:\realdocs "because viruses". The user could point the "My Documents" folder to c:\realdocs, but now we're in the same boat again. Even if a user decided it was worth the hassle to deprecate the use of the system variable, c:\realdocs would still be accessible by the same user. From Windows' security standpoint, there's no difference between the user being attacked by ransomware, and the user adding a password to an Excel sheet. Thus, ransomware doesn't need root privileges to mess up a user's files.

      Even beyond that, the next generation of ransomware wouldn't exactly need a foundational rewrite to go to %user%\recent and see where those files point to and encrypt all the .docx, .xlsx, and .qif files there. I'm sure that somewhere in userland, there's some indication as to where the Dropbox/OneDrive/Gdrive folders are, and encrypting all that stuff. Even less complicated would be to search all available hard drives for user generated file types. .dll files wouldn't be worth it, but .qbw files very much would be. Ultimately, trying to thwart an attack of this nature would be of limited success, because from the most literal of standpoints, the virus is doing nothing different than what a user would be doing.

      Amongst the things that make this kind of attack so successful is that very problem: if you're trying to prevent outbound traffic at the firewall, you've already lost, basically. How does security software distinguish, technically, between a cryptovirus taking a file hostage, and a user passwording a file with WinRAR and uploading it to SpiderOak? That, good friends, is a question that I pay ESET a nontrivial sum to discuss and determine.
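
The question Voyager529 ends on (how does software tell a cryptovirus from a user passwording one file?) has one common defensive answer: not by the single write, which is indistinguishable, but by the pattern of writes. The following is an added example written for this thread, not code from ESET, the commenter, or any product. It runs a sliding-window check over constructed file-write events (timestamp, process id, path, written bytes) and flags a process that rewrites many distinct user documents with ciphertext-like (high-entropy) content in a short time; a single high-entropy write by a user, and an editor autosaving many low-entropy files, both pass. The thresholds (20 files, 60 seconds, 7.5 bits/byte) and the file type list are assumptions.

```python
import math
import random
from collections import Counter, defaultdict, deque
from pathlib import PurePath
from typing import Dict, Iterable, List, Tuple

# An event as a file-system filter or audit log might report it: (timestamp_s, pid, path, data_written).
Event = Tuple[float, int, str, bytes]

# Assumption: extensions worth protecting (the commenter's examples plus a few common ones).
USER_DOC_EXT = {".docx", ".xlsx", ".qif", ".qbw", ".pdf", ".jpg"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for ciphertext/compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_user_document(path: str) -> bool:
    # Look at every suffix so that 'report.docx.enc' (renamed in place) still counts as a document.
    return any(s.lower() in USER_DOC_EXT for s in PurePath(path).suffixes)


def detect_mass_encryption(events: Iterable[Event], window: float = 60.0,
                           min_files: int = 20, min_entropy: float = 7.5) -> Dict[int, float]:
    """Return {pid: first_timestamp_flagged} for processes that wrote high-entropy data
    to at least `min_files` distinct user documents within any `window` seconds."""
    recent: Dict[int, deque] = defaultdict(deque)   # pid -> (ts, path) of qualifying writes
    flagged: Dict[int, float] = {}
    for ts, pid, path, data in sorted(events, key=lambda e: e[0]):
        if not is_user_document(path) or shannon_entropy(data) < min_entropy:
            continue
        q = recent[pid]
        q.append((ts, path))
        while q and ts - q[0][0] > window:     # drop writes that fell out of the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_files and pid not in flagged:
            flagged[pid] = ts
    return flagged


def build_sample_events() -> List[Event]:
    """Constructed sample: one ransomware-like process, one legitimate single-file
    encryption by the user, one editor autosaving many plaintext files."""
    rng = random.Random(1)                       # deterministic stand-in for ciphertext
    plain = (b"Quarterly report, section 1. Revenue was flat. " * 100)[:4096]
    events: List[Event] = []
    for i in range(25):                          # pid 4242: 25 documents rewritten in 25 seconds
        events.append((100 + i, 4242, f"C:/Users/alice/Documents/report{i}.docx.enc", rng.randbytes(4096)))
    events.append((120, 1000, "C:/Users/alice/Documents/taxes.xlsx", rng.randbytes(4096)))  # user, one file
    for i in range(30):                          # pid 2000: word processor autosave, low entropy
        events.append((200 + i, 2000, f"C:/Users/alice/Documents/draft{i}.docx", plain))
    # pid 3000: the "encrypt slowly" variant from the Backups thread, one file every 10 minutes.
    for i in range(25):
        events.append((1000 + 600 * i, 3000, f"C:/Users/alice/Documents/old{i}.pdf", rng.randbytes(4096)))
    return events


if __name__ == "__main__":
    print(detect_mass_encryption(build_sample_events()))
```

Only pid 4242 is flagged, at the 20th distinct file. The slow writer (pid 3000) is deliberately left undetected to show the limit of a rate-based rule: it needs a longer window, a per-day document counter, or canary files to catch, and the commenter's broader point stands, since each individual write is legitimate from the OS's point of view.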

  29. Re:Angler PC malware? by Arker · · Score: 1, Informative

    "It is good to be proud of your operating system of choice, but it is smug to think that Linux/OSX/BSD/Solaris will do anything technical to protect from such an attack."

    Well unless you have configured your *nix box to automatically privilege and run windows executables somehow, using a real OS is probably sufficient to stop this attack.

    Is it conceivable that a very similar attack could be written specifically for your OS of choice and do the same job? Yes, it's conceivable, that's right. But it's not in evidence.

    More generally, regardless of OS, this attack won't even trigger if your browser is configured sanely. The exploit kits and injectors all rely heavily on JavaScript. Make sure it is disabled and you have not only defeated this exploit before it even got started, along with all the others, but you have also taken a positive step towards making the web readable again!

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  30. Re:Angler PC malware? by ttucker · · Score: 1

    Well unless you have configured your *nix box to automatically privilege and run windows executables somehow, using a real OS is probably sufficient to stop this attack.

    You are trying to say that users needing to type chmod +x ./latest_flash_player_youtube.sh , is sufficient protection to prevent end users from running things they shouldn't....

    Ransomware is not prevalent in Linux, but again, it is absurdly naive to think that it couldn't be, or that the OS is doing much to prevent it. Again, end user education is key, regardless of OS. Implying to under-informed users that OSX is magically secure against cryptoware is a recipe for disaster.

  31. Re:Angler PC malware? by ttucker · · Score: 1

    Have you ever actually asked where the software in repositories comes from?

  32. Re:Misconception by ttucker · · Score: 1

    I think XP users are in trouble too, and there is not much to save them.

  33. Re:Time to get rid of Tor by mysidia · · Score: 1

    Tor has value, BUT it has no proper place running behind the firewall on the corporate intranet or in the home within the developed world -- it is a huge security risk, and it makes sense to block tor completely.

    Tor has value for some people living in tyrannical regimes where free speech has been outlawed and internet users have a jealous government to worry about who may object to what they post or read, and may threaten them or their families based on it.

    However.... these users also need some sort of VPN or anonymized onramp to get onto Tor, or else they may be busted for the crime of using Tor.

  34. Re:Angler PC malware? by ttucker · · Score: 1

    Even a Java plugin exploit requires some level of social engineering to convince the user to visit the attack page.

  35. Re:Correct me *IF* I am wrong, but... apk by NotInHere · · Score: 1

    The C&C Servers are what is communicated back against (as well as serving up exploits payloads etc. @ times also & IF they don't? Blocking out the payloads servers does the job... which hosts CAN do) - IF/WHEN I block that, should it NOT be disabled for communication, even via TOR?

    Blocking C&C can at least stop the bad guys from integrating your computer into a botnet. Correct me if I'm wrong, but hosts only changes the hosts file? The hosts file blocks a website only when the OS' DNS is used, but Tor has its own DNS, not even using the usual DNS port, but tunneling everything through an https-like connection.

    * Fill me in...

    (As far as "porting" it to Linux? I've thought about it... wouldn't be hard - & I WISH Borland didn't KILL Kylix (was Delphi for Linux for the most part) - however - there IS FreePascal & it's "Lazarus" IDE, which is VERY CLOSE to the Delphi IDE, & from what I understand, an ALMOST clone of its compiler commandset too! Thus, it IS, doable...)

    APK

    P.S.=> See - I guess I don't *fully* understand TOR (as I don't use it myself, tried it once - TOO damned slow, just like anonymous proxies are, same idea iirc for the most part afaik - correct me IF I am wrong/off here too... I can stand to learn by it as I *admit* I do NOT "know it all" & can learn as much as the next guy since this field changes so fast & dynamically)

    ... apk

    The first time I've tried tor it was also very slow, but after some years I've tried again and now its usually fast enough even for videos. Sometimes (seldom) a relay is slow, then wait 10 minutes or choose another circuit.

  36. Re:Angler PC malware? by Billly+Gates · · Score: 1

    The problem is if you install java 6 and early java 7 it will install plugins for your browsers.

    Visit a website and you are 0wned as it runs as full admin since javaw.exe runs as a freaking service with admin privileges! ... facepalm.

    I think the old myth "do not click on ads" is 2004 knowledge. Unfortunately recent operating systems have terrible GUIs so many run older flavors like 7 and XP which do not have the same level of protections.

    It pulls my hair out to see Java 5 and the same users whine I AM INFECTED week after week after week because some beancounter does not want to upgrade to save $1,000, which means $10,000 in lost productivity.

  37. Re:Angler PC malware? by NotInHere · · Score: 1

    I haven't reviewed the source code for every single application and update I install. Nor have my distro's packagers. And the software is compiled on some server I don't know, and the server is a single point of failure.
    But still I trust this model more than randomly installing blobs from various websites.
    When I randomly install software from my package repo no ads pop up from the taskbar, and I don't see CPU constantly at 100%. Haven't tried it for randomly downloading Windows software from the internet.

  38. Re:Angler PC malware? by Billly+Gates · · Score: 1

    Linux users are incredibly prideful and naive and feel invulnerable and will not believe you when you claim they are infected. The perfect demographic.

    Ars Technica had something a few months back on Linux malware. It is easier to infect Linux users because they feel they are secure and do not run AV software, and many run outdated versions because they do not like GNOME 3.

  39. Make it embedded XP ... by CaptainDork · · Score: 1

    There's a registry hack that I've applied to Windows XP and I'm getting security updates ...

    --
    It little behooves the best of us to comment on the rest of us.
  40. Re:Angler PC malware? by lippydude · · Score: 1

    "Didn't take long for Windows hate to hijack this thread."

    So, how does the Critroni ransomware get onto the victim’s Windows PC in the first place?

  41. Re:Time to get rid of Tor by flyneye · · Score: 1

    Why doesn't someone infiltrate the forums and out some of the fuckheads buying/selling this so someone can run some "extortionware/revengeware" on their piddly asses? Wouldn't it make great articles? Malware Ring Found Tortured Colombian Style with All Their Assets Missing.
    It'd make a great hobby for some bored sociopath or open new Animal Friendly Hunting opportunities for those turned off by killing innocent animals for sport.
    Name one person on the planet who would even care, besides their mothers. No? I thought not.
    Seasons OPEN!

    --
    *Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
  42. Re:Angler PC malware? by NotInHere · · Score: 1

    The LD_PRELOAD attack is not a problem of the compositor, but of the configuration of AppArmor or SELinux:
    http://mupuf.org/blog/2014/02/...
    http://blog.siphos.be/2011/04/...
    The transparent window attack doesn't work, does it? It seems that it is possible to make a transparent window, but then I doubt the events will be passed on onto the below applications. The keylogger would need to fake user input, which isn't possible AFAIK.

  43. Re:Time to get rid of Tor by retchdog · · Score: 1

    I think he has... ahem... balls to assert such a contrarian viewpoint on slashdot.

    But, yeah, he's a loony reactionary. Just ignore him or laugh at him. "Collaborator" is a bit too generous.

    --
    "They were pure niggers." – Noam Chomsky
  44. Re:Hosts override ANY DNS (even local)... apk by NotInHere · · Score: 1

    That might be true if the application is using the OS provided network stack, e.g. with DnsQuery. However AFAIK nothing prevents an application from bringing its own DNS stack which queries external DNS, ignoring the hosts file. Does the OS block outgoing requests on port 53?
    And, as I've said before, the DNS in Tor doesn't use the OS provided DNS. It uses its own one.
    Blocking the C&C perhaps stops communication to the HQ, but that doesn't help when the virus is written to first encrypt the HDD and then wait for further commands from C&C.

  45. Re: Time to get rid of Tor by vux984 · · Score: 1

    Fb and twit were instrumental for on location reports during rebellions ... Saying otherwise suggests that you are ... ignorant.

    Instrumental, yes. In the same sense that Bic pens were instrumental in me graduating university. However, if there were no Bic pens I'd have found something else to use.

    Likewise, Twitter was instrumental, in the sense that it got used, but if there had been no Twitter, they could have just as easily organized from something else.

  46. Re:Time to get rid of Tor by easyTree · · Score: 1

    "...demands a payment in Bitcoins."

    Seriously? Way to reduce your pool of potential customers to those who know how to make a payment in BitCoin.

    Is this an ad for BitCoin?

  47. Re:Antivirus by gl4ss · · Score: 1

    The firewall - running locally - won't be worth shit, since the code already owns your computer on admin level and can change the firewall rules to whatever.

    Much easier if the AV just detects the embedded Tor executable/process. Generally speaking the AV would detect this as it detects any other malware... the tricky part comes from the fact that it's harder to see where the actual control and command for the whole network is.

    --
    world was created 5 seconds before this post as it is.
  48. Re:Block rogue DNS servers via hosts by NotInHere · · Score: 1

    Blocking IPs using a hosts file... I'm sorry, but I don't know of any way of doing this.
    Even if it were possible, Tor uses no "rogue DNS" servers, and doesn't use any DNS directly; the DNS is tunneled to the exit relay, which then makes the DNS request. Any block by any firewall or ISP DNS fails here -- not just DNS request blocks like the hosts file, but also IP-level blocks. This is what TOR was invented for.
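
Following on from the point in comments 44 and 48 that a hosts file only affects lookups that go through the OS resolver: an added example, not from the article or any poster, that reviews constructed firewall log lines for DNS sent to unapproved resolvers and for egress to a denylisted network. The log format, the addresses and the denylist are all assumptions.

```python
"""Egress review for the hosts-file discussion above. A hosts file only
influences lookups made through the OS resolver; a process that talks to a
resolver (or a Tor relay) directly never consults it, so the only place to
catch that is at the network edge. Constructed example, not from the article."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed firewall log format (assumption): one allowed/denied flow per line.
LOG_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):\d+\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+action=(?P<action>\w+)"
)

@dataclass(frozen=True)
class Finding:
    kind: str   # "dns_bypass" or "denied_dst"
    src: str
    dst: str
    dport: int

def review_egress(lines, approved_resolvers, denied_nets):
    """Return findings for flows that a hosts file could never have stopped.
    approved_resolvers: resolvers the OS is configured to use; any other
    destination on port 53 means a process did its own lookups.
    denied_nets: networks you refuse egress to (a relay or C&C denylist you
    maintain); blocking by IP has to happen here, not in a hosts file."""
    approved = {ipaddress.ip_address(r) for r in approved_resolvers}
    denied = [ipaddress.ip_network(n) for n in denied_nets]
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["action"] != "allow":
            continue  # malformed, or already blocked: nothing escaped
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        if dport == 53 and dst not in approved:
            findings.append(Finding("dns_bypass", m["src"], str(dst), dport))
        if any(dst in net for net in denied):
            findings.append(Finding("denied_dst", m["src"], str(dst), dport))
    return findings

# Constructed sample flows using documentation address ranges (assumption).
SAMPLE_LOG = [
    "proto=udp src=10.0.0.12:51234 dst=10.0.0.2:53 action=allow",      # OS resolver: fine
    "proto=udp src=10.0.0.12:51235 dst=198.51.100.7:53 action=allow",  # app-level DNS
    "proto=tcp src=10.0.0.12:51236 dst=203.0.113.9:443 action=allow",  # in denied net
    "proto=tcp src=10.0.0.12:51237 dst=203.0.113.9:9001 action=deny",  # already blocked
    "proto=tcp src=10.0.0.12:51238 dst=192.0.2.44:443 action=allow",   # ordinary HTTPS
]
APPROVED_RESOLVERS = ["10.0.0.2"]
DENIED_NETS = ["203.0.113.0/24"]  # stands in for a relay/C&C denylist you maintain

if __name__ == "__main__":
    for f in review_egress(SAMPLE_LOG, APPROVED_RESOLVERS, DENIED_NETS):
        print(f)
```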

  49. Re:Time to get rid of Tor by jythie · · Score: 1

    It is a rather questionable choice since for a non technical person who has never heard of them, figuring out how to acquire some is somewhat daunting.

  50. Re:Time to get rid of Tor by jythie · · Score: 1

    The US put down multiple rebellions back when the military and civilian populations had the same types of guns. Armed citizens do not really change anything; it does not factor into public policy in any significant way other than fund raising.

  51. Re:But Bitcoin is traceable? by ArcadeMan · · Score: 1

    Yes, it should be possible, if and when they cash it.

  52. Re:You conceded my point on rogue DNS @ least by NotInHere · · Score: 1

    To bring this back to the original topic: you know what a command and control is? I hope so. My posts have only covered the time after the malware was already installed on the device. Not before. Of course you won't get the virus when you click a "download here" link which leads into nothingness. And yes, you are right, single IPs are easier to fight than DNS entries in remote countries, spread over the world. I just said that IPs cannot be blocked by a hosts file, and I say that it makes no sense to give a DNS server a DNS entry, which would have to be resolved first using a DNS server, but the only one available needs a DNS lookup before working, and so on and so on.

    The only cause that justifies this /. story is that this malware was the first ransomware that used an onion address for C&C, not just "tor alone". It would gain almost no advantage when it then exited the Tor network again through an exit node. It would still have needed some DNS entry somewhere. Onion addresses are almost impossible to take down.

    Please explain: what are hardcodes?

    TOR isn't slow anymore. Try it. Today. Then come back and tell me your opinion about the speed of Tor, but don't yell Tor *is* slow while not having tried it recently (you may yell Tor *was* slow though).

  53. OK you CAN take down onion addresses by NotInHere · · Score: 1

    but no one wants to do that. Doing it would mean being responsible for subsequent takedowns, and what is seen as illegal in one country may be the opposite in another country, and you would need to establish a system for takedown, which can be misused for censorship.

  54. Please do by davidwr · · Score: 1

    I am seriously considering adding client-side resistance to the medical software I write designed for use across the public internet because of people like you who collect data you have no business collecting.

    Please do.

    The only one of the examples I listed in the grandparent post that I plan on implementing are those in a role of a parent.

    When I have a 6 year old kid who is using the Internet, no amount of "client-side resistance" that you add is going to stop me from seeing what's on the screen as I watch my kid use the computer.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  55. Re: Antivirus by Redmancometh · · Score: 1

    So if I write an application for everyday users I get to pay/request to be added to the whitelist of every AV people use?

    That probably won't kill independent software development.

  56. Re: Angler PC malware? by Redmancometh · · Score: 1

    No need. I have this newfangled feature called "sources.list."

  57. Re:Antivirus by TMYates · · Score: 1

    Antivirus applications would never be an end-all solution in any case. There might be a chance they can catch it, but you have to be up to date on the definitions for most to be able to catch it. Some newer systems may be able to do heuristics and catch potential cases that look malicious, but can have false positives and false negatives. Even cases where you have the best of everything and are up to date may not completely eliminate risk. This is where zero-day exploits (or unpublished exploits) can find their way in and disable or bypass many of these countermeasures.

    Firewalls would not be helpful for anything other than blocking known ports to command and control servers. In this case, using Tor would be an advantage for the ransomware, as blocking it would block any legitimate use you may have for Tor browsing (not that I would allow it for business use in most cases). You are most likely thinking of something like an IDS/IPS system that can sit on the network and sniff out malicious traffic. Some allow for Deep Packet Inspection with SSL decryption. Even that may not cover all cases. If they use custom protocols or a different method for encrypting traffic, it would most likely render such a setup useless after an infection. It may help in the initial detection, however.

    In the end you can never be 100% covered for anything. I always live by the notion that it is not a matter of IF but WHEN something is going to happen. The best solutions are the simplest. Make sure you have recoverable backups (don't just set them and forget). It also helps to reduce your footprint and exposure as much as possible.

  58. Re: Angler PC malware? by ttucker · · Score: 1

    No need. I have this newfangled feature called "sources.list."

    That file barely tells you where the repositories are. The main question still remains, where did the programs actually come from, who compiled them, and why do you trust any of the parties involved?

    I trust the Ubuntu repositories much more than any app store, but the principle is similar... they could conceivably contain malicious code.

  59. Re: Angler PC malware? by Redmancometh · · Score: 1

    You do have a point, but I trust the Debian repos 100%. They are so behind that I figure if there was malware in them... someone would have said so by now.

    I have yet to hear of a single case of this happening. Granted, that could just mean they are better at covering their tracks...