Badly-Coded Ransomware Locks User Files and Throws Away Encryption Key (softpedia.com)
An anonymous reader writes: A new ransomware family was not tested by its developer and is encrypting user files and then throwing away the encryption key because of an error in its programming. The ransomware author wanted to cut down costs by using a static encryption key for all users, but the ransomware kept generating random keys which it did not store anywhere. The only way to recover files is if users have a previous backup. You can detect it by the ransom message, which has the same ID: qDgx5Bs8H
So it's like the old-fashioned viruses that actually cause damage to your system then.
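The defect the summary describes is a key-management failure, not a cipher failure: a data key generated fresh for every run and then discarded leaves ciphertext that nobody, not even the operator, can decrypt. The block below is an added illustration (not code from the article, the ransomware, or Softpedia) of that failure mode next to the envelope-encryption pattern that backup tools use to avoid it: a fresh data key per object, wrapped under a long-lived key-encryption key (KEK). To stay on the standard library it uses a toy stream cipher built from SHA-256 in counter mode with an HMAC tag; the cipher, the KEK and the sample plaintext are all constructed for the example, and the cipher is not meant for production use.

```python
"""Added example: why a never-persisted random data key makes files
unrecoverable, and the envelope-encryption fix. Toy cipher, stdlib only."""
import hashlib
import hmac
import os

BLOCK = 32  # SHA-256 digest size, one keystream block


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-mode stream cipher: XOR data with SHA-256(key||nonce||counter).
    Symmetric, so the same call encrypts and decrypts. Illustration only."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], block))
    return bytes(out)


def encrypt_blob(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || HMAC-SHA256 tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = keystream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_blob(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag first; a wrong key is rejected instead of yielding garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad key or corrupted data")
    return keystream_xor(key, nonce, ct)


# The bug the article describes: a fresh random key that is stored nowhere.
def buggy_encrypt(plaintext: bytes) -> bytes:
    data_key = os.urandom(32)                 # generated per call ...
    return encrypt_blob(data_key, plaintext)  # ... and dropped on return


# Envelope encryption: fresh data key, but wrapped under a long-lived KEK,
# so whoever holds the KEK can always unwrap it later.
def envelope_encrypt(kek: bytes, plaintext: bytes) -> dict:
    data_key = os.urandom(32)
    return {
        "wrapped_key": encrypt_blob(kek, data_key),
        "payload": encrypt_blob(data_key, plaintext),
    }


def envelope_decrypt(kek: bytes, envelope: dict) -> bytes:
    data_key = decrypt_blob(kek, envelope["wrapped_key"])
    return decrypt_blob(data_key, envelope["payload"])


def recoverable(kek: bytes, plaintext: bytes) -> tuple:
    """(buggy_recovered, envelope_recovered) for a holder of the KEK."""
    blob = buggy_encrypt(plaintext)
    try:                      # the KEK is the only key the operator has
        decrypt_blob(kek, blob)
        buggy_ok = True
    except ValueError:
        buggy_ok = False
    env = envelope_encrypt(kek, plaintext)
    envelope_ok = envelope_decrypt(kek, env) == plaintext
    return buggy_ok, envelope_ok


if __name__ == "__main__":
    KEK = os.urandom(32)  # constructed stand-in for an operator's long-lived key
    print(recoverable(KEK, b"constructed sample: quarterly-report.xlsx"))
```

The same shape (per-file data key wrapped under a KEK, with an authenticated cipher) is what a backup or disk-encryption tool should use; the lesson for defenders is that a ransom note promising a key is only meaningful if the design actually kept one, which is why the offline backup the summary mentions remains the only reliable recovery path.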
If the author decided on an open source project, the community could have found and developed a fix during beta testing.
I particularly enjoyed how TFA explained that they usually make it a point not to point out mistakes in ransomware to the author to avoid giving them a leg up, but then "made an exception" in this case and proceeded to give a short lecture to the author about how to fix his "bug".
I always thought we should lock up those bastards and throw away the key. Shall we take it as a recommendation how he wants to be treated when we catch him?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Well, that's one good example of why one should never negotiate with terrorists - you never know, maybe the hostages have been already executed.
Isn't that usually the case? I never thought paying the ransom would actually be followed by the recovery of the data...
Video of some good progressive thrash music
Disasters Usually Motivate Backups
== Jez ==
Do you miss Firefox? Try Pale Moon.
As a software tester I can say developers make bad testers indeed!
Dev: "The unit tests all passed. Let's ship it to production!" ... You see where this is going, Le Sigh.
QA: "How many unit tests did you make around this new functionality?"
Dev: "None. I write those while I wait for ops to get the code deployed to production"
QA: "... So you believe in time travel to fix your bugs? And for that matter, how many unit tests have you written since the last deploy?"
http://techcrunch.com/2015/11/06/linux-ransomware-is-now-attacking-webmasters/
Get a virtual machine up and running or an older MacBook off eBay and it does Internet and all downloads.
Any crap needs to be isolated to the VM or email machine.
https://blockchain.info/address/1Pw1JinSMhf93MRqfYW3KeywX8oFjs6fLe
I can only hope those transactions are by the owner of the wallet, like putting a few coins in a tip-box.
For extra lulz, the ransom should have been sent to "1BitcoinEaterAddressDontSendf59kuE".
http://bitcoin.stackexchange.com/questions/35842/is-it-actually-possible-to-create-a-verifiably-unspendable-address
These "proof of burn" addresses can be used to demonstrate that you're a "better class of criminal"...
https://theonewithjb.files.wordpress.com/2014/08/joker.gif
"It's not about money! It's about sending a message: everything burns!"
What part of badly-written don't you understand?
Well, that's what happens when you use Windows: you get infected with badly-written ransomware.
Full disclosure: I'm 100% on Linux and in fact have never used Windows as my primary desktop. I had a spell of using it as a games platform before I got the Xbox, but even then Linux was my desktop.
If you think Windows has such ransomware and Linux doesn't because of the OS itself, you are smoking some good stuff. The reason is social, not technical. There is NOTHING that stops Linux from doing the same thing. The reason you don't see it is that the density of highly technical Linux users is very large, where on Windows it's very small. Add to that, there are many more Windows users, and Windows is a target rich environment.
If all those legions of Windows users descended on Linux tomorrow, then the day after tomorrow you'd have the same kinds of ransomware problems. Ransomware can run just as well on Linux.
Ransomware: "See the dancing monkey! Install this awesome app now!"
Clueless user: "Sure! I'll do that right away!"
That's how it'll go. You don't even need root access to wipe out most data the user cares about. There's nothing at all about Linux to block this except that Linux users are mostly too astute to fall for it.
Never underestimate the power of dumb people in large numbers.
Now that we've decided to help bug-fix ransomware, anyone consider its usability?
"Once launched with administrator privileges, the Trojan loads into the memory of its process files containing cybercriminals' demands:"
In other words, it probably goes something like this:
% tar -xf "ransomware-dontrunme-whatareyouanidiot?.tar"
% cd ransomware-dontrunme
% ./configure > /dev/null 2>&1
% make > /dev/null 2>&1
% make install > /dev/null 2>&1
% ./runransomware
Error: Permission denied. Please run as root.
% sudo ./runransomware
Password:
Segfault in libc.so. Please reinstall.
Followed by much sighing, and trying to google what the problem is.
See, this is the problem with the Linux desktop. Even installing malware is just too darned complicated.
And how exactly does someone get infected with this anyhow? According to your link: "The malware requires administrator privileges to run and, presumably, a sysadmin who would allow for such a program to run unbridled." There's no mention on that page, or the "Dr. Web" page it links to, how anyone actually gets infected with this thing other than somehow getting themselves a copy and then intentionally running it as root. If there is an infection path it takes in the wild, these pages aren't specifying.
It's also mentioned that it works on systems running MySQL and Apache. Who runs Apache any more? Every serious Linux webserver is running Nginx now.
Finally, you're comparing apples to oranges. The Windows malware is for desktop and/or server Windows. The Linux malware appears to only be targeted at webservers. I don't know about you, but I don't run a webserver; for my websites I just use simple shared hosting and let someone else worry about that stuff (if my web host gets infected, no big deal, I'll just reload from backups). I'm worried about my desktop (/laptop) PCs, but since I run Linux there, I don't have to worry about any *serious* malware threats. No one has yet proven that there is any *serious* malware threat for desktop Linux.
Unfortunately it seems some people Just Don't Get It. They would probably recoil at the idea of only having one set of house keys yet for some reason they think having only 1 copy of important files is just dandy. To be frank, they deserve what they get because if this sort of malware doesn't get them then a dead hard drive or their own fat fingers on a delete button will one day.
Just asking......would anyone really be all that upset if the fucker that coded this was hunted down and beaten to death? Or shot full of holes?
I've searched my soul (what tiny, tiny fragments remain) and personally I wouldn't mind one bit.
Seriously, if I read tomorrow morning that he'd been found dead as a result of some brutal, awful violence, I wouldn't even stop eating my bagel.
Just cruising through this digital world at 33 1/3 rpm...
A malware app that someone has to be dumb enough to manually install is one thing, getting infected with something because your web browser or your email program is vulnerable is another. Most of the Windows malware I've heard about doesn't require someone to manually install software, it's as easy as clicking on the wrong link in IE.
Also, a lot of Windows malware seems to thrive because Windows is homogeneous. Remember that Lenovo malware that was (still is I think) baked into their laptops' BIOS, and would replace a critical Windows system DLL? That stuff only works because Windows is so uniform. If someone has Windows 8.1 installed, then you can count on that DLL being there, and you can count on being able to replace it with a modified DLL and have things work out the way you expect. This just isn't the case with Linux: every distro is different, files are in different places, files are not binary compatible (you can't just take libfoo.so.4.2.1.0 from Ubuntu and drop it into an Arch install and expect it to work), distros change versions every 6 months (so libfoo.so from Mint 17 is incompatible with libfoo.so from Mint 17.1), systems don't even use the same init system and low-level utils (Ubuntu and Mint still use upstart, Slackware still uses sysvinit), etc. Everything works fine because of package management and distros building everything all together at once, but malware expecting to monkey with the internals simply won't work because there's too many variables.
Yes, if someone distributes some Linux dancing-monkey malware, there's nothing you can do to prevent people from being stupid and installing it, but I haven't heard about this attack vector being a serious problem on *Windows* for a long time. Even the Windows users aren't that naive any more; they've had this stuff drilled into their heads for years. They're getting infected in other ways.
Really? That is the moral you get from this? Nothing in this is a Windows-specific weakness; it is the same weakness that exists in Linux, OS X, Android, iOS etc. etc., i.e. the idiot at the keyboard. The fact you think this way makes you probably one of their primary targets, and hence yes, you are probably better off on Linux or anything else until they focus their attention there, as you will be an easy mark.
Really? Nearly all the Windows malware requires the user to install it, especially the ransomware stuff. It is usually emailed to a dumb user or implanted in something they downloaded. Idiot user runs the program and bam, they are done. You obviously aren't very familiar with security or malware given your post. Only a tiny fraction of malware uses exploits beyond the "dumb user" vulnerability.
>nearly all the windows malware requires the user to install. especially the ransomware stuff.
This shows that you are clueless about this.
Right now, I am looking at the output of the malware testing clusters I designed/wrote for my employer. It grabs the latest malware from emails, live exploit URLs, etc. and shows what the payload does.
Right now the system has captured 3 ransomware samples in the last hour (slow day). None of them require any user interaction beyond going to a URL on an outdated website.
I'm with you. Kill every one of these Cryptowall thieving bastards. The world would literally be a better place and I would lose not a single other thought cycle to these little parasites.
Fuck them and fuck every one of these bleeding heart whiny-assed liberal Anonymous Cowards that are railing against you and your post. I hope Cryptowall silences their pathetic granola crunching asses.
Unless you are being targeted by three letter agencies.
But, by then, you have bigger problems than malware running on your box.
Please post some citations then. All current ones show as being sent via emails or attached to dodgy downloads. I also work in security at my organization; we basically only see them coming in via email attachments where a user has to run/open the attachment to be infected.
What you describe is again user error. only this time the bad users are the admins that permit email clients to be running where they can click on links and execute code. huge sign you have incompetent admins with insecure settings or outdated software.
>Also, a lot of Windows malware seems to thrive because Windows is homogeneous.
SystemD is taking care of this "problem" in Linux.
That's not badly coded ransomware; that was the intent of FSOCIETY's malware.
> Who runs Apache any more? Every serious Linux webserver is running Nginx now.
I don’t know if you’re trying to start another "BSD Is Dying" thing but
http://news.netcraft.com/archi...
Nginx is certainly making headway but it's still only half Apache's market share of the million busiest sites, and 30% among all active sites.
Because he bounced all command-and-control messages through your IP address and now they are coming for you.
Any death/extreme penalty can be abused and used to set up innocents and is the main reason countries/states choose not to implement them.
You're innocent in the eyes of the law until you are proven guilty, only that does not mean a) you did it b) you deserve it. ::I am commenting on Slashdot as an Anonymous Coward, this can not end well::
This is outrageous! I'm going to ask for my money back!
The problem is a combination of two things:
(1) files, even saved attachments from e-mails, automatically get what would in *n*x be a 'u+x' permission.
(2) MS, in all its wisdom, decided it would be a good idea to hide the only way a user can tell an application from a data file, i.e. filename extensions (unless someone turns off that 'hide file type' option, which is the first thing I do on my own machines).
For the rest, security in Windows and *n*x doesn't differ *that* much.
You don't have to be an administrator to install software in either OS, as long as that software only has to access files belonging to the user who installs it. In fact, *n*x gives a false sense of security here, "I'm not root so nothing can happen."
Tricking a dumb user into issuing a 'chmod u+x' command and then launching that file isn't any harder than it is to get that same user to install dancing monkey / nude celebrity viewing software in Windows.
For your protection, this $ 1,000,000 prize notification we're sending you is secured against illicit access, which makes it a little more complicated to read it. :)
To do so, open a console, and issue the commands: "chmod 777 luckywinner" and "./luckywinner".
Now who (except those reading it here) would NOT fall for that 777?
Most of the Windows malware I've heard about doesn't require someone to manually install software, it's as easy as clicking on the wrong link in IE.
Define "manually install". I would say the opposite. The amount of malware that spreads via windows these days requires some form of user interaction, typically clicking yes to the question of "Do you trust this random program from the internet". Even browser exploit based ones will typically require some kind of user interaction. It's been a long time since a URL or simply viewing a picture did harm to the computer.
That hacker has what it takes to join the Home Alone crew (the wet bandits)
lucm, indeed.
No it does not. Distributions use different versions, compile/link differently and so on. And besides that, systemd is all root and not something that your user account can access.
Most people who would fall for that are also people who have no idea how to open a console window (or even know what that is). My wife uses Mint KDE on her laptop, and gets along just fine with it for all the basic tasks (web browsing, LibreOffice documents, file management, scanning, etc.), but ask her to do something on the "console" and she'll look at you like you have two heads.
People like this who use Windows instead also never, ever use the shell.
And yet 100% of the infections will originate on Windows.
You are kind of coming down hard on IE.
There have been plenty of 0 day exploits in all of the major web browsers.
But more importantly, the exploits are generally Flash or Java based... which is browser agnostic.
Even still, just like with Linux, if you run as a standard, unprivileged user, the damage to your system will be limited to just your data.
Better yet, if you do this AND enable shadow copy on your data volume, you can recover all of your files even if you don't have any backups. This is because shadow copy replicas are not directly accessible to the user.
My eyes reflect the stars and a smile lights up my face.