Slashdot Mirror


Linux Ransomware Has Predictable Key, Automated Decryption Tool Released (csoonline.com)

itwbennett writes: Last week a new piece of ransomware was discovered that targets Linux servers. Yesterday, researchers at Bitdefender discovered a critical flaw in how the ransomware (dubbed Linux.Encoder.1) operates while testing a sample in their lab and released a free tool that will automatically decrypt any files on a victim's system that were targeted.

78 comments

  1. Linux.Encoder.2 by bloodhawk · · Score: 3, Insightful

    soo Linux.Encoder.2 out soon?

    1. Re: Linux.Encoder.2 by Anonymous Coward · · Score: 0

      Could we PLEASE stop telling the malware writers what they got wrong? Either that or put it on github so we can all make a buck.

    2. Re:Linux.Encoder.2 by Attila the Bun · · Score: 3, Funny

      If it was open source there'd be a patch already.

    3. Re:Linux.Encoder.2 by crtreece · · Score: 2
      Linux.Encoder.2: Electric Boogaloo

      Coming soon to a DataCenter near you.

      --
      file: .signature not found
  2. first contact with the enemy by turkeydance · · Score: 1

    and all that

  3. Still No Word On Infection Vector by Anonymous Coward · · Score: 1, Informative

    I'm still waiting to hear how this thing gets on servers in the first place.

    1. Re:Still No Word On Infection Vector by Anonymous Coward · · Score: 0

      I'm still waiting to hear how this thing gets on servers in the first place.

      NSA or retards at microsoft.
      They be like "I GOT AN MCSE!" ... "MONEY MONEY MONEY! MONNEAY!"

    2. Re:Still No Word On Infection Vector by grahamsz · · Score: 5, Informative

      I had a server hit by this a few weeks ago. Got the same ransom message shown there. I'm fairly sure it didn't require root, in fact it only encrypted files that were writable by www-data and not the handful in /var/www that were owned by root. The README_FOR_DECRYPT.txt file that was left in every directory was also owned by www-data.

      I'm not sure what was posted in, but the infection mechanism appears to be this single request

      46.160.xxx.xxx - - [19/Oct/2015:05:14:06 -0400] "POST /wp-content/include.php HTTP/1.0" 404 135395 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"

      I'm still not really sure how that caused an infection, but I'm guessing it exploited something in the wordpress 404 handler? I don't see any other request from that IP and the server load spiked right after that as the files started being encrypted.

    3. Re:Still No Word On Infection Vector by fearlezz · · Score: 2

      I think the 404 doesn't necessarily mean something is wrong with the WP 404 handler. It could have been generated by the malware itself with <?php header("HTTP/1.1 404 Not Found"); ?> Seeing a 404 in the logs will probably make a lot of victims believe that line was not related to the intrusion.

      --
      .sig: No such file or directory
    4. Re:Still No Word On Infection Vector by grahamsz · · Score: 1

      I no longer have the damaged machine, but I'm pretty sure there wasn't a php file available called wp-content/include.php but mod_rewrite ends up catching that and routing the request into the main wordpress script.

      Still it's good subterfuge, and my first instinct was to discount it.

      Wish I had that post body logged somewhere, would be really interested to see what came in
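
A triage pass over that log line, as an added C example that is neither grahamsz's code nor anything from the article: it parses combined-format entries and flags POSTs that were answered with 404, because fearlezz's point means a 404 status is no reason to dismiss the line. The benign lines and their addresses are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One parsed request line in the Apache/nginx "combined" log format. */
struct req {
    char ip[64];
    char method[16];
    char path[256];
    int status;
    long bytes;      /* -1 when the log shows "-" for the body size */
};

/* Parse a combined-format line into r. Returns 1 on success, 0 if the
 * line does not have the expected shape. */
int parse_line(const char *line, struct req *r) {
    char size[32];
    int n = sscanf(line, "%63s %*s %*s [%*[^]]] \"%15s %255s %*[^\"]\" %d %31s",
                   r->ip, r->method, r->path, &r->status, size);
    if (n != 5)
        return 0;
    r->bytes = (strcmp(size, "-") == 0) ? -1 : atol(size);
    return 1;
}

/* Triage rule: a POST that the server answered with 404 deserves review.
 * Browsers do not POST to resources that do not exist, and, as noted in
 * the thread, the 404 may have been emitted by the uploaded script itself,
 * so the status is no reason to dismiss the line. The body size is
 * reported because 135395 bytes is far more than an error page.
 * Returns 1 if flagged, 0 if benign, -1 if the line could not be parsed. */
int is_suspicious_post(const char *line, char *why, size_t whylen) {
    struct req r;
    if (!parse_line(line, &r))
        return -1;
    if (strcmp(r.method, "POST") == 0 && r.status == 404) {
        snprintf(why, whylen, "POST to missing resource %s from %s, %ld-byte 404 body",
                 r.path, r.ip, r.bytes);
        return 1;
    }
    return 0;
}

/* Constructed sample: the line quoted in the thread plus three benign ones. */
const char *SAMPLE[] = {
    "46.160.xxx.xxx - - [19/Oct/2015:05:14:06 -0400] \"POST /wp-content/include.php HTTP/1.0\" "
    "404 135395 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1\"",
    "203.0.113.7 - - [19/Oct/2015:05:13:58 -0400] \"GET /index.php HTTP/1.1\" 200 8812 \"-\" \"Mozilla/5.0\"",
    "203.0.113.7 - - [19/Oct/2015:05:14:01 -0400] \"GET /favicon.ico HTTP/1.1\" 404 512 \"-\" \"Mozilla/5.0\"",
    "198.51.100.9 - - [19/Oct/2015:05:14:03 -0400] \"POST /wp-login.php HTTP/1.1\" 302 - \"-\" \"Mozilla/5.0\"",
};
const size_t NSAMPLE = sizeof SAMPLE / sizeof SAMPLE[0];

/* Run the rule over n lines, printing findings to out (NULL for quiet).
 * Returns the number of flagged lines. */
int triage(const char *const *lines, size_t n, FILE *out) {
    int flagged = 0;
    char why[400];
    for (size_t i = 0; i < n; i++) {
        int v = is_suspicious_post(lines[i], why, sizeof why);
        if (v == 1) {
            flagged++;
            if (out) fprintf(out, "FLAG line %zu: %s\n", i + 1, why);
        } else if (v < 0 && out) {
            fprintf(out, "SKIP line %zu: unparsable\n", i + 1);
        }
    }
    return flagged;
}

int main(void) {
    return triage(SAMPLE, NSAMPLE, stdout) == 1 ? 0 : 1;
}
```

Only the quoted POST is flagged; the favicon 404 (a GET) and the login POST (a 302) pass through.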

  4. The malware is injected into Web sites .. by nickweller · · Score: 3, Informative

    "Typically, the malware is injected into Web sites via known vulnerabilities in site plugins or third-party software — such as shopping cart programs." ref

    "Once launched with administrator privileges, the Trojan loads into the memory of its process files containing cybercriminals' demands:" ref

    1. Re:The malware is injected into Web sites .. by techno-vampire · · Score: 1

      I don't know how easy it is to get administrator privileges under Windows now (I don't use it any more.) but I'm sure most of us can remember when most Windows users either ran as Administrator or automatically granted those privileges to any program that asked. It's never been that easy under Linux, simply because very few users have ever felt the need to run as root unless they needed to. Of course, there are always going to be those who grant root access to any Linux programs that ask, but just keeping people from using root/Administrator for regular tasks is a good first line of defense against things like this.

      --
      Good, inexpensive web hosting
    2. Re:The malware is injected into Web sites .. by darth_borehd · · Score: 1

      How does it get admin?

    3. Re:The malware is injected into Web sites .. by Harlequin80 · · Score: 1

      So basically linux is completely secure from this. The ONLY time I use root to install something is when it comes out of a repository and is intended to be system wide. If anything is ever downloaded it gets installed at a user level. Seriously who the fuck would give admin rights to a random piece of software in Linux? There simply isn't any need.

      It's not like windows where you get a pop-up asking for admin rights press ok and that appears for every bloody damn piece of software under the sun.

    4. Re:The malware is injected into Web sites .. by Anonymous Coward · · Score: 0

      You may only do things securely. However, millions of others take the easy path and just install everything as root or with an account that has root or near-root privileges.

    5. Re:The malware is injected into Web sites .. by Harlequin80 · · Score: 1

      Who and how? Millions take the easy path so they install ubuntu, or maybe mint. So NONE of them are running as root. The closest that they will get to root is sudo. And if they are someone who is operating outside of the repos they are already moving into the realm of "not that easy" and they have to type the root password to give it permission to install.

      Christ if I am working on a server that I don't get a toss about and I'm working in root 99% of the software spits up a warning saying "we really really really don't recommend you run this as root"

    6. Re: The malware is injected into Web sites .. by Anonymous Coward · · Score: 0

      It's been a while (as I don't use wordpress), but doesn't the install script prompt for root so it can chmod, chown, etc?

    7. Re:The malware is injected into Web sites .. by gl4ss · · Score: 1

      Apparently it doesn't. It just does what it can as whatever you have wordpress set up as.

      Of course, the next version could have it try any number of elevate-to-root exploits available - or simply lay dormant until some maintenance that requires root is done with the wp install.

      --
      world was created 5 seconds before this post as it is.
    8. Re:The malware is injected into Web sites .. by someone1234 · · Score: 1

      Linux yes, Linux webservers with usual use cases no.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    9. Re:The malware is injected into Web sites .. by Anonymous Coward · · Score: 0

      I don't know how easy it is to get administrator privileges under Windows now (I don't use it any more.) but I'm sure most of us can remember when most Windows users either ran as Administrator or automatically granted those privileges to any program that asked.

      Nonsensical. A server program (a service or a "daemon") cannot ask the logged-in user for elevation. Not since Windows XP SP2, and even before that it was extremely hard. A website is running as a service. Windows is actually much more secure than the typical Linux in this regard: Websites are running using apppools that are running (by default) as the "network service" account. Network service is not an administrative account, the only privilege it has beyond regular user is the ability to authenticate across the network. The server does not start off as root and then drops down to a regular user. Indeed, an IIS website is by default created using service hardening and the website gets its own website identity. This is an ad-hoc account, which still needs to be granted access to any resource it will try to access. This means that there's a very long way from compromising a website to be able to install anything on a Windows server.

      Since Vista, Windows has session isolation, where all processes started by services (daemons) run in session 0, while any interactive user will run in session 1 or "session n" - in case of remote desktops. It is *not* possible to send messages across session boundaries. If a background service needs to interact with the interactive user, there is only interprocess communication - and the user needs to run a process which can act as the endpoint in the user session for the communication. A service cannot pop up a window on the user desktop, request elevation or anything like that. Period.

      It's never been that easy under Linux, simply because very few users have ever felt the need to run as root unless they needed to.

      It has always been much easier on Linux, simply due to the brain-dead SUID root design. There are many, many examples where a simple compromise of a website has been amplified using SUID root vulnerabilities. On top of that, Linux (without the likes of SELinux) does not allow subdivision of accounts, which much too often leads to several websites sharing the same account.

      Of course, there are always going to be those who grant root access to any Linux programs that ask, but just keeping people from using root/Administrator for regular tasks is a good first line of defense against things like this.

      You misunderstand the problem here. A website is NOT compromised through an interactively logged on user. Whether the interactive user runs as root has no bearing on how easy it is to compromise a website.

    10. Re:The malware is injected into Web sites .. by KGIII · · Score: 1

      Heh... You might be surprised at the number of people who ask how to set up root with a password and use it - even by default, as their login on the AU SE site or even the Ubuntu forums. I giggle to myself and tell them how to do so. I aim to please, after all.

      --
      "So long and thanks for all the fish."
    11. Re:The malware is injected into Web sites .. by Anonymous Coward · · Score: 0

      So basically linux is completely secure from this.

      No

      The ONLY time I use root to install something is when it comes out of a repository and is intended to be system wide.

      That's the problem with the Unix/Linux security model: You are often running as root without being aware of it. It happens all the time. Each time you invoke a utility, directly or indirectly, that uses SUID root - you are running as root. It is basically a deliberate hole in the security model, drilled because the standard user is far too restricted and the model too coarse grained to express real world needs.

    12. Re:The malware is injected into Web sites .. by Anonymous Coward · · Score: 0

      Actually, Windows is much LESS secure than linux in that regard. Those services are started with special privileges (for example, to secure the audio path in case you rip "their" music). They can access the entire system including the registry and System folders. And start and install other services to run automatically.

      On Linux the httpd daemon is run as a user without a login. That one will be chrooted so it can't access the system. It can't bind to authorised ports, can't run programmes requiring root, only world or that user/group permissions, which won't include user files. Other systems have other methods of securing their daemons from malice (postfix, for example, allows each program to do what it must but each program cannot manage to do anything else "system-ey").

      Remote escalation is how many viruses spread, and windows is much MUCH less secure (and still a heck of a lot less secure, if improving, today) than Linux in that regard.

    13. Re:The malware is injected into Web sites .. by cdrudge · · Score: 1

      I don't know how easy it is to get administrator privileges under Windows now

      If the user has the privileges of Administrator, a UAC pop-up window shows and asks the user if they want to allow the program admin access. If the user doesn't have privileges, it asks for the admin password to temporarily gain privileges.

      So you're warned, but most users probably are the admin user so it's pretty common that people just click through it granting permission.

    14. Re:The malware is injected into Web sites .. by blogagog · · Score: 1

      very few users have ever felt the need to run as root unless they needed to.

      So, no need unless there is need?

      Heh. You made perfect sense. I just thought the wording was humorous :).

    15. Re:The malware is injected into Web sites .. by Anonymous Coward · · Score: 0

      Is there nowadays a limit on how often the program can present that prompt? Because I distinctly remember a couple years ago being locked out of my Win7 box by an app that wouldn't take "no" for an answer and renew the request as soon as it was denied. Luckily that wasn't malware but some crappy device driver provided with some obscure hardware, still, the approach was driving me mad. (I had installed it before, then clicked the installer accidentally and didn't want to reinstall it).

      I can easily picture malware molesting the user into allowing it like that.

    16. Re:The malware is injected into Web sites .. by SharpFang · · Score: 1

      There are quite few utilities suid root currently. The usual approach to "common day" privilege escalation is some server/service/daemon working with privileges set to exactly what it needs for its work (if root, so be it) and a "frontend app" that runs on user level and contacts the daemon for said service. This allows for an additional choke point as only data that needs the extra privileges gets through, while the "client" handles all the rest; no hundreds of options that could exploit the escalated privileges, just a dozen or so that are designed to be easy to sanitize.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    17. Re:The malware is injected into Web sites .. by Anonymous Coward · · Score: 0

      Each time you invoke a utility, directly or indirectly, that uses SUID root - you are running as root.

      So I just looked at the permissions of everything in my PATH on a typical (CentOS) Linux box. The only executable with SUID-root set is, duh, sudo. There are a few others with the SGID bit set, and they're not in group root (not that that would give them superuser privileges anyway).

      So no, you're not often running as root without being aware of it. Use of the sudo command is a dead giveaway.

    18. Re:The malware is injected into Web sites .. by cdrudge · · Score: 1

      AFAIK, no, there is no limit on the number of attempts. Perhaps there is with the number of attempts at entering a password, but just canceling out I don't believe so.

    19. Re:The malware is injected into Web sites .. by steveg · · Score: 1

      Did you happen to look at /usr/bin/passwd ?

      --
      Ignorance killed the cat. Curiosity was framed.
  5. So let's get this straight by iggymanz · · Score: 1, Offtopic

    This is a C program that when run as root does bad things. Which is a totally unexpected result compared to what any other C (or python or perl or bash or lisp) program that does bad things can do when run as root (or just having a bad person logged in as root could do).

    Yeah.

    I swear "security experts" and "antivirus companies" are pandering to morons to justify their existence.

    1. Re:So let's get this straight by Anonymous Coward · · Score: 0

      No, this is a tool that can be used to reverse the effects of the ransomware. If you're going to be snarky, at least read the title first.

    2. Re:So let's get this straight by Anonymous Coward · · Score: 0

      To be fair, you also need to be an idiot to get malware on Windows since the introduction of UAC in Windows Vista.
      The last time I had a real case of Viral infection was ~2006/7 and I was running Windows XP.

      Problem is, most people are idiots.
      Wherever the majority goes, the normal will be adjusted.
      And seldom for the better...

    3. Re:So let's get this straight by jmccue · · Score: 1

      Probably true, I have been using open source since well before XP came out so I cannot confirm. But many/most 'computing idiots' have moved from windows to smart phones. Just look at security craziness occurring over that fence, both by the users and the companies selling/supporting these phones.

    4. Re:So let's get this straight by iggymanz · · Score: 1

      why would I need to reverse ransomware that one gets by running random shit as root?

    5. Re:So let's get this straight by iggymanz · · Score: 1

      Many of the lusers at my employer of 900 people get malware often. They click on links in obvious scam emails, open attachments that are promised to be cool, etc.

      In short, the idiots are out there and working hard at it

    6. Re:So let's get this straight by zwarte piet · · Score: 1

      I never had an infection even on XP..... only Windows 98 got borked once, an installation that was clean for 5+ years till I clicked a link on Google, the browser crashed, windows hung & after restarting I got ads everywhere. That's when I switched to XP.

    7. Re:So let's get this straight by Applehu Akbar · · Score: 2

      Many of the lusers at my employer of 900 people get malware often. They click on links in obvious scam emails, open attachments that are promised to be cool, etc.

      In short, the idiots are out there and working hard at it

      Ransomware is not as blatant as that because the most lucrative targets are businesses. Typically the vector is an official-looking email that says something like "Track the package you ordered by clicking here..."

    8. Re:So let's get this straight by Anonymous Coward · · Score: 0

      This has nothing to do with root. The malware gets in by exploiting Wordpress or other insecure PHP wares. It then encrypts and erases everything it can get a hold of. Then, the author attempts to sell you the private key to get your data back. The released tool can decrypt your files because the malware author used date+time as a seed to the private key, severely reducing the key search.

    9. Re:So let's get this straight by Anonymous Coward · · Score: 0

      There have been a number of flaws found in UAC that actually let malware install with admin privileges on windows.
      In some of the instances, exploiting UAC was the only way the malware could actually get into the system.
      Though I've also heard similar stories about leveraging exploits in antivirus programs to get malware or a remote connection on a machine.

    10. Re:So let's get this straight by iggymanz · · Score: 1

      and our dumb-asses would click on it. we even have people that filled in their checking account number for "bank error" in spam. can we neuter such people before they reach puberty?

  6. If only the ransomware was open source by Anonymous Coward · · Score: 0

    Then we would be able to fix it by creating a more random heuristic for the encryption that would be impossible to get without the hidden password.

  7. Mistake from C language 101 course by manu0601 · · Score: 1

    Mistaking rand(3) for a source of randomness is a freshman mistake. Did the malware author skip the C language 101 course?

    1. Re:Mistake from C language 101 course by Anonymous Coward · · Score: 0

      char *random = system("echo $RANDOM");

    2. Re:Mistake from C language 101 course by Anonymous Coward · · Score: 0

      They saved the seed. No pseudorandom function could have saved them.

    3. Re:Mistake from C language 101 course by Anonymous Coward · · Score: 0

      It's like he was trying to reference xkcd in his source code... Seriously: what the fuck?
      https://xkcd.com/221/

      Was this programmed under duress like that blowjob scene in Swordfish?
      https://www.youtube.com/watch?v=zfy5dFhw3ik

      http://dilbert.com/strip/2001-10-25

    4. Re:Mistake from C language 101 course by by (1706743) · · Score: 1

      Almost as bad as using the Spaceballs luggage password...

    5. Re:Mistake from C language 101 course by ihtoit · · Score: 1

      you mean the one that's the same as my doomsday weapon insta-bang password?

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    6. Re:Mistake from C language 101 course by CurryCamel · · Score: 1

      At least in my "C 101" class they said using rand() is good enough.
      For this class.
      I didn't know better than srand(time(NULL)) until the course in cryptography. Perhaps this just means my university wasn't "world class" :(

    7. Re:Mistake from C language 101 course by urdak · · Score: 1

      At least in my "C 101" class they said using rand() is good enough.
      For this class.
      I didn't know better than srand(time(NULL)) until the course in cryptography. Perhaps this just means my university wasn't "world class" :(

      I guess you needed to also take the "advanced cryptography" course, where they would teach you that if you use srand(time(NULL)) and then make the time at that moment easily guessable (e.g., by leaving behind a file created at the exact same time), your supposedly-unguessable seed becomes easily guessable...
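
The weakness this subthread circles (manu0601's rand(3) remark, bytesex's srand(time(0)) guess and urdak's point that a file written at the same moment leaks the seed), as an added C example that is not code from the article, the thread or the malware: a toy key derivation seeded from a timestamp, the same routine run over a one-hour window ending at the ransom note's mtime to recover that seed from a known file header, and a CSPRNG-backed replacement. The repeating-key XOR cipher, the 45-second delay and the seed value are constructed stand-ins, not details of Linux.Encoder.1.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define KEY_LEN 16

/* The weak construction: a 16-byte key pulled from rand(3) after srand()
 * with a timestamp. Every key byte is a pure function of that one seed. */
void weak_key(unsigned int seed, uint8_t key[KEY_LEN]) {
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(rand() & 0xff);
}

/* The fix: take the key from the kernel CSPRNG instead of rand().
 * Returns 1 on success, 0 if /dev/urandom could not be read. */
int secure_key(uint8_t key[KEY_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t got = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return got == KEY_LEN;
}

/* Toy stand-in for the file cipher: repeating-key XOR, symmetric. */
void toy_xor(const uint8_t key[KEY_LEN], const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key[i % KEY_LEN];
}

/* Recovery: the ransom note written into each directory has an mtime close
 * to the moment srand() ran. Walk back 'window' seconds from it and accept
 * the first seed whose key turns the ciphertext into the expected file
 * header (known plaintext, e.g. "<?php" for a PHP file).
 * Returns the seed, or -1 if no candidate in the window matches. */
long recover_seed(time_t note_mtime, unsigned window,
                  const uint8_t *known_plain, const uint8_t *cipher, size_t n) {
    uint8_t key[KEY_LEN];
    for (time_t t = note_mtime - (time_t)window; t <= note_mtime; t++) {
        weak_key((unsigned int)t, key);
        size_t i = 0;
        while (i < n && (uint8_t)(cipher[i] ^ key[i % KEY_LEN]) == known_plain[i])
            i++;
        if (i == n)
            return (long)t;
    }
    return -1;
}

/* Round trip on constructed data: encrypt a PHP file under a timestamp seed,
 * assume the note was written 45 s later, then recover the seed from nothing
 * but the note's mtime and the 5-byte "<?php" header. */
long demo(unsigned int true_seed) {
    const uint8_t plain[] = "<?php echo 'hello'; ?>\n";  /* constructed victim file */
    uint8_t cipher[sizeof plain], key[KEY_LEN];
    weak_key(true_seed, key);
    toy_xor(key, plain, cipher, sizeof plain);
    time_t note_mtime = (time_t)true_seed + 45;          /* constructed: note lands 45 s after srand() */
    return recover_seed(note_mtime, 3600, (const uint8_t *)"<?php", cipher, 5);
}

int main(void) {
    unsigned int seed = 1445245200u;                     /* constructed: a 2015-10-19 epoch value */
    long found = demo(seed);
    printf("true seed %u, recovered %ld (%s)\n", seed, found,
           found == (long)seed ? "match" : "no match");
    return found == (long)seed ? 0 : 1;
}
```

With 3600 candidate seeds and five bytes of known plaintext, a false match is vanishingly unlikely; a key from secure_key() gives the search nothing to enumerate.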

    8. Re:Mistake from C language 101 course by manu0601 · · Score: 1

      At least in my "C 101" class they said using rand() is good enough.

      Good enough for what?

    9. Re:Mistake from C language 101 course by Anonymous Coward · · Score: 0

      Please learn C.

  8. Does it install the Yahoo Search Bar ? by TME1040 · · Score: 1

    Also, does this fix need "Administrator" rights to run ?

  9. How will they get paid? by Anonymous Coward · · Score: 0

    If they hack into Linux users, how would they get paid? Anime DVDs, Cheetos box-tops, and invitations to party with them in their mother's basement?

    1. Re:How will they get paid? by Anonymous Coward · · Score: 0

      Just because you have no life, there's no need to construct a fairy tale story of how there are scads of people less liked and likeable than yourself.

  10. Re:lol by Anonymous Coward · · Score: 1, Funny

    It probably included the source code when the system was infected.

  11. Crypto is hard by Sean0michael · · Score: 1

    This just goes to show that getting cryptography right can be just as hard for the bad guys as the good guys. There are so many ways to get it wrong. Just ask Bruce: https://www.schneier.com/essay...

    --
    Funtime Candy Wow! - my plan for eventually conquering Japan.
  12. Facepalm by Anonymous Coward · · Score: 0

    Okay so the decryption tool will save you the cost of ransom for the 1.0 version of this ransomware but does it plug the exploit that allowed the system to be compromised in the first place? If not it's only a matter of time until you are pwned once again. I'm guessing the cost of ransom will not be any cheaper for the next version of this brand of extortion-ware.

  13. Re: Once again, Linux is on top of things... by Anonymous Coward · · Score: 0

    Anyone who uses Windows has an offsite brain.

    FTFY

  14. now, that is funny haha (not funny ooh-er) by ihtoit · · Score: 1

    I heard about one over the last week or so that encrypts home folders then throws away the key with the expectation that a skeleton key would do to decrypt once the ransom is paid... something about the author then either lost or trashed the skeleton key, so any systems which got crunched had to be scuttled - no way to retrieve the home folder whatsoever absent backups.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  15. So... by Anonymous Coward · · Score: 0

    The cure for having run something as root from some random source is to run some other software as root from some other random source?

    Hahahahaha! How the hell does someone get infected with this in the first place, running day to day shit as root? Or is it actually exploiting an actual flaw?

  16. Lemme guess by bytesex · · Score: 1

    It was based on srand(time(0)) ?

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
  17. Sounds dodgey by Anonymous Coward · · Score: 0

    So I hit the site with https and I can't connect. Yeh that's when I turn off.

  18. if trusted path and secure boot were a done deal by Anonymous Coward · · Score: 0

    this would not have been possible. the trojan would have just used the built in tools to the bios and chipset to lock it down and finding (and ESPECIALLY disseminating) a bypass to THAT would have been a serious criminal matter for anyone even vaguely involved in it, and every news organisation would be held accountable for speaking of it.

    When a program can insist on greater control of your system than you, the owner, or anyone, the program should NEVER be allowed on someone else's machine.

    And if your PC purchase (or media player software purchase) insists, then they should refund the cost and pay for the upkeep of the system they now own.

    Either the PC is mine and you can fuck off, or it's yours, but YOU damn well pay for that control.

  19. UAC was just passing blame, nothing more by Anonymous Coward · · Score: 0

    It ONLY meant that you could now be blamed for clicking "Yes". However, without ANY idea of why or how privs are needed, and despite many legitimate programs demanding it, there's nothing to do but either
    a) not install. In which case windows now no longer does the thing you need, so why the hell use it?
    b) click yes. 99% of the time it's fine. But even those legitimate cases allow another escalation to "root", and will LATER be exploited if popular and vulnerable.

    UAC does fuck all but make MS blame you for it.

    See also the "uninstall" routines that ask YOU if some dll it thinks is no longer needed should be removed. HOW THE FUCK SHOULD ***I*** KNOW???? ***YOU**** fucking installed it!!!

    1. Re:UAC was just passing blame, nothing more by dave420 · · Score: 1

      So it's just like requesting superuser access in linux, then? Gotcha.

    2. Re:UAC was just passing blame, nothing more by Gallefray · · Score: 1

      At least in linux most libraries are documented, and things are generally transparent.

    3. Re:UAC was just passing blame, nothing more by Anonymous Coward · · Score: 0

      *** SMACK*** is the sound of dave420 going down eating his words getting bitchslapped by apk http://slashdot.org/comments.p...

  20. Never buy version 1 of anything by DrXym · · Score: 1

    It always contains bugs.

  21. Darn Do Gooders by cgfsd · · Score: 1

    1) Install Ransomware
    2) Profit!
    3) Do gooders release tool to remove Ransomware

    Darn do gooders are ruining my business model!

  22. Re:lol by Anonymous Coward · · Score: 0

    I'm sure that made sense in your head. Outside, not so much.

  23. DMCA? by hawk · · Score: 1

    Watch now for the litigation for this horrendous DMCA violation, which ruined the business model of the pirates^H^H^H^H^H^H^H entrepreneurs . . .

    hawk