Slashdot Mirror


Linux Ransomware Has Predictable Key, Automated Decryption Tool Released (csoonline.com)

itwbennett writes: Last week a new piece of ransomware was discovered that targets Linux servers. Yesterday, researchers at Bitdefender discovered a critical flaw in how the ransomware (dubbed Linux.Encoder.1) operates while testing a sample in their lab and released a free tool that will automatically decrypt any files on a victim's system that were targeted.

44 of 78 comments

  1. Linux.Encoder.2 by bloodhawk · · Score: 3, Insightful

    So Linux.Encoder.2 out soon?

    1. Re:Linux.Encoder.2 by Attila the Bun · · Score: 3, Funny

      If it was open source there'd be a patch already.

    2. Re:Linux.Encoder.2 by crtreece · · Score: 2
      Linux.Encoder.2: Electric Boogaloo

      Coming soon to a DataCenter near you.

      --
      file: .signature not found
  2. first contact with the enemy by turkeydance · · Score: 1

    and all that

  3. Still No Word On Infection Vector by Anonymous Coward · · Score: 1, Informative

    I'm still waiting to hear how this thing gets on servers in the first place.

    1. Re:Still No Word On Infection Vector by grahamsz · · Score: 5, Informative

      I had a server hit by this a few weeks ago. Got the same ransom message shown there. I'm fairly sure it didn't require root, in fact it only encrypted files that were writable by www-data and not the handful in /var/www that were owned by root. The README_FOR_DECRYPT.txt file that was left in every directory was also owned by www-data.

      I'm not sure what was posted in, but the infection mechanism appears to be this single request:

      46.160.xxx.xxx - - [19/Oct/2015:05:14:06 -0400] "POST /wp-content/include.php HTTP/1.0" 404 135395 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"

      I'm still not really sure how that caused an infection, but I'm guessing it exploited something in the WordPress 404 handler? I don't see any other request from that IP, and the server load spiked right after that as the files started being encrypted.

    2. Re:Still No Word On Infection Vector by fearlezz · · Score: 2

      I think the 404 doesn't necessarily mean something is wrong with the WP 404 handler. It could have been generated by the malware itself with <?php header("HTTP/1.1 404 Not Found"); ?> Seeing a 404 in the logs will probably make a lot of victims believe that line was not related to the intrusion.

      --
      .sig: No such file or directory
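      The two posts above describe a log pattern worth alerting on: a POST to a PHP path that does not exist on disk, logged as 404 (possibly a status the script itself emitted, as fearlezz notes), yet answered with a large body. The following is an added example of that check run over constructed log lines; it is not code from the thread or from Bitdefender. The byte threshold and the two benign lines are assumptions made for the example; the first sample line is the request grahamsz quoted.

```c
/* Heuristic scan of Apache combined-format access log lines for the pattern
 * described in the thread: a POST to a PHP path that is logged as 404 yet
 * returns a large body. Added example, not code from the page. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed threshold: a genuine WordPress 404 page is far smaller than 135395 bytes. */
#define LARGE_404_BYTES 4096

struct access_entry {
    char host[64];
    char when[64];
    char method[16];
    char path[256];
    int status;
    long bytes;
};

/* Parse one combined-log line. Returns 0 on success, -1 if the line does not match. */
static int parse_access_line(const char *line, struct access_entry *e) {
    char request[512];
    char size[32];
    int n = sscanf(line, "%63s %*s %*s [%63[^]]] \"%511[^\"]\" %d %31s",
                   e->host, e->when, request, &e->status, size);
    if (n != 5)
        return -1;
    /* request looks like: POST /wp-content/include.php HTTP/1.0 */
    if (sscanf(request, "%15s %255s", e->method, e->path) != 2)
        return -1;
    e->bytes = (strcmp(size, "-") == 0) ? 0 : strtol(size, NULL, 10);
    return 0;
}

static int ends_with(const char *s, const char *suffix) {
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && strcmp(s + ls - lx, suffix) == 0;
}

/* 1 if the entry matches the heuristic (POST, .php target, 404, large body), else 0. */
static int is_suspicious_post_404(const struct access_entry *e) {
    return strcmp(e->method, "POST") == 0
        && ends_with(e->path, ".php")
        && e->status == 404
        && e->bytes > LARGE_404_BYTES;
}

/* Count matching lines in an array of log lines; unparsable lines are skipped. */
static int count_suspicious(const char *const *lines, int n) {
    int hits = 0;
    for (int i = 0; i < n; i++) {
        struct access_entry e;
        if (parse_access_line(lines[i], &e) == 0 && is_suspicious_post_404(&e))
            hits++;
    }
    return hits;
}

/* Constructed sample: the first line is the request quoted in the thread (IP redacted
 * as posted); the other two are benign traffic made up for this example. */
static const char *const SAMPLE_LOG[] = {
    "46.160.xxx.xxx - - [19/Oct/2015:05:14:06 -0400] \"POST /wp-content/include.php HTTP/1.0\" 404 135395 \"-\" \"Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1\"",
    "203.0.113.5 - - [19/Oct/2015:05:14:09 -0400] \"GET /missing-page HTTP/1.1\" 404 612 \"-\" \"Mozilla/5.0\"",
    "203.0.113.7 - - [19/Oct/2015:05:15:01 -0400] \"POST /wp-login.php HTTP/1.1\" 200 3204 \"-\" \"Mozilla/5.0\"",
};
#define SAMPLE_LOG_LEN (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

int main(void) {
    for (int i = 0; i < SAMPLE_LOG_LEN; i++) {
        struct access_entry e;
        if (parse_access_line(SAMPLE_LOG[i], &e) == 0 && is_suspicious_post_404(&e))
            printf("suspicious: %s %s %s -> %d (%ld bytes) at %s\n",
                   e.host, e.method, e.path, e.status, e.bytes, e.when);
    }
    printf("%d suspicious line(s)\n", count_suspicious(SAMPLE_LOG, SAMPLE_LOG_LEN));
    return 0;
}
```

      The size check is what separates this from ordinary 404 noise: a genuine not-found response from WordPress is small, whereas a script that sets its own 404 status and then does work will usually not be. Pairing the hit with a load spike, as grahamsz did, is the natural next correlation.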
    3. Re:Still No Word On Infection Vector by grahamsz · · Score: 1

      I no longer have the damaged machine, but I'm pretty sure there wasn't a PHP file available called wp-content/include.php, but mod_rewrite ends up catching that and routing the request into the main WordPress script.

      Still it's good subterfuge, and my first instinct was to discount it.

      Wish I had that post body logged somewhere, would be really interested to see what came in.

  4. The malware is injected into Web sites .. by nickweller · · Score: 3, Informative

    "Typically, the malware is injected into Web sites via known vulnerabilities in site plugins or third-party software — such as shopping cart programs." ref

    "Once launched with administrator privileges, the Trojan loads into the memory of its process files containing cybercriminals' demands:" ref

    1. Re:The malware is injected into Web sites .. by techno-vampire · · Score: 1

      I don't know how easy it is to get administrator privileges under Windows now (I don't use it any more), but I'm sure most of us can remember when most Windows users either ran as Administrator or automatically granted those privileges to any program that asked. It's never been that easy under Linux, simply because very few users have ever felt the need to run as root unless they needed to. Of course, there are always going to be those who grant root access to any Linux programs that ask, but just keeping people from using root/Administrator for regular tasks is a good first line of defense against things like this.

      --
      Good, inexpensive web hosting
    2. Re:The malware is injected into Web sites .. by darth_borehd · · Score: 1

      How does it get admin?

    3. Re:The malware is injected into Web sites .. by Harlequin80 · · Score: 1

      So basically Linux is completely secure from this. The ONLY time I use root to install something is when it comes out of a repository and is intended to be system wide. If anything is ever downloaded it gets installed at a user level. Seriously who the fuck would give admin rights to a random piece of software in Linux? There simply isn't any need.

      It's not like Windows where you get a pop-up asking for admin rights, press OK, and that appears for every bloody damn piece of software under the sun.

    4. Re:The malware is injected into Web sites .. by Harlequin80 · · Score: 1

      Who and how? Millions take the easy path so they install Ubuntu, or maybe Mint. So NONE of them are running as root. The closest that they will get to root is sudo. And if they are someone who is operating outside of the repos they are already moving into the realm of "not that easy" and they have to type the root password to give it permission to install.

      Christ, if I am working on a server that I don't give a toss about and I'm working in root, 99% of the software spits up a warning saying "we really really really don't recommend you run this as root".

    5. Re:The malware is injected into Web sites .. by gl4ss · · Score: 1

      Apparently it doesn't. It just does what it can as whatever you have WordPress set up as.

      Of course, the next version could have it try any number of elevate-to-root exploits available, or simply lie dormant until some maintenance that requires root is done with the WP install.

      --
      world was created 5 seconds before this post as it is.
    6. Re:The malware is injected into Web sites .. by someone1234 · · Score: 1

      Linux yes, Linux webservers with usual use cases no.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    7. Re:The malware is injected into Web sites .. by KGIII · · Score: 1

      Heh... You might be surprised at the number of people who ask how to set up root with a password and use it - even by default, as their login on the AU SE site or even the Ubuntu forums. I giggle to myself and tell them how to do so. I aim to please, after all.

      --
      "So long and thanks for all the fish."
    8. Re:The malware is injected into Web sites .. by cdrudge · · Score: 1

      I don't know how easy it is to get administrator privileges under Windows now

      If the user has the privileges of Administrator, a UAC pop-up window shows and asks the user if they want to allow the program admin access. If the user doesn't have privileges, it asks for the admin password to temporarily gain privileges.

      So you're warned, but most users probably are the admin user so it's pretty common that people just click through it granting permission.

    9. Re:The malware is injected into Web sites .. by blogagog · · Score: 1

      very few users have ever felt the need to run as root unless they needed to.

      So, no need unless there is need?


      Heh. You made perfect sense. I just thought the wording was humorous :).

    10. Re:The malware is injected into Web sites .. by SharpFang · · Score: 1

      There are quite few utilities suid root currently. The usual approach to "common day" privilege escalation is some server/service/daemon working with privileges set to exactly what it needs for its work (if root, so be it) and a "frontend app" that runs on user level and contacts the daemon for said service. This allows for an additional choke point as only data that needs the extra privileges gets through, while the "client" handles all the rest; no hundreds of options that could exploit the escalated privileges, just a dozen or so that are designed to be easy to sanitize.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    11. Re:The malware is injected into Web sites .. by cdrudge · · Score: 1

      AFAIK, no, there is no limit on the number of attempts. Perhaps there is with the number of attempts at entering a password, but just canceling out I don't believe so.

    12. Re:The malware is injected into Web sites .. by steveg · · Score: 1

      Did you happen to look at /usr/bin/passwd ?

      --
      Ignorance killed the cat. Curiosity was framed.
  5. So let's get this straight by iggymanz · · Score: 1, Offtopic

    This is a C program that when run as root does bad things. Which is a totally unexpected result compared to what any other C (or Python or Perl or bash or Lisp) program that does bad things can do when run as root (or just what a bad person logged in as root could do).

    Yeah.

    I swear "security experts" and "antivirus companies" are pandering to morons to justify their existence.

    1. Re:So let's get this straight by jmccue · · Score: 1

      Probably true, I have been using open source since well before XP came out so I cannot confirm. But many/most 'computing idiots' have moved from windows to smart phones. Just look at security craziness occurring over that fence, both by the users and the companies selling/supporting these phones.

    2. Re:So let's get this straight by iggymanz · · Score: 1

      Why would I need to reverse ransomware that one gets by running random shit as root?

    3. Re:So let's get this straight by iggymanz · · Score: 1

      Many of the lusers at my employer of 900 people get malware often. They click on links in obvious scam emails, open attachments that are promised to be cool, etc.

      In short, the idiots are out there and working hard at it.

    4. Re:So let's get this straight by zwarte piet · · Score: 1

      I never had an infection even on XP..... only Windows 98 got borked once, an installation that was clean for 5+ years till I clicked a link on Google, the browser crashed, Windows hung & after restarting I got ads everywhere. That's when I switched to XP.

    5. Re:So let's get this straight by Applehu Akbar · · Score: 2

      Many of the lusers at my employer of 900 people get malware often. They click on links in obvious scam emails, open attachments that are promised to be cool, etc.

      In short, the idiots are out there and working hard at it.

      Ransomware is not as blatant as that because the most lucrative targets are businesses. Typically the vector is an official-looking email that says something like "Track the package you ordered by clicking here..."

    6. Re:So let's get this straight by iggymanz · · Score: 1

      And our dumb-asses would click on it. We even have people that filled in their checking account number for "bank error" in spam. Can we neuter such people before they reach puberty?

  6. Mistake from C language 101 course by manu0601 · · Score: 1

    Mistaking rand(3) for a source of randomness is a freshman mistake. Did the malware author skip the C language 101 course?

    1. Re:Mistake from C language 101 course by by (1706743) · · Score: 1

      Almost as bad as using the Spaceballs luggage password...

    2. Re:Mistake from C language 101 course by ihtoit · · Score: 1

      you mean the one that's the same as my doomsday weapon insta-bang password?

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    3. Re:Mistake from C language 101 course by CurryCamel · · Score: 1

      At least in my "C 101" class they said using rand() is good enough.
      For this class.
      I didn't know better than srand(time(NULL)) until the course in cryptography. Perhaps this just means my university wasn't "world class" :(

    4. Re:Mistake from C language 101 course by urdak · · Score: 1

      At least in my "C 101" class they said using rand() is good enough.
      For this class.
      I didn't know better than srand(time(NULL)) until the course in cryptography. Perhaps this just means my university wasn't "world class" :(

      I guess you needed to also take the "advanced cryptography" course, where they would teach you that if you use srand(time(NULL)) and then make the time at that moment easily guessable (e.g., by leaving behind a file created at the exact same time), your supposedly-unguessable seed becomes easily guessable...

    5. Re:Mistake from C language 101 course by manu0601 · · Score: 1

      At least in my "C 101" class they said using rand() is good enough.

      Good enough for what?

  7. Does it install the Yahoo Search Bar ? by TME1040 · · Score: 1

    Also, does this fix need "Administrator" rights to run?

  8. Re:lol by Anonymous Coward · · Score: 1, Funny

    It probably included the source code when the system was infected.

  9. Crypto is hard by Sean0michael · · Score: 1

    This just goes to show that getting cryptography right can be just as hard for the bad guys as the good guys. There are so many ways to get it wrong. Just ask Bruce: https://www.schneier.com/essay...

    --
    Funtime Candy Wow! - my plan for eventually conquering Japan.
  10. now, that is funny haha (not funny ooh-er) by ihtoit · · Score: 1

    I heard about one over the last week or so that encrypts home folders then throws away the key with the expectation that a skeleton key would do to decrypt once the ransom is paid... something about the author then either lost or trashed the skeleton key, so any systems which got crunched had to be scuttled - no way to retrieve the home folder whatsoever absent backups.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  11. Lemme guess by bytesex · · Score: 1

    It was based on srand(time(0)) ?

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
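    The "Mistake from C language 101" subthread and bytesex's guess above both come down to the same point: rand(3) is a pure function of its seed, and a time_t seed sits in a window that anyone holding a file timestamp can enumerate. The block below is an added illustration written for this mirror, not the malware's code and not Bitdefender's tool; it shows the weak construction, the seed search a defender can run against it, and the kernel CSPRNG as the sound alternative. KEY_LEN, the 300-second search window, the seed value and the 40-second mtime offset are all assumptions constructed for the example.

```c
/* Why srand(time(NULL)) + rand(3) is not a key source: the output stream is a pure
 * function of the seed, and a timestamp seed can be found by enumerating a window
 * around a known time such as a file mtime. Added example; not the malware's code
 * and not Bitdefender's decryption tool. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define KEY_LEN 16   /* assumed key length for the example */

/* The weak construction: seed rand(3) with a time_t and take KEY_LEN bytes from it. */
static void weak_key_from_seed(unsigned int seed, unsigned char out[KEY_LEN]) {
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Search seeds in [approx - window, approx + window] for one that regenerates `key`.
 * Returns the seed, or 0 if none in the window matches. */
static unsigned int recover_seed(const unsigned char key[KEY_LEN], time_t approx, int window) {
    unsigned char candidate[KEY_LEN];
    for (long delta = -window; delta <= window; delta++) {
        unsigned int seed = (unsigned int)(approx + delta);
        weak_key_from_seed(seed, candidate);
        if (memcmp(candidate, key, KEY_LEN) == 0)
            return seed;
    }
    return 0;
}

/* The sound alternative: bytes from the kernel CSPRNG. Returns 0 on success, -1 on failure. */
static int strong_key(unsigned char out[KEY_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(out, 1, KEY_LEN, f);
    fclose(f);
    return got == KEY_LEN ? 0 : -1;
}

int main(void) {
    /* Constructed scenario: a key generated at some instant, and a file mtime that tells
     * the defender roughly when that was. The seed is 19 Oct 2015 09:14:06 UTC, i.e. the
     * request time quoted in the thread, chosen only to make the example concrete. */
    time_t real_seed = 1445246046;
    unsigned char key[KEY_LEN];
    weak_key_from_seed((unsigned int)real_seed, key);

    time_t mtime_hint = real_seed + 40;   /* assume the encrypted files were written ~40 s later */
    unsigned int found = recover_seed(key, mtime_hint, 300);
    printf("seed recovered: %u (%s within a 600 s window)\n",
           found, found == (unsigned int)real_seed ? "match" : "no match");

    unsigned char good[KEY_LEN];
    if (strong_key(good) == 0)
        printf("/dev/urandom key obtained; there is no seed to recover\n");
    return 0;
}
```

    The search is only a few hundred srand/rand calls because the timestamp narrows the space to seconds; a key drawn from /dev/urandom has no such structure, which is the whole difference the thread is pointing at.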
  12. Never buy version 1 of anything by DrXym · · Score: 1

    It always contains bugs.

  13. Re:UAC was just passing blame, nothing more by dave420 · · Score: 1

    So it's just like requesting superuser access in linux, then? Gotcha.

  14. Re:UAC was just passing blame, nothing more by Gallefray · · Score: 1

    At least in linux most libraries are documented, and things are generally transparent.

  15. Darn Do Gooders by cgfsd · · Score: 1

    1) Install Ransomware
    2) Profit!
    3) Do gooders release tool to remove Ransomeware

    Darn do gooders are ruining my business model!

  16. DMCA? by hawk · · Score: 1

    Watch now for the litigation for this horrendous DMCA violation, which ruined the business model of the pirates^H^H^H^H^H^H^H entrepreneurs . . .

    hawk