Critroni Crypto Ransomware Seen Using Tor for Command and Control
Trailrunner7 writes There's a new kid on the crypto ransomware block, known as Critroni, that's been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say it's the first crypto ransomware seen using the Tor network for command and control.
The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims' machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim's PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files.
"It uses C2 hidden in the Tor network. Previously we haven't seen cryptomalware having C2 in Tor. Only banking trojans," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. "Executable code for establishing Tor connection is embedded in the malware's body. Previously the malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware's body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general."
Re:Time to get rid of Tor (Score:5, Interesting)
And while we are on the subject:
It's true that some protests and the beginnings of the Arab spring stuff apparently began on Twatter and Facespace; I wonder how much of that was going to happen anyway, especially given that in at least 3 of the four major uprisings the secular movements that seemed so popular online certainly have not proven to be what the people ultimately choose to support:
Egypt - went theocracy and is now back to essentially an autocracy that more or less resembles the one they started out with.
Libya - If you're not an Obama apologist, is a failed state, run by gangs or would-be tyrants.
Syria - Remains to be seen if the rebels will even succeed, but if they do it will probably be Islamist.
Tunisia - Well that one might have kinda worked.
One is left to wonder if, much like Slashdot here in the states, where lots of radical (not to be necessarily read with a negative connotation) ideas get expressed online, it seems to amount to a lot of political masturbation because it does not get translated into actions that generate any sort of results at the ballot box. In some respects, taking a longer view, the pamphleteers of the late 17th and 18th centuries and the marchers and organizers of the mid 20th century seem to have had much more influence than the 21st century Internet critics. Oh sure, they can manage to get a SOPA or PIPA shot down once in a while, but can't get it turned into the sort of third rail the politicians will shy away from touching again for even a year.
So is it possible the Internet is actually harmful to these movements, is it keeping people sitting at home posting on Facespace behind their proxies instead of actually out in the street doing something disruptive? Sure the organizing power of these things is clear but real widely supported political movements always have managed to organize before.
Re:Time to get rid of Tor (Score:4, Interesting)
There is no need to get rid of Tor: in theory, Tor could have a "hidden service policy" mechanism not much different to the exit policy mechanism. HS Policies would allow a node operator to state that they aren't willing to act as an introduction point for a list of hidden services (or point to lists maintained elsewhere to stop fast-flux type behaviour).
Tor already accepts that not all relay operators will want to support all kinds of behaviour and that some kinds of traffic can be abusive, that's why they implement exit policies which allow exits to ban port and IP ranges. Taking this philosophy to hidden services seems like the next natural step. After all, Tor volunteers are ultimately acting as human shields for other people's anonymous behaviour. Requiring them to shield everything just restricts the number of people who would be willing to donate bandwidth to general privacy but are not interested in enabling botnets.
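As an added illustration of the "hidden service policy" idea in the comment above (not part of the post, and not a Tor feature: Tor has no such option, so the accept/reject syntax, the `list:` reference to an externally maintained list, and the .onion addresses below are all constructed assumptions modelled on the shape of Tor's ExitPolicy lines), here is a small first-match policy evaluator a relay could use to decide whether it is willing to act as an introduction point for a given service:

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str    # "accept" or "reject"
    pattern: str   # exact .onion address, "*" wildcard, or "list:<name>"

def parse_policy(text: str) -> list[Rule]:
    """Parse one accept/reject rule per line; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in ("accept", "reject"):
            raise ValueError(f"malformed policy line: {raw!r}")
        rules.append(Rule(parts[0], parts[1].strip()))
    return rules

def willing_to_introduce(rules: list[Rule], onion: str,
                         lists: dict[str, set[str]]) -> bool:
    """First matching rule wins, like an exit policy. If nothing matches
    the request is accepted, so a policy should end with 'accept *' or
    'reject *' to make the operator's default explicit."""
    for rule in rules:
        if rule.pattern == "*":
            matched = True
        elif rule.pattern.startswith("list:"):
            # Externally maintained list (e.g. known ransomware C2 addresses),
            # so the operator does not have to chase fast-flux style changes.
            matched = onion in lists.get(rule.pattern[5:], set())
        else:
            matched = onion == rule.pattern
        if matched:
            return rule.action == "accept"
    return True

# Constructed sample policy and list; addresses are placeholders, not real.
EXAMPLE_POLICY = """
reject list:ransomware-c2          # shared list maintained elsewhere
reject manualblock0000000.onion    # one address the operator blocks by hand
accept *                           # shield everything else
"""
EXAMPLE_LISTS = {"ransomware-c2": {"listedc2aaaaaaaaa.onion"}}

if __name__ == "__main__":
    rules = parse_policy(EXAMPLE_POLICY)
    for svc in ("listedc2aaaaaaaaa.onion", "ordinarysite00000.onion"):
        print(svc, willing_to_introduce(rules, svc, EXAMPLE_LISTS))
```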