Linux Ransomware Has Predictable Key, Automated Decryption Tool Released

itwbennett writes: Last week a new piece of ransomware was discovered that targets Linux servers. Yesterday, researchers at Bitdefender discovered a critical flaw in how the ransomware (dubbed Linux.Encoder.1) operates while testing a sample in their lab and released a free tool that will automatically decrypt any files on a victim's system that were targeted.

Linux.Encoder.2

[bloodhawk]

soo Linux.Encoder.2 out soon?

Re:Linux.Encoder.2

[Attila the Bun]

If it was open source there'd be a patch already.

Re:

[crtreece]

Linux.Encoder.2: Electric Boogaloo

Coming soon to a DataCenter near you.

first contact with the enemy

[turkeydance]

and all that

Re:

[Anonymous Coward]

It probably included the source code when the system was infected.

Still No Word On Infectoin Vector

[Anonymous Coward]

I'm still waiting to hear how this thing gets on servers in the first place.

Re:Still No Word On Infectoin Vector

[grahamsz]

I had a server hit by this a few weeks ago. Got the same ransom message shown there. I'm fairly sure it didn't require root, in fact it only encrypted files that were writable by www-data and not the handful in /var/www that were owned by root. The README_FOR_DECRYPT.txt file that was left in every directory was also owned by www-data.

I'm not sure what was posted in, but the infection mechanism appears to be this single request

46.160.xxx.xxx - - [19/Oct/2015:05:14:06 -0400] "POST /wp-content/include.php HTTP/1.0" 404 135395 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"

I'm still not really sure how that caused an infection, but i'm guessing it exploited something in the wordpress 404 handler? I don't see any other request from that IP and the server load spiked right after that as the files starting being encrypted.

Re:

[fearlezz]

I think the 404 doesn't necessarily mean something is wrong with the WP 404 handler. It could have been generated by the malware itself with <?php header("HTTP/1.1 404 Not Found"); ?> Seeing a 404 in the logs will probably make a lot of victims believe that line was not related to the intrusion.

Re:

[grahamsz]

I no longer have the damaged machine, but i'm pretty sure there wasn't a php file available called wp-content/include.php but mod_rewrite ends up catching that and routing the request into the main wordpress scirpt.

Still it's good subterfuge, and my first instinct was to discount it.

Wish I had that post body logged somewhere, would be really interested to see what came in

The malware is injected into Web sites ..

[nickweller]

"Typically, the malware is injected into Web sites via known vulnerabilities in site plugins or third-party software — such as shopping cart programs. ref [krebsonsecurity.com]

"Once launched with administrator privileges, the Trojan loads into the memory of its process files containing cybercriminals' demands:" ref [drweb.com]

Re:

[techno-vampire]

I don't know how easy it is to get administrator privileges under Windows now (I don't use it any more.) but I'm sure most of us can remember when most Windows users either ran as Administrator or automatically granted those privileges to any program that asked. It's never been that easy under Linux, simply because very few users have ever felt the need to run as root unless they needed to. Of course, there are always going to be those who grant root access to any Linux programs that ask, but just keeping

Re:

[cdrudge]

I don't know how easy it is to get administrator privileges under Windows now

If the user has the privileges of Administrator, a UAC pop up window shows and asks the user if they want to allow the program admin access. If the user doesn't have privileges, it asks for the admin password to temporarily gain privileges.

So you're warned, but most users probably are the admin user so it's pretty common that people just click through it granting permission.

Re:

[cdrudge]

AFAIK, no, there is no limit on the number of attempts. Perhaps there is with the number of attempts at entering a password, but just canceling out I don't believe so.

Re:

[blogagog]

very few users have ever felt the need to run as root unless they needed to.

So, no need unless there is need?


Heh. You made perfect sense. I just thought the wording was humorous :).

Re:

[darth_borehd]

How does it get admin?

Re:

[gl4ss]

apparently it doesn't. it just does what it can as whatever you have wordpress set up as.

of course, next version could have it try any number of elevate to root exploits available - or simply lay dormant until some maintanence that requires root is done with the wp install.

Re:

[Harlequin80]

So basically linux is completely secure from this. The ONLY time I use root to install something is when it comes out of a repository and is intended to be system wide. If anything is ever downloaded it gets installed at a user level. Seriously who the fuck would give admin rights to a random piece of software in Linux? There simply isn't any need.

It's not like windows where you get a pop-up asking for admin rights press ok and that appears for every bloody damn piece of software under the sun.

Re:

[Harlequin80]

Who and how? Millions take the easy path so they install ubuntu, or maybe mint. So NONE of them are running as root. The closest that they will get to root is sudo. And if they are someone who is operating outside of the repos they are already moving into the realm of "not that easy" and they have to type the root password to give it permission to install.

Christ if I am working on a server that I don't get a toss about and I'm working in root 99% of the software spits up a warning saying "we really real

Re:

[KGIII]

Heh... You might be surprised at the number of people who ask how to set up root with a password and use it - even by default, as their login on the AU SE site or even the Ubuntu forums. I giggle to myself and tell them how to do so. I aim to please, after all.

Re:

[someone1234]

Linux yes, Linux webservers with usual use cases no.

Re:

[SharpFang]

There are quite few utilities suid root currently. The usual approach to "common day" privilege escalation is some server/service/daemon working with privileges set to exactly what it needs for its work (if root, so be it) and a "frontend app" that runs on user level and contacts the demon for said service. This allows for an additional choke point as only data that needs the extra privileges gets through, while the "client" handles all the rest; no hundreds of options that could exploit the escalated privi

Re:

[steveg]

Did you happen to look at /usr/bin/passwd ?

So let's get this straight

[iggymanz]

This is a C program that when run as root does bad things. Which is totally unexpected result compared to what any other C (or python or perl or bash or lisp) program that does bad things can do when run as root (or just having bad person logged in as root could do)

Yeah.

I swear "security experts" and "antivirus companies" are pandering to morons to justify their existence.

Re:

[iggymanz]

why would I need to reverse ransomware that one gets by running random shit as root?

Re:

[jmccue]

Probably true, I have been using open source since well before XP came out so I cannot confirm. But many/most 'computing idiots' have moved from windows to smart phones. Just look at security craziness occurring over that fence, both by the users and the companies selling/supporting these phones.

Re:

[iggymanz]

Many of the lusers at my employer of 900 people get malware often. they click on links in obvious scam emails, open attachments that are promised to be cool, etc.

In short, the idiots are out there and working hard at it

Re:

[Applehu Akbar]

Many of the lusers at my employer of 900 people get malware often. they click on links in obvious scam emails, open attachments that are promised to be cool, etc.

In short, the idiots are out there and working hard at it

Ransomware is not as blatant as that because the most lucrative targets are businesses. Typically the vector is an official-looking email that says something like "Track the package you ordered by clicking here..."

Re:

[iggymanz]

and our dumb-asses would click on it. we even have people that filled in their checking account number for "bank error" in spam. can we neuter such people before they reach puberty?

Re:

[zwarte piet]

I never had an infection even on XP..... only window 98 got borked once, an installation that was clean for 5+ years till I clicked a link on Google, the browser crashed, windows hung & after restarting I got ads everywhere. That's when I switched to xp.

Re:

[dave420]

So it's just like requesting superuser access in linux, then? Gotcha.

Re:

[Gallefray]

At least in linux most libraries are documented, and things are generally transparent.

Mistake from C language 101 course

[manu0601]

Mistaking rand(3) as a source of randomness is freshman mistake. Did the malware author skip C language 101 course?

Re:

[by (1706743)]

Almost as bad as using the Spaceballs luggage password...

Re:

[ihtoit]

you mean the one that's the same as my doomsday weapon insta-bang password?

Re:

[CurryCamel]

At least in my "C 101" class they said using rand() is good enough.
For this class.
I didn't know better than srand(time(NULL)) until the course in cryptography. Perhaps this just means my university wasn't "world class" :(

Re:

[urdak]

At least in my "C 101" class they said using rand() is good enough.
For this class.
I didn't know better than srand(time(NULL)) until the course in cryptography. Perhaps this just means my university wasn't "world class" :(

I guess you needed to also take the "advanced cryptography" course, where they would teach you that if you use stand(time(NULL)) and then make the time at that moment easily guessable (e.g., by leaving behind a file created at the exact same time), your supposedly-unguessable seed becomes easily guessable...

Re:

[manu0601]

At least in my "C 101" class they said using rand() is good enough.

Good enough for what?

Does it install the Yahoo Search Bar ?

[TME1040]

Also, does this fix needs "Administrator" rights to run ?

Crypto is hard

[Sean0michael]

This just goes to show that getting cryptography right can be just as hard for the bad guys as the good guys. There are so many ways to get it wrong. Just ask Bruce: https://www.schneier.com/essay... [schneier.com]

now, that is funny haha (not funny ooh-er)

[ihtoit]

I heard about one over the last week or so that encrypts home folders then throws away the key with the expectation that a skeleton key would do to decrypt once the ransom is paid... something about the author then either lost or trashed the skeleton key, so any systems which got crunched had to be scuttled - no way to retrieve the home folder whatsoever absent backups.

Lemme guess

[bytesex]

It was based on srand(time(0)) ?

Never buy version 1 of anything

[DrXym]

It always contains bugs.

Darn Do Gooders

[cgfsd]

1) Install Ransomware
2) Profit!
3) Do gooders release tool to remove Ransomeware

Darn do gooders are ruining my business model!

DMCA?

[hawk]

Watch now for the litigation for this horrendous DMCA violation, which ruined the business model of the pirates^H^H^H^H^H^H^H entrepreneurs . . .

hawk