Critroni Crypto Ransomware Seen Using Tor for Command and Control
Trailrunner7 writes: There's a new kid on the crypto ransomware block, known as Critroni, that's been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say it's the first crypto ransomware seen using the Tor network for command and control.
The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims' machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim's PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files.
"It uses C2 hidden in the Tor network. Previously we haven't seen cryptomalware having C2 in Tor. Only banking trojans," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. "Executable code for establishing Tor connection is embedded in the malware's body. Previously the malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware's body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general."
Re: (Score:1)
Seriously? Way to reduce your pool of potential customers to those who know how to make a payment in Bitcoin.
Is this an ad for Bitcoin?
Re:Time to get rid of Tor (Score:5, Insightful)
It has also been an enabler for millions of people in Iran, Syria and Turkmenistan to frequent social networks like Facebook and Twitter.
And get uncensored news from buzzfeed
Don't get me wrong, Tor is a great enabler for countering censorship, etc... but advocating that these people need access to facebook and twitter? Honestly. Nobody needs that.
Re: (Score:2)
Fb and twit were instrumental for on location reports during rebellions ... Saying otherwise suggests that you are ... ignorant.
Instrumental yes. In the same sense that Bic pens were instrumental in me graduating university. However, if there were no bic pens I'd have found something else to use.
Likewise, twitter was instrumental, in the sense that it got used, but if there had been no twitter, they could have just as easily organized from something else.
Re: (Score:2)
And those countries instantly became bastions of freedom? Hint: no they didn't. People think Internet = magical standard of living raiser, and it isn't. It's just another tool to control the population.
Re:Time to get rid of Tor (Score:4, Insightful)
And those countries instantly became bastions of freedom?
It didn't instantly fix everything, so it's worthless.
Re:Time to get rid of Tor (Score:5, Interesting)
And while we are on the subject:
It's true that some protests and the beginnings of the Arab spring stuff apparently began on Twatter and Facespace; I wonder how much of that was going to happen anyway, especially given that in at least 3 of the four major uprisings the secular movements that seemed so popular online certainly have not proven to be what the people ultimately choose to support:
Egypt - went theocracy and is now back to essentially an autocracy that more or less resembles the one they started out with.
Libya - If you're not an Obama apologist, is a failed state, run by gangs or would-be tyrants.
Syria - Remains to be seen if the rebels will even succeed, but if they do it will probably be Islamist.
Tunisia - Well that one might have kinda worked.
One is left to wonder if, much like Slashdot here in the states, where lots of radical (not to be necessarily read with a negative connotation) ideas get expressed online, it seems to amount to a lot of political masturbation because it does not get translated into actions that generate any sort of results at the ballot box. In some respects, taking a longer view, the pamphleteers of the late 17th and 18th centuries and the marchers and organizers of the mid 20th century seem to have had much more influence than the 21st century Internet critics. Oh sure, they can manage to get a SOPA or PIPA shot down once in a while, but can't get it turned into the sort of third rail the politicians will shy away from touching again for even a year.
So is it possible the Internet is actually harmful to these movements? Is it keeping people sitting at home posting on Facespace behind their proxies instead of actually out in the street doing something disruptive? Sure, the organizing power of these things is clear, but real, widely supported political movements have always managed to organize before.
Re: (Score:1)
The problem with Egypt, Syria, Libya and Tunisia is they've suffered over a thousand years of Islam. That has left their population with a fatalistic outlook, their leaders corrupt and their drive and innovation sapped. The Internet is not going to free the billion humans who live enslaved to Islam. Unfortunately, only the people themselves can do that by throwing off the stultifying oppression of Islam, and that's not happening any time soon.
Re: (Score:2)
Tor has value, BUT it has no proper place running behind the firewall on the corporate intranet or in the home within the developed world -- it is a huge security risk, and it makes sense to block tor completely.
Tor has value for some people living in tyrannical regimes where free speech has been outlawed and internet users have a jealous government to worry about who may object to what they post or read, and may threaten them or their families based on it.
However.... these users also need some sort o
Re:Time to get rid of Tor (Score:4, Interesting)
There is no need to get rid of Tor: in theory, Tor could have a "hidden service policy" mechanism not much different to the exit policy mechanism. HS Policies would allow a node operator to state that they aren't willing to act as an introduction point for a list of hidden services (or point to lists maintained elsewhere to stop fast-flux type behaviour).
Tor already accepts that not all relay operators will want to support all kinds of behaviour and that some kinds of traffic can be abusive, that's why they implement exit policies which allow exits to ban port and IP ranges. Taking this philosophy to hidden services seems like the next natural step. After all, Tor volunteers are ultimately acting as human shields for other people's anonymous behaviour. Requiring them to shield everything just restricts the number of people who would be willing to donate bandwidth to general privacy but are not interested in enabling botnets.
Re: (Score:2)
Jay Maynard, collaborator anno 2014. There's a tree for you somewhere.
Re: (Score:2)
I think he has... ahem... balls [allvoices.com] to assert such a contrarian viewpoint on slashdot.
But, yeah, he's a loony reactionary. Just ignore him or laugh at him [youtube.com]. "Collaborator" is a bit too generous.
Re: (Score:2)
Why doesn't someone infiltrate the forums and out some of the fuckheads buying/selling this so someone can run some "extortionware/revengeware" on their piddly asses? Wouldn't it make great articles? Malware Ring Found Tortured Colombian Style with All Their Assets Missing.
It'd make a great hobby for some bored sociopath or open new Animal Friendly Hunting opportunities for those turned off by killing innocent animals for sport.
Name one person on the planet who would even care, besides their mothers. No? I
Antivirus (Score:4, Informative)
Not trying to blame the victim, but I wonder if antivirus or anti-malware software will detect these ransomware programs? Just asking. I guess firewalls might be able to detect the Tor server/connections.
All a firewall will see is encrypted traffic from the computer in the LAN (inside) initiating a connection to a random computer (IP address) on the Internet (outside interface). It's not able to see what is being sent/received, which is the entire reason for Tor's existence: protecting you from man-in-the-middle attacks, which in this case the firewall would be.
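The firewall cannot read the traffic, but it does see the destination address, and the relays an embedded Tor client contacts directly are published in the public Tor consensus. The following is an added example (not from the thread or from Kaspersky) of the matching logic a defender would run over outbound firewall logs; the log format, the relay addresses and the internal hosts are all constructed for the example.

```python
import ipaddress
import re

# Constructed stand-in for a Tor relay list. In practice this set is built from
# the published Tor consensus (downloaded from a directory authority or via the
# Tor Project's Onionoo service); these addresses are documentation ranges.
SAMPLE_TOR_RELAYS = {
    "198.51.100.10",
    "203.0.113.77",
    "192.0.2.200",
}

# Constructed outbound firewall log in a simple key=value layout (assumed format).
SAMPLE_FIREWALL_LOG = """\
2014-07-21T10:01:02Z action=allow src=10.0.0.15 dst=93.184.216.34 dport=443 proto=tcp bytes=5120
2014-07-21T10:01:05Z action=allow src=10.0.0.15 dst=198.51.100.10 dport=9001 proto=tcp bytes=40960
2014-07-21T10:01:09Z action=allow src=10.0.0.22 dst=203.0.113.77 dport=443 proto=tcp bytes=81920
2014-07-21T10:02:11Z action=allow src=10.0.0.15 dst=8.8.8.8 dport=53 proto=udp bytes=120
2014-07-21T10:02:30Z action=deny src=10.0.0.31 dst=192.0.2.200 dport=9001 proto=tcp bytes=0
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse the key=value lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["dport"] = int(e["dport"])
        e["bytes"] = int(e["bytes"])
        events.append(e)
    return events


def is_internal(ip):
    """True for RFC 1918 / private source addresses, i.e. hosts on our side."""
    return ipaddress.ip_address(ip).is_private


def find_tor_contacts(events, relays):
    """Outbound TCP flows whose destination is a known relay.

    Denied flows are kept too: a blocked attempt still tells you which
    internal host is trying to reach the Tor network.
    """
    hits = []
    for e in events:
        if e["proto"] != "tcp" or not is_internal(e["src"]):
            continue
        if e["dst"] in relays:
            hits.append((e["src"], e["dst"], e["dport"], e["action"]))
    return hits


def hosts_by_tor_contact(hits):
    """Group relay contacts by internal host so triage is per machine."""
    by_host = {}
    for src, dst, _dport, _action in hits:
        by_host.setdefault(src, []).append(dst)
    return by_host


if __name__ == "__main__":
    contacts = find_tor_contacts(parse_log(SAMPLE_FIREWALL_LOG), SAMPLE_TOR_RELAYS)
    for host, relays in hosts_by_tor_contact(contacts).items():
        print(f"{host} contacted Tor relays: {', '.join(relays)}")
```

This only catches direct relay contact; bridges and pluggable transports are not in the consensus, which is the gap the "Hiding bridges" comment further down describes.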
Corporate MITM (Score:1)
Which is more evil:
Telling employees "we block all encrypted traffic and snoop on everything else"
or telling them
"We MITM all encrypted traffic we can so we can snoop on it, we snoop on everything we can and block the rest"
or telling them
"we block all traffic except traffic to the few Internet resources we know you need, and oh by the way we snoop on that"
or telling them
"we don't think you need a computer to do your job, if you do need a computer to do your job then talk to your boss and he MAY give you the
Please do (Score:1)
I am seriously considering adding client-side resistance to the medical software I write, designed for use across the public Internet, because of people like you who collect data you have no business collecting.
Please do.
The only one of the examples I listed in the grandparent post [slashdot.org] that I plan on implementing are those in a role of a parent.
When I have a 6 year old kid who is using the Internet, no amount of "client-side resistance" that you add is going to stop me from seeing what's on the screen as I watch my kid use the computer.
Re: (Score:1)
1. Where is the list of all IP addresses coming from
2. Who is supposed to manage the white list, or the now very large ruleset in your large organization
3. Who is supposed to whitelist EVERY SINGLE IP address your computer talks to? Track the connections in your ASA, and you will discover that with phones, tablets, and regular users, a 50 man organization will connect to literally tens of thousands of IPs a day. It's unrealistic to whitelist IPs, especially when y
Hiding bridges (Score:1)
If counteracting the detection and blocking of bridge nodes becomes a problem - and it probably will as soon as the Chinese get good at it - someone will find a solution.
A resource-intensive solution would be to layer the TOR/bridge traffic on top of and steganographically embedded into some seemingly-normal traffic, such as an encrypted streaming video, so that a traffic analysis would say "it's probably just someone watching online TV."
Re: (Score:1)
All trojans/bots/ransomware are designed to circumvent antivirus. It is an arms war between viruses and anti-virus. At the moment the viruses are winning it :(.
And there is a nasty side effect: real, legit Tor usage will be detected as malware suspect by antivirus software. So if you have a "good" reason to use Tor you might have to disable anti-virus.
Re: Antivirus (Score:2)
So if I write an application for everyday users I get to pay/request to be added to the whitelist of every AV people use?
That probably won't kill independent software development.
Re: (Score:1)
Well it's a reactive business (hopefully) so that's to be expected.
Re: (Score:2)
The firewall - running locally - won't be worth shit, since the code already owns your computer at admin level and can change the firewall rules to whatever.
Much easier if the AV just detects the embedded Tor executable/process. Generally speaking the AV would detect this as it detects any other malware... the tricky part comes from the fact that it's harder to see where the actual command and control for the whole network is.
Re:Angler PC malware? (Score:5, Insightful)
How is it you managed to not once mention Microsoft Windows in that whole article? How does the Critroni ransomware get onto the victim's PC in the first place?
Most of this shit is installed by tricking the user with phishing-style emails and general social engineering to download attachments. Certainly zero day stuff is a goldmine for malware, but under-informed end users are much more consistently available. The stuff that crypto ransom software holds hostage is heavily concentrated in the user's home directory, so no privilege escalation is required. It is good to be proud of your operating system of choice, but it is smug to think that Linux/OSX/BSD/Solaris will do anything technical to protect from such an attack.
Re: (Score:2)
Most linux distros have software repositories, and when you only use them (no ppas) to install stuff, you are on the safe side. Windows store only includes metro apps. The lack of a proper software repository mechanism is nothing else than an invitation from microsoft to surf the web for software and download it from there. Another part of this problem is dice, which agrees to display "download here" ads on sourceforge, and google, which doesn't want to disable the "download here" ads.
Dice and Google make m
Re: (Score:2)
You're wrong. The Windows 8.1 app store does include traditional desktop apps. They're rare but the Adobe Reader XI is in the store.
Also, Microsoft can't very well force companies to only publish through their store...
Re: (Score:2)
I haven't reviewed the source code for every single application and update I install. Nor have my distro's packagers. And the software is compiled on some server I don't know, and the server is a single point of failure.
But still I trust this model more than randomly installing blobs from various websites.
When I randomly install software from my package repo no ads pop up from the taskbar, and I don't see CPU constantly at 100%. I haven't tried it with randomly downloaded Windows software from the Internet.
Re: Angler PC malware? (Score:2)
No need. I have this newfangled feature called "sources.list."
Re: (Score:2)
No need. I have this newfangled feature called "sources.list."
That file barely tells you where the repositories are. The main question still remains, where did the programs actually come from, who compiled them, and why do you trust any of the parties involved?
I trust the Ubuntu repositories much more than any app store, but the principle is similar... they could conceivably contain malicious code.
Re: (Score:2)
You do have a point, but I trust the Debian repos 100%. They are so behind that I figure if there was malware in them...someone would have said so by now.
I have yet to hear of a single case of this happening. Granted, that could just mean they are better at covering their tracks..
unpatched wetware (Score:2)
but under-informed end users are much more consistently available
Question: What's more common and arguably more dangerous than a Windows XP computer that hasn't received any OS updates in the last 2 months?
Answer: An "unpatched" (naive/uninformed) human operating the keyboard.
Make it embedded XP ... (Score:1)
There's a registry hack [pcworld.com] that I've applied to Windows XP and I'm getting security updates ...
Re: (Score:2)
And desktop linux is unfortunately less secure [mupuf.org] than windows to 0day attacks. I hope wayland fixes this through isolation and privilege separation.
Re: (Score:2)
No, not at all. What you are referring to is that the X server doesn't need uid 0 to run. But still there is, amongst others, the problem that every X application can keylog you: http://hamsterbaum.de/index.ph... [hamsterbaum.de]
And taking screenshots from the whole screen or faking user input (also for the whole screen) is also possible for every X application.
Re: (Score:2)
The ldpreload attack is not a problem of the compositor, but the configuration of apparmor or SELinux:
http://mupuf.org/blog/2014/02/... [mupuf.org]
http://blog.siphos.be/2011/04/... [siphos.be]
The transparent window attack doesn't work, does it? It seems that it is possible to make a transparent window, but then I doubt the events will be passed on onto the below applications. The keylogger would need to fake user input, which isn't possible AFAIK.
Re: (Score:2)
Not really
Java is easy to exploit and almost everyone has an obsolete version with dozens of exploits. Double bonus if the user is running XP as a local admin.
Re: (Score:2)
The problem is if you install Java 6 and early Java 7 it will install plugins for your browsers.
Visit a website and you are 0wned as it runs as full admin since javaw.exe runs as a freaking service with admin privileges! ... facepalm.
I think the old myth "do not click on ads" is 2004 knowledge. Unfortunately recent operating systems have terrible GUIs so many run older flavors like 7 and XP which do not have the same level of protections.
It pulls my hair out to see java 5 and the same users whine I AM INFECT
Re:Misconception (Score:2)
Once I imaged a computer and opened IE to go download Firefox and other apps and my webcam went on instantly! Ad appeared doing a fake AV scan all from msn.com since computer had 0 updates yet it was 0wned.
Had to reimage again.
XP users really are in trouble and you don't need social engineering. Just IE, no updates, reader, or Java. Scary stuff.
It is why I don't run ancient operating systems, updates, and never use a root or admin account.
Re: (Score:1, Informative)
Well unless you have configured your *nix box to automatically privilege and run windows executables somehow, using a real OS is probably sufficient to stop this attack.
Is it conceivable that a very similar attack could be written specifically for your OS of choice and do the same job? Yes, it's conceivable, that's right. But it's not in ev
Re: (Score:2)
Well unless you have configured your *nix box to automatically privilege and run windows executables somehow, using a real OS is probably sufficient to stop this attack.
You are trying to say that users needing to type chmod +x ./latest_flash_player_youtube.sh is sufficient protection to prevent end users from running things they shouldn't....
Ransomware is not prevalent in Linux, but again, it is absurdly naive to think that it couldn't, or that the OS is doing much to prevent it. Again, end user education is key, regardless of OS. Implying to under-informed users that OSX is magically secure against cryptoware, is a recipe for disaster.
Re: (Score:2)
Linux users are incredibly prideful and naive and feel invulnerable and will not believe you when you claim they are infected. The perfect demographic.
Ars Technica had something a few months back on Linux malware. It is easier to infect Linux users because they feel they are secure and do not run AV software, and many run outdated versions because they do not like GNOME 3.
Re: (Score:2)
Didn't take long for Windows hate to hijack this thread.
Re: (Score:1)
So, how does the Critroni ransomware get onto the victim’s Windows PC in the first place?
Firewalls that block suspicious activity (Score:2)
Time will come when firewalls inspect all outgoing packets and use heuristics to guess how dangerous encrypted traffic might be.
For example:
Re: (Score:2)
Yes it should be possible, if and when then cash it.
Re: (Score:2)
I guess your host file program is very superior (it uses 64 bit, that is very future-proof) and so on and so on, but even *if* the C&C servers were known, they could only be defeated if your host program were installed on the tor exit relays. As I guess most run linux, you should port your host program to linux, and encourage its installation on the tor mailing list. Tor doesn't use "normal" DNS -- it uses its own which is routed through the tor network also. The exit relays do the DNS request for you.
Re: (Score:2)
The C&C Servers are what is communicated back against (as well as serving up exploits payloads etc. @ times also & IF they don't? Blocking out the payloads servers does the job... which hosts CAN do) - IF/WHEN I block that, should it NOT be disabled for communication, even via TOR?
blocking C&C can at least stop the bad guys from integrating your computer into a botnet. correct me if I'm wrong, but hosts only changes the host file? The host file blocks a website only when the OS' DNS is used, but tor has its own DNS, not even using the usual DNS port, but tunneling everything through a https-like connection.
* Fill me in...
(As far as "porting" it to Linux? I've thought about it... wouldn't be hard - & I WISH Borland didn't KILL Kylix (was Delphi for Linux for the most part) - however - there IS FreePascal & it's "Lazarus" IDE, which is VERY CLOSE to the Delphi IDE, & from what I understand, an ALMOST clone of its compiler commandset too! Thus, it IS, doable...)
APK
P.S.=> See - I guess I don't *fully* understand TOR (as I don't use it myself, tried it once - TOO damned slow, just like anonymous proxies are, same idea iirc for the most part afaik - correct me IF I am wrong/off here too... I can stand to learn by it as I *admit* I do NOT "know it all" & can learn as much as the next guy since this field changes so fast & dynamically)
... apk
The first time I tried Tor it was also very slow, but after some years I tried again and now it's usually fast enough even for videos. Sometimes (seldom) a relay is slow,
Re: (Score:2)
That might be true if the application is using the OS-provided network stack, e.g. with DnsQuery [microsoft.com]. However, AFAIK nothing prevents an application from bringing its own DNS stack which queries external DNS, ignoring the hosts file. Does the OS block outgoing requests on port 53?
And, as I've said before, the DNS in Tor doesn't use the OS-provided DNS. It uses its own.
Blocking the C&C perhaps stops communication to the hq, but that doesn't help when the virus is written to first encrypt the HDD and then wait f
Re: (Score:2)
Blocking IPs using a hosts file... I'm sorry but I don't know of any way of doing this.
Even if it were possible, Tor uses no "rogue DNS" servers and does not use any DNS directly; the DNS is tunneled to the exit relay, which then makes the DNS request. Any block by any firewall or ISP DNS fails here -- not just DNS request blocks like the hosts file, but also IP level blocks. This is what Tor was invented for.
Re: (Score:2)
To bring this back to the original topic: you know what a command and control is? I hope so. My posts only have covered the time after the malware was already installed on the device. Not before. Of course you won't get the virus when you click a link "download here" which leads into nothingness. And yes, you are right, single IPs are easier to fight than DNS entries in remote countries, spread over the world. I just said that IPs cannot be blocked by a hosts file, and I say that it makes no sense to give a DNS ser
OK you CAN take down onion addresses (Score:2)
but no one wants to do that. Doing it would mean to be responsible for subsequent takedowns, and what is seen as illegal in one country may be the opposite in another country, and you would need to establish a system for takedown, which can be misused for censorship.
Backups (Score:2)
Re: (Score:2)
I wonder how many generations of ransomware we will see before backups come back into "style". It used to be in the '90s that people actively did some type of backups, and even PCs shipped with some form of tape drive. Then disks got cheap, and offsite storage became viable, so backups were not done, or if done, were just kicked to the cloud.
Any backup is better than none, but I wouldn't be surprised if the next generation of ransomware would either encrypt files slowly (but use a shim driver to decrypt s
Re: (Score:2)
As so often, the solution is called "Backup".
Also, you could avoid storing your documents in the "My Documents" folder: make a folder on your C drive and store your docs, pics & important stuff in that. So if you do get crypto-ransomed they will have done the wrong files.
Re: (Score:2)
As so often, the solution is called "Backup".
Also, you could avoid storing your documents in the "My Documents" folder: make a folder on your C drive and store your docs, pics & important stuff in that. So if you do get crypto-ransomed they will have done the wrong files.
That will only take you so far. With so many programs defaulting to the My Documents folder, it'd be annoying at best to have to point to c:\realdocs "because viruses". The user could point the "My Documents" folder to c:\realdocs, but now we're in the same boat again. Even if a user decided it was worth the hassle to deprecate the use of the system variable, c:\realdocs would still be accessible by the same user. From Windows' security standpoint, there's no difference between the user being attacked by ra