Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Security Linux

Linux Ransomware Has Predictable Key, Automated Decryption Tool Released (csoonline.com) 78

itwbennett writes: Last week a new piece of ransomware was discovered that targets Linux servers. Yesterday, researchers at Bitdefender discovered a critical flaw in how the ransomware (dubbed Linux.Encoder.1) operates while testing a sample in their lab and released a free tool that will automatically decrypt any files on a victim's system that were targeted.
This discussion has been archived. No new comments can be posted.

Linux Ransomware Has Predictable Key, Automated Decryption Tool Released

Comments Filter:
  • Linux.Encoder.2 (Score:4, Insightful)

    by bloodhawk ( 813939 ) on Wednesday November 11, 2015 @08:39PM (#50912117)
    soo Linux.Encoder.2 out soon?
  • by Anonymous Coward

    I'm still waiting to hear how this thing gets on servers in the first place.

    • by grahamsz ( 150076 ) on Thursday November 12, 2015 @01:32AM (#50913163) Homepage Journal

      I had a server hit by this a few weeks ago. Got the same ransom message shown there. I'm fairly sure it didn't require root, in fact it only encrypted files that were writable by www-data and not the handful in /var/www that were owned by root. The README_FOR_DECRYPT.txt file that was left in every directory was also owned by www-data.

      I'm not sure what was posted in, but the infection mechanism appears to be this single request

      46.160.xxx.xxx - - [19/Oct/2015:05:14:06 -0400] "POST /wp-content/include.php HTTP/1.0" 404 135395 "-" "Mozilla/5.0 (Windows NT 6.1; rv:10.0.1) Gecko/20100101 Firefox/10.0.1"

      I'm still not really sure how that caused an infection, but i'm guessing it exploited something in the wordpress 404 handler? I don't see any other request from that IP and the server load spiked right after that as the files starting being encrypted.

      • I think the 404 doesn't necessarily mean something is wrong with the WP 404 handler. It could have been generated by the malware itself with <?php header("HTTP/1.1 404 Not Found"); ?> Seeing a 404 in the logs will probably make a lot of victims believe that line was not related to the intrusion.

        • I no longer have the damaged machine, but i'm pretty sure there wasn't a php file available called wp-content/include.php but mod_rewrite ends up catching that and routing the request into the main wordpress scirpt.

          Still it's good subterfuge, and my first instinct was to discount it.

          Wish I had that post body logged somewhere, would be really interested to see what came in

  • by nickweller ( 4108905 ) on Wednesday November 11, 2015 @09:00PM (#50912225)
    "Typically, the malware is injected into Web sites via known vulnerabilities in site plugins or third-party software — such as shopping cart programs. ref [krebsonsecurity.com]

    "Once launched with administrator privileges, the Trojan loads into the memory of its process files containing cybercriminals' demands:" ref [drweb.com]
    • I don't know how easy it is to get administrator privileges under Windows now (I don't use it any more.) but I'm sure most of us can remember when most Windows users either ran as Administrator or automatically granted those privileges to any program that asked. It's never been that easy under Linux, simply because very few users have ever felt the need to run as root unless they needed to. Of course, there are always going to be those who grant root access to any Linux programs that ask, but just keeping
      • by cdrudge ( 68377 )

        I don't know how easy it is to get administrator privileges under Windows now

        If the user has the privileges of Administrator, a UAC pop up window shows and asks the user if they want to allow the program admin access. If the user doesn't have privileges, it asks for the admin password to temporarily gain privileges.

        So you're warned, but most users probably are the admin user so it's pretty common that people just click through it granting permission.

      • very few users have ever felt the need to run as root unless they needed to.

        So, no need unless there is need?


        Heh. You made perfect sense. I just thought the wording was humorous :).

    • How does it get admin?

      • by gl4ss ( 559668 )

        apparently it doesn't. it just does what it can as whatever you have wordpress set up as.

        of course, next version could have it try any number of elevate to root exploits available - or simply lay dormant until some maintanence that requires root is done with the wp install.

    • So basically linux is completely secure from this. The ONLY time I use root to install something is when it comes out of a repository and is intended to be system wide. If anything is ever downloaded it gets installed at a user level. Seriously who the fuck would give admin rights to a random piece of software in Linux? There simply isn't any need.

      It's not like windows where you get a pop-up asking for admin rights press ok and that appears for every bloody damn piece of software under the sun.

      • Linux yes, Linux webservers with usual use cases no.

  • This is a C program that when run as root does bad things. Which is totally unexpected result compared to what any other C (or python or perl or bash or lisp) program that does bad things can do when run as root (or just having bad person logged in as root could do)

    Yeah.

    I swear "security experts" and "antivirus companies" are pandering to morons to justify their existence.

  • Mistaking rand(3) as a source of randomness is freshman mistake. Did the malware author skip C language 101 course?
    • Almost as bad as using the Spaceballs luggage password...
    • At least in my "C 101" class they said using rand() is good enough.
      For this class.
      I didn't know better than srand(time(NULL)) until the course in cryptography. Perhaps this just means my university wasn't "world class" :(

      • by urdak ( 457938 )

        At least in my "C 101" class they said using rand() is good enough.
        For this class.
        I didn't know better than srand(time(NULL)) until the course in cryptography. Perhaps this just means my university wasn't "world class" :(

        I guess you needed to also take the "advanced cryptography" course, where they would teach you that if you use stand(time(NULL)) and then make the time at that moment easily guessable (e.g., by leaving behind a file created at the exact same time), your supposedly-unguessable seed becomes easily guessable...

      • At least in my "C 101" class they said using rand() is good enough.

        Good enough for what?

  • Also, does this fix needs "Administrator" rights to run ?

  • This just goes to show that getting cryptography right can be just as hard for the bad guys as the good guys. There are so many ways to get it wrong. Just ask Bruce: https://www.schneier.com/essay... [schneier.com]
  • I heard about one over the last week or so that encrypts home folders then throws away the key with the expectation that a skeleton key would do to decrypt once the ransom is paid... something about the author then either lost or trashed the skeleton key, so any systems which got crunched had to be scuttled - no way to retrieve the home folder whatsoever absent backups.

  • It was based on srand(time(0)) ?

  • It always contains bugs.
  • 1) Install Ransomware
    2) Profit!
    3) Do gooders release tool to remove Ransomeware

    Darn do gooders are ruining my business model!
  • by hawk ( 1151 )

    Watch now for the litigation for this horrendous DMCA violation, which ruined the business model of the pirates^H^H^H^H^H^H^H entrepreneurs . . .

    hawk

"Don't tell me I'm burning the candle at both ends -- tell me where to get more wax!!"

Working...