A “charitable” ransomware

This is not a joke. Heimdal Security disclosed a new variant of ransomware combining CryptoWall 4 and CryptXXX. It has all the usual components of ransomware. The ransom itself is high: five bitcoins (about $2,200). Usually, ransoms are around $500.

In addition to the exceptional price, the ransomware adds some social engineering tricks. On the ransom screen, you will find: “Your money will be spent for the children charity. So that is mean that You will get a participation in this process too. Many children will receive presents and medical help!

And We trust that you are kind and honest person! Thank You very much! We wish You all the best! Your name will be in the main donors list and will stay in the charity history!”

So do not hesitate to pay; it is for the kiddies.

Moreover, there is an additional benefit.

“Also You will have a FREE tech support for solving any PC troubles for 3 years!”

Trust us.

Remember the best practices for avoiding ransomware:

  • Back up your computer(s) regularly. Use a physical, air-gapped backup rather than a cloud-based one (unless it is disconnected); a new generation of ransomware also encrypts remote or cloud-based servers.
  • Do not get infected: do not click on suspicious attachments or links in emails, and avoid ‘suspicious’ websites.
  • Protect your computer(s): keep the OS and antivirus up to date.

Lessons from RSA hack

It is now six months since RSA suffered the hack that compromised SecurID. RSA had a positive attitude regarding the hack, providing some details and good visibility. Thus, we can learn many things from it.

We now know how RSA was penetrated. It was through a targeted email carrying an Excel file. The Excel file had a Flash object embedded inside. The object, using a zero-day vulnerability, installed the Poison Ivy backdoor. For more details, see F-Secure’s analysis. The attackers used the backdoor to get access to the sensitive data needed to break SecurID. The mail was addressed to four members of RSA, hence a targeted attack. Once SecurID was compromised, the attackers could access Lockheed Martin.

This is the first publicly known instance of an Advanced Persistent Threat (APT). This corresponds to an extremely targeted attack that works stealthily and slowly in order not to be detected, and is performed by extremely skilled attackers. Until now, it was reserved to warfare. As the final target was Lockheed Martin, we may believe that it was a high-profile attack. They used a zero-day exploit which passed under the radar of every antivirus scanner.

RSA and Kaspersky Labs presented an interesting analysis of the attack.

What can we conclude?

  • Perimeter defense is no longer sufficient, at least in a professional environment. Skilled hackers will try to attack from inside. We need new tools to detect suspect behaviour within the enterprise network. For instance, an alert should be triggered when a device communicates with “exotic” IP addresses. Unfortunately, such tools will be more complex to administer and will probably need more manual monitoring.
  • Targeted attacks will be used more and more against industrial targets. Security awareness will become key. People must also be aware of business intelligence; it is a reality that is too often downplayed.
  • I will rant against all this software that is used for purposes other than the initial ones. How often have I seen Excel used for things other than calculating! For instance, to display tables of text. As a result, software editors add new features. Why should we have to add Flash objects to a calculation? In security, KISS (Keep It Simple & Stupid) is a golden rule. The more features, the more potential vulnerabilities.
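As an added illustration of the “exotic IP address” alert mentioned in the first conclusion above (my own example, not code from the post, RSA or Kaspersky), here is a small detector run over constructed connection records. The hosts, addresses and expected network ranges are all made up; it also adds a second heuristic, flagging the regular polling interval typical of a backdoor calling home.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound connection records: time, source host, destination IP, port.
# Hosts and addresses are invented (documentation ranges), not taken from the RSA incident.
SAMPLE_LOG = """\
2011-08-01T09:00:00 ws-finance-12 10.0.0.5 445
2011-08-01T09:00:05 ws-finance-12 198.51.100.20 443
2011-08-01T09:00:07 ws-finance-12 203.0.113.99 8080
2011-08-01T09:00:10 ws-hr-03 203.0.113.7 443
2011-08-01T09:05:10 ws-hr-03 203.0.113.7 443
2011-08-01T09:10:10 ws-hr-03 203.0.113.7 443
2011-08-01T09:15:10 ws-hr-03 203.0.113.7 443
"""

# Destinations the enterprise expects its workstations to reach (constructed): the internal
# network and the public range of its service providers. Anything else is "exotic".
EXPECTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "198.51.100.0/24")]

def parse_log(text):
    records = []
    for line in text.splitlines():
        ts, host, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), host, ipaddress.ip_address(dst), int(port)))
    return records

def is_exotic(dst):
    return not any(dst in net for net in EXPECTED_NETWORKS)

def exotic_alerts(records):
    """One alert per (host, destination) pair whose destination is outside the expected set."""
    return sorted({(host, str(dst)) for _, host, dst, _ in records if is_exotic(dst)})

def beacon_alerts(records, min_hits=4, tolerance_s=2):
    """Flag pairs that connect at a near-constant interval, the pattern of a backdoor
    polling its controller. Returns (host, destination, interval in seconds)."""
    times = defaultdict(list)
    for ts, host, dst, _ in records:
        times[(host, str(dst))].append(ts)
    alerts = []
    for (host, dst), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            alerts.append((host, dst, round(sum(gaps) / len(gaps))))
    return alerts
```

In practice the expected-network list comes from the organisation’s own asset and vendor inventory, and the beacon check needs a longer window than these seven records to avoid flagging legitimate periodic traffic.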
Lenovo distribution with virus

On a regular basis, the security newsletter reports devices that are distributed with viruses. That CE devices are not security aware can be understood (although not excused). But when a serious PC company delivers some software packages with malware in them, this is not acceptable. This is what happened to Lenovo with their Lenovo Trust Key software for Windows XP. (A trust key with malware! Law 4, trust no one, is really true.)
It would be interesting to learn when the malware infected the package. Nevertheless, it highlights that the package was not thoroughly tested before signature.
This must be the fear of any product line manager: shipping infected software to the customers. The remedy is known: scan every package with as many antivirus products as possible before signing it. This of course requires some financial investment (low compared to the cost in reputation) and some time investment. The databases of each antivirus product have of course to be up to date. The remedy is so simple.
This highlights the need for security awareness at every level of an organization. Security is no stronger than its weakest link.

Adobe fake flash player

A new worm seems to use social engineering to install malware. The worm asks the user to load a newer version of Adobe Flash Player and of course provides a link to this upgrade. The upgrade is in fact a fake one carrying real malware. The social engineering part is nicely done because it uses one of the most widely available pieces of software in the world (Adobe Flash Player), and nobody knows when an upgrade is available. Today, it is extremely common to upgrade installed software.

Adobe proposes the following remedies:

  • Download upgrades and installers only from the adobe.com site.
  • Verify that the installer is signed with a certificate belonging to Adobe.

The two remedies are very good ones that should be generalized to every installation. They do have some limits, though:

  • It is rather common to download installers from many sites that are not the sites of the developing team. It is less convenient to search for the issuer’s site than to take the first site offering it. For instance, Adobe Flash Player is available in many places. I tried a search on Google France. Fortunately, the first site proposed was adobe.com. But I found many other ones. Should I trust them?
  • How many people are able to analyze a digital certificate? Furthermore, some very respectable companies use expired certificates, or certificates chaining to an unknown root certificate.

Once more, we end up with the need to educate users. A lot of work to do here.

Malware in mails

We are used to the typical malware hosted in mails. They are often based on basic human instincts such as lust or greed. How often are we offered pictures of nude artists? By the way, this could be an excellent way to decide who is believed to be the sexiest woman in the world: measure their occurrence in the malware mails. Normally, you should only use the most attractive ones. Judging by my junk mail, it seems that Angelina Jolie has been leading these last weeks.

Often these mails are so rudimentary that they may be spotted even by unaware people. Wrong spelling and weak grammar are often a good signature. Nevertheless, I received an interesting one that was better crafted than the usual ones. That is why I looked at it rather than deleting it immediately. It was titled “customs, please read”. Here is the text:

Good day,

We have received a parcel for you, sent from France on July 9. Please fill out the customs declaration attached to this message and send it to us by mail or fax. The address and the fax number are at the bottom of the declaration form.

Kind regards,
Frederick Shepard
Your Customs Service

Of course, the attached file contained a Trojan named BKDR_AGENT.SHH. This Trojan has been known for more than a year and is detected by antivirus products. Nevertheless, from the social engineering point of view, it was a nice piece:

  • It presents itself as coming from customs. Customs are official entities, thus in theory trusted. You are always careful with customs.
  • The address and the fax number were supposed to be in the attached declaration form. Thus, you would have to open it, and trigger the malware.
  • The sender address was customs_service@bluejeanc.com.tr. It looks very official. The “blue jean” part leads one to believe that it is a retail site (this is not the case).

There is still one error. I am located in France. So why should a parcel sent from France need any customs clearance? The malware writers still have some effort to make. But they are progressing.

Ransomware virus (3)

Kaspersky Labs has given up its unrealistic attempt to guess the key used by Gpcode (see the blog entry from 10 June). Its conclusion is that the best countermeasure is regular backup.

Nevertheless, thanks to a “common” mistake of the virus’s author, there may be some hope for careless users who did not back up. When encrypting a file, the virus creates a new file that it renames with the expected extension, and then deletes the original file. The deletion is not secure. It is common knowledge (at least in the security community) that a simple deletion does not erase the file. It mainly erases the entries in the file system’s indexing tables. Thus, the data stay on the hard disk as long as they are not overwritten by a new file. If there was not too much activity on the hard drive, typical recovery tools may retrieve the “deleted” files. Kaspersky Labs proposes such a tool from the open source community.

No doubt the author of the virus will add secure deletion in the already announced new releases of Gpcode. The author claims that he will use a stronger algorithm and new keys. Secure deletion is performed by overwriting every byte of the file to be deleted with random data several times before removing it. Tools exist that perform such secure erasing.

Two lessons:

  • Back up, back up, and back up.
  • Developers, if you want to delete a file, use a secure procedure.
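To show the difference between the plain deletion Gpcode used and the secure procedure the second lesson asks for, here is an added example of my own (not code from the post, from Kaspersky or from any secure-erase tool): it overwrites every byte of a file with random data for several passes, forces each pass to disk, renames the file so the original name does not linger in the directory entry either, and only then unlinks it. The sample document is constructed.

```python
import os
import tempfile

CHUNK = 1 << 16

def overwrite_in_place(path, passes=3):
    """Overwrite every byte of the file at `path` with random data, `passes` times,
    forcing each pass to disk. Returns the number of bytes overwritten per pass.
    Caveat: this only reaches the original blocks on file systems that rewrite data in
    place; SSD wear levelling, copy-on-write and journaling can keep old copies around."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size

def secure_delete(path, passes=3):
    """Overwrite the contents, then rename to a random name before unlinking so that the
    directory entry left behind by the unlink no longer reveals the original file name."""
    size = overwrite_in_place(path, passes)
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, os.urandom(8).hex())
    os.rename(path, anonymous)
    os.remove(anonymous)
    return size

def demo():
    """Constructed input: a document that a plain delete (as in Gpcode) would leave recoverable.
    Returns (plaintext still present after overwrite, file still exists after secure delete)."""
    secret = b"quarterly figures: confidential\n" * 100
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    overwrite_in_place(path)
    with open(path, "rb") as f:
        after = f.read()
    still_there = secret[:32] in after
    secure_delete(path)
    return still_there, os.path.exists(path)
```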

Ransoming virus (2)

The story continues.

Diving a little deeper into the available information: Gpcode actually uses RSA-1024. Kaspersky Labs has extracted the public keys. The virus uses two public keys, depending on the version of the operating system. The virus calls the Microsoft cryptographic library.

Having the public key is useless. Kaspersky Labs is calling for the help of the crypto community to crack the private key. In other words, they are launching their own RSA-1024 challenge (see the RSA number challenges, which apply only to factorization). This is illusory. It would require too much computing power (otherwise it would have been decided that RSA-1024 is no longer safe). And there are two keys to crack!

The only effective countermeasure against Gpcode is to back up your data.

Thanks, Alain, for the link to the blog.