The first Linux ransomware stumbles: weak encryption can be broken - vulnerability warning - The Black Bar Safety Net

ID MYHACK58:62201569092
Type myhack58
Reporter Anonymous
Modified 2015-11-17T00:00:00


Windows has had ransomware for a long time; now Linux has it too. Linux.Encoder.1 is the first Linux ransomware, and its behaviour is very similar to infamous Trojans such as CryptoWall and TorLocker. In the cases seen so far, the attackers exploited vulnerabilities in the popular Magento content management system to run Linux.Encoder.1 on the victim's Linux machine. Once it executes successfully, the Trojan walks the files under /home, /root and /var/lib/mysql and tries to encrypt their contents. Like Windows ransomware, it encrypts the file contents with AES, a symmetric key algorithm, which keeps system resource usage low while it runs. The AES key is then encrypted with RSA, an asymmetric algorithm, together with the AES initialization vector used for the file. Once these files are encrypted, the Trojan tries to spread from the system root directory, skipping system files so that the operating system still boots afterwards. At this point the attacker can be sure that, until the victim pays, there is no way to obtain the RSA private key and decrypt the AES-encrypted files. This encryption Trojan, however, has a huge flaw, and Bitdefender researchers used it to decrypt the AES-encrypted files without the RSA private key.

Encryption primer

In 2015 most crypto-ransomware Trojans use a hybrid encryption scheme to hold valuable files hostage. To encrypt large amounts of data quickly and efficiently, these Trojans use the Advanced Encryption Standard (AES). To avoid the encryption key being captured while it travels between the server and the infected host, the attackers combine AES with RSA. The RSA key pair is typically generated on the attacker's server, and only the public key is sent to the infected host. Because RSA consumes a lot of system resources when encrypting large amounts of data, the public key is used to encrypt only a small piece of important information: the AES key generated locally. The RSA-encrypted AES key is stored with the encrypted file along with the original file permissions and the AES initialization vector.

Million-dollar vulnerability

As mentioned above, the most critical item, the AES key, is generated locally on the infected machine. Our reverse-engineering lab therefore studied a Linux.Encoder.1 sample to find out how the key and initialization vector are generated. We found that it does not use a secure random source for the key and IV; instead it uses the libc rand() function seeded with the current system timestamp at the moment of encryption. That timestamp is easy to recover from the file's own timestamps. Through this flaw, the AES key can be obtained without any help from the attacker's RSA key.

Automatic decryption tool released

Bitdefender is the first vendor to publish a decryption tool, and it automatically restores all hijacked, encrypted files. The tool analyses the files, detects the initialization vector and the AES key, decrypts the files and finally restores their permissions. If your system can still boot, download the script and run it as root. The data recovery steps are:

1. Download the script from the Bitdefender Labs website. (The ransomware may also have affected some system files, so you may need to boot from a live CD, or mount the affected partition from another machine.)
2. Mount the encrypted partition, which below is assumed to be /dev/encrypted_partition.
3. Generate the list of encrypted files with the following command:
   /mnt # sort_files.sh encrypted_partition > sorted_list
   Get the first file name:
   /mnt # head -1 sorted_list
   Run the decryption script to obtain the decryption information:
   /mnt # python decrypter.py -f [first_file]
   Then decrypt the files:
   /mnt # python /tmp/new/decrypter.py -s [timestamp] -l sorted_list

Since this work is fairly complex, we offer users FREE help. You can ask questions through the comment form and we will try to answer them.

For most ransomware authors the way keys are generated is extremely important, and a blunder like the one above is actually not very common. To prevent reinfection, please note the following:

1. Do not run untrusted applications as root; they can damage your machine and data.
2. Remember to back up the system frequently. If your computer has been hit by ransomware, the best solution is to reinstall the system. Keep in mind that money tempts attackers to write these Trojans and to improve them gradually over time; if they earn less and less, they will not spend much more effort on updating the Trojan.
3. If your Linux device sits on an internal network, consider applying a security hardening programme to it.
4. Patch your web applications as often as possible to prevent CMS remote code execution vulnerabilities.

The decryption tool was developed by cryptography expert Radu Caragea. We also thank Bitdefender anti-virus experts Codrut Marinescu, Razvan Benchea, Cristina Vatamanu and Alexandru Maximciuc for their research contributions.

Subsequent updates

In certain special cases the decryption tool will not work. After investigation, we found that some victims' file systems were infected again after the files had been decrypted. This means that some files were encrypted with one key while other files were encrypted with a different set of keys. In that situation, race conditions also leave some files completely corrupted (their contents truncated to zero), and in some cases even the ransomware itself gets encrypted.
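As an added illustration of the flaw described under "Million-dollar vulnerability" (this is not code from the article or from Bitdefender's tool): the key and IV are a pure function of a libc rand() seed taken from the clock, so a file's timestamp narrows the search to a handful of seconds. glibc_rand follows the published description of glibc's generator; derive_key_iv, its low-byte extraction, the decrypt-and-check oracle stand-in and the timestamp 1447200000 are assumptions of this demo.

```python
def glibc_rand(seed):
    """glibc rand() (TYPE_3 additive feedback generator, per Peter Selinger's
    description). Yields what rand() returns after srand(seed); assumes
    0 <= seed < 2**31, which holds for 2015 Unix timestamps."""
    seed = seed & 0xffffffff or 1           # glibc maps seed 0 to 1
    r = [0] * 344
    r[0] = seed
    for i in range(1, 31):                  # Lehmer LCG fills the initial state
        r[i] = (16807 * r[i - 1]) % 2147483647
    for i in range(31, 34):
        r[i] = r[i - 31]
    for i in range(34, 344):                # glibc discards the first 310 outputs
        r[i] = (r[i - 31] + r[i - 3]) & 0xffffffff
    i = 344
    while True:
        r.append((r[i - 31] + r[i - 3]) & 0xffffffff)
        yield r[i] >> 1
        i += 1

def derive_key_iv(seed):
    """The flawed keying the article describes: srand(timestamp), rand() per
    byte. Taking each output's low byte is this demo's assumption."""
    rng = glibc_rand(seed)
    material = bytes(next(rng) & 0xff for _ in range(32))
    return material[:16], material[16:]     # AES-128 key, 16-byte IV

def recover_seed(mtime, window, key_is_valid):
    """Try each second around the encrypted file's mtime as the seed; return
    (seed, key, iv) for the first candidate the oracle accepts. The oracle is
    what a real tool checks, e.g. the first decrypted block looks like a file
    header. Candidate space: 2*window+1 seeds instead of 2**128 keys."""
    for seed in range(int(mtime) - window, int(mtime) + window + 1):
        key, iv = derive_key_iv(seed)
        if key_is_valid(key, iv):
            return seed, key, iv
    return None

def demo():
    """Constructed scenario: a file encrypted at a made-up 2015 timestamp."""
    encryption_time = 1447200000            # 2015-11-11 UTC, constructed value
    real_key, real_iv = derive_key_iv(encryption_time)
    # The file is written right after keying, so the mtime that sort_files.sh
    # or os.stat() reports lies within seconds of the seed.
    observed_mtime = encryption_time + 2
    # Stand-in oracle; a real tool would decrypt and check instead.
    found = recover_seed(observed_mtime, 60,
                         lambda k, iv: (k, iv) == (real_key, real_iv))
    return found is not None and found[0] == encryption_time
```

The lesson for defenders is the same one Bitdefender exploited: a 128-bit AES key derived from a non-cryptographic generator seeded with the clock carries only as much entropy as the attacker's guess of the time, which the filesystem records for free.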