There’s a new crypto-ransomware scheme currently in the wild targeting Linux-based systems. The folks at Dr.Web call it “Linux.Encoder.1”. Basically, instead of setting up phishing sites or exploit-kit redirects on vulnerable web servers, the Linux.Encoder.1 extortionists are targeting the web-server owners directly by encrypting their content.
As a consequence, Google is indexing numerous victims.
Here’s a copy of the extortion note via Google’s cache.
“Can I pay another currency?”
So, hopefully victims of Linux.Encoder.1 have backups… or else they’ll be forced to acquire a Bitcoin. No word yet on whether or not the extortionists will honor payment with an actual decryption key. And their Tor hidden service is currently offline. Which is less than promising.
Edited To Add:
Daavid Hentunen, a researcher on our Threat Intelligence team, estimates the extortionists have made €11934 in 1 month.
This is what was shown to visitors of websites that used this PageFair service:
To give you a feel of how popular PageFair is, at least in terms of our user base, we pulled hit statistics and found that it is ranked 293rd for the past 14 days. That’s higher than flickr.com (295), spotify.com (399), steampowered.com (406) and paypal.com (413). So this domain is quite a celebrity, which explains the spike that we saw during the breach.
During that time, we saw the malicious adobe_flashplayer_7.exe (6ad0393f506bc6e0a84f1325b3d75cca019c21bc) downloaded from these locations:
The malware served from these links is a RAT called NanoCore. NanoCore is extended with plugins, including ones for networking, for dealing with security products, and for surveillance.
The C&C of the particular malware sample related to the PageFair compromise was alotpro2.dynu.com (184.108.40.206).
Users that had our product enabled were protected against this threat at the time of the compromise through the detection Trojan:W32/Golroted.6ad0393f50!Online.
For more information about the PageFair breach and the status, you may read more about it from this link.
“Payment is made successfully.”
This is CryptoWall’s Decrypter Service after ransom has been paid.
And this (decrypt.zip) is what you get for your
It’s really not much to look at. But without a copy of your keys… you’ll never decrypt your files.
Which is probably why the FBI says:
Don’t want to find yourself needing to follow the FBI’s advice?
Then do this:
First, let’s take a look at SLocker versus Lollipop.
Malvertising is typically used to bait men (yeah, probably just men) into downloading an app called “Porn Droid”.
Typically all-too-common sorts of overreaching permissions are requested.
So that’s a small social engineering barrier at best.
If you have a good security app installed, you’ll see something such as this.
But if you don’t, and open the app, this is the prompt you’ll receive.
That “Continue” button? It’s obfuscating a request for device administrator permissions. (A very big flaw, indeed.) And if you click to continue, SLocker will use its newly acquired admin privileges to launch its extortion scheme.
The FBI apparently accepts “PayPal My Cash” to pay the
In its effort to intimidate the victim, SLocker takes a photo with the front-facing camera.
This example is pointed towards the ceiling above Zimry’s desk.
And a PRISM logo is thrown in for good measure.
It’s worth mentioning at this point that it seems surprisingly easy to grant administrator rights to Android applications. Apple’s iOS requires a passcode for setting up something as basic as a VPN. But Android only requires a simple “yes” to a prompt for administrator rights.
A good computer security practice is to run as “user” from a restricted profile which limits installations. Applications seeking administrator rights then need to be installed from the “admin” profile and require a passcode. So we attempted to configure a restricted profile for ordinary use but found it difficult to manage. Android’s restricted profiles are designed for, and focus on, parental control and tablets. Setting up an additional profile on our test phone didn’t really result in the sort of device management we wanted. It only created an additional profile, not a restricted one.
By comparison, Apple’s iOS Restrictions are much more useful even for the primary device user.
How does Android Marshmallow fare against SLocker?
Good news! SLocker’s “continue” obfuscation fails on a phone running Marshmallow, so you’ll see just what giving administrator rights entails. It’s bad. The power to erase all data, to change the screen lock, and to set storage encryption. In other words, if you give SLocker administrator rights… you’re done. If the phone’s data isn’t backed up, there’s no getting it back other than giving in to the extortionists.
But then the bad news: Android Marshmallow was released on October 5th and isn’t yet prevalent. So SLocker likely has a viable attack vector for quite some time to come.
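As an added example (not code from this post, from F-Secure, or from SLocker), here is how an app can enumerate the device administrators active on a phone and report which of the policies listed above each one actually holds. The `DeviceAdminAudit` class and its `Finding` type are my own names; `DevicePolicyManager`, `DeviceAdminInfo` and `getActiveAdmins()`/`hasGrantedPolicy()` are Android’s own APIs. An admin declares the policies it wants in the `<uses-policies>` block of its `res/xml/device_admin.xml`, and `hasGrantedPolicy()` tells you which of those it received when the user tapped through the prompt.

```java
// Added example (not from the original post): list active device admins and flag
// those granted the policies a locker needs. Class and field names are hypothetical;
// the android.app.admin APIs are real.
import android.app.admin.DeviceAdminInfo;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;

import java.util.ArrayList;
import java.util.List;

public final class DeviceAdminAudit {

    /** One finding per active admin: the dangerous policies it has been granted. */
    public static final class Finding {
        public final ComponentName admin;
        public final List<String> dangerousPolicies = new ArrayList<>();

        Finding(ComponentName admin) {
            this.admin = admin;
        }

        public boolean isDangerous() {
            return !dangerousPolicies.isEmpty();
        }
    }

    // The policies the post warns about: wipe, change the screen lock, force lock,
    // storage encryption. Constants come from DeviceAdminInfo.
    private static final int[] POLICY_IDS = {
        DeviceAdminInfo.USES_POLICY_WIPE_DATA,
        DeviceAdminInfo.USES_POLICY_RESET_PASSWORD,
        DeviceAdminInfo.USES_POLICY_FORCE_LOCK,
        DeviceAdminInfo.USES_POLICY_ENCRYPTED_STORAGE,
    };
    private static final String[] POLICY_NAMES = {
        "wipe-data", "reset-password", "force-lock", "encrypted-storage",
    };

    /** Enumerates active admins for the calling user; no special permission is needed. */
    public static List<Finding> audit(Context ctx) {
        DevicePolicyManager dpm =
            (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        List<Finding> findings = new ArrayList<>();

        // getActiveAdmins() returns null, not an empty list, when no admin is active.
        List<ComponentName> admins = dpm.getActiveAdmins();
        if (admins == null) {
            return findings;
        }

        for (ComponentName admin : admins) {
            Finding f = new Finding(admin);
            for (int i = 0; i < POLICY_IDS.length; i++) {
                // True only if the admin both declared the policy in device_admin.xml
                // and was activated by the user (or a device owner) with it.
                if (dpm.hasGrantedPolicy(admin, POLICY_IDS[i])) {
                    f.dangerousPolicies.add(POLICY_NAMES[i]);
                }
            }
            findings.add(f);
        }
        return findings;
    }

    /** Human-readable report, one line per admin. */
    public static String report(List<Finding> findings) {
        StringBuilder sb = new StringBuilder();
        for (Finding f : findings) {
            sb.append(f.admin.flattenToShortString())
              .append(f.isDangerous() ? " DANGEROUS " + f.dangerousPolicies : " (benign policies only)")
              .append('\n');
        }
        return sb.toString();
    }
}
```

An entry holding `wipe-data` and `reset-password` that you don’t recognize is exactly the SLocker situation. A package cannot be uninstalled while it is an active administrator, so the way out is Settings > Security > Device administrators, deactivating the admin first and then uninstalling the app; an app can only remove its own admin via `removeActiveAdmin()`, not someone else’s.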
Sample hashes (SHA-1):
0f25cefa85a0822a08ad23caca24a622fbf4aef0
12dc90592c1945fe647d04902b2707e756e88037
25311dfbc4961a661494a2767d2fb74c532539cc
68e7879074b9e2635d895616d4862383fe5960db
84b541957d7e42b4b7d95763fb48d03fcca21ffd
c0784e974da5b7e82e9921763f957e1f3ec024e7
Analysis of Trojan:Android/Slocker.BJ provided by Zimry Ong.
The UK National Crime Agency together with the FBI and the US Department of Justice recently filed charges against the author of Bugat/Cridex/Dridex. Andrey Ghinkul was arrested on August 28, 2015 in Cyprus and the US is now seeking his extradition. Dridex has reportedly caused multi-million dollar losses to financial institutions and businesses globally.
Dridex is known to propagate via Microsoft Word documents which pretend to be legitimate but contain malicious macro code. These macros will eventually download an executable from its C&C and/or a compromised website. F-Secure has generic detection (Trojan:W97M/MaliciousMacro.GEN) that specifically looks for malicious macros inside Office document files.
As the authorities clean up the Dridex botnet, the effect is visible in our back-end statistics: a spike in detections for malicious macros.
F-Secure customers are protected by our Hydra (scanning engine) and DeepGuard (behavioral-based) technologies.
Besides having generic signature detection of malicious macros, our DeepGuard behavioral engine also blocks the payload when it runs. Two layers of protection are better than one.
A document dropping an executable? Yeah, that’s never a good thing.
Q: Are these Dridex activities all related to authorities taking down the botnet?
A: We don’t know.
Android 6.0 a.k.a. “Marshmallow” is now rolling out and its best new feature, from my point of view, is the introduction of a new permissions model.
Well-crafted applications can now ask for permissions as they are needed, rather than all at once during installation.
Apps designed for older versions of Android will still ask for numerous permissions upfront, but Marshmallow will allow for iOS-like granular control.
Not all apps will fail gracefully if permissions are denied.
But if, for example, you don’t want to use Facebook’s Find Friends feature, then there really shouldn’t be any need for the Facebook app to access your Contacts. I’d suggest denying various permissions and testing the “necessary evils” that you might have installed on your Marshmallow phone.
Conscientious developers will update their apps sooner than later.
And if they don’t… well, that’s what reviews are for. Right?
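To show what “asking for permissions as they are needed” and “failing gracefully” look like in practice, here is an added example (my own code, not Facebook’s and not from the original post) of an activity that asks for `READ_CONTACTS` only when the user taps a Find Friends button, and keeps working when the request is refused. `FindFriendsActivity`, `findFriends()` and `showUnavailable()` are hypothetical names; `requestPermissions()`, `shouldShowRequestPermissionRationale()` and `onRequestPermissionsResult()` are the Android 6.0 APIs. The runtime model only applies when the app targets API 23; older targets still get the install-time prompt.

```java
// Added example (not from the original post): request a dangerous permission lazily
// and degrade gracefully when it is denied. Names other than the Android APIs are
// hypothetical.
import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.os.Build;
import android.os.Bundle;
import android.os.Process;
import android.widget.Toast;

public class FindFriendsActivity extends Activity {
    private static final int REQ_CONTACTS = 0x42;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // UI setup omitted; the Find Friends button calls onFindFriendsClicked().
    }

    /** Called when the user taps "Find Friends". Nothing is requested before this. */
    public void onFindFriendsClicked() {
        if (hasContactsPermission()) {
            findFriends();
            return;
        }
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
            // Before Marshmallow, permissions were granted at install time, so getting
            // here means the manifest never declared READ_CONTACTS. Nothing to ask for.
            showUnavailable();
            return;
        }
        if (shouldShowRequestPermissionRationale(Manifest.permission.READ_CONTACTS)) {
            // The user already refused once: explain why, then ask again, don't nag.
            Toast.makeText(this, "Find Friends matches people in your contacts.",
                    Toast.LENGTH_LONG).show();
        }
        requestPermissions(new String[] {Manifest.permission.READ_CONTACTS}, REQ_CONTACTS);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions,
                                           int[] grantResults) {
        if (requestCode != REQ_CONTACTS) {
            return;
        }
        // grantResults is empty if the dialog was interrupted; treat that as denied.
        if (grantResults.length > 0
                && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            findFriends();
        } else {
            // The rest of the app keeps working; only this feature is unavailable.
            showUnavailable();
        }
    }

    /** Works on every Android release; checkSelfPermission() only exists from API 23. */
    private boolean hasContactsPermission() {
        return checkPermission(Manifest.permission.READ_CONTACTS,
                Process.myPid(), Process.myUid()) == PackageManager.PERMISSION_GRANTED;
    }

    private void findFriends() {
        // Query ContactsContract here; READ_CONTACTS is guaranteed at this point.
    }

    private void showUnavailable() {
        Toast.makeText(this, "Find Friends is off because contacts access was declined.",
                Toast.LENGTH_SHORT).show();
    }
}
```

The two things to copy are the order (check, then explain, then request, only when the feature is used) and the denied branch: an app that assumes a granted result is the one that crashes when you revoke a permission in Settings, which is exactly the test suggested above.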
See all of the changes to Android 6.0 here.
On September 10, 2015 the US House (Select) Intelligence Committee held a hearing on World Wide Cyber Threats.
Here’s the full relevant text.
So there you have it, the purpose of CISA is “to share malware.”
Q: And should you believe that?
A: Yeah, that’s its purpose: information sharing equals sharing malware samples.
Q: Is CISA a surveillance bill?
A: No it isn’t… not from where I sit at least.
Q: But is CISA a good bill?
A: No, I don’t think so.
A: Because from my point of view, CISA appears to be nothing more than corporate welfare for the military-digital complex.
Q: Will CISA become law?
A: All signs point to… yes.
The latest episode of Radiolab has what is without a doubt the best malware victim interview I’ve ever heard. Inna Simone’s computer was infected by CryptoWall late last year and based on her telling of it, the worst part of the experience was trying to buy the Bitcoin she needed to pay off the extortionists. In her words she was a “double victim!”.
Inna’s daughter, journalist Alina Simone, wrote about the experience in the January 2, 2015 edition of the New York Times. Both later appeared in an 8 minute segment on the April 18, 2015 airing of PBS NewsHour. But to get the full effect of Inna’s darkly humorous point of view, listen to the Radiolab story.
Here’s a screenshot of the related CryptoWall “Decrypter Service” which includes recommendations for numerous Bitcoin vendors.
So, just how many people have been in the same situation as Inna? Good numbers are difficult to come by, but at least 82,000 people have watched this CryptoWall Decrypter demo video.
In the image above, do you see the dip in daily views during January? Looks to me like CryptoWall took time off for Orthodox Christmas.
The amount of money CryptoWall demands varies based on location, but $500 USD seems to be fairly common. At that amount, if just 10 percent of 82,000 people pay, it’s worth 4.1 million dollars to the gang of extortionists.
Or a “little fee” as “Goldpis Isda” calls it.
Today we release a new whitepaper on an APT group commonly referred to as “the Dukes”. We believe that the Dukes are a well-resourced, highly dedicated, and organized cyber-espionage group that has been working for the Russian government since at least 2008 to collect intelligence in support of foreign and security policy decision-making.
The Dukes (sometimes also referred to as APT29) are known to employ a wide arsenal of malware toolsets including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka HAMMERTOSS [PDF]).
Despite the extensive technical research by us and others into many of the toolsets of the Dukes, we felt that we were still missing crucial parts of the story. Meanwhile, others had envisioned how the story might look, but had concluded that “it is difficult to lead the defense against that which one is not aware of or does not comprehend.” (Maldre, 2015)
With this in mind, we recently set out on a journey back through all of our previous research on the Dukes looking for clues and threads that we might have missed or whose importance we might not have understood at the time. Through this process, we were able to uncover clues pointing to the existence of two previously unidentified Duke malware toolsets, PinchDuke and GeminiDuke.
While we had previously analyzed malware from both toolsets, what we hadn’t understood at the time was their context. With the discovery of new clues such as these two toolsets, we went rummaging through our troves of old malware searching for cases that we had previously not known to attribute to the Dukes. Through this process of proverbial connect-the-dots, we were able to slowly build a bigger, better picture of the Dukes and uncover new details of their over 7 years of activities.
The whitepaper [PDF], with all of these juicy details (plus sample hashes), is available here.
According to LinkedIn, 11 of my connections can introduce me to someone who “knows” Anna. I’m not so sure about that. According to IMDb, Anna Sentina is really Anna Akana. Maybe LinkedIn should start charging to “verify” recruiter accounts? At the moment, there’s zero overhead when creating a recruiter sockpuppet. Adding at least some amount […] (2015-09-15)
In December 2010, journalist Matt Thompson predicted a future in which “automatic speech transcription will become fast, free, and decent.” He called this future the “Speakularity” – playing on the concept of the technological singularity. In Thompson’s words: “So much of the raw material of journalism consists of verbal exchanges — phone conversations, press conferences, […] (2015-09-14)
Labs Fellow Edilberto Cajucom recently tested¹ our Freedome VPN‘s Tracking Protection feature to measure its effect on the page load speed and size of numerous popular sites. Here’s a graph of speed comparisons using a subset of sites from Alexa’s news category. As you can see, there’s quite a measurable effect on several sites; Huffington […] (2015-09-11)
Apple’s September Event 2015 takes place today so 9/9 = iOS 9 announcements. Apple is promising improved security with iOS 9. Implementing six-digit passcodes for Touch ID is one well publicized example. Security researcher Frederic Jacobs has an excellent summary of other documented changes on Medium. A small change that I’ve noticed while testing iOS […] (2015-09-09)
1. Introduction The Sofacy Group (also known as Pawn Storm or APT28) is well known for deploying zero-day exploits in their APT campaigns. For example, two recent zero-days used by the Sofacy Group were exploiting vulnerabilities in Microsoft Office CVE-2015-2424 and Java CVE-2015-2590. If the exploit is successful, it installs a Sofacy downloader component, which is different from […] (2015-09-08)
Our Freedome sales team ran a special promotion over the weekend and when I Tweeted about it, several people asked about the privacy of our payments processor. Short answer is this: we don’t get any access to your personal information. But what if you still don’t want to deal with ecommerce? No problem. You can […] (2015-09-07)
Software engineers automate everything… Goodbye “Markov”! (2015-09-04)
Multiple LinkedIn accounts recently targeted numerous security specialists in an attempt to map their social graphs. Several of our researchers received these LinkedIn invitations themselves and Daavid from our Threat Intelligence team decided to investigate. Here’s an example of one so-called “recruiter” account. Areas of interest include pen testing and social engineering? You don’t say. […] (2015-09-03)
I listened to the BBC World Service’s Click podcast this morning during my commute and learned that Posti (Finland’s postal services provider) is testing drone delivery. Posti has a video of the “robottikopteri” in action on its YouTube channel. Coincidentally, on my walk home last night, I heard the sound of a quadcopter flying around […] (2015-09-02)
Modern web analytics and tracking are completely out of control. And it’s not even a privacy issue for me at this point – it’s more about usability. Trackers are practically recreating the “dial-up Internet” experience. (Ask your parents, kids.) It’s 2015 – but a lot of websites load like it’s 1999. And it seems like […] (2015-09-01)