Stung By File-Encrypting Malware, Researchers Fight Back
itwbennett (1594911) writes "When Jose Vildoza's father became the victim of ransomware, he launched his own investigation. Diving into CryptoDefense's code, he found its developers had made a crucial mistake: CryptoDefense used Microsoft's Data Protection API (application programming interface), a tool in the Windows operating system to encrypt a user's data, which stored a copy of the encryption keys on the affected computer. Vildoza and researcher Fabian Wosar of the Austrian security company Emsisoft collaborated on a utility called the Emsisoft Decrypter that could recover the encrypted keys. In mid-March Vildoza had launched a blog chronicling his investigation, purposely not revealing the mistake CryptoDefense's authors had made. But Symantec then published a blog post on March 31 detailing the error."
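The DPAPI point in the summary, as an added example that is neither CryptoDefense's code nor the Emsisoft tool: a key wrapped with DPAPI in the victim's own user context can be unwrapped in that same context with nothing but the on-disk blob, which is why a decrypter run on the affected machine can get the key back. The blob path and 256-bit key size are assumptions for the demo.

```powershell
# Added illustration (hypothetical): round-trips a random key through DPAPI to show
# why a key "protected" on the victim's own machine is recoverable on that machine.
Add-Type -AssemblyName System.Security   # ProtectedData lives here in Windows PowerShell 5.1

$blobPath = Join-Path $env:TEMP 'dpapi-demo-key.bin'   # assumed path, demo only

# 1. Generate a fresh 256-bit key, standing in for a per-victim file-encryption key.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)

# 2. Protect it with DPAPI in CurrentUser scope and write the blob to disk.
#    DPAPI derives its wrapping key from the logged-on user's credentials, so no
#    secret held by the malware author takes part in the protection.
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$blob  = [System.Security.Cryptography.ProtectedData]::Protect($key, $null, $scope)
[System.IO.File]::WriteAllBytes($blobPath, $blob)

# 3. Later, the same user on the same machine unwraps it from the blob alone.
$stored    = [System.IO.File]::ReadAllBytes($blobPath)
$recovered = [System.Security.Cryptography.ProtectedData]::Unprotect($stored, $null, $scope)

# 4. Compare the original and recovered key bytes.
if ([BitConverter]::ToString($key) -eq [BitConverter]::ToString($recovered)) {
    'Key recovered from the on-disk DPAPI blob without any attacker-held secret.'
} else {
    'Recovery failed: blob was not produced by this user on this machine.'
}

Remove-Item $blobPath -ErrorAction SilentlyContinue
```

The same Unprotect call fails under another account or on another machine, which is the one property the DPAPI design guarantees and the reason a key stored this way protects nothing against the machine's own user.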
Re:Which only serves to further (Score:4, Informative)
Because, if you publicize how you caught their error, they can fix it.
So, now the next iteration of this will possibly NOT be fixable.
Someone found a way to fix it, and didn't tell how it was done. Someone else then publicized it ... and when you explain the ways and means, the bad guys can know how you did it.
What they've done is tell the ransomware folks how to 'improve' their malware.
Re:fake website (Score:4, Informative)
That's a pretty common ad-delivered site that's been around for a while. It has an "onunload" function that pops up an error message when you try to leave the site. Chrome added a checkbox to disable the message, so they made their error message so long it goes off the bottom of the screen, and since it's a dialog box, you can't scroll the text to get to the checkbox; you just have to trust it's there after the third or fourth alert: hit tab, space to check the box, tab again, space to hit OK.
Why the Antivirus Era Is Over (Score:5, Informative)
They can't keep up with the known threats
Comparative reviews from February 2009 to February 2014 [virusbtn.com]
Out-maneuvered by new threat vectors
Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt [nytimes.com]
Conventional security software is powerless against sophisticated attacks like Flame, but alternative approaches are only just getting started. [technologyreview.com]
Some of them even get it, as Eugene Kaspersky admits:
The contemporary antivirus industry and its problems [securelist.com]
Re:Which only serves to further (Score:4, Informative)
Symantec did exactly what gets private security researchers into hot water: They publicized an exploit in a program.
Ignoring the fact that the program is malware and the exploit was a means of defeating the malware, WHY is it okay for Symantec to do this?
Re:Of course Symantec did that... (Score:4, Informative)
What I find most interesting about this story is that both the white hats and the black hats share a common goal. It's your money.
The black hats are saying "Give me your money if you ever want to see your data again." The white hats are saying "Give me your money and we'll try to keep your data safe."
They're both picking your pockets, all you have to do is choose your master.
Re:Which only serves to further (Score:3, Informative)
You'd think this would be the case... but the reality is that the malware authors updated their software the day after Symantec published the flaw. They didn't fix the flaw during the time when the "free tool" was available. Looks like a direct correlation to me.
The big thing here is that the authors probably couldn't be bothered to fix it before Symantec broke the news, as they were still getting lots of payments.