Stung By File-Encrypting Malware, Researchers Fight Back
itwbennett (1594911) writes "When Jose Vildoza's father became the victim of ransomware, he launched his own investigation. Diving into CryptoDefense's code, he found its developers had made a crucial mistake: CryptoDefense used Microsoft's Data Protection API (application programming interface), a tool in the Windows operating system to encrypt a user's data, which stored a copy of the encryption keys on the affected computer. Vildoza and researcher Fabian Wosar of the Austrian security company Emsisoft collaborated on a utility called the Emsisoft Decrypter that could recover the encrypted keys. In mid-March Vildoza had launched a blog chronicling his investigation, purposely not revealing the mistake CryptoDefense's authors had made. But Symantec then published a blog post on March 31 detailing the error."
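As an added illustration of the DPAPI property the summary describes (example code, not from the story, the Emsisoft Decrypter or the malware): a blob protected under the current user's scope can be unprotected later by any process running as that same user on that machine, with no password or secret supplied, which is why a key stored that way on the victim's PC is recoverable by the victim. It assumes Windows PowerShell; the key bytes are a constructed sample.

```powershell
# Added illustration of the DPAPI behaviour described above; not code from the
# story, the Emsisoft tool or the malware. Loads the ProtectedData class.
Add-Type -AssemblyName System.Security

function Test-DpapiKeyRecoverable {
    # Constructed sample "file key" (32 bytes); stands in for a key some
    # program generated and then protected with DPAPI on this machine.
    $originalKey = [byte[]](1..32)

    # Protect the key under CurrentUser scope, as a process running as the
    # logged-on user would. No entropy or password is supplied.
    $scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($originalKey, $null, $scope)

    # Simulate a recovery utility run later by the same user: only the blob
    # is needed, because Windows holds the DPAPI master key for this profile.
    $recovered = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)

    # Byte-for-byte comparison; $true means the key came back from the local blob.
    return (($originalKey -join ',') -eq ($recovered -join ','))
}

Test-DpapiKeyRecoverable
```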
Which only serves to further (Score:5, Insightful)
Re: (Score:1)
How does that support that the security industry is somehow part of the problem? They found a simple and convenient way to give the ransomware the boot, what's your point?
Re:Which only serves to further (Score:4, Informative)
Because, if you publicize how you caught their error, they can fix it.
So, now the next iteration of this will possibly NOT be fixable.
Someone found a way to fix it, and didn't tell how it was done. Someone else then publicized it ... and when you explain the ways and means, the bad guys can know how you did it.
What they've done is tell the ransomware folks how to 'improve' their malware.
Re: (Score:2, Insightful)
Yeah, it would've been much harder for the attackers to reverse his utility, right? Anything that monitors file accesses would've seen what files it was accessing. I don't disagree the AV company made a mistake because they wanted publicity, but I don't think what they did was as significant as you might think.
Re:Which only serves to further (Score:4, Informative)
Symantec did exactly what gets private security researchers into hot water: They publicized an exploit in a program.
Ignoring the fact that the program is malware and the exploit was a means of defeating the malware, WHY is it okay for Symantec to do this?
Re:Which only serves to further (Score:5, Interesting)
The more relevant question to ask is "Why DID Symantec do this?" A more interesting question would be "Why did Symantec break the law?" They didn't do that, but the answer to all three is the same.
"because it helps them make money".
In this particular case, the fear of ransomware helps Symantec sell their product. So a researcher doing something to combat ransomware hurts Symantec's business. So they do what they can do, to protect their profits. In this case, it's even legal for them to do it. So it's a no-brainer.
You simply have to expect this sort of behavior from any big business. There's no point in being confused or shocked by it.
A month from now they will be able to make a new press release, "Two months ago security researchers dealt a blow to ransomware, protecting users and devaluating our product. Today, we're pleased to announce the ransomware developers have made the necessary fixes to their code outlined in our recent publication, and once again, Symantec is your only defense against ransomware!"
Re: (Score:3, Interesting)
How about the question "why should they not do this?" The ransomware makers know that there's a recovery tool, so it's a short period of time before they figure out what their flaw is. There's no benefit to be gained by keeping the details secret. Do we want the situation where some security professionals know what the flaw is, the malware authors know what the flaw is, but the general public is kept in the dark?
Security through obscurity does not work. Similarly, keeping security protection details li
Re: (Score:3, Informative)
You'd think this would be the case... but the reality is that the malware authors updated their software the day after Symantec published the flaw. They didn't fix the flaw during the time when the "free tool" was available. Looks like a direct correlation to me.
The big thing here is that the authors probably couldn't be bothered to fix it before Symantec broke the news, as they were still getting lots of payments.
Re: (Score:2)
Oh, you mean what Symantec did. Sorry, you lost me there, at first there was talk about the security industry, for some odd reason I didn't associate Symantec with that...
Re: (Score:2)
Sounds logical to me ;-)
"Symantec(tm): Hey, at least we're not wanted for murder in Bolivia!"
Re: (Score:2)
Meh; they're both in Asia ;-)
Not really bad (Score:2)
One of the probable reasons they store the key on the box is because it's easier than having it on a remote server. A remote server can be taken out, unreachable, and you have the extra added problem of associating the decryption key with a specific box. That's a pain if the box isn't connected to the public network (i.e. it was infected through another vector).
If the key is local it's easier. You can even mail them a USB stick with the decryption application if you wanted to.
Re: (Score:2)
Well, if all your files are already compromised...how much worse can it really get?
Re: (Score:1)
I'm for full disclosure. Let the user know about the vulnerabilities.
Re: (Score:2)
But it is easy to keep off your system. http://www.foolishit.com/vb6-p... [foolishit.com] completely neuters it before it is ever launched, and it also makes changes that blow up 90% of the trojans' infection vectors out there.
Re:Which only serves to further (Score:4, Insightful)
Because, if you publicize how you caught their error, they can fix it.
Exactly. They publicized the methods solely for marketing purposes -- so they could write a "ME TOO" article, showing how their "researchers" are "On top" of security, and stealing thunder from the developer of the free Decryption software.
Because we're big Symantec, and we can't have third parties scooping us on antimalware techniques.
It also helps their product by making sure the authors of ransomware learn from mistakes, so future ransomware is more robust, AND therefore, users will have greater damage by ransomware in the future, increasing the demand for Symantec's products.
Not a Myth (Score:2)
The so-called security industry is big part of the problem.
While they continue to peddle their snake oil and sticking plaster solutions that the underlying problem. Microsoft and company will continue to peddle insecure crap ware.
Why the Antivirus Era Is Over (Score:5, Informative)
They can't keep up with the known threats
Comparative reviews since February 2009 - February 2014 [virusbtn.com]
Out-maneuvered by new threat vectors
Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt [nytimes.com]
Conventional security software is powerless against sophisticated attacks like Flame, but alternative approaches are only just getting started. [technologyreview.com]
Some of them even get it, Eugene Kaspersky admits:
The contemporary antivirus industry and its problems [securelist.com]
Re: (Score:1)
Absolutely. This is an OS design problem.
Re: (Score:2)
Linux? :)
(I'm fairly sure every article that's popped up on /. in the last few years about privilege escalation on Linux has turned out to be "oh, but you had to have already given it permission.")
Oh, I'm sorry...was I supposed to say Mac? Sorry for stealing your thunder.
Re: (Score:2)
OpenBSD?
Re: (Score:2)
has turned out to be "oh, but you had to have already given it permission."
Citations please.
Re: (Score:2)
Good point. My mind was on viruses and trojans for some reason.
Re: (Score:2)
Wait, this was malware, not the heartbleed thing. It should never have been run and never had access to the files it was affecting. An OS could be designed to be document-centric rather than application-centric (amongst other design choices) and many of these vulnerabilities just not available to exploit.
Re: (Score:2)
So which OS that has a large marketshare has never had a privilege escalation bug?
VMware ESXi. (*Privilege escalations within a Windows guest operating system don't count; only escalations from a lower-privileged user, or OS running in the hypervisor, to privileged hypervisor control.)
Re: (Score:2)
Not even a little. Modern malware is largely OS indifferent. Windows XP had security issues, but that's a loooong time ago.
Re: (Score:2)
The myth that the 'security' industry is at the root of the problem
I would argue: not entirely a myth; while it may be unintentional on the part of players in the security industry (at least ethical ones). Much of security researchers' work can enable and facilitate attackers. Some researchers even SELL exploits, AND attackers may be the buyers.
In many cases... they share too much information with attackers that attackers can use to improve their processes. They also in some cases PROVIDE motive.
Of course Symantec did that... (Score:5, Interesting)
Re:Of course Symantec did that... (Score:4, Informative)
What I find most interesting about this story is that both the white hats and the black hats share a common goal. It's your money.
The black hats are saying "Give me your money if you ever want to see your data again." The white hats are saying "Give me your money and we'll try to keep your data safe."
They're both picking your pockets, all you have to do is choose your master.
Re: (Score:2)
Another item is that a lot of enterprises have a data recovery agent. That way, if EFS is used, one just cracks open that key, decrypts everything, calls it done.
I'm sure this will be fixed in the next version of the software. Malware is the most well written and meticulously supported software being created in the computer industry these days.
disclosure (Score:3)
Re:disclosure (Score:4, Insightful)
Re: (Score:2)
It half ass works. I mean if you need REAL security, you're right, no way in hell I would trust my files to the built in windows encryption (other than maybe BitLocker drive encrypting, but that is an entirely different mechanism). I do find it funny/interesting/depressing the "security culture" that is now marketed to the general populace. They basically throw buzzwords at them until people believe they know what they're talking about.
Re: (Score:2)
The ironic thing is that "real" security is pushed to the side. Old fashioned things like gpg, PGP, proper backups [1][2], sandboxing, and other basic items tend to fall into disuse while "let's just stash it in the cloud and take their word for it, as they use 'encryption' and 'firewalls'" seems to be the mode of operation of the day.
For example, I've seen some "cloud encryption" systems that require one to set up an account... and where the actual encryption key is stored can be anyone's guess (the websit
Re: (Score:2)
A lot of it seems to be liability for large groups. An IT department can outsource data backups and data security to "the cloud provider" and if something goes bad they only get a bit into trouble for picking the wrong provider. Meanwhile they can just point the finger at their provider and say "not our fault."
Individuals on the other hand just want their damn data, but so few are even educated on IT security at all. I know so many software developers and IT workers even that don't know the first thing a
Re: (Score:2)
A secure home server only makes sense. If you get a machine with hardware RAID, mirror the OS drive, then use RAID-Z2 [1] or RAID-Z3 for the data. If using Windows, then you get a choice between bit rot resilience with Storage Spaces + ReFS or deduplication with Storage Spaces + NTFS.
[1]: RAID-Z will find bit rot on a zfs scrub, but won't be able to fix it. RAID-Z2, RAID-Z3 and RAID-1... even ditto blocks can both find and fix it.
Re:disclosure (Score:4, Insightful)
I've spent years trying to dissuade people from using (old) Excel's password "protection" due to the false sense of security. That Win API has the same effect—convinces the masses they're employing secure means when in fact they're not.
I think recent events have shown that relying on security of any kind leads to a false sense of security (examples: NSA backdoors, OpenSSL bugs, WEP vulnerabilities, etc). We'd all be much safer if we simply assumed there was no such thing as security.
Re:fake website (Score:4, Informative)
That's a pretty common ad-delivered site that's been around for a while. It has an "onunload" function that pops up an error message when you try to leave the site. Chrome added a checkbox to disable the message, so they made their error message so long it goes off the bottom of the screen, and since it's a dialog box, you can't scroll the text to get to the checkbox; you just have to trust it's there after the third or fourth alert: hit tab, space to check the box, tab again, space to hit ok.
Re:fake website (Score:4, Insightful)
And this is why I don't allow javascript to run on arbitrary sites.
Because javascript can be used to do way too many annoying things. Like websites which think they can disable my right click (so I can use the back button) because they think I'm going to steal their images.
It's also why Flash doesn't get installed on machines I control.
Re:fake website (Score:5, Funny)
I take special delight in stealing the images of sites like that.
Re: (Score:2)
While personal preference lets you do what you want, I'm fine with having that control with Javascript. The browser balances out the bad with user control. For pop-up dialogs, there is the checkbox to stop more. For right-click - well - there's always the inspector.
Dialog boxes that are too long need to be modal only to the tab and size limited, with scrolling enabled for long content.
Re: (Score:2)
Of course that doesn't work on sites that disable it silently.
Re: (Score:2)
Now you've really done it! You've gone on and told them we know what their popup UI exploit was! Now they're going to add their OWN buttons above Chrome's and God help you if you try selecting it and entering!
Symansuck (Score:1, Interesting)
Combine that with shit software and the worst customer support in the business and the only conclusion is that Symantec can't die fast enough. Die Symantec, Die.
Future victims should sue Symantec (Score:4, Insightful)
Future victims of this criminal organization should sue Symantec.
Class action lawsuit.
I also think that criminal charges for aiding and abetting would apply as well.
Paging file? (Score:4, Interesting)
Okay, stupid question time...
If someone took a disk image during the time when the virus was in the process of encrypting files, would it be possible to find the key in the paging file?
Bitcoins? (Score:1)
This is excellent evidence to advocate shutting down bitcoin and all its kin.
The only use of these 'currencies' seems to be criminal activity, and frankly, malware of this nature probably wouldn't even be feasible if it wasn't for bitcoin and its kin. There'd be no way to anonymously extort money from victims.
Re: (Score:2)
malware of this nature probably wouldn't even be feasible if it wasn't for bitcoin and its kin. There'd be no way to anonymously extort money from victims.
Not the case.
CryptoLocker’s creators also recently shifted their monetization tactics, giving willing users additional time to pay the ransom with bitcoin or MoneyPak.
Strains of this in the past were using MoneyPak (prepaid cash card) to extort money just fine.
http://blog.trendmicro.com/cry... [trendmicro.com]
Re: (Score:3)
Yeah, good luck with convincing the people who use a currency specifically because it's not controllable by the government to report said use to said government.
Re: (Score:2)
When the tool appears to have no legitimate usages, yeah, I'm gunna say this tool is inherently bad. I could even go as far as to say the tool encourages illegal behavior.
Sort of like Napster of the late 90s. It simply had no other use than to STEAL music. Bitcoin has no other use than to hide financial transaction data. I simply don't buy we need a currency that's not attached to one of the many governments in the world. What advantages do bitcoins offer over US Dollars? Besides the fact they're hard
Re: (Score:2)
Oh, one other thing: if you're going to reply with legitimate uses, please also add in why it is better to use a bitcoin instead of US Dollars in your legitimate use. Legitimacy should also have an advantage over its predecessor; otherwise, there's no point in the legitimate use. You wouldn't use one sharp knife over another just because it looks different. It's just as sharp.
Re: (Score:1)
I have no personal interest in cryptocurrencies outside of academic curiosity. But I am able to admit that my range of speculation isn't all-encompassing, which is where we appear to differ. You feel justified in basing your decisions on the premise that if you can't imagine something, it doesn't exist.
Comment removed (Score:3)
Great summary (Score:4, Funny)