Stung By File-Encrypting Malware, Researchers Fight Back

itwbennett (1594911) writes "When Jose Vildoza's father became the victim of ransomware, he launched his own investigation. Diving into CryptoDefense's code, he found its developers had made a crucial mistake: CryptoDefense used Microsoft's Data Protection API (application programming interface), a tool in the Windows operating system to encrypt a user's data, which stored a copy of the encryption keys on the affected computer. Vildoza and researcher Fabian Wosar of the Austrian security company Emsisoft collaborated on a utility called the Emsisoft Decrypter that could recover the encrypted keys. In mid-March Vildoza had launched a blog chronicling his investigation, purposely not revealing the mistake CryptoDefense's authors had made. But Symantec then published a blog post on March 31 detailing the error."
  • by Wapiti-eater ( 759089 ) on Thursday April 10, 2014 @11:29AM (#46714717)
    The myth that the 'security' industry is at the root of the problem
    • I hate that I have the compulsion to do this, but *which(title) && *doesn't or does not (signature).
    • How does that support that the security industry is somehow part of the problem? They found a simple and convenient way to give the ransomware the boot, what's your point?

      • by gstoddart ( 321705 ) on Thursday April 10, 2014 @12:07PM (#46715183) Homepage

        How does that support that the security industry is somehow part of the problem? They found a simple and convenient way to give the ransomware the boot, what's your point?

        Because, if you publicize how you caught their error, they can fix it.

        So, now the next iteration of this will possibly NOT be fixable.

        Someone found a way to fix it, and didn't tell how it was done. Someone else then publicized it ... and when you explain the ways and means, the bad guys can know how you did it.

        What they've done is tell the ransomware folks how to 'improve' their malware.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          Yeah, it would've been much harder for the attackers to reverse his utility right? Anything that monitors file accesses would've seen what files it was accessing. I don't disagree the AV company made a mistake because they wanted publicity but I don't think what they did was as significant as you might think.

          • by Calydor ( 739835 ) on Thursday April 10, 2014 @12:44PM (#46715527)

            Symantec did exactly what gets private security researchers into hot water: They publicized an exploit in a program.

            Ignoring the fact that the program is malware and the exploit was a means of defeating the malware, WHY is it okay for Symantec to do this?

            • by v1 ( 525388 ) on Thursday April 10, 2014 @01:19PM (#46715835) Homepage Journal

              WHY is it okay for Symantec to do this?

              The more relevant question to ask is "Why DID Symantec do this?" A more interesting question would be "Why did Symantec break the law?" They didn't do that, but the answer to all three is the same.

              "because it helps them make money".

              In this particular case, the fear of ransomware helps Symantec sell their product. So a researcher doing something to combat ransomware hurts Symantec's business. So they do what they can do, to protect their profits. In this case, it's even legal for them to do it. So it's a no-brainer.

              You simply have to expect this sort of behavior from any big business. There's no point in being confused or shocked by it.

              A month from now they will be able to make a new press release, "Two months ago security researchers dealt a blow to ransomware, protecting users and devaluating our product. Today, we're pleased to announce the ransomware developers have made the necessary fixes to their code outlined in our recent publication, and once again, Symantec is your only defense against ransomware!"

              • Re: (Score:3, Interesting)

                by Darinbob ( 1142669 )

                How about the question "why should they not do this?" The ransomware makers know that there's a recovery tool, so it's a short period of time before they figure out what their flaw is. There's no gain to be benefited by keeping the details secret. Do we want the situation where some security professionals know what the flaw is, the malware authors know what the flaw is, but the general public is kept in the dark?

                Security through obscurity does not work. Similarly, keeping security protection details li

          • Re: (Score:3, Informative)

            by Anonymous Coward

            You'd think this would be the case... but the reality is that the malware authors updated their software the day after Symantec published the flaw. They didn't fix the flaw during the time when the "free tool" was available. Looks like a direct correlation to me.

            The big thing here is that the authors probably couldn't be bothered to fix it before Symantec broke the news, as they were still getting lots of payments.

        • Oh, you mean what Symantec did. Sorry, you lost me there, at first there was talk about the security industry, for some odd reason I didn't associate Symantec with that...

• One of the probable reasons they store the key on the box is because it's easier than having it on a remote server. A remote server can be taken out, unreachable, and you have the extra added problem of associating the decryption key with a specific box. That's a pain if the box isn't connected to the public network (i.e. it was infected through another vector).

          If the key is local it's easier. You can even mail them a USB stick with the decryption application if you wanted to.

• This is Slashdot. Why aren't people up in arms over the published utility's source code being hidden? You want us to run a binary off a website to decrypt our files? Sure, let me get right on that.
        • I'm for full disclosure. Let the user know about the vulnerabilities.

        • by Lumpy ( 12016 )

But it is easy to keep off your system. [] completely neuters it before it is ever launched, and it also makes changes that blow up 90% of the trojans' infection vectors out there.

        • by mysidia ( 191772 ) on Thursday April 10, 2014 @02:11PM (#46716473)

          Because, if you publicize how you caught their error, they can fix it.

Exactly. They publicized the methods solely for marketing purposes -- so they could write a "ME TOO" article, showing how their "researchers" are "On top" of security, and stealing thunder from the developer of the free Decryption software.

          Because we're big Symantec, and we can't have third parties scooping us on antimalware techniques.

          It also helps their product by making sure the authors of ransomware learn from mistakes, so future ransomware is more robust, AND therefore, users will have greater damage by ransomware in the future, increasing the demand for Symantec's products.

• The so-called security industry is a big part of the problem.

      While they continue to peddle their snake oil and sticking plaster solutions that the underlying problem. Microsoft and company will continue to peddle insecure crap ware.

    • by mysidia ( 191772 )

      The myth that the 'security' industry is at the root of the problem

      I would argue: not entirely a myth; while it may be unintentional on the part of players in the security industry (at least ethical ones). Much of security researchers' work can enable and facilitate attackers. Some researchers even SELL exploits, AND attackers may be the buyers.

      In many cases... they share too much information with attackers that attackers can use to improve their processes. They also in some cases PROVIDE motive.

  • by Last_Available_Usern ( 756093 ) on Thursday April 10, 2014 @11:40AM (#46714871)
    It's in Symantec's interest that the authors mitigate the weakness in their malware so the threat will permeate through media and people will continue to be terrified into buying copious amounts of security software that in most cases won't even mitigate the risk.
    • by dcollins117 ( 1267462 ) on Thursday April 10, 2014 @01:58PM (#46716321)

      What I find most interesting about this story is that both the white hats and the black hats share a common goal. It's your money.

      The black hats are saying "Give me your money if you ever want to see your data again." The white hats are saying "Give me your money and we'll try to keep your data safe."

      They're both picking your pockets, all you have to do is choose your master.

  • by DriveDog ( 822962 ) on Thursday April 10, 2014 @11:45AM (#46714943)
    At first Symantec's actions sounded dismaying, but in the long run using every opportunity to publicize the folly of using that API is probably beneficial. I've spent years trying to dissuade people from using (old) Excel's password "protection" due to the false sense of security. That Win API has the same effect—convinces the masses they're employing secure means when in fact they're not.
    • Re:disclosure (Score:4, Insightful)

      by Last_Available_Usern ( 756093 ) on Thursday April 10, 2014 @11:55AM (#46715049)
      It must be at least mildly effective if the only legitimate means of unencrypting the data was a copy of the keys that only a set of researchers dedicated to the issue were able to find.
    • by Zmobie ( 2478450 )

      It half ass works. I mean if you need REAL security, you're right, no way in hell I would trust my files to the built in windows encryption (other than maybe BitLocker drive encrypting, but that is an entirely different mechanism). I do find it funny/interesting/depressing the "security culture" that is now marketed to the general populace. They basically throw buzzwords at them until people believe they know what they're talking about.

      • by mlts ( 1038732 )

        The ironic thing is that "real" security is pushed to the side. Old fashioned things like gpg, PGP, proper backups [1][2], sandboxing, and other basic items tend to fall into disuse while "lets just stash it in the cloud and take their word for it, as they use 'encryption' and 'firewalls'" seems to be the mode of operation of the day.

        For example, I've seen some "cloud encryption" systems that require one to set up an account... and where the actual encryption key is stored can be anyone's guess (the websit

        • by Zmobie ( 2478450 )

          A lot of it seems to be liability for large groups. An IT department can outsource data backups and data security to "the cloud provider" and if something goes bad they only get a bit into trouble for picking the wrong provider. Meanwhile they can just point the finger at their provider and say "not our fault."

          Individuals on the other hand just want their damn data, but so few are even educated on IT security at all. I know so many software developers and IT workers even that don't know the first thing a

          • by mlts ( 1038732 )

            A secure home server only makes sense. If you get a machine with hardware RAID, mirror the OS drive, then use RAID-Z2 [1] or RAID-Z3 for the data. If using Windows, then you get a choice between bit rot resilience with Storage Spaces + ReFS or deduplication with Storage Spaces + NTFS.

            [1]: RAID-Z will find bit rot on a zfs scrub, but won't be able to fix it. RAID-Z2, RAID-Z3 and RAID-1... even ditto blocks can both find and fix it.

    • Re:disclosure (Score:4, Insightful)

      by marciot ( 598356 ) on Thursday April 10, 2014 @12:48PM (#46715567)

      I've spent years trying to dissuade people from using (old) Excel's password "protection" due to the false sense of security. That Win API has the same effect—convinces the masses they're employing secure means when in fact they're not.

I think recent events have shown that relying on security of any kind leads to a false sense of security (examples: NSA backdoors, OpenSSL bugs, WEP vulnerabilities, etc). We'd all be much safer if we simply assumed there was no such thing as security.

  • Symansuck (Score:1, Interesting)

    Symantec are the dumbest bunch of dumbfucks ever.

    Combine that with shit software and the worst customer support in the business and the only conclusion is that Symantec can't die fast enough. Die Symantec, Die.
  • by leereyno ( 32197 ) on Thursday April 10, 2014 @01:42PM (#46716097) Homepage Journal

    Future victims of this criminal organization should sue Symantec.

    Class action lawsuit.

    I also think that criminal charges for aiding and abetting would apply as well.

  • Paging file? (Score:4, Interesting)

    by Dwedit ( 232252 ) on Thursday April 10, 2014 @02:03PM (#46716375) Homepage

    Okay, stupid question time...
    If someone took a disk image during the time when the virus was in the process of encrypting files, would it be possible to find the key in the paging file?

    • I would also think that Microsoft could come out with a fix to the software that would store that key that's accessible/decrypted by the PC Admin's/User's password via a utility (but not writable by other programs) in order to "recover" files where the key has been lost/'stolen'/etc. This would only work of course IF the hackers were using the local copy of the encryption DLL and not a downloaded/hacked copy (if it would even work that way).
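Added example, not part of the story or of any comment, and not Emsisoft's or Symantec's code: a small Python carver that finds DPAPI blob headers (the fixed signature every DPAPI-protected blob begins with) in a raw buffer such as a file, a disk image or a pagefile, and reports which user or machine master key each blob references, which is the first thing a responder needs to know when malware has left a DPAPI-wrapped key on the box and is one way to approach Dwedit's question above. The sample image, master key GUID and description string are constructed for the demo.

```python
"""Carve DPAPI blob headers out of a raw byte buffer (file, disk image or pagefile)."""
import struct
import uuid

# Every DPAPI blob starts with dwVersion == 1 followed by the fixed DPAPI provider
# GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} in little-endian GUID byte order.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
DPAPI_SIGNATURE = struct.pack("<I", 1) + DPAPI_PROVIDER_GUID.bytes_le
CRYPTPROTECT_LOCAL_MACHINE = 0x4  # wincrypt.h flag: blob bound to the machine, not a user


def scope(flags):
    """Which master key store the blob needs: a user's profile or the machine's."""
    return "machine" if flags & CRYPTPROTECT_LOCAL_MACHINE else "user"


def parse_dpapi_header(buf, off):
    """Parse the fixed head of a DPAPI blob at buf[off]; None if it does not fit."""
    p = off + len(DPAPI_SIGNATURE)
    if len(buf) < p + 4 + 16 + 4 + 4:
        return None
    mk_version, = struct.unpack_from("<I", buf, p); p += 4
    mk_guid = uuid.UUID(bytes_le=bytes(buf[p:p + 16])); p += 16   # master key GUID
    flags, = struct.unpack_from("<I", buf, p); p += 4
    desc_len, = struct.unpack_from("<I", buf, p); p += 4            # UTF-16LE, NUL-terminated
    if desc_len > 1024 or len(buf) < p + desc_len:
        return None   # implausible length: probably a false positive or a torn page
    desc = buf[p:p + desc_len].decode("utf-16-le", errors="replace").rstrip("\x00")
    return {"offset": off, "masterkey_version": mk_version, "masterkey_guid": str(mk_guid),
            "flags": flags, "scope": scope(flags), "description": desc}


def carve_dpapi_blobs(buf):
    """Return a header record for every DPAPI signature found in buf."""
    hits, start = [], 0
    while (off := buf.find(DPAPI_SIGNATURE, start)) >= 0:
        header = parse_dpapi_header(buf, off)
        if header:
            hits.append(header)
        start = off + 1
    return hits


def build_sample_blob_header(mk_guid, description, flags=0):
    """Constructed test input: the fixed head of a DPAPI blob (cipher body omitted)."""
    desc = (description + "\x00").encode("utf-16-le")
    return (DPAPI_SIGNATURE + struct.pack("<I", 1) + uuid.UUID(mk_guid).bytes_le
            + struct.pack("<I", flags) + struct.pack("<I", len(desc)) + desc)


SAMPLE_MK_GUID = "12345678-1234-5678-9abc-def012345678"   # constructed, not a real key
SAMPLE_IMAGE = (b"\x00" * 37 + b"junkjunk"                 # constructed pagefile-like slice
                + build_sample_blob_header(SAMPLE_MK_GUID, "demo key (constructed)",
                                           CRYPTPROTECT_LOCAL_MACHINE) + b"\xff" * 20)

if __name__ == "__main__":
    for hit in carve_dpapi_blobs(SAMPLE_IMAGE):
        print(hit)
```

On a real image the master key GUID points at the file under %APPDATA%\Microsoft\Protect\<SID>\ (user scope) or the machine key store, which is what the recovery side then needs.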
• This is excellent evidence to advocate shutting down bitcoin and all its kin.

The only use of these 'currencies' seems to be criminal activity, and frankly, malware of this nature probably wouldn't even be feasible if it wasn't for bitcoin and its kin. There'd be no way to anonymously extort money from victims.

• malware of this nature probably wouldn't even be feasible if it wasn't for bitcoin and its kin. There'd be no way to anonymously extort money from victims.

      Not the case.

      CryptoLocker’s creators also recently shifted their monetization tactics, giving willing users additional time to pay the ransom with bitcoin or MoneyPak.

      Strains of this in the past were using MoneyPak (prepaid cash card) to extort money just fine. []

    • Ah, blaming the tool again.
      • by mmell ( 832646 )
        You're right. Bitcoin is only the gun, not the criminal.

        All cryptocurrency holders must immediately give their government a full accounting of all cryptocurrency transactions; any unreported transactions may reasonably be considered evidence of criminal wrongdoing (especially since such transactions are required by law to be declared, at least to the IRS in the United States - if you want to cheat, fine. Don't cheat the tax man; Al Capone can tell you all about that one).

        Since cryptocurrency use is (of

      • When the tool appears to have no legitimate usages, yeah I'm gunna say this tool is inherently bad, I could even go as far as to say the tool encourages illegal behavior.

        Sort of like Napster of the late 90's. It simply had no other use than to STEAL music. Bitcoin has no other use than to hide financial transaction data. I simply don't buy we need a currency that's not attached to one of the many governments in the world. What advantages do bitcoins offer over US Dollars? Besides the fact they're hard

• Oh one other thing, if you're going to reply with legitimate uses, please also add in why it is better to use a bitcoin instead of US Dollar in your legitimate use. Legitimacy should also have advantage over its predecessor, otherwise, there's no point in the legitimate use. You wouldn't use one sharp knife over another just because it looks different. It's just as sharp.

          • I'm not, because it's not my job to do your thinking for you.

            I have no personal interest in cryptocurrencies outside of academic curiosity. But I am able to admit that my range of speculation isn't all-encompassing, which is where we appear to differ. You feel justified in basing your decisions on the premise that if you can't imagine something, it doesn't exist.
    • by mmell ( 832646 )
      (PERSONAL ANECDOTE). I have to admit to experiencing a parallel from back in the seventies. I found this really outta sight sandwich joint. It had the best (and the cheapest) steak and mushroom sandwich I've ever had. I was really sad when I found out it was a money-laundering front for organized crime - but only because I found out after the Fed shut it down under the RICO act.

      (PERSONAL OPINION). Is cryptocurrency any different? I can make money for free by "mining" for valid cryptostrings (there's

  • by mmell ( 832646 ) on Thursday April 10, 2014 @02:29PM (#46716635)
    I keep seeing people essentially criticizing Symantec for releasing the details of this exploit. I'm sure the obsecurity model has worked quite well for all of you, hasn't it?

    Security through obscurity is a long-debunked myth. You people need to get over it - hiding an exploit only guarantees its continued effectiveness (obsecurity works both ways, protecting the exploit as well as the exploited). Exposing an exploit causes people to work to close the exploit and put it out of business. There's a short-term loss as every script-kiddie takes advantage of their newly discovered toy, but a greater long-term advantage in securing systems against said exploit.

    To be sure, secrecy can be used to add to security - but the secret should be what you've done to close the holes, not the fact that those holes exist.

  • by uvajed_ekil ( 914487 ) on Thursday April 10, 2014 @10:06PM (#46721449)
    Now I finally know what API means.
