New Encryption Ransomware Targets Linux Users

HardOCP News

All you alternative OS users out there should be on the lookout for this new encryption ransomware that is targeting Linux operating systems.

First, Linux.Encoder.1 encrypts all files in home directories and directories related to website administration. Then the Trojan recursively traverses the whole file system starting with the directory from which it is launched; next time, starting with a root directory (“/”). At that, the Trojan encrypts only files with specified extensions and only if a directory name starts with one of the strings indicated by cybercriminals.
 
This stuff has become so big on Windows, then Macs, it was obvious that Linux was next. Bottom line, an OS may not be targeted as much because of its market share. That doesn't make it immune.
 
weird how they don't mention how you get this ransomware. to encrypt /, I'd imagine you need to have downloaded it and then run it as root. People who would do that should not have root
 
weird how they don't mention how you get this ransomware. to encrypt /, I'd imagine you need to have downloaded it and then run it as root. People who would do that should not have root

or it's taking advantage of some exploit to gain root
 
Impossible!!!

Linux is immune to any security/vulnerability issues by nature. :rolleyes::rolleyes:
 
This stuff has become so big on Windows, then Macs, it was obvious that Linux was next. Bottom line, an OS may not be targeted as much because of its market share. That doesn't make it immune.

No, no operating system is immune. Linux has more working to its advantage than just obscurity though. (but obscurity sure helps)

The open source model leads to the detection of more vulnerabilities, which are then patched very quickly, and the use of full featured package managers mean that the patches wind up on user machines much faster than with Windows or OS X.

What this means is that very few Linux systems are compromised through security vulnerabilities. When they are compromised it is more often than not due to weak (or in some cases no) passwords.

There is a huge trend of Asian (for some reason) linux game servers in which people who don't know what they are doing are setting up boxes with either default passwords, or no passwords at all. These linux boxes are getting compromised at an alarming rate, and contributing to DDoS botnets, not because Linux is vulnerable, but because the idiots couldn't be bothered to choose strong passwords, or set up passwords at all.

Through a combination of the advantages of the open source model, and all encompassing package managers which update all installed software, not just the OS itself, as well as the best user account and privilege system of any operating system, Linux and other Unix-like systems are by far the most secure when properly set up.

No system can protect someone who can't be bothered to set up a password, or disables patches though.
 
or it's taking advantage of some exploit to gain root

This is relatively unlikely on a patched machine.

Most compromised linux machines are either brute forced weak passwords, or Asian gaming servers with no, or default passwords.

To a lesser extent there are also users who run root as their user account (!?!?!, that's just as idiotic as having your Windows administrator account be your daily driver account) and those who disable or don't run updates.
 
So pretty much if you are fooling around with the Magento CMS, you should make sure that your outward facing HTTP server is not running as root.
 
Impossible!!!

Linux is immune to any security/vulnerability issues by nature. :rolleyes::rolleyes:

No system is immune, but Linux/Unix IS the gold standard. If you have talented enough people who want to compromise your system, even disconnecting your computers from the internet and hiding them away in an underground bunker won't help.

Linux has several advantages though.

  • As mentioned before, the open source methodology results in more eyes on the code, and thus more frequent patches as more holes are found, leaving fewer open out there in the wild as potential 0-day attacks.

  • Also mentioned before, a package manager that instantly updates everything on your system, including installed software, is HUGE. Managing software vendor by vendor, never has the same effect.

  • Some of the best user account / privilege management in computer history, helps minimize the extent of problems if a system is compromised.

  • Most distributions will set themselves up by default making your user account separate from your root account, and making you choose a unique password.

  • And then of course there is the obscurity factor which is the icing on the cake. GUI type programs tend to have more vulnerabilities than behind the scene services, and the overwhelming majority of *nix boxes are servers without a GUI. Desktop linux users are such a small group that they aren't worth writing special code for, and (at least historically) have tended to be more savvy, and less likely to be fooled by phishing attempts.


That's not to say there isn't room for improvement.

  • Old /dead / abandoned projects sometimes linger on unpatched for a long time before they are killed off, or adopted by someone else.

  • Why brute force protections like fail2ban aren't installed by default on all major distributions is beyond me. This is a no brainer.


So, nothing is impossible. *nix systems are about as secure as they get, much more so than OS X or Windows, but they all have room for improvement, and if you have a dumb user, none of them can fix stupid.
 
So pretty much if you are fooling around with the Magento CMS, you should make sure that your outward facing HTTP server is not running as root.

Plus, if you were running as some http user, the only possible result would be a broken Magento installation, since that user shouldn't have access to your personal files.

So, to sum it up, user stupidity strikes again.
 
Also, let's be clear.

If you have valuable data, you should have an offsite backup of said data.

The most they should be able to hold ransom is the inconvenience of having to restore from a backup (which can be a big deal, if you are downtime sensitive, and have lots of data)
 
This attack has already been resolved. There was a serious flaw in the encryption mechanism of this program. Whoever coded it thought it would be a good idea to use the targeted system's time stamp as a seed for the "randomly" generated encryption key. Obviously, a time stamp takes the ran out of random and just leaves dumb.

Basically the malware derives these two pieces of information from the libc rand() function seeded with the current system timestamp at the moment of encryption. This information can be easily retrieved by looking at the file’s timestamp. This is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the RSA public key sold by the Trojan’s creators.

If you are affected by this issue, Bitdefender has released a script that will fix your woes.
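To make the flaw described above concrete, here is an added example (written for this page; it is not the Trojan's code and not Bitdefender's script). It shows why a key pulled from libc rand() seeded with the current time is recoverable: the only secret is the seed, and the encrypted file's mtime pins that seed down to within a few seconds. The key-derivation loop, the 16-byte key length, the XOR stand-in for the real cipher, the "<?php" known-plaintext header and the timestamps are all constructed assumptions for the demonstration; the malware's actual routine is not reproduced here.

```c
/* Added example: why a timestamp-seeded rand() key is recoverable.
 * Assumptions (not from the original post): key = 16 bytes of rand() output after
 * srand(timestamp); a toy XOR cipher stands in for the real one; the defender knows
 * a plausible first few bytes of a file (here "<?php") to validate a candidate key. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define KEY_LEN 16

/* Hypothetical weak key derivation: seed libc rand() with a timestamp, take bytes. */
static void derive_key(time_t seed, unsigned char key[KEY_LEN]) {
    srand((unsigned int)seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)(rand() & 0xFF);
}

/* Toy stand-in for the real cipher: XOR with the repeating key (symmetric). */
static void xor_crypt(unsigned char *buf, size_t len, const unsigned char key[KEY_LEN]) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % KEY_LEN];
}

/* Recovery search. The file's mtime was set when the encrypted copy was written, so the
 * seed lies at most a few seconds (window_secs) before it. Try each candidate seed,
 * decrypt the first bytes, and accept the seed that reproduces the known header.
 * Returns the recovered seed or (time_t)-1 if nothing in the window matches. */
static time_t recover_seed(const unsigned char *ciphertext, size_t len,
                           const unsigned char *known_header, size_t header_len,
                           time_t mtime, int window_secs) {
    unsigned char key[KEY_LEN];
    unsigned char trial[64];
    if (header_len > sizeof trial || header_len > len) return (time_t)-1;
    for (time_t s = mtime - window_secs; s <= mtime; s++) {
        derive_key(s, key);
        memcpy(trial, ciphertext, header_len);
        xor_crypt(trial, header_len, key);
        if (memcmp(trial, known_header, header_len) == 0) return s;
    }
    return (time_t)-1;
}

/* Demonstration on constructed data: "encrypt" a small PHP file with a key derived from
 * a constructed timestamp, pretend the file was written 3 s later, then recover the key
 * from the mtime alone. Returns 1 if the plaintext is fully restored. */
static int demo(void) {
    static const unsigned char header[] = "<?php";            /* constructed known prefix */
    static const unsigned char original[] = "<?php\necho 'hello';\n"; /* constructed sample */
    unsigned char file[sizeof original];
    const time_t seed = 1447000000;   /* constructed: a November 2015 timestamp */
    const time_t mtime = seed + 3;    /* encrypted copy written 3 s after seeding */
    size_t len = sizeof original - 1; /* exclude the terminating NUL */
    unsigned char key[KEY_LEN];

    memcpy(file, original, sizeof original);
    derive_key(seed, key);
    xor_crypt(file, len, key);        /* the "attack": key comes only from the clock */

    /* Search a 5-minute window ending at the mtime: at most 301 candidate keys. */
    time_t found = recover_seed(file, len, header, sizeof header - 1, mtime, 300);
    if (found == (time_t)-1) return 0;

    derive_key(found, key);
    xor_crypt(file, len, key);        /* decrypt in place with the recovered key */
    return found == seed && memcmp(file, original, len) == 0;
}

int main(void) {
    printf("key recovery from file mtime %s\n", demo() ? "succeeded" : "failed");
    return 0;
}
```

The point the search makes explicit: a key's strength is the entropy of its source, not its length. Sixteen bytes from rand() look random, but with a one-second clock as the seed the effective keyspace is the handful of seconds between the file's mtime and when the process started, which a loop walks in a fraction of a second. A key meant to stay secret has to come from the kernel's CSPRNG (for example /dev/urandom or getrandom()), never from a seeded PRNG.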
 
Got hit with this on a staging machine that had been opened up for a third party vendor. Thanks for the info Crixus.
 
Zarathustra[H];1041963170 said:
Also, let's be clear.

If you have valuable data, you should have an offsite backup of said data.

The most they should be able to hold ransom is the inconvenience of having to restore from a backup (which can be a big deal, if you are downtime sensitive, and have lots of data)

Wow. I'm surprised I had to scroll this far down till someone mentioned to back up their web server. Obviously if downtime is an issue you should also be hardening your server, having a failover server to take over and keeping up with updates.
 
This stuff has become so big on Windows, then Macs, it was obvious that Linux was next. Bottom line, an OS may not be targeted as much because of its market share. That doesn't make it immune.

Linux has a much bigger market in servers than on desktop. The ransomware is made for servers.
 
So a program that requires running as admin that then does bad stuff is now called malware? Normally we just call that a shitty program. Real Malware needs to gain root by itself or it's just another program. I wouldn't call this malware on any OS as you have to actually get the user to run the program with elevated privileges and on all OS's no one logs in as root. Carry on nothing to see here.
 
So a program that requires running as admin that then does bad stuff is now called malware? Normally we just call that a shitty program. Real Malware needs to gain root by itself or it's just another program. I wouldn't call this malware on any OS as you have to actually get the user to run the program with elevated privileges and on all OS's no one logs in as root. Carry on nothing to see here.

It is more about labeling what the software is meant to do, not defining how it achieves it. Kinda like those nasty scarletJ_nude.jpg .exe files that get people to click them. It still required user interaction to enable it to get access to the system.
 
weird how they don't mention how you get this ransomware. to encrypt /, I'd imagine you need to have downloaded it and then run it as root. People who would do that should not have root

Even if you install your own linux distro; by default even as admin you are not given root access unless you jump through some hoops.
 
weird how they don't mention how you get this ransomware. to encrypt /, I'd imagine you need to have downloaded it and then run it as root. People who would do that should not have root

Negative. It was a CMS hack of some sort.
 
Even if you install your own linux distro; by default even as admin you are not given root access unless you jump through some hoops.

lol what? the default user you create first is root on any RHEL distro like CentOS (which runs a LOT of www servers)

unless you mean ubuntu, which you can just sudo su...
 
lol what? the default user you create first is root on any RHEL distro like CentOS (which runs a LOT of www servers)

unless you mean ubuntu, which you can just sudo su...

I didn't say you couldn't get access; that wouldn't make any sense. But about every desktop distro I have tried you were not given root access by default. You had to know how to go get it.
 
So a program that requires running as admin that then does bad stuff is now called malware? Normally we just call that a shitty program. Real Malware needs to gain root by itself or it's just another program. I wouldn't call this malware on any OS as you have to actually get the user to run the program with elevated privileges and on all OS's no one logs in as root. Carry on nothing to see here.

It is a hack that exploits the CMS Magento vulnerability. It is not "just another program". Just another program would be MSPaint.
 