
Critroni Crypto Ransomware Seen Using Tor for Command and Control

samzenpus posted about 2 months ago | from the protect-ya-neck dept.

Security 122

Trailrunner7 writes: There's a new kid on the crypto ransomware block, known as Critroni, that's been sold in underground forums for the last month or so and is now being dropped by the Angler exploit kit. The ransomware includes a number of unusual features and researchers say it's the first crypto ransomware seen using the Tor network for command and control.

The Critroni ransomware is selling for around $3,000 and researchers say it is now being used by a range of attackers, some of whom are using the Angler exploit kit to drop a spambot on victims' machines. The spambot then downloads a couple of other payloads, including Critroni. Once on a victim's PC, Critroni encrypts a variety of files, including photos and documents, and then displays a dialogue box that informs the user of the infection and demands a payment in Bitcoins in order to decrypt the files.

"It uses C2 hidden in the Tor network. Previously we haven't seen cryptomalware having C2 in Tor. Only banking trojans," said Fedor Sinitsyn, senior malware analyst at Kaspersky Lab, who has been researching this threat. "Executable code for establishing Tor connection is embedded in the malware's body. Previously the malware of this type, this was usually accomplished with a Tor.exe file. Embedding Tor functions in the malware's body is a more difficult task from the programming point of view, but it has some profits, because it helps to avoid detection, and it is more efficient in general."


122 comments


Time to get rid of Tor (0, Troll)

Jay Maynard (54798) | about 2 months ago | (#47495741)

Tor has only ever been an enabler for spammers and other criminals, making it possible for them to hide their tracks. Time to get rid of it.

Re:Time to get rid of Tor (0)

Anonymous Coward | about 2 months ago | (#47495779)

And bitcoin for the same reason.

Re:Time to get rid of Tor (0)

Anonymous Coward | about 2 months ago | (#47495807)

And cash for the same reason.

Re:Time to get rid of Tor (1)

easyTree (1042254) | about 2 months ago | (#47498577)

"...demands a payment in Bitcoins."

Seriously? Way to reduce your pool of potential customers to those who know how to make a payment in BitCoin.

Is this an ad for BitCoin?

Re:Time to get rid of Tor (0)

Anonymous Coward | about 2 months ago | (#47497379)

Which OS does this malware run on?

Re:Time to get rid of Tor (-1)

Anonymous Coward | about 2 months ago | (#47495791)

NSA agent spotted

Re:Time to get rid of Tor (4, Insightful)

CRCulver (715279) | about 2 months ago | (#47495861)

It has also been an enabler for millions of people in Iran, Syria and Turkmenistan to frequent social networks like Facebook and Twitter. The considerable soft power that the West gains over the youth in these often hostile or hermetic states is worth the occasional use of the network for financial crimes.

Re:Time to get rid of Tor (5, Insightful)

vux984 (928602) | about 2 months ago | (#47495947)

It has also been an enabler for millions of people in Iran, Syria and Turkmenistan to frequent social networks like Facebook and Twitter.

And get uncensored news from buzzfeed

Don't get me wrong, Tor is a great enabler for countering censorship, etc... but advocating that these people need access to facebook and twitter? Honestly. Nobody needs that.

Re:Time to get rid of Tor (1)

ComputersKai (3499237) | about 2 months ago | (#47496405)

For voicing opinions safely though...

Re:Time to get rid of Tor (0)

Anonymous Coward | about 2 months ago | (#47498579)

News just in from Turkmenistan via Twitter:

"I like my stapler."

Re: Time to get rid of Tor (0)

Anonymous Coward | about 2 months ago | (#47496831)

Fb and twit were instrumental for on location reports during rebellions ... Saying otherwise suggests that you are ... ignorant.

Re: Time to get rid of Tor (0)

Anonymous Coward | about 2 months ago | (#47497183)

Fb and twit were instrumental for on location reports during rebellions ... Saying otherwise suggests that you are ... ignorant.

I can accept Twitter being useful due to its straightforward simplicity, but you are the ignorant one if you find any use for Facebook other than to destroy any semblance of privacy.

Re: Time to get rid of Tor (1)

vux984 (928602) | about 2 months ago | (#47498513)

Fb and twit were instrumental for on location reports during rebellions ... Saying otherwise suggests that you are ... ignorant.

Instrumental yes. In the same sense that Bic pens were instrumental in me graduating university. However, if there were no bic pens I'd have found something else to use.

Likewise, twitter was instrumental, in the sense that it got used, but if there had been no twitter, they could have just as easily organized from something else.

Re:Time to get rid of Tor (1)

Gothmolly (148874) | about 2 months ago | (#47495987)

And those countries instantly became bastions of freedom? Hint: no they didn't. People think Internet = magical standard of living raiser, and it isn't. It's just another tool to control the population.

Re:Time to get rid of Tor (3, Insightful)

jeIIomizer (3670945) | about 2 months ago | (#47495989)

And those countries instantly became bastions of freedom?

It didn't instantly fix everything, so it's worthless.

Re:Time to get rid of Tor (4, Interesting)

DarkOx (621550) | about 2 months ago | (#47496319)

And while we are on the subject:

It's true that some protests and the beginnings of the Arab Spring stuff apparently began on Twatter and Facespace; I wonder how much of that was going to happen anyway, especially given that in at least three of the four major uprisings the secular movements that seemed so popular online certainly have not proven to be what the people ultimately chose to support:

Egypt - went theocracy and is now back to essentially an autocracy that more or less resembles the one they started out with.

Libya - If you're not an Obama apologist, is a failed state, run by gangs or would-be tyrants.

Syria - Remains to be seen if the rebels will even succeed, but if they do it will probably be Islamist.

Tunisia - Well, that one might have kinda worked.

One is left to wonder if, much like Slashdot here in the States, where lots of radical (not necessarily to be read with a negative connotation) ideas get expressed online, it seems to amount to a lot of political masturbation because it does not get translated into actions that generate any sort of results at the ballot box. In some respects, taking a longer view, the pamphleteers of the late 17th and 18th centuries and the marchers and organizers of the mid-20th century seem to have had much more influence than the 21st century Internet critics. Oh sure, they can manage to get a SOPA or PIPA shot down once in a while, but can't get it turned into the sort of third rail the politicians will shy away from touching again for even a year.

So is it possible the Internet is actually harmful to these movements, is it keeping people sitting at home posting on Facespace behind their proxies instead of actually out in the street doing something disruptive? Sure the organizing power of these things is clear but real widely supported political movements always have managed to organize before.

Re:Time to get rid of Tor (0)

dskoll (99328) | about 2 months ago | (#47496923)

The problem with Egypt, Syria, Libya and Tunisia is they've suffered over a thousand years of Islam. That has left their population with a fatalistic outlook, their leaders corrupt and their drive and innovation sapped. The Internet is not going to free the billion humans who live enslaved to Islam. Unfortunately, only the people themselves can do that by throwing off the stultifying oppression of Islam, and that's not happening any time soon.

Re:Time to get rid of Tor (-1)

Anonymous Coward | about 2 months ago | (#47497507)

s/Islam/religion/

Re:Time to get rid of Tor (0)

Anonymous Coward | about 2 months ago | (#47498589)

s/religion/government/

Re:Time to get rid of Tor (0)

Anonymous Coward | about 2 months ago | (#47498583)

Libya - If you're not an Obama apologist, is a failed state, run by gangs or would-be tyrants.

Hint: every country is run by gangs.

Re:Time to get rid of Tor (1)

mysidia (191772) | about 2 months ago | (#47497013)

Tor has value, BUT it has no proper place running behind the firewall on the corporate intranet or in the home within the developed world -- it is a huge security risk, and it makes sense to block tor completely.

Tor has value for some people living in tyrannical regimes where free speech has been outlawed and internet users have a jealous government to worry about who may object to what they post or read, and may threaten them or their families based on it.

However.... these users also need some sort of VPN or anonymized onramp to get onto Tor, or else they may be busted for the crime of using Tor.

Re:Time to get rid of Tor (0)

Anonymous Coward | about 2 months ago | (#47495871)

And Microsoft Windows ..

Re:Time to get rid of Tor (-1)

Anonymous Coward | about 2 months ago | (#47495881)

I agree. Let's get rid of Tor.
And then let's get rid of I2P, AnoNet and FreeNet. Nobody has any legit use for that.

The easiest solution would be to require a federal license to encrypt data, and outlaw all non regulated/non necessary use of encryption. Not only will we save money on having to buy dedicated servers to decrypt hostile traffic, we will save the planet.

Re:Time to get rid of Tor (0)

Anonymous Coward | about 2 months ago | (#47496135)

And get rid of SSL. No-one has any legitimate reason for any kind of privacy after all. The government should know *everything* you do. So should your wife and boss.

Re:Time to get rid of Tor (1)

flyneye (84093) | about 2 months ago | (#47497849)

Why doesn't someone infiltrate the forums and out some of the fuckheads buying/selling this so someone can run some "extortionware/revengeware" on their piddly asses? Wouldn't it make great articles? Malware Ring Found Tortured Columbian Style with All Their Assets Missing.
It'd make a great hobby for some bored sociopath or open new Animal Friendly Hunting opportunities for those turned off by killing innocent animals for sport.
Name one person on the planet who would even care, besides their mothers. No? I thought not.
Seasons OPEN!

Re:Time to get rid of Tor (0)

Anonymous Coward | about 2 months ago | (#47495911)

How's the astroturf doing Mr NSA Agent? Hope you get what's coming, oh and do remember, Snowden is a hero!

Re:Time to get rid of Tor (0)

Anonymous Coward | about 2 months ago | (#47496003)

Come on, anything can be an enabler, like guns, alcohol, and narcotics. Take guns for example, if banned it would effectively enable the government to do anything they please with no risk of starting a civil war.

Re:Time to get rid of Tor (0)

Anonymous Coward | about 2 months ago | (#47496189)

Criminals drive on roads. They also drink water. We should ban water.
But there is no risk at all of a civil war. We are far too controlled for that to ever happen. If you think a band of vigilantes or a citizens' militia could ever take down the government of any modern Western power, you are living in an alternate universe where reality is somewhat warped out. Get real. That possibility has not existed for a very long time. Politicians in western countries have no fear of the people.

Re:Time to get rid of Tor (0)

Anonymous Coward | about 2 months ago | (#47496145)

Tor has only ever been an enabler for spammers and other criminals, making it possible for them to hide their tracks. Time to get rid of it.

^^^^Genuine asshole.

Re:Time to get rid of Tor (3, Interesting)

IamTheRealMike (537420) | about 2 months ago | (#47496445)

There is no need to get rid of Tor: in theory, Tor could have a "hidden service policy" mechanism not much different to the exit policy mechanism. HS Policies would allow a node operator to state that they aren't willing to act as an introduction point for a list of hidden services (or point to lists maintained elsewhere to stop fast-flux type behaviour).

Tor already accepts that not all relay operators will want to support all kinds of behaviour and that some kinds of traffic can be abusive; that's why they implement exit policies which allow exits to ban port and IP ranges. Taking this philosophy to hidden services seems like the next natural step. After all, Tor volunteers are ultimately acting as human shields for other people's anonymous behaviour. Requiring them to shield everything just restricts the number of people who would be willing to donate bandwidth to general privacy but are not interested in enabling botnets.

Re:Time to get rid of Tor (1)

Mister Liberty (769145) | about 2 months ago | (#47496515)

Jay Maynard, collaborator anno 2014. There's a tree for you somewhere.

Re:Time to get rid of Tor (1)

retchdog (1319261) | about 2 months ago | (#47498025)

I think he has... ahem... balls [allvoices.com] to assert such a contrarian viewpoint on slashdot.

But, yeah, he's a loony reactionary. Just ignore him or laugh at him [youtube.com] . "Collaborator" is a bit too generous.

Antivirus (0)

Anonymous Coward | about 2 months ago | (#47495781)

Not trying to blame the victim, but I wonder if antivirus or anti-malware software will detect these ransomware programs? Just asking. I guess firewalls might be able to detect the Tor server/connections.

Antivirus (4, Informative)

saloomy (2817221) | about 2 months ago | (#47495839)

Not trying to blame the victim, but I wonder if antivirus or anti-malware software will detect these ransomware programs? Just asking. I guess firewalls might be able to detect the Tor server/connections.

All a firewall will see is encrypted traffic from the computer in the LAN (inside) initiating a connection to a random computer (IP address) on the Internet (outside interface). It's not able to see what is being sent/received, which is the entire reason for Tor's existence: protecting you from Man in the Middle attacks, which in this case, the firewall would be.

Re:Antivirus (0)

Anonymous Coward | about 2 months ago | (#47495887)

If the Firewall cannot see it, it should be blocked by default, many businesses already do this; the only exception being port 443 which gets MITM'd by use of an installed certificate clientside.

Re: Antivirus (0)

Anonymous Coward | about 2 months ago | (#47496071)

This is the wrong attitude. If you MITM https you are part of the problem.

Corporate MITM (1)

davidwr (791652) | about 2 months ago | (#47496157)

Which is more evil:
Telling employees "we block all encrypted traffic and snoop on everything else"

or telling them

"We MITM all encrypted traffic we can so we can snoop on it, we snoop on everything we can and block the rest"

or telling them

"we block all traffic except traffic to the few Internet resources we know you need, and oh by the way we snoop on that"

or telling them

"we don't think you need a computer to do your job, if you do need a computer to do your job then talk to your boss and he MAY give you the keys to the one room where there is a computer. Oh, by the way, there are TV cameras all over that room so don't even think about using it for non-business purposes."

Substitute "school," "institution," or "parent" for "employer" and substitute "student," "client/end-user," or "minor child who the parents deem too young/immature to use the Internet unsupervised" for "employee."

Speaking of parents, many parenting experts highly recommend that if a kid under a certain age/maturity level wants to use the Internet, he only be allowed to do so under close supervision, as in mom or dad in the room within eyesight of the screen. What age? Experts disagree, but almost all would put the cutoff age where mom can leave the room for a few minutes at somewhere in the elementary school (age 5-12) age range.

Re:Antivirus (0)

Anonymous Coward | about 2 months ago | (#47495931)

If a firewall is in the middle, IPS style: simply have the firewall deny/drop any packets to and from any IP associated with the Tor network. Exit and non-exit nodes blocked.

Using bridge nodes? Harder to preempt. But again, if you're in the middle and can see the traffic it shouldn't be too hard to figure out the Tor protocol chatter.

Next up, whitelisting.

Re:Antivirus (1)

saloomy (2817221) | about 2 months ago | (#47495991)

Technically yes, it can be done, but...
1. Where is the list of all IP addresses coming from
2. Who is supposed to manage the white list, or the now very large ruleset in your large organization
3. Who is supposed to whitelist EVERY SINGLE IP address your computer talks to? Track the connections in your ASA, and you will discover that with phones, tablets, and regular users, a 50 man organization will connect to literally tens of thousands of IPs a day. It's unrealistic to whitelist IPs, especially when you cannot guarantee targets will not update their DNS records when they obtain new IP addresses.
4. Forget about any P2P application.. not just file-sharing but chat and messaging programs that communicate directly to the client.

Re:Antivirus (0)

Anonymous Coward | about 2 months ago | (#47496037)

You can get the IP address of every Tor node, old and current, right now. You can scrape it yourself or you can simply download a daily list from the internet. Hell, don't Snort rules have this by default?

http://torstatus.blutmagie.de/ - You can download a CSV file.

Bridge nodes are still a problem since anybody can basically act as a proxy to the Tor network. Might be able to block communications by traffic analysis.

Management of blocking is automated if it's a blacklist. Whitelist would take a lot of effort, I agree. Not very practical, and if you're running a whitelist type regime then Tor was probably never allowed to connect in the first place.
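As an added example (not code from the thread or from the torstatus site), the following Python script does the blacklist step the comment describes: load a relay export, build a set of relay addresses, match outbound firewall log lines against it, and emit an `ipset restore` script the firewall can reference. The CSV columns, the iptables-style log format and every address are constructed; the unlisted 192.0.2.77 stands in for a bridge, which a public relay list cannot reveal.

```python
"""Match firewall log lines against a Tor relay list.

Added example, not code from the Slashdot thread or from any Tor project.
RELAY_CSV is a constructed stand-in for a downloaded relay export (real
exports carry more columns; only ip/or_port/flags are assumed here), and
FIREWALL_LOG holds constructed iptables LOG-target records. All addresses
come from RFC 5737 documentation ranges.
"""
import csv
import io
import ipaddress
import re

# Constructed relay export. 192.0.2.77 is deliberately NOT listed: it stands
# in for a bridge, which a public relay list cannot tell you about.
RELAY_CSV = """ip,or_port,flags
198.51.100.10,9001,Running Fast Exit
198.51.100.11,443,Running Guard
203.0.113.5,9001,Running
"""

# Constructed iptables-style log lines for outbound connections from the LAN.
FIREWALL_LOG = """\
Jul 20 10:01:02 gw kernel: OUT=eth0 SRC=10.0.0.23 DST=198.51.100.11 LEN=60 PROTO=TCP SPT=51234 DPT=443
Jul 20 10:01:05 gw kernel: OUT=eth0 SRC=10.0.0.23 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51235 DPT=443
Jul 20 10:01:09 gw kernel: OUT=eth0 SRC=10.0.0.42 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40012 DPT=9001
Jul 20 10:01:12 gw kernel: OUT=eth0 SRC=10.0.0.42 DST=192.0.2.77 LEN=60 PROTO=TCP SPT=40013 DPT=9001
"""

# Field order follows the iptables LOG target; other fields may sit in between.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def load_relays(csv_text):
    """Return {ip_address: set(or_ports)} from the export; malformed rows are skipped."""
    relays = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            ip = ipaddress.ip_address(row["ip"].strip())
            port = int(row["or_port"])
        except (ValueError, KeyError, TypeError):
            continue
        relays.setdefault(ip, set()).add(port)
    return relays


def find_tor_connections(log_text, relays):
    """Return (src, dst, dport, on_orport) for every log line whose DST is a listed relay.

    on_orport is True when the destination port is one of the relay's known
    ORPorts; a hit on another port is still worth a look but may be unrelated.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if dst in relays:
            dport = int(m["dpt"])
            hits.append((m["src"], str(dst), dport, dport in relays[dst]))
    return hits


def ipset_restore_lines(relays, setname="tor_relays"):
    """Emit an `ipset restore` script; iptables can then match with -m set."""
    lines = [f"create {setname} hash:ip"]
    lines += [f"add {setname} {ip}" for ip in sorted(relays)]
    return lines


if __name__ == "__main__":
    relay_set = load_relays(RELAY_CSV)
    for src, dst, dport, on_orport in find_tor_connections(FIREWALL_LOG, relay_set):
        print(f"{src} -> {dst}:{dport} is a listed Tor relay (ORPort match: {on_orport})")
    print("\n".join(ipset_restore_lines(relay_set)))
```

The second and fourth log lines are not flagged: one is an ordinary web server, the other the bridge stand-in. That gap is the point the comment makes about bridges, and it is why a relay blocklist is a detection aid rather than a complete control; the list also has to be refreshed as often as the export changes.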

Hiding bridges (1)

davidwr (791652) | about 2 months ago | (#47496175)

If counteracting the detection and blocking of bridge nodes becomes a problem - and it probably will as soon as the Chinese get good at it - someone will find a solution.

A resource-intensive solution would be to layer the TOR/bridge traffic on top of and steganographically embedded into some seemingly-normal traffic, such as an encrypted streaming video, so that a traffic analysis would say "it's probably just someone watching online TV."

Re:Antivirus (0)

Anonymous Coward | about 2 months ago | (#47496059)

You're missing the point: your firewall will already be destroyed before the virus even attempts to connect. These viruses use exploits to gain total control and have no need to use Tor until your system is already taken. There is some good news though: you can hire Liam Neeson for $300! Your firewall will already be destroyed before the virus even attempts to connect.

Re:Antivirus (1)

leuk_he (194174) | about 2 months ago | (#47495893)

All trojans/bots/ransomware are designed to circumvent antivirus. It is an arms war between viri and anti-virus. At the moment the viri are winning it :(.

And there is a nasty side effect: real legit Tor usage will be detected as malware suspect by antivirus software. So if you have a "good" reason to use Tor you might have to disable anti-virus.

Re:Antivirus (0)

Anonymous Coward | about 2 months ago | (#47496233)

the 'viruses' aren't winning,
the anti-viruses need them to stay alive - we have (please don't laugh) the technology to defeat 99% of this.
it just hasn't been deployed.
process-whitelisting
tpm's

the government isn't interested in securing you 100%, they gag microsoft and others to STFU about exploits.
the anti-virus companies aren't really interested either, all they have to do is keep the bar low and keep swatting the flies.
by doing that they maintain their source of income, if they set the bar too high then there will only be TRUE hacks not all the bullshit we're used to now-a-days.

there's a lot more we could be doing to keep our society and our computers cleaner, but until our opsec improves and our government cares...
FAT CHANCE CUZ NOBODY who's supposed to have your back DOES

Re:Antivirus (0)

Anonymous Coward | about 2 months ago | (#47496253)

process-whitelisting
tpm's

Disgusting draconian nonsense. No thanks.

Re:Antivirus (0)

Anonymous Coward | about 2 months ago | (#47496533)

then turn it off. :)

Re:Antivirus (0)

Anonymous Coward | about 2 months ago | (#47497271)

What's wrong with that? It could even be used as a utility that is off by default (or even installed like EMET.)

What I would like is a utility like AIX's trustchk. I install my system and update it, then fire off trustchk to do a scan like Tripwire/AIDE and make a list of OK executables. After that, then set it to only execute stuff on the manifest with something like BSD's security level (where it can be changed up, but moving it back down requires a reboot.)

Unlike Tripwire/AIDE, this would actively block execution of anything that isn't on the whitelist.

Windows does have this functionality (AppLocker.) Linux desperately needs it. It doesn't have to be signed binaries, but a system that one can run a Tripwire like scan, then lock it down once scanned.

Re:Antivirus (0)

Anonymous Coward | about 2 months ago | (#47498981)

process-whitelisting
tpm's

Disgusting draconian nonsense. No thanks.

More FUD. There's nothing wrong with either of those, as long as the user retains complete control. TPM and even its evil brother, SecureBoot, are only dangerous when you don't have the master keys and cannot instruct how they operate; they can actually improve user security if the user knows what he's doing. They don't need to be disabled because of this ZOMG THEY WANT TO TAKE OVER OUR PCs mentality.

Re:Antivirus (1)

goarilla (908067) | about 2 months ago | (#47496277)

All trojans/bots/ransomware are designed to circumvent antivirus. It is an arms war between viri and anti-virus. At the moment the viri are winning it :(.

Well it's a reactive business (hopefully) so that's to be expected.

Antivirus reactive tech loses (I don't)... apk (-1)

Anonymous Coward | about 2 months ago | (#47496433)

Even Aryeh Goretsky of NOD32/Eset won't take my challenge on it here the other day -> http://it.slashdot.org/comment... [slashdot.org]

Why? See my subject above!

Heck - Even Symantec/Norton KNOWS & ADMITS their tech is "Only 55% effective" vs. TODAY'S threats http://it.slashdot.org/story/1... [slashdot.org] ...

Why??

They're mostly delivered via bogus javascript & using self-altering .exe files (which is what I led to here http://it.slashdot.org/comment... [slashdot.org] using program resources to store things, which is a viable way of doing that, altering the file vs. detection, as well as using self-encrypting exe's to go with it + exe compression also)

Fairly "complex" techniques yet once you've mastered them they ARE effective vs. antivirus detection methods.

I noted that in a program I wrote there that IS NOT "REACTIVE" TECH, that I wrote, that is actually PROACTIVE in nature instead, by way of comparison! It also self-checks itself @ startup vs. std. exe alteration (every program SHOULD do that, but they don't).

(It works on a simple principle of "what you can't touch, can't harm you" by blocking out the SOURCE + C&C Servers used in a hosts file it generates from 12 reputable & reliable sources in the security community e.g. MalwareBytes' hpHosts (who host it for me & recommend it as "best of breed" in fact), MVPS, etc.)

It works vs. these resource embedding malicious executables, since it blocks the SOURCE of them (once the C&C is known)

As a BONUS?

Even IF you are infested/infected with it, this method also STALLS THE MALWARE'S ABILITY TO "talk back to HQ for orders" as well

Multiple bonus + MORE speed, security, reliability, & even anonymity from 1 single file you already have.

APK

P.S.=> Another simple & VERY effective principle it works on, is this (that even the disassembler of the MORRIS worm, Spafford, recommends, since it uses what you already have vs. bolting on more complexity & room for breakdown or exploit) - "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"


Re:Antivirus reactive tech loses (I don't)... apk (0)

Anonymous Coward | about 2 months ago | (#47496587)

by way of comparison! It also self-checks itself @ startup vs. std. exe alteration (every program SHOULD do that, but they don't).

You're right, self-checks are another good under-used protection, even if they can be bypassed through tunneling etc.
Another thing is, CA enforcement of websites is one thing - standard CA enforcement of signed executables would be nice at the OS level,
not just the driver subsystem.
Sure it won't defeat scripts and exploits as mentioned earlier,
but man would that cut down on fast-flux executables.
And it's waaaaaaaaay better than a traditional white-list.

By "tunneling": Explain that term please... apk (-1)

Anonymous Coward | about 2 months ago | (#47496677)

What I meant by "self-checking" was in a post on CODING FOR DEFCON I did that did well here -> http://it.slashdot.org/comment... [slashdot.org]

It details specifics as to what it is I do for a "self-testing .exe", which functions AS "built-in" rudimentary antivirus protection in the program itself... It's also very simple, in a sizecheck @ BYTE level: if the exe "changes weight" even by 1 byte? Warn the user (that it is infected by a std. function jump table + added code @ tail end of .exe type std. virus - you *could* also use CRC-32 checks for example, too) & SELF-TERMINATE...

FastFlux &/or Dynamic DNS (the most advanced designs) DO fail vs. hosts on the simple "Sun-Tzu" like principle I noted though. I take advantage of what they ABSOLUTELY need - hostnames, by blocking them off for C&C + payloads servers.

APK

P.S.=> The security community I work with noted "tunneling" ad banners to me once (how they're trying to defeat ad blockers, along with ClarityRay which uses native browser methods to dump what addons you use, & IF it detects AdBlock? It rotates in NEW ads, but that all can't be done to hosts via those addon dumping native browser methods (as hosts operates @ lower levels BEFORE addons do in browsers - which slows browsers, & hosts operate in a faster/higher priority one in kernelmode) - I don't *think* we're "on the same page" here though, as far as my protective methods... apk
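The trustchk/AIDE-style execution allow-list proposed earlier in this thread (the comment ending "then lock it down once scanned") and the startup self-check by byte count and CRC-32 described in the comment above both reduce to the same fingerprint comparison. What follows is an added example in Python, not code from either commenter or from AIX trustchk, AIDE or Tripwire: it builds a manifest of "known good" files at a trusted moment, then classifies files against it as allowed, modified or unknown. The file names, contents and the three checks applied are assumptions; the "attacker" changes are constructed in a temporary directory so the script runs offline.

```python
"""Manifest-based execution allow-list with size, CRC-32 and SHA-256 checks.

Added example, not code from the Slashdot thread nor from AIX trustchk, AIDE
or Tripwire. build_manifest() is the "scan once" step; verdict() is what a
loader would consult before running a file. The same verdict(), run by a
program on its own file at startup against an embedded expected fingerprint,
is the self-check described in the thread. All files here are constructed.
"""
import hashlib
import tempfile
import zlib
from pathlib import Path


def fingerprint(path):
    """Size, CRC-32 and SHA-256 of a file.

    Size and CRC-32 are the cheap checks the thread mentions; SHA-256 is the
    one an adversary cannot realistically satisfy with a modified file.
    """
    data = Path(path).read_bytes()
    return {
        "size": len(data),
        "crc32": zlib.crc32(data) & 0xFFFFFFFF,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def build_manifest(root):
    """Fingerprint every regular file under root, taken at a trusted point in time."""
    return {p.name: fingerprint(p) for p in sorted(Path(root).iterdir()) if p.is_file()}


def verdict(path, manifest):
    """Classify a file as 'allowed', 'unknown' (not in manifest) or 'modified:<check>'."""
    name = Path(path).name
    if name not in manifest:
        return "unknown"
    expected, current = manifest[name], fingerprint(path)
    for check in ("size", "crc32", "sha256"):  # cheapest check first
        if current[check] != expected[check]:
            return f"modified:{check}"
    return "allowed"


def demo():
    """Build a manifest, then simulate the changes a loader should refuse."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed stand-ins for installed executables (ELF magic + filler).
        (root / "good.bin").write_bytes(b"\x7fELF" + b"A" * 64)
        (root / "appended.bin").write_bytes(b"\x7fELF" + b"B" * 64)
        (root / "flipped.bin").write_bytes(b"\x7fELF" + b"C" * 64)
        manifest = build_manifest(root)

        # Constructed post-manifest changes: bytes appended (size changes),
        # one byte flipped in place (size unchanged, CRC-32 catches it), and
        # a new file that was never in the manifest at all.
        with open(root / "appended.bin", "ab") as f:
            f.write(b"\x90" * 8)
        data = bytearray((root / "flipped.bin").read_bytes())
        data[10] ^= 0xFF
        (root / "flipped.bin").write_bytes(bytes(data))
        (root / "dropper.bin").write_bytes(b"MZ" + b"D" * 30)

        return {p.name: verdict(p, manifest) for p in sorted(root.iterdir())}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two design points follow from the thread. The in-place byte flip shows why a size check alone is not enough, and CRC-32 in turn only catches accidental or naive edits, not a deliberate collision, which is why the manifest also carries SHA-256. And a program that verifies itself can be changed by the very modification it is looking for, so the manifest gives stronger assurance when something other than the program enforces it, as AppLocker-style policy or a Tripwire/AIDE scan run from outside does.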

What about the opposite? (0)

Anonymous Coward | about 2 months ago | (#47497639)

On the opposite side, even though this sounds horrid, maybe ransomware might do some good. Back in the MS-DOS/early Windows days, it took viruses blasting out the BIOS firmware, bricking motherboards, zapping controllers on hard disks, and frying monitors (back in the days where you tell a multisync monitor to use a frequency it didn't know, it blew the flyback transformer.)

Maybe ransomware being common may be a good thing. It would spur users to be proactive and not depend on the OS to protect them against themselves.

Re:Antivirus (1)

gl4ss (559668) | about 2 months ago | (#47498955)

the firewall - running locally - won't be worth shit, since the code already owns your computer on admin level and can change the firewall rules to whatever.

much easier if the AV just detects the embedded tor executable/process. generally speaking the av would detect this as it detects any other malware... the tricky part comes from that it's harder to see where the actual command and control for the whole network is.

Angler PC malware? (0)

lippydude (3635849) | about 2 months ago | (#47495853)

How is it you manages to not once mention Microsoft Windows in that whole article?

How does the Critroni ransomware get onto the victim’s PC in the first place?

Re:Angler PC malware? (0)

Anonymous Coward | about 2 months ago | (#47495903)

How is it you manages to not once mention Microsoft Windows in that whole article?

How does the Critroni ransomware get onto the victim’s PC in the first place?

#1, learn to read english.
#2, learn to write english.
#3, who gave him a score of 1?

Re:Angler PC malware? (4, Insightful)

ttucker (2884057) | about 2 months ago | (#47495929)

How is it you manages to not once mention Microsoft Windows in that whole article? How does the Critroni ransomware get onto the victim’s PC in the first place?

Most of this shit is installed by tricking the user with phishing style emails and general social engineering to download attachments. Certainly zero day stuff is a goldmine for malware, but under-informed end users are much more consistently available. The stuff that cryto ransom software holds hostage is heavily concentrated in the user's home directory, so no privilege escalation is required. It is good to be proud of your operating system of choice, but it is smug to think that Linux/OSX/BSD/Solaris will do anything technical to protect from such an attack.

Re:Angler PC malware? (1)

NotInHere (3654617) | about 2 months ago | (#47496035)

Most Linux distros have software repositories, and when you only use them (no PPAs) to install stuff, you are on the safe side. Windows store only includes metro apps. The lack of a proper software repository mechanism is nothing else than an invitation from Microsoft to surf the web for software and download it from there. Another part of this problem is Dice, which agrees to display "download here" ads on SourceForge, and Google, which doesn't want to disable the "download here" ads.

Dice and Google make money from being used to spread malware, and Tor is blamed for routing C&C? This is just stupid.
Of course, I've read this [slashdot.org], but somehow their efforts were in vain, as I've tried today and got a "free trial windows drivers download now" ad on the VLC download page.

Re:Angler PC malware? (1)

Rhywden (1940872) | about 2 months ago | (#47496267)

You're wrong. The Windows 8.1 app store does include traditional desktop apps. They're rare but the Adobe Reader XI is in the store.

Also, Microsoft can't very well force companies to only publish through their store...

Re:Angler PC malware? (1)

ComputersKai (3499237) | about 2 months ago | (#47496409)

Not all Linux applications come from repositories, either.

Re:Angler PC malware? (1)

ttucker (2884057) | about 2 months ago | (#47496987)

Have you ever actually asked where the software in repositories comes from?

Re:Angler PC malware? (1)

NotInHere (3654617) | about 2 months ago | (#47497125)

I haven't reviewed the source code for every single application and update I install. Nor have my distro's packagers. And the software is compiled on some server I don't know, and the server is a single point of failure.
But still I trust this model more than randomly installing blobs from various websites.
When I randomly install software from my package repo no ads pop up from the taskbar, and I don't see CPU constantly at 100%. Haven't tried it for randomly downloading Windows software from the internet.

unpatched wetware (2)

davidwr (791652) | about 2 months ago | (#47496201)

but under-informed end users are much more consistently available

Question: What's more common and arguably more dangerous than a Windows XP computer that hasn't received any OS updates in the last 2 months?

Answer: An "unpatched" (naive/uninformed) human operating the keyboard.

Make it embedded XP ... (1)

CaptainDork (3678879) | about 2 months ago | (#47497237)

There's a registry hack [pcworld.com] that I've applied to Windows XP and I'm getting security updates ...

Re:Angler PC malware? (1)

phantomfive (622387) | about 2 months ago | (#47496227)

Indeed, the rest of us are lucky that there are enough clueless users to distract malware writers. If the focus were on finding all the vulnerabilities in our OS, all of us would be owned.

Re:Angler PC malware? (1)

NotInHere (3654617) | about 2 months ago | (#47496257)

And desktop linux is unfortunately less secure [mupuf.org] than windows to 0day attacks. I hope wayland fixes this through isolation and privilege separation.

Re:Angler PC malware? (0)

Anonymous Coward | about 2 months ago | (#47496361)

> I hope wayland fixes this through isolation and privilege separation.

X already has that [slashdot.org] with the latest systemd integration.

Re:Angler PC malware? (1)

NotInHere (3654617) | about 2 months ago | (#47496403)

No, not at all. What you are referring to is that the X server doesn't need uid 0 to run. But still there is, amongst others, the problem that every X application can keylog you: http://hamsterbaum.de/index.ph... [hamsterbaum.de]
Taking screenshots of the whole screen or faking user input (also for the whole screen) is also possible for every X application.

Re:Angler PC malware? (0)

Anonymous Coward | about 2 months ago | (#47496603)

> No, not at all. What you are referring to is that X server doesn't need uid 0 to run. But still there is, amongst others, the problem that every x application can keylog you

Well, on that note wayland is no better. Wayland doesn't really prevent keylogging -- the use of client-side decoration allows a malicious client to create a transparent window covering the entire screen in order to get all input events. Even if that were somehow accounted for, the linux environment provides plenty of other opportunities like malicious use of LD_PRELOAD. [github.com]

Re:Angler PC malware? (1)

NotInHere (3654617) | about 2 months ago | (#47497925)

The ldpreload attack is not a problem of the compositor, but the configuration of apparmor or SELinux:
http://mupuf.org/blog/2014/02/... [mupuf.org]
http://blog.siphos.be/2011/04/... [siphos.be]
The transparent window attack doesn't work, does it? It seems that it is possible to make a transparent window, but then I doubt the events will be passed on onto the below applications. The keylogger would need to fake user input, which isn't possible AFAIK.

Re:Angler PC malware? (1)

Billly Gates (198444) | about 2 months ago | (#47496453)

Not really.
Java is easy to exploit and almost everyone has an obsolete version with dozens of exploits. Double bonus if the user is running XP as a local admin.

Re:Angler PC malware? (1)

ttucker (2884057) | about 2 months ago | (#47497017)

Even a Java plugin exploit requires some level of social engineering to convince the user to visit the attack page.

Re:Angler PC malware? (1)

Billly Gates (198444) | about 2 months ago | (#47497089)

The problem is if you install java 6 and early java 7 it will install plugins for your browsers.

Visit a website and you are 0wned as it runs as full admin since javaw.exe runs as a freaking service with admin privileges! ... facepalm.

I think the old myth "do not click on ads" is 2004 knowledge. Unfortunately recent operating systems have terrible GUIs, so many run older flavors like 7 and XP which do not have the same level of protections.

It pulls my hair out to see Java 5 and the same users whine I AM INFECTED week after week after week because some beancounter does not want to upgrade: saving $1,000 means $10,000 in lost productivity.

Re:Angler PC malware? (0)

Anonymous Coward | about 2 months ago | (#47496281)

Except that most Linux users aren't retards that happily click for Bieber screensavers. No, sorry, this is 99.999% a Windows problem.

Re:Angler PC malware? (0)

Anonymous Coward | about 2 months ago | (#47496385)

So does this exact exploit work on Linux then, or is your whole argument founded on Fear, Uncertainty and Doubt?

Re:Misconception (1)

Billly Gates (198444) | about 2 months ago | (#47496441)

Once I imaged a computer and opened IE to go download Firefox and other apps and my webcam went on instantly! Ad appeared doing a fake AV scan all from msn.com since computer had 0 updates yet it was 0wned.

Had to reimage again.

XP users really are in trouble and you don't need social engineering. Just IE, no updates, reader, or Java. Scary stuff.

It is why I don't run ancient operating systems, updates, and never use a root or admin account.

Re:Misconception (1)

ttucker (2884057) | about 2 months ago | (#47497011)

I think XP users are in trouble too, and there is not much to save them.

Re:Angler PC malware? (1, Informative)

Arker (91948) | about 2 months ago | (#47496817)

"It is good to be proud of your operating system of choice, but it is smug to think that Linux/OSX/BSD/Solaris will do anything technical to protect from such an attack."

Well unless you have configured your *nix box to automatically privilege and run windows executables somehow, using a real OS is probably sufficient to stop this attack.

Is it conceivable that a very similar attack could be written specifically for your OS of choice and do the same job? Yes, it's conceivable, that's right. But it's not in evidence.

More generally, regardless of OS, this attack won't even trigger if your browser is configured sanely. The exploit kits and injectors all rely heavily on JavaScript. Make sure it is disabled and you have not only defeated this exploit before it even got started, along with all the others, but you have also taken a positive step towards making the web readable again!

Re:Angler PC malware? (1)

ttucker (2884057) | about 2 months ago | (#47496971)

Well unless you have configured your *nix box to automatically privilege and run windows executables somehow, using a real OS is probably sufficient to stop this attack.

You are trying to say that users needing to type chmod +x ./latest_flash_player_youtube.sh is sufficient protection to prevent end users from running things they shouldn't....

Ransomware is not prevalent in Linux, but again, it is absurdly naive to think that it couldn't, or that the OS is doing much to prevent it. Again, end user education is key, regardless of OS. Implying to under-informed users that OSX is magically secure against cryptoware, is a recipe for disaster.

Re:Angler PC malware? (1)

Billly Gates (198444) | about 2 months ago | (#47497207)

Linux users are incredibly prideful and naive, and feel invulnerable, and will not believe you when you claim they are infected. The perfect demographic.

Arstechnica had something a few months back on Linux malware. It is easier to infect linux users because they feel they are secure and do not run AV software and many run outdated versions because they do not like gnome 3

Re:Angler PC malware? (0)

Arker (91948) | about 2 months ago | (#47497243)

"You are trying to say that users needing to type chmod +x ./latest_flash_player_youtube.sh is sufficient protection to prevent end users from running things they shouldn't.... "

I did not actually say that, but it is probably true. Most users are either a) smart enough to realize they do not actually want to do this or b) not actually capable of pulling it off without help (hopefully, from someone who belongs in category a).)

However, that is NOT what I was saying. The exploits we are discussing rely on Win32 executables, NOT shell scripts. Even if the user manages to slide in between case a) and b) somehow, setting an executable bit on a Win32 application will not magically make it work on *nix. You would need to also install WINE and do some intricate configuration magic with it before this would work.

"Ransomware is not prevalent in Linux, but again, it is absurdly naive to think that it couldn't"

Notice I explicitly agreed with you that it could be done.

"Again, end user education is key, regardless of OS. Implying to under-informed users that OSX is magically secure against cryptoware, is a recipe for disaster."

Yes and no. Certainly end-user education is key, regardless of OS. And certainly it's true that no OS is magically secure against malware. And I think it's correct to say that the OS does nothing to prevent it. But that's looking at it backwards.

What OSX, and *nix systems in general, should get credit for is not that they *do something to prevent infection* but that they do *less to facilitate infection*.

Of course, the same things that make Windows an extraordinarily easy target for malware also makes it an extraordinarily easy target for more legitimate programming as well.

And that, ultimately, is why it was designed that way. Developers, developers, developers! Windows is ultra-friendly to developers, it goes out of its way to make life easy for them, and guess what? A subset of those developers make malware. And the same things that makes Windows easy for one set of developers makes it easy for the other.

OSX actually deserves some kudos because it *does* make development a little harder here and there, for the benefit of the user. And while saying OSX is 'virus-immune' would be clear BS, saying that it's an effective way for a technically challenged computer user to dramatically reduce their risk of being infected is actually true.

Linux can be deployed to even better effect on the security front, of course, though I would not recommend it for the technically-challenged unless said user has a friend or family member to help with setup and ssh in occasionally to administer it.

Re:Angler PC malware? (0)

Anonymous Coward | about 2 months ago | (#47497435)

Linux users tend to be not as vulnerable to dancing pigs exploits for a few reasons:

1: Generally, most Linux stuff is either sitting on a repo and fetchable by yum or apt-get. If it isn't, the user will tend to look for a website with the software and fetch it. If some site demanded a user download stuff, unzip it, chmod 755 it, and run it as root without any explanation, it raises a -lot- more flags than something that appears to be a flash update which gets downloaded and run with 1-2 mouse clicks. Because installing a Trojan on Linux takes a -lot- more work, and is far more different than just clicking "OK" and answering a UAC dialog on Windows.

2: Linux (and Mac) users as a whole tend to at least have a clue. Some website proffers a "pr0n viewer", they will refuse. Or in reality, Adblock/NoScript stop that stuff before it even displays.

3: Linux (and Mac) users tend to have some insulation between their systems and E-mail. An attachment on Windows is usually just 1-2 clicks away from being run. However, on Linux, the attachment must be downloaded, extracted, chmod 755, then run.

4: Cleaning a user account in Linux is fairly easy, due to the limited number of startup areas. Windows, this can be extremely hard since there are a lot of places something can burrow into.

Re:Angler PC malware? (1)

murdocj (543661) | about 2 months ago | (#47496311)

Didn't take long for Windows hate to hijack this thread.

Re:Angler PC malware? (1)

lippydude (3635849) | about 2 months ago | (#47497305)

"Didn't take long for Windows hate to hijack this thread."

So, how does the Critroni ransomware get onto the victim’s Windows PC in the first place?

Firewalls that block suspicious activity (2)

davidwr (791652) | about 2 months ago | (#47495971)

The time will come when firewalls inspect all outgoing packets and use heuristics to guess how dangerous encrypted traffic might be.

For example:

  • Whitelisted sites Encrypted traffic to an IP address previously whitelisted by the firewall vendor or end user? It's whitelisted, let it pass.
  • Heuristically safe sites Encrypted traffic to an IP address known to be associated with a well-known domain whose DNS is known to be valid and who is known to typically use encryption over this port and whose recent activity hasn't been suspicious? Probably safe.
  • Suspicious traffic to an okay site Encrypted traffic to whitelisted or probably-safe web sites that is uncharacteristic in size or other known details? Possibly not safe.
  • Unknown site Encrypted traffic to anyone else who isn't blacklisted? Possibly not safe.
  • Blacklisted site Encrypted traffic to a blacklisted site? Block it.

In the middle three groups, give the user a chance to approve/block/whitelist the traffic or, if the user just wants such traffic logged or just wants to see an on-screen alert but doesn't want to be bothered with the "should I block it" question, log it and/or put up a visible notification to the end-user.
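As an added illustration of the tiered policy in the post above (example code written for this page, not anything davidwr or a firewall vendor ships), here is a small Python rule engine that maps an encrypted-flow record to one of the five tiers and to the action the post assigns it. The list contents, the "ten times the usual session size" test for uncharacteristic traffic, and the `Flow` fields are assumptions; a real product would derive them from threat intelligence and traffic history.

```python
"""Rule engine for the five egress tiers described in the post.
Constructed example: the sets below are placeholders, not real threat intel."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    bytes_out: int
    domain: Optional[str] = None   # name the client resolved before connecting, if known
    dns_valid: bool = False        # resolver answer checked out (assumed upstream check)
    port_usual: bool = False       # this domain normally speaks TLS on this port
    recent_suspicious: bool = False


WHITELIST = {"203.0.113.10"}                 # vendor- or user-approved addresses (constructed)
BLACKLIST = {"198.51.100.66"}                # known-bad addresses (constructed)
KNOWN_DOMAINS = {"updates.example.com"}      # well-known domains with stable DNS (constructed)
TYPICAL_BYTES = {"203.0.113.10": 20_000,     # per-session baselines (constructed)
                 "203.0.113.20": 50_000}

MIDDLE_TIERS = {"heuristically_safe", "suspicious_to_ok_site", "unknown"}


def tier_of(flow):
    """Map an encrypted flow to one of the five tiers from the post."""
    if flow.dst_ip in BLACKLIST:
        return "blacklisted"
    if flow.dst_ip in WHITELIST:
        base = "whitelisted"
    elif (flow.domain in KNOWN_DOMAINS and flow.dns_valid
          and flow.port_usual and not flow.recent_suspicious):
        base = "heuristically_safe"
    else:
        return "unknown"
    # An otherwise okay site with uncharacteristic volume drops to the suspicious tier.
    baseline = TYPICAL_BYTES.get(flow.dst_ip)
    if baseline is not None and flow.bytes_out > 10 * baseline:
        return "suspicious_to_ok_site"
    return base


def decide(flow, user_pref="ask"):
    """Return (tier, action).

    user_pref applies to the middle three tiers only: 'ask' prompts the user to
    approve/block/whitelist, 'log' just records the flow, 'notify' shows an alert."""
    tier = tier_of(flow)
    if tier == "whitelisted":
        return tier, "allow"
    if tier == "blacklisted":
        return tier, "block"
    assert tier in MIDDLE_TIERS
    actions = {"ask": "prompt", "log": "allow+log", "notify": "allow+notify"}
    return tier, actions[user_pref]


if __name__ == "__main__":
    for f in (Flow("203.0.113.10", 443, 5_000),
              Flow("203.0.113.10", 443, 5_000_000),
              Flow("192.0.2.1", 9001, 100),
              Flow("198.51.100.66", 443, 100)):
        print(f.dst_ip, f.bytes_out, "->", decide(f))
```

The interesting design point is the order of checks: the blacklist wins over everything, the size anomaly is evaluated only after a destination has been judged okay, and the user's preference is consulted only for the three tiers where the post says a human decision is appropriate.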

But Bitcoin is traceable? (0)

Anonymous Coward | about 2 months ago | (#47496123)

If Bitcoin is traceable, shouldn't it be possible to trace these malware assholes cashing in?

They're using embedded resources... apk (0)

Anonymous Coward | about 2 months ago | (#47496357)

To place the Tor.exe file INSIDE the main executable!

Fairly clever, & FAR easier than duplicating Tor functionality in the exe used itself, by far!

I've done something QUITE like it in a "Dr. Who" screensaver I wrote in 2006 in fact...

(I.E./E.G.-> Embedding the .avi for the introduction sequence of the "new" Dr. Who series INSIDE the screensaver & then extracting it out of the .scr Win32 Portable Executable, and playing it back from memory... very fast, & worked - even the folks @ the BBC liked it, but gave me guff over "copyright infringement" & I was giving it away free, no charge, & even offered it to them (more efficient than "FLASH" based ones by far is why, it was a TRUE "stand-alone" Win32 Portable Executable written in Borland Delphi 7.1 is why))

Anyhow/anyways:

The technique used, in & OF itself, is cool (& like bitmaps you use in programs, you can store ANYTHING YOU LIKE in an executable really) in & of itself , except these morons (which is what I think of ANY malware maker) are using that technique for bogus stuff like this instead...

APK

P.S.=> I don't care HOW they *try* to "hide" their C&C Servers either... why? Once they're known, they are EASILY DEFEATED by another program of mine (even FastFlux &/or Dynamic DNS utilizing botnets, the MOST dangerous + advanced type there is which also functions on host-domain names as well) here & EASILY mind you -> http://start64.com/index.php?o... [start64.com] using a TRUE "Sun-Tzu like idea" of taking advantage of the strengths &/or nature of the opponent himself (in these botnets' usage of host-domain names in this case)... apk

Re:They're using embedded resources... apk (1)

NotInHere (3654617) | about 2 months ago | (#47496461)

I guess your host file program is very superior (it uses 64 bit, that is very future-proof) and so on and so on, but even *if* the C&C servers were known, they could only be defeated if your host program were installed on the tor exit relays. As I guess most run linux, you should port your host program to linux, and encourage its installation on the tor mailing list. Tor doesn't use "normal" DNS -- it uses its own which is routed through the tor network also. The exit relays do the DNS request for you. Otherwise it would be too simple to trace the traffic from the DNS usage.

Correct me *IF* I am wrong, but... apk (0)

Anonymous Coward | about 2 months ago | (#47496641)

The C&C Servers are what is communicated back against (as well as serving up exploits payloads etc. @ times also & IF they don't? Blocking out the payloads servers does the job... which hosts CAN do) - IF/WHEN I block that, should it NOT be disabled for communication, even via TOR?

* Fill me in...

(As far as "porting" it to Linux? I've thought about it... wouldn't be hard - & I WISH Borland didn't KILL Kylix (was Delphi for Linux for the most part) - however - there IS FreePascal & it's "Lazarus" IDE, which is VERY CLOSE to the Delphi IDE, & from what I understand, an ALMOST clone of its compiler commandset too! Thus, it IS, doable...)

APK

P.S.=> See - I guess I don't *fully* understand TOR (as I don't use it myself, tried it once - TOO damned slow, just like anonymous proxies are, same idea iirc for the most part afaik - correct me IF I am wrong/off here too... I can stand to learn by it as I *admit* I do NOT "know it all" & can learn as much as the next guy since this field changes so fast & dynamically)

... apk

Re:Correct me *IF* I am wrong, but... apk (1)

NotInHere (3654617) | about 2 months ago | (#47497055)

The C&C Servers are what is communicated back against (as well as serving up exploits payloads etc. @ times also & IF they don't? Blocking out the payloads servers does the job... which hosts CAN do) - IF/WHEN I block that, should it NOT be disabled for communication, even via TOR?

Blocking C&C can at least stop the bad guys from integrating your computer into a botnet. Correct me if I'm wrong, but hosts only changes the hosts file? The hosts file blocks a website only when the OS's DNS is used, but Tor has its own DNS, not even using the usual DNS port, but tunneling everything through an https-like connection.

* Fill me in...

(As far as "porting" it to Linux? I've thought about it... wouldn't be hard - & I WISH Borland didn't KILL Kylix (was Delphi for Linux for the most part) - however - there IS FreePascal & it's "Lazarus" IDE, which is VERY CLOSE to the Delphi IDE, & from what I understand, an ALMOST clone of its compiler commandset too! Thus, it IS, doable...)

APK

P.S.=> See - I guess I don't *fully* understand TOR (as I don't use it myself, tried it once - TOO damned slow, just like anonymous proxies are, same idea iirc for the most part afaik - correct me IF I am wrong/off here too... I can stand to learn by it as I *admit* I do NOT "know it all" & can learn as much as the next guy since this field changes so fast & dynamically)

... apk

The first time I tried Tor it was also very slow, but after some years I tried again and now it's usually fast enough even for videos. Sometimes (seldom) a relay is slow; then wait 10 minutes or choose another circuit.

Hosts override ANY DNS (even local)... apk (0)

Anonymous Coward | about 2 months ago | (#47497521)

Hosts are, as I stated in my original reply you 1st replied to, the 1st resolver queried (overriding ALL others, especially external ones, & iirc, even a local DNS server you run yourself, needless complexity & redundancy though it is unless it is specifically a DNS server for a network that is, & yes, ROOM for BREAKDOWN).

E.G. from Windows registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
"Class"=dword:00000008
"DnsPriority"=dword:00000007
"HostsPriority"=dword:00000006
"LocalPriority"=dword:00000005

(LOWER = more priority/first in order)

Hosts ARE part of the IP Stack, & thus? Even a DNS "rides on that" & has to obey them...

---

Blocking the C&C Servers also STOPS communication BACK to the "hq" of the botnet, even IF/WHEN you are already infested too (not just stopping integration BEFORE it can even start mind you, because of that blockage I just noted...)

* :)

APK

P.S.=> I don't bother with TOR - from what I understand, it puts you on an "NSA hitlist" & other law enforcement agencies as well (NOT worth it for that reason alone, as well as slowness, imo @ least)... apk

Re:Hosts override ANY DNS (even local)... apk (1)

NotInHere (3654617) | about 2 months ago | (#47498085)

That might be true if the application is using the OS-provided network stack, e.g. with DnsQuery [microsoft.com]. However, AFAIK nothing prevents an application from bringing its own DNS stack which queries external DNS, ignoring the hosts file. Does the OS block outgoing requests on port 53?
And, as I've said before, the DNS in TOR doesn't use the OS provided DNS. It uses its own one.
Blocking the C&C perhaps stops communication to the hq, but that doesn't help when the virus is written to first encrypt the HDD and then wait for further commands from C&C.

Block rogue DNS servers via hosts (0)

Anonymous Coward | about 2 months ago | (#47499075)

I've got tons of rogue DNS servers blocked in hosts, so that's not effective either. In fact, THAT's why it's done: Those rogue DNS servers are provided by the makers of the hosts file data my application imports it from (12 of them from the security community in fact) for that very reason...

APK

P.S.=> Your point on encrypting the HDD is also moot when blocking access to the infestor/infector in the 1st place (which hosts does) occurs - you can't get sick by what you can't be exposed to, period... apk

Re:Block rogue DNS servers via hosts (1)

NotInHere (3654617) | about 2 months ago | (#47499163)

Blocking IPs using a hosts file... I'm sorry but I don't know of any way of doing this.
Even if it were possible, Tor uses no "rogue DNS" servers, and does not use any DNS directly; the DNS is tunneled to the exit relay, which then invokes the DNS request. Any block by any firewall or ISP DNS fails here -- not just DNS request blocks like the hosts files, but also IP-level blocks. This is what Tor was invented for.
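To make the hosts-versus-Tor exchange concrete, the following Python (added for this page; it is not APK's tool, nothing from the Tor project, and not a Windows API) parses the `*Priority` values from the registry fragment APK quoted, models an OS stub resolver that consults hosts before upstream DNS, and then classifies which kinds of connection a hosts entry can and cannot cover: a name resolved through the OS stub, a literal IP address that never touches the resolver, and a name handed to a Tor SOCKS proxy, which is resolved at the exit relay as NotInHere describes. The hosts entries, upstream answers and outcome labels are constructed for the example.

```python
"""Which connections does a hosts-file block actually cover?
Constructed example: the registry text is the fragment quoted in the thread; the
hosts entries and upstream DNS answers are made up for illustration."""
import ipaddress
import re

REG_FRAGMENT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\ServiceProvider]
"Class"=dword:00000008
"DnsPriority"=dword:00000007
"HostsPriority"=dword:00000006
"LocalPriority"=dword:00000005
'''

HOSTS_TEXT = """# constructed blocklist entries, sinkholed to 0.0.0.0
0.0.0.0   cnc.example.invalid
0.0.0.0   payload.example.invalid
127.0.0.1 localhost
"""

# Constructed upstream answers standing in for the ISP resolver.
UPSTREAM_DNS = {"cnc.example.invalid": "198.51.100.66",
                "www.example.com": "203.0.113.10"}


def provider_order(reg_text):
    """Return the name-service providers sorted by *Priority value, lowest (consulted first) first."""
    prio = {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r'"(\w+?)Priority"=dword:([0-9a-fA-F]{8})', reg_text)}
    return sorted(prio, key=prio.get)


def parse_hosts(text):
    """Parse hosts-file lines ('<ip> <name> [<name>...]', '#' comments) into name -> ip."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            for name in fields[1:]:
                table.setdefault(name.lower(), fields[0])   # first entry wins, as in practice
    return table


def os_resolve(name, hosts, upstream=UPSTREAM_DNS):
    """Model of the OS stub resolver: a hosts answer wins over upstream DNS."""
    return hosts.get(name.lower(), upstream.get(name.lower()))


def connection_outcome(target, hosts, via_tor=False):
    """Classify how a client reaching `target` interacts with the hosts file.

    - a literal IP never goes through the resolver, so hosts cannot sinkhole it
    - a name sent to a Tor SOCKS proxy is resolved by the exit relay, not locally
    - only a name resolved through the OS stub can be sinkholed by a hosts entry"""
    try:
        ipaddress.ip_address(target)
        return "direct-ip:not-covered"
    except ValueError:
        pass
    if via_tor:
        return "resolved-at-tor-exit:not-covered"
    answer = os_resolve(target, hosts)
    if answer == "0.0.0.0":
        return "sinkholed-by-hosts"
    return f"upstream-dns:{answer}"


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_TEXT)
    print("provider order:", provider_order(REG_FRAGMENT))
    for tgt, tor in (("cnc.example.invalid", False), ("cnc.example.invalid", True),
                     ("198.51.100.66", False), ("www.example.com", False)):
        print(tgt, "via tor" if tor else "direct", "->", connection_outcome(tgt, hosts, tor))
```

Two caveats follow from the code rather than from either poster's claims: hidden-service (`.onion`) addresses are not DNS names at all and never reach a local resolver, and the provider order parsed here only governs lookups that go through the OS stub, which is exactly the path a self-contained resolver or a SOCKS-proxied name bypasses.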

Antivirus LiveCDs - boot and scan your system (0)

Anonymous Coward | about 2 months ago | (#47496449)

+ AVG:
http://www.avg.com/us-en/avg-r... [avg.com]

+ AVG ARL: The latest release version of the AVG Rescue CD GNU/Linux (ARL) with daily updated virus database,
latest alpha or beta version of the ARL and all the resources needed to build the ARL from scratch.
Releases are signed!
https://share.avg.com/arl [avg.com]

+ Avira:
https://www.avira.com/en/downl... [avira.com]

+ BitDefender:
http://download.bitdefender.co... [bitdefender.com]

+ Comodo Rescue Disk (CRD):
https://www.comodo.com/busines... [comodo.com]

+ Dr.Web LiveCD & LiveUSB:
http://www.freedrweb.com/livec... [freedrweb.com]
http://www.freedrweb.com/liveu... [freedrweb.com]

+ F-Secure:
https://www.f-secure.com/en/we... [f-secure.com]
https://www.f-secure.com/en/we... [f-secure.com]

+ Kaspersky:
http://support.kaspersky.com/f... [kaspersky.com]
http://support.kaspersky.com/v... [kaspersky.com]
http://forum.kaspersky.com/ind... [kaspersky.com]

Backups (1)

fisted (2295862) | about 2 months ago | (#47496797)

As so often, the solution is called "Backup".

Re:Backups (1)

mlts (1038732) | about 2 months ago | (#47497795)

I wonder how many generations of ransomware we will see before backups come back into "style". It used to be in the '90s that people actively did some type of backups, and even PCs shipped with some form of tape drive. Then disks got cheap, and offsite storage became viable, so backups were not done, or if done, were just kicked to the cloud.

Any backup is better than none, but I wouldn't be surprised if the next generation of ransomware would either encrypt files slowly (but use a shim driver to decrypt stuff until it is done, and then completely zap all decryption keys and tell the user to pay up), or if it does notice a backup program being run, actively or passively corrupt it... or just erase the hard disk or the file share it is being backed up to. A simple TRIM command would make the data on a SSD unrecoverable. An overwrite of a directory synced with a cloud service will make that unrecoverable.

I wouldn't mind seeing tape come back, as it isn't slow, and it is relatively cheap (I've seen ads for LTO-6 tapes for $10 each.) The drives are pricy [1], but tapes are reliable [2], LTO4 and newer have AES-256 encryption in hardware (and very easy to turn on, be it by third party software, the tape silo's web page, or the backup utility.) A tape sitting on a shelf takes zero energy to store (other than HVAC), and if dropped, unless there is major physical damage, it is almost certain the media will be usable.

Will tape be 100% against malware? Nope. However, it keeps the data offline, so that a single "erase everything" command won't touch the data [3]. One can buy WORM tapes to protect against erasure/tampering as well, as well as flip a write protect tab.

In a ransomware scenario, WORM tapes would be very useful, especially if the malware decides to try to force an erase on all backups. The fact that tapes tend to be offline brings even more security since if the tape isn't physically in the drive, it can't be touched. Again, nothing is 100%, but the barrier for ransomware to destroy all backups goes a lot higher with offline media than with cloud storage or an external HDD.

I wouldn't mind seeing backups be done again, and done in a smart, time-tested way... done to local, archival grade media that is very inexpensive, but yet super reliable.

[1]: I think there is a market niche for USB3 tape drives at the consumer level. Newer drives have variable speeds to minimize/prevent "shoe-shining", and with all the space on a tape, if areal densities similar to HDD are present, it would store quite a lot of data, even with multiple layers of forward-ECC. LTO tape drives are even bootable so a bare metal restore can be done with just the tape in hand and the drive on the machine, no other media.

[2]: In the past decade at multiple IT shops, I've gone through thousands, possibly tens of thousands of LTO tapes. The total number of tapes that I introduced to the degausser were fewer than five, and all the errors thrown when read/written were all soft errors, so all data was recoverable. This is pure anecdotal evidence, but it has impressed me personally on the reliability of these drives. It is wise to have a backup process of rotating tapes and having some task just verify data when nothing else is going on, and goes without saying to use multiple media just in case hard read errors do happen.

[3]: One can tell a tape silo to zero out all tapes sitting in it, but that is going to take some time, and not be instant. It can be done... but if one has a basic offsite procedure in place (where all tapes leaving get the write protect tab sent), even this can be mitigated without much time and effort.

Re:Backups (1)

Nyder (754090) | about 2 months ago | (#47498083)

As so often, the solution is called "Backup".

Also, you could avoid storing your documents in the "My Documents" folder: make a folder on your C drive and store your docs, pics & important stuff in that. So if you do get cryptoransomed, they will have done the wrong files.

Re:Backups (1)

Voyager529 (1363959) | about 2 months ago | (#47498595)

As so often, the solution is called "Backup".

Also, you could avoid storing your documents in the "My Documents" folder: make a folder on your C drive and store your docs, pics & important stuff in that. So if you do get cryptoransomed, they will have done the wrong files.

That will only take you so far. With so many programs defaulting to the My Documents folder, it'd be annoying at best to have to point to c:\realdocs "because viruses". The user could point the "My Documents" folder to c:\realdocs, but now we're in the same boat again. Even if a user decided it was worth the hassle to deprecate the use of the system variable, c:\realdocs would still be accessible by the same user. From Windows' security standpoint, there's no difference between the user being attacked by ransomware, and the user adding a password to an Excel sheet. Thus, ransomware doesn't need root privileges to mess up a user's files.

Even beyond that, the next generation of ransomware wouldn't exactly need a foundational rewrite to go to %user%\recent and see where those files point to and encrypt all the .docx, .xlsx, and .qif files there. I'm sure that somewhere in userland, there's some indication as to where the Dropbox/OneDrive/Gdrive folders are, and encrypting all that stuff. Even less complicated would be to search all available hard drives for user generated file types. .dll files wouldn't be worth it, but .qbw files very much would be. Ultimately, trying to thwart an attack of this nature would be of limited success, because from the most literal of standpoints, the virus is doing nothing different than what a user would be doing.

Amongst the things that makes this kind of attack so successful is that very problem: if you're trying to prevent outbound traffic at the firewall, you've already lost, basically. How does security software distinguish, technically, between a cryptovirus taking a file hostage and a user passwording a file with WinRAR and uploading it to SpiderOak? That, good friends, is a question that I pay ESET a nontrivial sum to discuss and determine.
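Voyager529's point that file encryption looks like ordinary user activity is exactly why endpoint tools fall back on behavioural signals rather than on any single file operation. As an added example (written for this page; not ESET's or any product's logic), the Python below compares two constructed directory snapshots and flags a burst of rewrites that turn low-entropy documents into high-entropy blobs, while leaving alone a single edited document or a user-created archive, which is the WinRAR case from the post. The snapshot format, thresholds and sample contents are assumptions.

```python
"""Behavioural ransomware signal: many documents rewritten as high-entropy data
in a short window. Constructed example; thresholds and data are assumptions."""
import math
import random
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: ~8.0 for ciphertext or compressed data, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def mass_encryption_alerts(before, after, window=60, min_files=5,
                           entropy_floor=7.0, entropy_jump=2.0):
    """Compare two snapshots (path -> (mtime_seconds, content_bytes)).

    A file counts as suspicious when it was rewritten (same path, or renamed by
    appending an extension such as report.docx -> report.docx.locked) and its
    entropy rose by at least entropy_jump to at least entropy_floor. Returns
    (alert, suspicious_paths); alert is True when min_files such rewrites fall
    inside one window of `window` seconds."""
    events = []
    for path, (old_mtime, old_data) in before.items():
        new_path, entry = path, after.get(path)
        if entry is None:
            renamed = [k for k in after if k.startswith(path + ".")]
            if not renamed:
                continue                      # deleted; outside this detector's scope
            new_path, entry = renamed[0], after[renamed[0]]
        new_mtime, new_data = entry
        if new_mtime <= old_mtime:
            continue                          # untouched
        old_h, new_h = shannon_entropy(old_data), shannon_entropy(new_data)
        if new_h >= entropy_floor and new_h - old_h >= entropy_jump:
            events.append((new_mtime, new_path))
    events.sort()
    for i in range(len(events)):
        j = i
        while j < len(events) and events[j][0] - events[i][0] <= window:
            j += 1
        if j - i >= min_files:
            return True, [p for _, p in events[i:j]]
    return False, [p for _, p in events]


# --- constructed sample data ---------------------------------------------------
def _text(seed):
    return (f"Quarterly report {seed}: revenue, costs, headcount. " * 60).encode()


def _ciphertext(seed, n=3000):
    rng = random.Random(seed)                 # deterministic stand-in for encrypted output
    return bytes(rng.getrandbits(8) for _ in range(n))


def ransomware_scenario():
    before = {f"docs/report{i}.docx": (1000, _text(i)) for i in range(8)}
    after = {f"docs/report{i}.docx.locked": (1100 + i, _ciphertext(i)) for i in range(8)}
    return before, after


def benign_scenario():
    before = {f"docs/report{i}.docx": (1000, _text(i)) for i in range(8)}
    after = dict(before)
    after["docs/report0.docx"] = (1100, _text(0) + b" Updated totals.")   # ordinary edit
    after["docs/archive.zip"] = (1101, _ciphertext(99))                   # user-made archive
    return before, after


if __name__ == "__main__":
    print("ransomware:", mass_encryption_alerts(*ransomware_scenario()))
    print("benign:    ", mass_encryption_alerts(*benign_scenario()))
```

The rate-plus-entropy combination is what separates the two cases: the user's archive is high-entropy but it is one new file, and the edited report is rewritten but stays low-entropy, so neither contributes an event, whereas eight documents turning into ciphertext within a few seconds does. Real tools add further signals (canary files, process lineage, extension allowlists), but none of them can be a single file operation, for exactly the reason the post gives.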

Silver Lining (0)

Anonymous Coward | about 2 months ago | (#47499493)

The 'silver lining' of all this is of course that millions more people will get added to the NSA/GCHQ/etc 'watch lists' for using Tor. That's great news for everyone because:

1) It floods the watchlists with lots of innocent people, all of whom have to be checked, verified and cleared in some manual (aka. expensive) way
2) Should anyone ever say "you use Tor, that means you must be a terrorist/paedo/whatever", you can probably say "Tor? No, I don't use that, but I did have a nasty bout of malware on my kid's computer".
3) Tor gets in the news some more. Any publicity is good publicity and all that

Yay! bring on the malware - remember folks, to take advantage of this fantastic offer, please don't use Linux ;-)
