
Encryption ransomware threatens Linux users - tomkwok
http://news.drweb.com/show/?i=9686&lng=en&c=5
======
hwh
This reminds me of my first mention in a Linux kernel commit message:
[https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux....](https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0a489cb3b6a7b277030cdbc97c2c65905db94536)
It's the fix for a bug I found in the kernel. This sounds quite boring, but
the fun part is the background story: Antivirus vendor X (actually forgot
which one) bragged about a new, dangerous virus that can spread on Windows as
well as Linux platforms. Joe Barr reported on that for NewsForge, claiming
that the virus didn't work at all (on Linux). I jumped in and tested too, and
found that it wouldn't work (meaning: infect other binaries) on newer kernels
since there was an actual bug in the kernel preventing it from doing so.

Why I'm reciting that story is this: It is perfectly fine for a binary to
write executable code to other files. Your typical compiler does. The kernel
isn't there to prevent that. The kernel is supposed to prevent it if you
configure a security policy that forbids it - starting with things as simple
as file ownership and permissions. This is pretty much clear for anyone who
knows some things about what the computer does. For people who only have some
fuzzy ideas, fixing the Linux kernel to make (in this case) a virus work again
sounded a bit weird.

Well, ransomware is in the news these days because of the raid in the
Netherlands, and here there's another "security specialist" trying to use this
for its PR. But again there is nothing that indicates that this is all about
standard functionality. Yes, you can encrypt all your own files on a typical
machine. Yes, a piece of software can do it for you. Yes, you can run such
software. And if you're careless and follow orders easily, someone else might
give you the software to do it.

------
tux3
No information on how it spreads?

"Once launched with administrator privileges, the Trojan loads into the memory
of its process files containing cybercriminals' demands"

This sounds like it needs to run as root, is there any vulnerability involved
and do I need to patch things?

Is it just a particularly crazy spam campaign that would somehow trick
"website administrators" into running malware as root on their servers?

~~~
hjek
According to Dr. Web, it spreads through USB disks and the internet, and Dr.
Web has a great solution to that problem:

"Dr.Web Office Control access restriction system: Restricts or completely
prohibits access to Internet resources and removable devices, and therefore,
excludes the possibility of a virus invading via those sources."

"Users should only have access to the local resources they require to perform
their jobs. It's no use trying to convince staff that flash drives are
dangerous. It is much easier to centrally disable access to such devices."

------
hannob
Not sure why this made it on the HN frontpage.

It seems it's lacking any relevant information and is mostly some marketing for
an antivirus vendor that tries to tell Linux users they need antiviruses, too.

~~~
wila
Exactly that.

> Doctor Web security researchers presume that at least tens of users have
> already fallen victim to this Trojan.

"presume" .. tens of users ..

Right, a bit more details on the infection vector would have helped to
properly validate the concerns. But when you start presuming and pull numbers
out of a high hat I'm almost ready to discard it.

The only thing we know now is that "something" needs to be run with admin
privileges.

Just make sure your backups are OK.

------
Hello71
It is somewhat suspicious that their screenshot of the alleged ransom file
appears to be taken from Notepad++, a text editor available only on Windows.

~~~
morganvachon
This, combined with the fact that so far only Dr. Web is reporting on it,
makes it appear suspect.

Besides, once someone has root access to your *nix server, or at least
privilege escalation (either of which would be required for this exploit to
work), they already own you and can do whatever they want anyway. If you have
a good backup scheme in place this is little more than a headache and a few
hours of work to recover from. The only way I see this being a catastrophic
exploit is if you end up with it on your home box with no offsite or air
gapped backup. This holds true for Windows based ransomware attacks that do
actually exist; nothing about this is unique, if it's even real.

------
squidlogic
Unlike a lot of other malware out there, crypto lockers don't require
privilege escalation to be effective.

Got to hand it to them, it's actually a pretty cool attack vector.

~~~
w8rbt
A lot of attacks don't require root/admin to be effective. Some keystroke
loggers run entirely in user space.

edit: https://github.com/w8rbt/keycap

~~~
squidlogic
Good point, you're right that gaining root/admin isn't the only way to ruin
someone's day.

------
chris_wot
Exactly how is this being executed on Linux systems?

Dr Web are selling anti-virus. I'd like more info on how it infects systems.

_Edit:_ You know, this is really ONLY being reported by Dr Web. Funny that.

~~~
zyztem
There are more technical details at
[http://vms.drweb.com/virus/?i=7704004&lng=en](http://vms.drweb.com/virus/?i=7704004&lng=en)

~~~
chris_wot
It doesn't give much info.

------
CzarSpider
Lively discussion over on reddit:
[https://www.reddit.com/r/linux/comments/3rv78j/linux_ransomw...](https://www.reddit.com/r/linux/comments/3rv78j/linux_ransomware_is_now_attacking_webmasters/)

------
tegansnyder
Google has some popping up in their index. See:
[https://www.google.com/search?q=inurl:%22README_FOR_DECRYPT....](https://www.google.com/search?q=inurl:%22README_FOR_DECRYPT.txt%22&biw=1979&bih=1075&tbs=qdr:w&filter=0)

------
AnkhMorporkian
I have to say, I'm surprised this didn't happen a lot sooner. While there
aren't as many Linux systems that won't have backups, there are a lot of very
valuable systems out there, and some percentage of them must not have backups.

------
andor
Here's the Virustotal entry for one of the unpacked versions:

[https://www.virustotal.com/en/file/18884936d002839833a537921...](https://www.virustotal.com/en/file/18884936d002839833a537921eb7ebdb073fa8a153bfeba587457b07b74fb3b2/analysis/)

Enough evidence for me to believe that the malware exists. Apparently it uses
mbed TLS for encryption and communicates via UDP.

------
tankenmate
[https://www.google.com/search?num=50&safe=off&q="index.html....](https://www.google.com/search?num=50&safe=off&q="index.html.encrypted")
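
The two Google searches above (tegansnyder's for `README_FOR_DECRYPT.txt`, tankenmate's for `index.html.encrypted`) are really file-name indicators, and the same check can be run locally on a web root instead of waiting for Google to index the damage. Below is an added example, not code from the thread or from Dr. Web, that walks a directory tree and reports ransom notes and `.encrypted` files; the sample web root it builds is constructed data, and the two indicator strings are the only facts it takes from this page.

```python
import os
import tempfile
from pathlib import Path

# Indicators quoted in the thread: the ransom note's file name and the
# ".encrypted" suffix appended to the files the Trojan rewrote.
RANSOM_NOTE_NAME = "README_FOR_DECRYPT.txt"
ENCRYPTED_SUFFIX = ".encrypted"


def scan_webroot(root):
    """Walk `root` and collect paths (relative to root) that match either
    indicator. Returns a dict a monitoring job can alert on: any non-empty
    list means the tree shows signs of this ransomware."""
    root = Path(root)
    notes, encrypted = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            rel = Path(dirpath, name).relative_to(root).as_posix()
            if name == RANSOM_NOTE_NAME:
                notes.append(rel)
            elif name.endswith(ENCRYPTED_SUFFIX):
                encrypted.append(rel)
    notes.sort()
    encrypted.sort()
    return {
        "ransom_notes": notes,
        "encrypted_files": encrypted,
        "compromised": bool(notes or encrypted),
    }


def build_sample_webroot(hit=True):
    """Create a throwaway directory that mimics a web root. With hit=True it
    contains constructed ransomware artefacts (not taken from any real
    incident); with hit=False it is a clean tree."""
    tmp = Path(tempfile.mkdtemp(prefix="webroot_"))
    (tmp / "css").mkdir()
    (tmp / "css" / "style.css").write_text("body { margin: 0 }\n")
    (tmp / "blog").mkdir()
    if hit:
        (tmp / "index.html.encrypted").write_bytes(b"\x00\x01constructed")
        (tmp / "blog" / "post.html.encrypted").write_bytes(b"\x02\x03")
        (tmp / "blog" / RANSOM_NOTE_NAME).write_text("constructed ransom note\n")
        (tmp / RANSOM_NOTE_NAME).write_text("constructed ransom note\n")
    else:
        (tmp / "index.html").write_text("<h1>constructed sample site</h1>\n")
        (tmp / "blog" / "post.html").write_text("<p>constructed post</p>\n")
    return tmp


if __name__ == "__main__":
    for label, hit in (("hit", True), ("clean", False)):
        print(label, scan_webroot(build_sample_webroot(hit)))
```

Run it against a real document root as the web server's user from cron; an alert on `compromised` is far cheaper than discovering the `.encrypted` files through a search engine a week later.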

------
purplepilot
1) Flatten the server/VM/whatever 2) Load the last clean backup image 3) Apply
updates made since the last backup 5) Carry on .... You do have backups, don't
you? You do develop off-line and push deployments to servers, don't you? No?
Then remember to renew the notice in the front window of your house telling
the potential burglars you didn't lock the place up and where all the valuables
are stored.
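
Both wila's "make sure your backups are OK" and purplepilot's "load the last clean backup image" assume two things that are rarely checked: that the backup actually restores intact, and that it was taken before the files were encrypted. The following added example (not code from the thread, Dr. Web, or any backup product) shows one way to check both: it builds a tar.gz plus a SHA-256 manifest, then test-restores the archive into a scratch directory, compares every hash, and refuses any backup whose manifest already contains `.encrypted` files or the ransom note named in the thread. The sample sites it backs up are constructed data.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

RANSOM_NOTE_NAME = "README_FOR_DECRYPT.txt"  # names quoted in the thread
ENCRYPTED_SUFFIX = ".encrypted"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, dest_dir):
    """Archive every regular file under src_dir and write a manifest mapping
    relative path -> SHA-256, so a later restore can be verified."""
    src_dir, dest_dir = Path(src_dir), Path(dest_dir)
    archive = dest_dir / "backup.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
    manifest_path = dest_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return archive, manifest_path


def verify_backup(archive, manifest_path):
    """Return (ok, problems). A backup is only usable if it is clean of the
    ransomware's artefacts AND every file restores with the recorded hash."""
    expected = json.loads(Path(manifest_path).read_text())
    problems = []
    # 1. "Last clean backup": refuse an image that already carries the damage.
    for rel in expected:
        if rel.endswith(ENCRYPTED_SUFFIX) or Path(rel).name == RANSOM_NOTE_NAME:
            problems.append(f"ransomware artefact in backup: {rel}")
    # 2. Test-restore into scratch space and check every file's hash.
    with tempfile.TemporaryDirectory() as scratch:
        scratch = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            for m in tar.getmembers():
                # Do not extract absolute or traversing members into the scratch dir.
                if m.name.startswith("/") or ".." in Path(m.name).parts or not m.isfile():
                    problems.append(f"unsafe archive member: {m.name}")
            if any(p.startswith("unsafe") for p in problems):
                return False, problems
            # Use the 'data' extraction filter where this Python provides it.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **opts)
        for rel, digest in expected.items():
            f = scratch / rel
            if not f.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(f) != digest:
                problems.append(f"hash mismatch after restore: {rel}")
    return (not problems), problems


def build_sample_site(hit):
    """Constructed sample site; with hit=True it looks like a web root after
    the Trojan ran (artefacts are made up, not from a real incident)."""
    site = Path(tempfile.mkdtemp(prefix="site_"))
    (site / "index.html").write_text("<h1>constructed sample site</h1>\n")
    (site / "conf").mkdir()
    (site / "conf" / "app.ini").write_text("debug = false\n")
    if hit:
        (site / "index.html").rename(site / "index.html.encrypted")
        (site / RANSOM_NOTE_NAME).write_text("constructed ransom note\n")
    return site


def run_demo():
    """Back up a clean and a hit site; return {label: (ok, problems)}."""
    results = {}
    for label, hit in (("clean", False), ("hit", True)):
        store = Path(tempfile.mkdtemp(prefix="backup_"))
        archive, manifest = make_backup(build_sample_site(hit), store)
        results[label] = verify_backup(archive, manifest)
    return results


if __name__ == "__main__":
    for label, (ok, problems) in run_demo().items():
        print(label, "OK" if ok else "REJECTED", problems)
```

The restore test is the part people skip: a backup that has never been extracted and hashed is an assumption, not a recovery plan, and a nightly job that rotates through the last few images with this check is what turns the thread's "a few hours of work" into a real estimate.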

