Putting an end to Retadup: A malicious worm that infected hundreds of thousands (avast.io)
68 points by gilad 52 days ago | 14 comments

> we can see that the malware authors mined 53.72 XMR (~4,200 USD at the time of publishing this article) during the near month that the above address was active.

Anyone a little surprised by how small the profits are?

With control over 850,000 infected machines with an average of 2.94 cores each, I expected him to do something that would make him much more than a regular software engineering day job.

Considering this is a South American virus, I suspect that it actually is making more than most SW devs over there...

Part of the reason might be that the malware was designed to be benign and not use all available resources.

> benign

For the computers running on renewable power (Costa Rica, maybe?), it would truly be benign and not just stealthy. Long live green PoW!

> The authors probably weren’t sure where they stood in the tabs versus spaces argument so both tabs and spaces were used in the controller. Sometimes, the indentation of source code was so bad that it would enrage even the most forgiving software engineers.

absolutely barbaric

> The Gendarmerie also obtained a snapshot of the C&C server’s disk from its hosting provider and shared parts of it with us so we could start to reverse engineer the contents of the C&C server.

That's surprising. Would full disk encryption even help to counter this?

It depends on how the server was hosted. If it was on a cloud, the provider could have suspended the VM and slurped the encryption key directly from memory.

Bare metal would have been a bit harder, but still possible by probing the memory bus.

One could counter this by storing the disk encryption key in a hardware enclave (e.g., SGX).

Or you know, just copy the entire drive while the machine is running...

That would not help you, since the contents on the disk are encrypted. You need to get the key from RAM while the server is turned on AND mirror the disk. Doing just the mirror will not help you.

The copy uses the OS's system calls to transfer data. Thus it will definitely decrypt. If the OS can function, it can read the decrypted data.

A Linux OS with full disk encryption can easily be copied while running as root with a simple rsync. Same with Windows.

Yes, but you need access to the OS, which means you need a login exploit AND privilege escalation exploit, or a hardware-based backdoor or to mess with the RAM bus while the computer is on.

Source with technical details: https://decoded.avast.io/janvojtesek/putting-an-end-to-retad...

Saved you a click

I'm confused; that's the article linked.

Probably when he wrote the comment, it was redirecting to another article.
