ID Ransomware you have been hit with

April 16, 2016 – 1:39 PM

ID Ransomware is a new online service that allows you to upload ransom notes or encrypted file samples to identify the ransomware used to attack you.

So-called ransomware is an ever growing and evolving threat that is attacking computer systems to either hold files hostage by encrypting them, or locks access to the computer instead.

Most request Bitcoin payments promising that files or the system will be unlocked once the payment has been received. This alone can be problematic as users who are affected by a successful ransomware attack may not know how to obtain the Bitcoin needed to make the payment.

What many users affected by ransomware don’t know is that decryption or removal tools are available for certain kinds of ransomware which allow them to regain access to encrypted files or a locked computer without paying the ransom.

For that however, it is necessary to identify the ransomware first which can be a challenge in itself.


Experts crack nasty ransomware that took crypto-extortion to new heights

April 11, 2016 – 5:29 PM

A nasty piece of ransomware that took crypto-extortion to new heights contains a fatal weakness that allows victims to decrypt their data without paying the hefty ransom.

When it came to light two weeks ago, Petya was notable because it targeted a victim’s entire startup drive by rendering its master boot record inoperable. It accomplished this by encrypting the master boot file and displaying a ransom note. As a result, without the decryption password, the infected computer wouldn’t boot up, and all files on the startup disk were inaccessible. A master boot record is a special type of boot sector at the very beginning of partitioned hard drive, while a master boot file is a file on NTFS volumes that contains the name, size and location of all other files.Petya performs fake CHKDSK, and instead encrypts the master file table on disk.

Now, someone who goes by the Twitter handle @leostone has devised a tool that generates the password Petya requires to decrypt the master boot file. To use the password generator, victims must remove the startup drive from the infected computer and connect it to a separate Windows computer that’s not infected. The victim then extracts data from the hard drive, specifically (1) the base-64-encoded 512 bytes starting at sector 55 (0x37h) with an offset of 0 and (2) the 64-bit-encoded 8-byte nonce from sector 54 (0x36) offset 33 (0x21). By inputting the data into this Web app created by @leostone, the victim can retrieve the password Petya used to decrypt the crucial file.

Obtaining the hard drive data the Web app needs to derive the password isn’t a straight-forward undertaking for many. Fortunately, a separate researcher has developed a free tool called the Petya Sector Extractor that obtains the data in seconds. The app must be run on the computer that’s connected to the infected hard drive.


NoScript and other popular Firefox add-ons open millions to new attack

April 5, 2016 – 5:19 PM

NoScript, Firebug, and other popular Firefox add-on extensions are opening millions of end users to a new type of attack that can surreptitiously execute malicious code and steal sensitive data, a team of researchers reported.

The attack is made possible by a lack of isolation in Firefox among various add-ons installed by an end user. The underlying weakness has been described as an extension reuse vulnerability because it allows an attacker-developed add-on to conceal its malicious behavior by invoking the capabilities of other add-ons. Instead of directly causing a computer to visit a booby-trapped website or download malicious files, the add-on exploits vulnerabilities in popular third-party add-ons that allow the same nefarious actions to be carried out. Nine of the top 10 most popular Firefox add-ons contain exploitable vulnerabilities. By piggybacking off the capabilities of trusted third-party add-ons, the malicious add-on faces much better odds of not being detected.

“These vulnerabilities allow a seemingly innocuous extension to reuse security-critical functionality provided by other legitimate, benign extensions to stealthily launch confused deputy-style attacks,” the researchers wrote in a paper that was presented last week at the Black Hat security conference in Singapore. “Malicious extensions that utilize this technique would be significantly more difficult to detect by current static or dynamic analysis techniques, or extension vetting procedures.”

Of the top 10 most popular add-ons vetted by Mozilla officials and made available on the Mozilla website, only Adblock Plus was found to contain no flaws that could be exploited by a malicious add-on that relied on reuse vulnerabilities. Besides NoScript, Video DownloadHelper, Firebug, Greasemonkey, and FlashGot Mass Down all contained bugs that made it possible for the malicious add-on to execute malicious code. Many of those apps, and many others analyzed in the study, also made it possible to steal browser cookies, control or access a computer’s file system, or to open webpages to sites of an attacker’s choosing.


Never10 – New utility to prevent Windows 10 upgrades

March 29, 2016 – 5:03 PM

Steve at GRC put together a utility that configures older versions of Windows to never upgrade to Windows 10.  Description from his site:

The name “Never 10” is a bit of an overstatement, since this utility may also be used to easily re-enable Windows operating system automatic upgrading. But the primary reason for using this is to disable Windows’ pestering insistence upon upgrading Windows 7 or 8.1 to Windows 10.

Many users of Windows 7 and 8.1 are happy with their current version of Windows, and have no wish to upgrade to Windows 10. There are many reasons for this, but among them is the fact that Windows 10 has become controversial due to Microsoft’s evolution of their Windows operating system platform into a service which, among other things, aggressively monitors and reports on its users activities. This alone makes many users uncomfortable enough to cause them to choose to wait. In line with this, a few months into 2016, Windows 10 started displaying unsolicited advertisements on its users’ desktops. Others dislike the changes Microsoft made by merging their failed “tiled” smartphone user-interface into the Windows UI. And, finally, some object to being force-fed whatever Microsoft wants and simply wish to choose for themselves.

In July of 2015, responding to the significant user backlash, Microsoft added features to its Windows Update facility which allow it to be configured, on a machine-by-machine basis, to not forcibly upgrade qualifying Windows 7 and 8.1 operating systems to Windows 10. However, Microsoft did not make this configuration simple. It requires the use of the group policy editor (which is not present in some qualifying systems) and/or the system registry. In other words, they created some deep internal configuration options but chose not to provide a simple user-interface to give their users the choice. “Never10” provides that choice.


PETYA Crypto-ransomware Overwrites MBR to Lock Users Out of Their Computers

March 25, 2016 – 7:14 AM

As if encrypting files and holding them hostage is not enough, cybercriminals who create and spread crypto-ransomware are now resorting to causing blue screen of death (BSoD) and putting their ransom notes at system startup—as in, even before the operating system loads. Imagine turning on your computer and instead of the usual Windows icon loading, you get a flashing red and white screen with a skull-and-crossbones instead.

This is the routine of a new crypto-ransomware variant dubbed “Petya” (detected by Trend Micro as RANSOM_PETYA.A). Not only does this malware have the ability to overwrite the affected system’s master boot record (MBR) in order to lock users out, it is also interesting to note that it is delivered to victims via a legitimate cloud storage service (in this case, via Dropbox).

We do note that this isn’t the first time that malware has abused a legitimate service for its own gain; however, this is the first time (in a long time) that leads to crypto-ransomware infection. It is also a departure from the typical infection chain, wherein the malicious files are attached to emails or hosted in malicious sites and delivered by exploit kits.