WARNING: Crypto virus - Magento/WP

I'm deliberately opening the topic here, this section seems more visited than Administration - if an admin disagrees, they can move it.

In short, a new virus is on the march.
It's a classic crypto virus that encrypts files and demands a ransom for decryption.
The main difference (unseen so far): it gets onto the server, encrypts Magento/WP files and demands a ransom. From memory roughly 400+ USD/EUR.

On one shop we were unlucky enough to be among the first to catch this filth. VPS, Magento 1.8.2, certain patches applied (not the latest one, because it breaks most of our plugins).
A complete restore of the VPS helped; luckily the image wasn't too far behind.

So far there is no information - neither how it gets onto the server, nor whether paying the ransom works. Magento and WP are said to be affected (information from the sysadmins).

I can't find any information on the net - for now - I assume it was released into the wild yesterday, so I have no idea how to protect against it either. If it uses some 0-day vulnerability it's practically impossible anyway.

17 replies

perunpro:
In short, a new virus is on the march.
It's a classic crypto virus that encrypts files and demands a ransom for decryption.
The main difference (unseen so far): it gets onto the server, encrypts Magento/WP files and demands a ransom. From memory roughly 400+ USD/EUR.

For now SI-CERT has no data on this kind of locker. Do you have any saved data, copies of directories, logs, disk images, backup copies, ... on the basis of which we could carry out an investigation and try to find the malicious code and the installation method?

Gorazd Božič

13

Krebs has caught wind of it too http://krebsonsecurity.com/2015/11/ransomware-now-gunning-for-your-web-sites/

Sent SI-CERT the information we currently have - I think hosting providers, of which there is no shortage on IM, could help more.

There is a high probability that it is Linux.Encoder.1

from the link aaaccc:

According to Macadar, the instructions worked as described, and about three hours later his server was fully decrypted. However, not everything worked the way it should have.

“There’s a decryption script that puts the data back, but somehow it ate some characters in a few files, adding like a comma or an extra space or something to the files,” he said.

So only a complete restore helps.

1

Yes, these things are almost impossible to decrypt. At the last security conference in the USA the FBI even said they recommend paying the requested amount, since it is very hard to decrypt the files, and that those who do this stick to what is written and, after the bitcoin is paid, hand over the password to restore the files. So I recommend everyone make a backup of their files just in case.

Here is an example of the txt file they leave on the server:

Your personal files are encrypted! Encryption was produced using a unique public key RSA-2048 generated for this computer.

To decrypt files you need to obtain the private key.

The single copy of the private key, which will allow to decrypt the files, located on a secret server at the Internet. After that, nobody and never will be able to restore files...

To obtain the private key and php script for this computer, which will automatically decrypt files, you need to pay 1 bitcoin(s) (~420 USD).
Without this key, you will never be able to get your original files back.


!!!!!!!!!!!!!!!!!!!!! PURSE FOR PAYMENT(ALSO AUTHORIZATION CODE): 15Tq1pLArr9p96v4Vam51KybDP1TQZoPxo !!!!!!!!!!!!!!!!!!!!!
WEBSITE: https://z54n57pg2el6uze2.onion.to

INSTRUCTION FOR DECRYPT:

After you made payment, you should go to website https://z54n57pg2el6uze2.onion.to
Use purse for payment as ur authorization code (15Tq1pLArr9p96v4Vam51KybDP1TQZoPxo).
If you already did the payment, you will see decryption pack available for download,
inside decryption pack - key and script for decryption, so all what you need just upload and run that script ( for example: http://http://test.domain.si/decrypt.php )

Also, at this website you can communicate with our supports and we can help you if you have any troubles,
but hope you understand we will not answer at any messages if you not able to pay.

!!!P.S. Our system is fully automatic, after payment you will receive you're decrypt pack IMMEDIATELY!!!

FAQ:
Q: How can I pay?
A: We are accept only bitcoins.

Q: Where to buy bitcoins?
A: We can't help you to buy bitcoins, but you can check link below: https://en.bitcoin.it/wiki/BuyingBitcoins(thenewbieversion)

Q: I already bought bitcoins, where i should send it.
A: 15Tq1pLArr9p96v4Vam51KybDP1TQZoPxo

Q: What gonna happen after payment?
A: Download button for decryption pack will be available after you made payment

Q: I pay, but still can't download decryption pack
A: You need to wait 3 confirmations for bitcoin transaction.

Q: How to use decryption pack?
A: Put all files from archive to your server and just run decrpyt.php (example: website.com/decrypt.php)

Q: Can I pay another currency?
A: No.

11

coda:
Yes, these things are almost impossible to decrypt. At the last security conference in the USA the FBI even said they recommend paying the requested amount, since it is very hard to decrypt the files, and that those who do this stick to what is written and, after the bitcoin is paid, hand over the password to restore the files. So I recommend everyone make a backup of their files just in case.

In principle that holds for classic ransomware on personal computers. Those of you who follow us on twitter.com/sicert have already noticed, and the rest of you, follow us quickly :-) -- this particular specimen of crypto-extortionist has a design flaw, namely that it uses the system rand() function and uses a timestamp as the seed. The right key can then be determined from the files' timestamps.

http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/

Regards, Gorazd

PS: It is still good for us to get as much information as possible about which vulnerabilities were used to drop the program ...

6
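The flaw Gorazd describes (key material from a PRNG seeded with the time of encryption, which the filesystem then records as the file's mtime) is small enough to reproduce end to end. The following is an added example written for this thread; it is not SI-CERT's, Bitdefender's or the malware's own code. Assumptions: Python's random.Random stands in for the system rand(), a XOR keystream stands in for the real cipher (the weakness is in how the key is chosen, not in the cipher), "<?php" is used as known plaintext because Magento/WP source files start with it, and the search window around the mtime is a guess. The sample file and timestamps are constructed.

```python
import os
import random
import tempfile

KNOWN_PREFIX = b"<?php"  # Magento/WP PHP files begin with this: free known plaintext


def keystream(seed: int, length: int) -> bytes:
    """Keystream from a PRNG seeded with a Unix timestamp (stand-in for rand() seeded with time)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


def xor_with_seed(data: bytes, seed: int) -> bytes:
    """Encrypt or decrypt (symmetric) with the timestamp-derived keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(seed, len(data))))


def encrypt_file_like_locker(path: str, now: int) -> None:
    """Model of the locker: take the current time as seed, then overwrite the file in place."""
    with open(path, "rb") as f:
        plain = f.read()
    with open(path, "wb") as f:
        f.write(xor_with_seed(plain, now))
    # The rewrite stamps the file with roughly the same time the seed was taken from.
    os.utime(path, (now, now))


def recover_seed(path: str, window: int = 120):
    """Try every seed around the file's mtime; the one that yields the known prefix is the key."""
    mtime = int(os.stat(path).st_mtime)
    with open(path, "rb") as f:
        head = f.read(len(KNOWN_PREFIX))
    for seed in range(mtime - window, mtime + window + 1):
        if xor_with_seed(head, seed) == KNOWN_PREFIX:
            return seed
    return None  # mtime too far from the real seed, or not a file we can check


def decrypt_file(path: str, seed: int) -> bytes:
    with open(path, "rb") as f:
        return xor_with_seed(f.read(), seed)


def demo(encrypt_time: int = 1447000000, write_lag: int = 3) -> dict:
    """Constructed scenario: lock a sample PHP file, then restore it from its mtime alone."""
    original = b"<?php\n// constructed sample file\necho 'Magento';\n"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "index.php")
        with open(path, "wb") as f:
            f.write(original)
        encrypt_file_like_locker(path, encrypt_time)
        # Simulate the write landing a few seconds after the seed was taken.
        os.utime(path, (encrypt_time + write_lag, encrypt_time + write_lag))
        seed = recover_seed(path)
        recovered = decrypt_file(path, seed) if seed is not None else None
    return {"seed": seed, "restored": recovered == original, "plaintext": recovered}


if __name__ == "__main__":
    print(demo())
```

Run it against copies, never the only remaining copy of the affected tree: a restore tool or a cp without -p resets mtimes and the search then has nothing to anchor on, which is why the function returns None rather than guessing. The same idea is what makes a free decryptor possible for this family; with a properly seeded CSPRNG the search space would be 2^128 instead of a few hundred seconds.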

A link would be nice, otherwise it's hard to follow :P https://twitter.com/sicert

Perun:
A link would be nice, otherwise it's hard to follow :P https://twitter.com/sicert

Any decent hacker can turn text into a hyperlink.

Otherwise I agree.
The essence of the web is in hyperlinks.

12