


Backdoored Ransomware for Educational Purposes

Category: PoC | Source: malwaretech.com

A researcher released two pieces of 'educational' ransomware which were secretly backdoored in order to own some advanced and prolific cyber-criminals, or, as it turned out, a small number of script kiddies. The two pieces were HiddenTear (ransomware with deliberately insecure cryptography, designed so that decryption of the files is always possible) and eda2 (supposedly flawless ransomware with a deliberately vulnerable C&C panel, designed to allow retrieval of the keys). Although releasing backdoored 'educational' ransomware might seem like a good idea, it really, really isn't.

Educational Purposes

I have a big problem with the word "educational" when it comes to malware: I get hundreds of emails per year asking for how-to guides on writing fully weaponized malware (for educational purposes, of course). The problem is: what exactly do those educational purposes entail? There is no university degree in effective malware development, nor is freelance malware developer a viable legal career path. If they were planning on doing malware development for red teaming, they'd need a lot more skills than basic malware development, and they could take one of the many paths into a pentesting-based career. What it really comes down to is that anyone using the term "educational purposes" knows full well that what they're doing has next to no legitimacy at all. If I go into a hardware store to buy a nail gun for some DIY job, I don't look the shopkeeper dead in the eyes and tell him "Don't worry, I'm not using this to murder anyone", because now he's thinking either "wow, this guy has issues" or "am I about to become complicit in a murder?". Generally speaking, people who aren't guilty don't feel the need to make sure everyone is aware of the fact. I get plenty of normal emails asking for help with malware in the context of some research the sender is doing, as opposed to badly worded emails from Russians run through Google Translate.

On the flip side it's no different: stating "educational purposes" when releasing some malware is really just another way of saying "look at this great malware I wrote, I have no legitimate reason to post it but I'm going to anyway", and I would know, because I've been guilty of this many times in the past. Now, personally, when posting any kind of malware proof of concept, I make sure it's restricted to the exact context of the demo (I don't post the source code of a fully fledged banking trojan to demonstrate that malware can run on computers), and I also ensure that it would take more effort than it's probably worth for someone to weaponize any code I posted (though in the past this has still happened once or twice *shakes fist at sky*).

Now let's look at the pretext given for the HiddenTear ransomware:

"While I was researching ransomware, all I could see were lots of fancy diagrams and assembly code that try to explain how it works. It may be easy to understand for those who are familiar with assembly, but most people are not, especially newbies. And there wasn't any proper source code for a ransomware sample. My first motivation was to provide source code for newbies and students who are trying to understand the process."

Well, to start off: yes, it usually is fairly difficult to understand assembly if you don't know assembly, but why do you need to understand assembly code to understand ransomware? And how is handing out source code going to help people understand it? Ransomware is so basic that you can explain it to non-coders in fewer than 500 words:

Ransomware is software which encrypts your computer's files, typically using a strong symmetric cipher such as AES-256; this algorithm is secure enough that it is used by the US government and cannot be broken by brute force. Once the files are encrypted, the encryption key is sent to the ransomware operator and all traces of it are erased from your computer. The only way to recover the key needed to decrypt your files is to pay the operator to give it back.

From a coder's perspective, if you understand how AES is used to encrypt a file, you understand how ransomware encrypts files; it's really not rocket science. Which begs the question: why does there need to be an open source, fully functional piece of ransomware, complete with payment method and C&C, to explain how basic file encryption works? The answer is: there doesn't, and this was the first open source ransomware for a very good reason.
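As an added illustration (not code from the original post, and not HiddenTear's or eda2's code, whose actual flaws the post does not describe), the Go program below shows the general class of "deliberately insecure cryptography" the post refers to: the cipher itself (AES-256-GCM from the Go standard library) is sound, but the key is derived from a single 32-bit seed such as a timestamp, so a recovery routine that knows the derivation and roughly when the file was encrypted can brute-force the key in a fraction of a second. The seed value, the file contents and the search window are constructed for the example. It also makes concrete the point raised under File Recovery below: the recovery path is available to anyone who has read the source, not only to the researcher who planted it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// DeriveKey is a deliberately weak key derivation for this illustration:
// the whole 256-bit AES key is a function of one 32-bit seed (think of a
// timestamp), so there are at most 2^32 possible keys instead of 2^256.
func DeriveKey(seed uint32) []byte {
	var buf [4]byte
	binary.BigEndian.PutUint32(buf[:], seed)
	sum := sha256.Sum256(buf[:])
	return sum[:]
}

// Encrypt seals plaintext with AES-256-GCM and returns nonce||ciphertext.
// The cipher is fine; the weakness is entirely in where the key came from.
func Encrypt(plaintext, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt opens nonce||ciphertext. GCM's authentication tag makes a wrong
// key fail loudly, which is what lets a brute-force search recognise a hit.
func Decrypt(blob, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// RecoverKey is the "decryption is always possible" path: given an
// approximate seed (e.g. the encrypted file's modification time) and a
// search window in seconds, try candidate seeds outward from the guess
// until GCM accepts one. Anyone who has read DeriveKey can run this.
func RecoverKey(blob []byte, approxSeed uint32, window uint32) (uint32, []byte, bool) {
	for delta := uint32(0); delta <= window; delta++ {
		for _, cand := range []uint32{approxSeed - delta, approxSeed + delta} {
			if pt, err := Decrypt(blob, DeriveKey(cand)); err == nil {
				return cand, pt, true
			}
		}
	}
	return 0, nil, false
}

func main() {
	// Constructed sample: a "file" encrypted under a timestamp-derived key.
	const realSeed uint32 = 1453900000 // hypothetical encryption time
	blob, err := Encrypt([]byte("quarterly-report.xlsx contents"), DeriveKey(realSeed))
	if err != nil {
		panic(err)
	}
	// Recovery only knows the encryption time to within a few minutes.
	seed, pt, ok := RecoverKey(blob, realSeed+137, 600)
	fmt.Printf("recovered=%v seed=%d plaintext=%q\n", ok, seed, pt)
}
```

The search tries at most 2*(window+1) AES-GCM decryptions, so even a window of a whole day (86,400 seeds) finishes in well under a second on a laptop; widening the seed to the full 32 bits would take minutes, not years. That asymmetry is the entire "backdoor": a strong cipher keyed from a tiny space.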

File Recovery

As the author behind HiddenTear and eda2 found out, a vulnerable C&C panel doesn't guarantee recovery. Make no mistake, these aren't professional cyber-criminals using his open source code; they are bottom-tier script kiddies who otherwise wouldn't be able to put together the code required to make even remotely functional ransomware. That much is evident from the fact that they hosted their C&C server on a free hosting site, which had been terminated due to abuse complaints before the researcher was able to recover the keys. D'oh.

Now it may look like tricking criminals into using backdoored malware is still a great idea, but as the stories of HiddenTear and eda2 show, no existing criminal is switching to the backdoored ransomware; rather, it's giving new players a taste of the high life with code they aren't yet able to write themselves, then smacking them back down with backdoored encryption. So what happens next? Do they give up, or do they keep trying to fix the backdoored code until they get it right? Seeing as the developer revealed how and where the ransomware is backdoored, it's probably the latter.

The final issue is this: assuming everything had gone to plan, the C&Cs had stayed online and all encryption keys had been recovered, how many people would actually get their files back (and for free)? It's not as if you can just call up the victims and tell them they're infected with probably the only recoverable ransomware and that you have the key for them; most of these people don't even know what ransomware is. Although I don't have a full-time job, I sometimes do incident response work for a couple of people, so I have had multiple encounters with the real-world effects of ransomware. Recently I was asked to help a DFIR guy identify the ransomware used to encrypt a company's files and see if they could be recovered. In this case they were lucky: I was able to identify the ransomware and provide them with a list of methods for file recovery, as well as confirm that, if the worst came to the worst, this ransomware would give their files back if they paid. But had they not called an incident response firm, what would have happened then?

Conclusion

It's unrealistic to think that, even if the encryption keys are recovered, even 50% of the victims will get their files back for free. It relies on the victim first being able to identify that they're infected with ransomware based on HiddenTear or eda2, and then finding out who to call to recover their files. I have a hard time identifying most ransomware and I've been working with malware for many years now; what hope do the victims have? Essentially the whole scheme is a variant of "create the sickness, sell the cure", as it's ignorant to think the backdoored ransomware is used only by existing groups rather than simply handing new tools to script kiddies.

