Wednesday, 31 December 2014

Vacancies - "FBI Looking For IT Experts Who Want To Become Cyber Cops"

The FBI has launched a campaign to recruit more technical staff, such as computer scientists, IT specialists and engineers. According to the investigative agency, investigating hacked websites, cyber intrusions, data theft, botnets and DoS attacks is a top priority, and more cyber cops are needed to keep pace with developments.

Bank robberies are an example of how the landscape has changed, says the FBI. Traditionally, agents would secure the crime scene, interview witnesses and collect evidence such as fingerprints and video recordings. When money is stolen online, however, a different approach is needed, such as requesting firewall logs and forensic copies of hard disks.

Important requirements for becoming a cyber cop are passing a screening and a fitness test, and agents must be at least 23 and at most 37 years old. Furthermore, the FBI is looking for experience with computers and technology; backgrounds in programming and security, database management, malware analysis, digital forensics and ethical hacking are preferred. In the announcement the FBI notes that the type and scope of the investigations, the teamwork and the camaraderie are things no one else can offer. According to the vacancy, cyber agents can earn a salary of between $59,000 and $76,000 per year at the FBI.

Kim Dotcom - "Promises The End Of NSA Surveillance With New Chat Service"

Internet entrepreneur Kim Dotcom will soon launch an encrypted service for video and chat conversations that is meant not only to compete with Skype, but also to put an end to NSA surveillance. Last Sunday Dotcom announced the arrival of "Mega Chat", as the service is to be called.

Few details about the new chat service are known yet, except that invitations to take part in the beta test will be sent out in the coming weeks. Yesterday Dotcom said on Twitter that Mega Chat is not intended only as a Skype competitor. "This will be the end of large-scale NSA surveillance and you will love it!" he remarked. Dotcom earlier launched the encrypted cloud storage service Mega, which now has over 15 million registered users.

Tuesday, 30 December 2014

Researcher hacks Facebook with Word document (.docx)

A researcher has managed to execute malicious code on Facebook's servers by uploading a specially prepared Word document. The vulnerability was on Facebook's careers website, where people who want to work at Facebook can upload their CV as a PDF or .docx document. Researcher Mohamed Ramadan knew, however, that .docx files are actually zipped XML files.

He opened his cv.docx with the zip utility 7-Zip and found several XML files. He then added code so that Facebook's server would make a connection to his own server. Initially Ramadan thought his code had not worked, until after a quarter of an hour he saw that a Facebook server had indeed connected to his server.

According to the researcher, this could be abused in various ways, such as performing a denial of service, TCP scans and other commands. Facebook initially thought there was no problem and that a recruiter had opened the cv.docx file and clicked on the link. Not much later, however, the social network confirmed that it was indeed a vulnerability, which has now been fixed. Ramadan received $6,300 for his bug report.

CTB (Curve Tor Bitcoin) Locker Ransomware - Specifically Aimed at Dutch Internet Users

Critroni Malware
Researchers have discovered a new variant of a particular ransomware that is now specifically aimed at Dutch Internet users. It concerns CTB Locker, which stands for Curve Tor Bitcoin, which first appeared in mid-July and encrypts files for ransom.

CTB Locker, which Microsoft calls Critroni, stands out because of the techniques used. For instance, the ransomware uses the Tor network to communicate with infected computers. Instead of using the file Tor.exe, as other malware does, the maker of CTB Locker has made the Tor code part of the ransomware code itself.

The ransomware also takes a different path with the encryption used. Most ransomware uses a combination of AES and RSA encryption to encrypt victims' files. CTB Locker uses an asymmetric cryptographic protocol known as ECDH (Elliptic Curve Diffie-Hellman). Another new development, first seen in the CoinVault ransomware, is the free decryption of files. Where CoinVault lets victims decrypt one file for free, CTB Locker decrypts five files for free.

Bitcoin Address
The ransomware is distributed through hacked WordPress sites. Malicious code that exploits vulnerabilities is placed on these websites, but it is unknown exactly which vulnerabilities are involved. If the attack is successful, CTB Locker is placed on the system and the ransomware encrypts the files present. Security researcher 'JuK' of the blog Malware Don't Need Coffee discovered the latest version, which supports Italian alongside Dutch.

MD5: 10f0eaa794f48ad0b15034e0683cb15f

Monday, 29 December 2014

Thousands of fake servers removed from the Tor network

The administrators of the Tor network have removed thousands of fake servers that had been added by the group Lizard Squad. The group claimed earlier this week to be behind the attacks on Xbox Live and the PlayStation Network, and now apparently planned to attack the Tor network.

In a short time some 3,000 new servers appeared in the Tor network. Lizard Squad thereby had a considerable share of the network, which with the new servers reached 10,000 "relays". In theory this is a risk for Tor users, because a party that owns a large part of the network could unmask users. In this case, however, Tor users were not in danger: at 20 kilobytes per second per server, the capacity of the new servers was too small.

Tor Network List
The total capacity of the Lizard Squad servers accounted for only 0.27% of the entire Tor network. Moreover, new servers are not selected for Tor users during their first three days, security researcher Nadim Kobeissi told The Verge. The fake servers have since been removed, according to the list of Tor servers. On Twitter Kobeissi states that many of these servers were hosted in the Google Cloud. He also suspects that they were thousands of small virtual machines with limited bandwidth.
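Why 30% of the relays added up to only 0.27% of the network is easy to show in code. The following is an added example, not code from the original post, from the Tor Project or from Nadim Kobeissi: it models bandwidth-weighted relay selection, the one property that made the cheap relays harmless. The 3,000 relays, the 20 KB/s per relay, the roughly 10,000 relays in total and the 0.27% figure are taken from the post; the bandwidth classes of the legitimate relays are a constructed distribution chosen so the fake relays come out near that 0.27%, not real Tor data.

```python
# Added example (not from the original post or the Tor Project): relay head
# count versus bandwidth-weighted selection, with a constructed network.
import random

KB = 1024
MB = 1024 * KB

# Constructed bandwidth classes for legitimate relays (not real Tor data).
LEGIT_CLASSES = [512 * KB, 1 * MB, 2 * MB, 4 * MB, 8 * MB]


def build_network(n_fake=3000, fake_bw=20 * KB, n_legit=7000):
    """Return a list of (tag, bandwidth_bytes_per_second) tuples.

    n_fake relays of fake_bw each model the additions described in the post
    (3,000 relays at 20 KB/s); the legitimate relays cycle through the
    constructed classes so the network totals about 10,000 relays.
    """
    legit = [("legit", LEGIT_CLASSES[i % len(LEGIT_CLASSES)]) for i in range(n_legit)]
    fake = [("fake", fake_bw)] * n_fake
    return legit + fake


def count_share(relays, tag):
    """Fraction of relays carrying `tag`: what a naive head count measures."""
    return sum(1 for t, _ in relays if t == tag) / len(relays)


def bandwidth_share(relays, tag):
    """Fraction of total bandwidth carried by `tag` relays: what matters."""
    total = sum(bw for _, bw in relays)
    return sum(bw for t, bw in relays if t == tag) / total


def selection_share(relays, tag, draws=50000, seed=7):
    """Empirical fraction of bandwidth-weighted picks that land on `tag`.

    This mirrors the core of Tor's path selection: a relay is chosen with
    probability proportional to its weight. Real Tor also applies
    per-position weights, relay flags and a pinned guard set, all omitted here.
    """
    rng = random.Random(seed)
    weights = [bw for _, bw in relays]
    picks = rng.choices(relays, weights=weights, k=draws)
    return sum(1 for t, _ in picks if t == tag) / draws


def end_to_end_exposure(share):
    """Probability that both entry and exit of a circuit are adversary relays
    when each is drawn independently with probability `share`.
    Simplified independence model; guard pinning is ignored."""
    return share * share


if __name__ == "__main__":
    net = build_network()
    fake_count = count_share(net, "fake")
    fake_bw = bandwidth_share(net, "fake")
    print(f"relay-count share:   {fake_count:.1%}")   # about 30%
    print(f"bandwidth share:     {fake_bw:.2%}")      # about 0.27%
    print(f"picked in practice:  {selection_share(net, 'fake'):.2%}")
    print(f"both ends adversary: {end_to_end_exposure(fake_bw):.6%}")
```

The head count says 30% of the network; the weighted draw says well under 1%, which is why a consensus that weights by measured bandwidth makes flooding the network with slow relays an expensive way to gain very little position.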

In a previous post we discussed the Tor network being under attack.

Sunday, 28 December 2014

German Defense Minister von der Leyen's fingerprint copied by hacker

A hacker from the German Chaos Computer Club (CCC) has managed to obtain a fingerprint of German Defense Minister Ursula von der Leyen without using any physical object that Von der Leyen had touched.

In recent years it has been shown several times that fingerprints are easy to lift from objects a person has touched, such as a glass or a smartphone. Yesterday, during the CCC hacker conference in Hamburg, the hacker "Starbug" showed how the defense minister's fingerprint could be captured with nothing more than a regular camera. The print could be used for biometric authentication.

"After this presentation, politicians will probably wear gloves when they speak in public," Starbug said. During his presentation the hacker also demonstrated various ways to bypass fingerprint systems. In 2013 he had already defeated the biometric security of Apple's Touch ID.

Saturday, 27 December 2014

Security company claims that Sony hackers are Russian

The hackers who managed to break into Sony Pictures Entertainment are Russian and not Korean, says the American security firm Taia Global. Linguists at the company performed several analyses of twenty messages left behind by the attackers.

Earlier the FBI had stated that North Korea was behind the attack. According to Taia Global, however, the technical evidence supplied by the FBI is vague and unconvincing. The company therefore decided to look at the written evidence the attackers left behind. Using Native Language Identification (NLI) and "L1 interference", it examined whether the attackers were Korean, Chinese, Russian or German.

The analysts looked for phrases that are not normally used in English. These sentences were then translated into the candidate languages. Of the twenty sentences, fifteen were found to be direct translations from Russian, nine were found to be Korean, and none was of German or Chinese origin. A second test looked at misuse of English grammar and at sentence structures that were wrong in English but valid in one of the tested languages. Three of the five were correct in Russian, while one corresponded to Korean, one of the analysts told the New York Times.

"Our preliminary results show that the Sony attackers were probably Russian, possibly but not probably Korean, and certainly not Chinese or German," the company wrote in a blog post. Many experts doubt whether North Korea is really behind the Sony hack, as alleged by the United States. Another American security company suggested this week that a former Sony employee was probably involved in the attacks.

Friday, 26 December 2014

Google blacklists 39,000 WordPress sites for malware

Google has already put more than 39,000 WordPress websites on a blacklist because they are infected with malware. Attackers use a leak in the WordPress Slider Revolution premium plug-in to gain access to the sites and then add malicious code that tries to infect visitors with malware. The leak in the plug-in has long been known and a patch is available, but many sites have not installed it.

According to security firm Sucuri, three different campaigns are involved, of which the SoakSoak campaign is responsible for most infections. According to Google, the malware from this website has been detected on over 17,000 domains. Through the wpcache-blogger campaign a good 12,000 sites have ended up on the search giant's blacklist. Finally, there is an IP address used by the attackers whose code was found on 8,500 websites.

Internet users who visit these websites with, for example, Google Chrome or Firefox will see a warning. Based on its own research, Sucuri estimates that more than 50,000 websites have been infected, but not all of them have been indexed by Google.

Affected websites are advised to do a "complete cleanup", since reinstalling WordPress alone is not enough: the attackers leave too many backdoors behind. WordPress administrators are also urged to update their plug-ins. With over 74 million websites, WordPress is the most popular online content management system.

Thursday, 25 December 2014

Dridex Malware - "Christmas Offers Contains Macro Malware"

Christmas Offers.Docx

Spammers are using Christmas as an opportunity to send e-mails that at first glance appear to contain a Christmas offer but actually spread malware. The e-mails currently circulating carry a Word document named "Christmas Offerings" as an attachment. Once it is opened, the macros in the document try to download a malicious executable.

The authors have in fact created several macros

Because of the security risks, Microsoft Office blocks macros by default, and users see a security warning that the macros have been disabled. In the same warning, however, users can choose to enable the content of the document. If the user selects this, the Dridex Trojan is downloaded to the PC. This is a Trojan specifically designed to steal money from online bank accounts, according to anti-virus company Malwarebytes.
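Both this post and the Facebook careers-site post above come down to the same fact: a .docx or .docm is a zip of XML parts, so it can be triaged before anyone opens it in Word. The following scanner is an added example, not code from either post, from Facebook, Malwarebytes or Microsoft. It flags macro storage (a vbaProject.bin part, the Dridex case) and external references in the XML parts (DOCTYPE/ENTITY declarations with a SYSTEM or PUBLIC identifier, and relationships marked TargetMode="External", the kind of content that makes a parsing server reach out to another host). The sample documents are constructed in memory and far smaller than real Word output; the hostname example.invalid is a reserved, non-routable name used only as a placeholder. The XML is searched as raw bytes on purpose, so the scanner never hands untrusted XML to an XML parser itself.

```python
# Added example (not from the original posts): triage of Office Open XML
# files by listing the zip parts and pattern-matching their raw bytes.
import io
import re
import zipfile

# Markers searched in the raw bytes of every .xml/.rels part.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)
EXTERNAL_ENTITY_RE = re.compile(rb"<!ENTITY\s+\S+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
EXTERNAL_REL_RE = re.compile(rb'TargetMode\s*=\s*"External"', re.IGNORECASE)
# Macro storage lives in a part named vbaProject.bin (normally under word/).
MACRO_PART_RE = re.compile(r"(?:^|/)vbaProject\.bin$", re.IGNORECASE)


def scan_office_document(data):
    """Inspect one OOXML document given as bytes and return what was found."""
    findings = {"macros": [], "doctype": [], "external_entities": [], "external_rels": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if MACRO_PART_RE.search(name):
                findings["macros"].append(name)
            if not name.lower().endswith((".xml", ".rels")):
                continue
            blob = zf.read(name)  # raw bytes; never parsed as XML here
            if DOCTYPE_RE.search(blob):
                findings["doctype"].append(name)
            if EXTERNAL_ENTITY_RE.search(blob):
                findings["external_entities"].append(name)
            if EXTERNAL_REL_RE.search(blob):
                findings["external_rels"].append(name)
    return findings


def risk_level(findings):
    """Macros or external entity declarations: high. A DOCTYPE or an external
    relationship alone is unusual but can be benign (ordinary hyperlinks)."""
    if findings["macros"] or findings["external_entities"]:
        return "high"
    if findings["doctype"] or findings["external_rels"]:
        return "medium"
    return "low"


def build_document(parts):
    """Constructed helper: pack {part name: bytes} into a zip the way Word does."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Minimal parts for the constructed samples (real documents carry many more).
XML_PROLOG = b'<?xml version="1.0" encoding="UTF-8"?>'
CONTENT_TYPES = XML_PROLOG + (b'<Types xmlns="http://schemas.openxmlformats.org/'
                              b'package/2006/content-types"/>')
DOCUMENT_BODY = (b'<w:document xmlns:w="http://schemas.openxmlformats.org/'
                 b'wordprocessingml/2006/main"><w:body><w:p/></w:body></w:document>')
RELS = XML_PROLOG + (b'<Relationships xmlns="http://schemas.openxmlformats.org/'
                     b'package/2006/relationships"/>')

CLEAN_DOCX = build_document({"[Content_Types].xml": CONTENT_TYPES,
                             "word/document.xml": XML_PROLOG + DOCUMENT_BODY,
                             "word/_rels/document.xml.rels": RELS})

# Macro-bearing sample: the vbaProject.bin content is a placeholder, not VBA.
MACRO_DOCM = build_document({"[Content_Types].xml": CONTENT_TYPES,
                             "word/document.xml": XML_PROLOG + DOCUMENT_BODY,
                             "word/vbaProject.bin": b"placeholder-ole-stream"})

# Call-out sample: an external entity whose resolution would make the parsing
# host fetch a URL. example.invalid is a reserved placeholder name.
CALLOUT_DOCX = build_document({"[Content_Types].xml": CONTENT_TYPES,
                               "word/document.xml": XML_PROLOG
                               + b'<!DOCTYPE w:document [<!ENTITY ext SYSTEM '
                               + b'"http://example.invalid/">]>' + DOCUMENT_BODY,
                               "word/_rels/document.xml.rels": RELS})

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_DOCX), ("macro", MACRO_DOCM), ("callout", CALLOUT_DOCX)]:
        f = scan_office_document(doc)
        print(label, risk_level(f), f)
```

A mail gateway or upload handler can apply the same check before a document ever reaches Word or a server-side converter; the design point is that listing zip members and grepping bytes is safe even when the document is hostile, whereas parsing the XML to "have a look" is exactly what the Facebook report describes going wrong.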

VBA code

VirusTotal report of Christmas Offers.docx

MD5: 9d0b2db07a5c5a903e0d599c8fcc63ca

VirusTotal report of the downloaded EXE

MD5: 09e21abb85829788cab67d112d1b7c95

Macro example

Wednesday, 24 December 2014

Google discovers critical vulnerability in UnZip

A researcher from the Google Security Team has discovered a critical vulnerability in UnZip, an open source tool for extracting files from archives. Due to an error in the cyclic redundancy check (CRC), it is possible to cause a buffer overflow that may allow an attacker to run arbitrary code on the computer. CRC is a check for detecting errors.

To carry out the attack, an attacker has to get the victim to open a specially prepared zip file with the command unzip -t. Besides searching for vulnerabilities in its own software, Google is also busy checking open source software. The leak was reported on December 3 by researcher Michele Spagnuolo.

On the same day the UnZip maintainer released an update, followed by a second update later that day. A week later all affected vendors using UnZip were warned, after which the advisory appeared online yesterday. The leak is present in UnZip 6.0 and older. The last update of the program dates from April 2009.

Tuesday, 23 December 2014

The Tor Network Is Under Attack

Tor users may have problems using its services in the coming days. Representatives of Tor warn that they have detected an attempt to take control of specialized servers, known as directory authorities, that support the network. They did not disclose which hacker group or organization is behind the attack. "We have taken steps to ensure the safety of users of our services. Tor already uses redundancy mechanisms that will keep their anonymity, even if the planned attack is executed. Tor is safe," writes "arma" on the blog associated with the project. "Arma" is a nickname of the project leader, Roger Dingledine.

In the Tor network, packets are not exchanged directly between the sender and the receiver but pass through several randomly selected relay servers, which mask the path of the information flow and thus provide anonymity to the network's users. "Even if the attacker takes control of the majority of the servers, they will not be able to force the Tor client software to stop communicating with the other relays, and as a result users will still be safe and anonymous," writes "arma".

If you use Tor, you may want to note down and temporarily avoid the affected mirrors shown in the picture below.

Affected Mirrors

Currently Tor uses 9 servers to manage traffic in the network. They are located in the USA and Europe. At the moment (Monday 22/12/2014) there was no further information about the planned attack on Tor. Representatives of the project promise that all information on the current situation will be posted immediately on the blog of the project, which provides anonymity on the Internet.

The Tor network is used by users who want to avoid censorship and tracking of the content they publish by the secret services, especially in non-democratic countries. Representatives of the Tor project say the network is also used by millions of people who want to secure their communication when connecting to the Internet in public places. Unfortunately, it is also used by criminals, such as the drug trafficking network Silk Road. That was closed down in October 2013 by the US police, but there is another version, Silk Road 2.0. Despite these controversies, the Tor network is one of the symbols of freedom and privacy in Internet communication, and any attempt to attack this system will probably cause a big stir among users of the global network.

Researcher demonstrates firmware attack on MacBook

In late December a researcher showed how it is possible to install a bootkit on an Apple MacBook that survives reinstalling the operating system and replacing the hard drive. The bootkit can be installed by someone with physical access to the laptop, using the externally accessible Thunderbolt port. Once the bootkit is running, it can spread virally by infecting other Thunderbolt devices.

According to researcher Trammell Hudson, it is possible to bypass the check that Apple's EFI (Extensible Firmware Interface) applies to firmware updates. This lets an attacker with physical access add malicious code to the firmware in the ROM on the motherboard, creating a new class of firmware bootkits for MacBooks. The firmware is not cryptographically verified during boot, so the malicious code has full control over the system from the start.

Hudson developed a "proof of concept" bootkit that replaces Apple's public RSA key in the firmware and thereby blocks attempts to replace the malicious code. Since the boot firmware is independent of the operating system, the bootkit remains after the operating system is reinstalled. Replacing the hard drive also has no effect. Only with a programming device can the original firmware be restored.

The researcher notes that the bootkit can also modify the firmware of other Thunderbolt devices and spread further that way. "Although the two-year-old Thunderbolt firmware leak that this attack uses can be remedied with a firmware patch, the bigger problem of Apple's EFI firmware security and secure booting is difficult to solve without trusted hardware." Hudson will give more details during his presentation at the CCC conference.

Monday, 22 December 2014

"IP addresses are insufficient evidence against North Korea"

The evidence the United States has against North Korea when it comes to the Sony hack is weak, says a security expert who analyzed the IP addresses used in the attack. Last week the FBI said in an official statement that the Asian country was responsible for the intrusion into the network of Sony Pictures Entertainment, the theft of all the data and the sabotage of thousands of computers.

However, the FBI is careful in its choice of words, says security expert and blogger "krypt3ia". He reads in the wording that the investigators are unsure. Initially the FBI did not link the attack to North Korea, and now the country is said to be the culprit. "Something that makes people like me crazy," he notes. The expert therefore decided to look at the IP addresses used by the malware and asked himself whether these resources are, or can only be, used by North Korea.

IP Addresses

The IP addresses the attackers used are in Thailand, Poland, Italy, Bolivia, Singapore, Cyprus and the United States. They include proxies and servers that can be used by anyone. For one of the servers Krypt3ia found the credentials on a Chinese forum. The IP addresses also appear to be used frequently for other cybercrime activities, such as sending spam and controlling compromised computers.

"If all IP addresses are used by the US as evidence that North Korea carried out this attack, I think the evidence is weak," said the expert. Most of these systems are in fact well-known compromised machines that are used for all kinds of cybercrime purposes. Moreover, many of these compromised servers are shared among attackers.

That North Korea has used such tactics in the past is, according to the expert, circumstantial evidence that would be inadmissible in court. Nevertheless, Obama announced that the US will take appropriate action against North Korea. The expert therefore questions whether the US should base its response on circumstantial evidence, and refers to the so-called weapons of mass destruction in Iraq. He further questions whether a break-in at a single entertainment company in Hollywood should be acted upon at the state level at all. "When I go to Twitter and the news I see is marketing hype and unjustified attribution ... and it will lead to our mutual destruction," the blogger concluded.

Sunday, 21 December 2014

Critical vulnerabilities found in Network Time Protocol (NTP)

Researchers at Google have discovered critical vulnerabilities in the Network Time Protocol (NTP) that allow attackers to execute code on systems that use NTP. NTP is a protocol that lets systems synchronize the time for different services and applications.

Among other things it is used on a large scale in industrial systems. Neel Mehta and Stephen Roettger of the Google Security Team discovered several vulnerabilities in the protocol. In the worst case an attacker can cause a buffer overflow by sending a single packet, after which it is possible to execute code on the attacked system with the rights of the NTP process. This vulnerability is present in all versions of NTP before 4.2.8.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the US government, the US Computer Emergency Readiness Team (US-CERT) and the CERT Coordination Center (CERT-CC) at Carnegie Mellon University have issued warnings about this. Administrators are advised to upgrade to NTP 4.2.8. This version also fixes vulnerabilities in the random number generator that allowed an attacker to retrieve certain information. Exploits that abuse the leak have been found on the Internet, according to ICS-CERT.

Saturday, 20 December 2014

US warns of SMB worm that was used against Sony

The Computer Emergency Readiness Team (US-CERT) of the US government has issued a warning about an SMB (Server Message Block) worm that was deployed against Sony. The worm uses brute-force authentication to spread through shared Windows SMB shares.

Every five minutes the malware connects to the attackers' command server to report whether it has successfully infected another Windows computer via SMB port 445. The tool also listens for connections on TCP port 195 and TCP port 444. Furthermore, the worm has a backdoor that allows files to be downloaded and commands to be executed. The worm can also use Universal Plug and Play (UPnP) to discover routers, gateways and port mappings in the firewall.

This makes it possible for attacked computers that are behind a NAT (Network Address Translation) network to allow incoming connections. The most striking part of the worm is the "wiper", which overwrites the Master Boot Record of the hard drive and thus renders the system unusable. The wipe function is also used against systems that are reachable via shared network folders. The malware tries to log on to these computers with a number of usernames and passwords that were specified in advance by the attackers.

US-CERT warns that organizations that encounter this malware must take into account the theft of intellectual property and the disruption of critical systems. As countermeasures, organizations are advised to use virus scanners and keep them up to date, to keep operating systems and software up to date, to apply "defense in depth" strategies, and to establish a plan for dealing with destructive malware.
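The behaviours US-CERT describes translate directly into network detections. The following is an added example, not code from US-CERT or from the original post: it turns three of the described traits into checks over connection records, namely SMB (port 445) fan-out from one host to many hosts, connections to the listener ports 195 and 444, and a client that beacons to the same address about every five minutes. The log lines, addresses and the "src=/dst=/dport=" line format are constructed for the example and are not any product's log format; the detection thresholds are assumptions to tune per network.

```python
# Added example (not from US-CERT or the original post): SMB worm traits as
# checks over constructed connection records.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
WORM_LISTENER_PORTS = {195, 444}  # from the US-CERT description in the post

# Constructed records in an assumed format: "<ISO time> src=<ip> dst=<ip> dport=<port>".
SAMPLE_LOG = """
2014-12-19T10:00:00 src=10.0.0.5 dst=203.0.113.9 dport=8080
2014-12-19T10:01:10 src=10.0.0.5 dst=10.0.0.11 dport=445
2014-12-19T10:01:12 src=10.0.0.5 dst=10.0.0.12 dport=445
2014-12-19T10:01:15 src=10.0.0.5 dst=10.0.0.13 dport=445
2014-12-19T10:01:20 src=10.0.0.5 dst=10.0.0.14 dport=445
2014-12-19T10:02:02 src=10.0.0.5 dst=10.0.0.15 dport=445
2014-12-19T10:02:30 src=10.0.0.5 dst=10.0.0.16 dport=445
2014-12-19T10:03:00 src=10.0.0.30 dst=10.0.0.2 dport=445
2014-12-19T10:05:01 src=10.0.0.5 dst=203.0.113.9 dport=8080
2014-12-19T10:06:40 src=10.0.0.20 dst=10.0.0.5 dport=444
2014-12-19T10:10:00 src=10.0.0.5 dst=203.0.113.9 dport=8080
2014-12-19T10:14:58 src=10.0.0.5 dst=203.0.113.9 dport=8080
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse_log(lines):
    """Return (timestamp, src, dst, dport) tuples; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def smb_fanout(events, window=timedelta(minutes=10), threshold=5):
    """Sources that reached >= threshold distinct hosts on 445 within `window`.
    Brute-force spreading over SMB looks like one host touching many."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == SMB_PORT:
            per_src[src].append((ts, dst))
    hits = {}
    for src, conns in per_src.items():
        conns.sort()
        best = 0
        for i, (start, _) in enumerate(conns):  # sliding window over time order
            targets = {dst for ts, dst in conns[i:] if ts - start <= window}
            best = max(best, len(targets))
        if best >= threshold:
            hits[src] = best
    return hits


def listener_contacts(events):
    """Hosts that received connections on the worm's listener ports; an internal
    host accepting 195/444 is worth a look even without other signs."""
    return sorted({(dst, dport) for _, _, dst, dport in events if dport in WORM_LISTENER_PORTS})


def periodic_beacons(events, period=timedelta(minutes=5), tolerance=timedelta(seconds=30), min_hits=3):
    """(src, dst, dport) flows whose connection gaps repeat at about `period`."""
    per_flow = defaultdict(list)
    for ts, src, dst, dport in events:
        per_flow[(src, dst, dport)].append(ts)
    beacons = []
    for flow, times in per_flow.items():
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        regular = sum(1 for g in gaps if abs(g - period) <= tolerance)
        if regular + 1 >= min_hits:
            beacons.append(flow)
    return sorted(beacons)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("SMB fan-out:", smb_fanout(ev))
    print("listener contacts:", listener_contacts(ev))
    print("periodic beacons:", periodic_beacons(ev))
```

In the constructed log, 10.0.0.5 trips all three checks (six SMB targets in under two minutes, a host connecting to it on 444, and a five-minute beacon to 203.0.113.9), while 10.0.0.30 making a single connection to a file server on 445 stays quiet. Any one of these alone is a lead; all three on one host is the profile the advisory describes.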

Friday, 19 December 2014

Sony attackers used system administrator's password

The attackers who broke into Sony's network used the stolen password of a system administrator, US researchers claim on the basis of evidence found. Through the password the attackers had access to the entire Sony network.

The discovery is one of the reasons the researchers think the attack on Sony was carried out with the help of an employee, officials told CNN. The US authorities have now declared the attack a matter of national security. According to CNN, Washington will today name North Korea as being behind the attack.

Security expert Jeffrey Carr argues that the US should first provide evidence before it can be assumed that North Korea is actually behind the attack. He himself has serious doubts about this. "My advice to journalists, managers, policy makers and the public is to doubt everything you hear about the attribution of cyber attacks. There is no concrete evidence, and the possible indicators cannot be verified."

Kim Zetter of Wired also published an article on why the evidence against North Korea is thin. The film "The Interview" would not have been the reason for the attack either: the film was not mentioned in the attackers' first announcement. The fact that the malware was compiled on a computer with Korean language settings does not say anything. Zetter then outlines two scenarios for who is behind the attack. Possibly it is a group of people who operate like Anonymous, or there were several groups with different motives that had access to the Sony network.

Wednesday, 17 December 2014

Symantec creates jeans and blazers that block RFID signals

Security company Symantec has, together with an American clothing company, developed a blazer and jeans that block RFID signals. This is meant to discourage fraud and hacking of RFID cards and passports. These cards are increasingly equipped with radio frequency identification (RFID).

In 2015 more than 70% of credit cards would support RFID and therefore be at risk of being attacked this way. Clothing company Betabrand therefore decided to collaborate with Symantec and develop the first jeans and blazer that block RFID signals. The "READY Active Jeans" and "Work-It Blazer" have two pockets with a special fabric that stops RFID and thus protects cards and documents. The jeans ($151) and blazer ($198) go on sale in February.

Tuesday, 16 December 2014

FBI used Metasploit to identify Tor users

The FBI has used a component of the popular Metasploit hacking tool to identify Tor users. Metasploit is a tool with which penetration testers and security experts test the security of systems and networks. It is now developed and maintained by security company Rapid7.

Wired reports that in 2012 the FBI deployed part of Metasploit to successfully identify various Tor users through Adobe Flash Player. The US investigative agency made use of an abandoned Metasploit project called "Decloaking Engine". This was an experimental concept developed in 2006 in which multiple tricks were used to identify users of an anonymity service such as Tor via a specially crafted website. If the Tor user had secured his installation, he could not be identified through the website. If users had made a mistake, however, their real IP address became visible.

Flash Player

One of the tricks was the use of a Flash application. Adobe Flash Player can set up a direct connection to the Internet and thereby leak the user's IP address. This is a known problem, and the Tor Project therefore advises users not to install Flash Player. In 2011 a version of the Tor Browser, the software for accessing the Tor network, finally appeared in which users were better protected, and the test site set up for the Decloaking Engine hardly identified any users anymore.

Nevertheless, the FBI used the Decloaking Engine as the basis for an operation against child pornography sites on the Tor network. The investigative agency had gained access to several of these sites and then had them run Flash programs in visitors' browsers in order to determine their true IP addresses. A total of 25 users in the United States were identified, plus an unknown number elsewhere. According to Wired, this was the first time the FBI deployed spyware-like software against all visitors of a website instead of against specific individuals.

It is unknown, however, whether the FBI used the standard Decloaking Engine or a customized version. HD Moore, the original developer of Metasploit and the Decloaking Engine, argues that his release could barely identify Tor users. Only suspects with a very old Tor version, or who had gone to great lengths to install Flash Player, would have been at risk.

In this way the FBI would only have caught the suspects with the worst operational security rather than the worst offenders. A few months later the FBI again targeted Tor users. That time an exploit for a known Firefox vulnerability was used to determine the IP address and MAC address of Tor users. Again it concerned users with poor operational security, as the attacked Firefox leak had already been fixed in the latest version of the Tor Browser.

Monday, 15 December 2014

'SoakSoak' Malware Infected 100,000+ WordPress Websites

On over 100,000 WordPress sites researchers have found malicious code that tries to infect visitors with malware. The code is loaded from the Russian domain SoakSoak. Google has by now put more than 11,000 infected websites on a blacklist.

Visitors who use Firefox or Chrome see a warning when visiting these WordPress sites that the site contains malware. According to security firm Sucuri, the number of affected sites is much larger and would amount to more than 100,000 WordPress installations. On the WordPress forum, too, many users complain about SoakSoak on their websites.

How the attackers managed to get the malicious code onto the WordPress sites is still unknown, but it is suspected that the sites use a vulnerable version of the WordPress Slider Revolution premium plug-in. Already in September, WordPress sites with a vulnerable version of the plug-in were the target of attacks.

Sunday, 14 December 2014

Trojan Horse Hides Communication Via Invisible Internet Project (I2P)

The makers of a Trojan horse specifically designed to steal money from bank accounts have released a new variant that uses I2P to communicate with infected computers. I2P stands for Invisible Internet Project and is a network layer that lets applications exchange messages securely and pseudo-anonymously.

According to security company PhishMe, which discovered the new variant, I2P can be seen as a "secure version of Tor". The true DNS destination is shielded by default, and it has peer-to-peer features: in I2P every node can act as an exit node, whereas in the Tor network servers have to be specifically configured as exit nodes.

In the case of the Dyre banking Trojan, also known as Dyreza, I2P gives the attackers a separate communication channel that is difficult to analyze and detect. Yet administrators are not powerless, says analyst Ronnie Tokazowski. It is possible to block I2P at the top-level domain (.i2p) and thus stop the spread and possibly render the I2P traffic on the network harmless.

Saturday, 13 December 2014

Linux espionage virus possibly first made for Solaris

This week researchers announced that they had discovered a spyware virus for Linux, but the Finnish anti-virus firm F-Secure says the malware was possibly first developed for Solaris. The Turla backdoor, also known as Snake or Uroburos, was previously known only to be deployed against Windows.

Now Kaspersky Lab has reported that it discovered a Linux variant. According to the researchers, the malware has a number of interesting features, of which the ability to sniff the network interface is the most striking. The malware can adjust the command and control server that controls the infected machine according to the network traffic. The attackers only need to send a special packet to the machine to activate the malware.

Furthermore, the malware acts as a normal "remote access trojan" (RAT) and lets attackers download and upload files and execute commands. Researchers at F-Secure discovered some remarkable system paths in the code. They refer to directories that are normally used in a Solaris environment.

The researchers therefore wonder whether the backdoor was not first developed to attack Solaris servers. The code can easily be adapted for other platforms. "It would be no surprise if we also find the malware on Solaris servers in the coming days," says Jarkko Palviainen of F-Secure.

Friday, 12 December 2014

Microsoft - Beware of Payment Report Malware

Microsoft has warned Windows users about a malicious spam campaign that tries to infect recipients with malware. The mail, with the subject "Payment Report - importan", states that the recipient has received a payment of $35,000.

More details can supposedly be found in the attached zip file. The zip attachment contains a .scr file with a PDF icon. Because Windows does not display file extensions by default, users may think it is a PDF document. Depending on the folder view settings, Windows will still show that it is a screensaver.

If the attachment is opened, the computer is infected with the Upatre downloader. This downloader can then download other malicious software. According to Microsoft, the malware is seen mostly on consumer and business computers in North America.

MD5: 5a0e6a8f6d3afd811a109df2e1ee727b

VirusTotal Report
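The trick in this post is entirely about the gap between what Explorer shows and what the file is. The following triage routine is an added example, not code from Microsoft or from the original post: for each member of a zip attachment it computes the name Explorer would display with extensions hidden, checks the declared extension, classifies the content by its leading bytes, and compares the MD5 against the hash quoted in the post. The zip and its members are constructed here; the "executable" is a 64-byte MZ stub that is not a program, so the hash check is shown but will not fire on it.

```python
# Added example (not from Microsoft or the original post): triage of a zip
# attachment by displayed name, declared extension, magic bytes and MD5.
import hashlib
import io
import os
import zipfile

EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Leading bytes that identify common attachment formats.
MAGIC = [(b"MZ", "windows-executable"), (b"%PDF", "pdf"),
         (b"PK\x03\x04", "zip"), (b"\xd0\xcf\x11\xe0", "ole2-office")]
# Hash quoted in the post above for the Payment Report sample.
KNOWN_BAD_MD5 = {"5a0e6a8f6d3afd811a109df2e1ee727b"}


def sniff_type(data):
    """Classify content by its first bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def displayed_name(name):
    """What Explorer shows with 'hide extensions for known file types' on:
    the final extension disappears, so 'Report.pdf.scr' reads as 'Report.pdf'."""
    stem, _ = os.path.splitext(name)
    return stem


def triage_member(name, data):
    """Return a verdict dict for one archive member."""
    reasons = []
    ext = os.path.splitext(name)[1].lower()
    shown = displayed_name(name)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")
    if os.path.splitext(shown)[1]:  # something like .pdf is still visible
        reasons.append(f"double extension, displayed as '{shown}'")
    kind = sniff_type(data)
    if kind == "windows-executable" and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append("MZ header but non-executable extension")
    digest = hashlib.md5(data).hexdigest()
    if digest in KNOWN_BAD_MD5:
        reasons.append("MD5 matches known indicator")
    return {"name": name, "displayed": shown, "type": kind, "md5": digest,
            "verdict": "block" if reasons else "allow", "reasons": reasons}


def triage_zip(zip_bytes):
    """Triage every file inside a zip attachment given as bytes."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            results.append(triage_member(info.filename, zf.read(info)))
    return results


def build_sample_zip():
    """Constructed attachment: a fake 'PDF' that is an MZ stub, plus a real-looking PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payment Report.pdf.scr", b"MZ" + b"\x00" * 62)  # stub, not a program
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for r in triage_zip(build_sample_zip()):
        print(r["verdict"], r["name"], "->", r["displayed"], r["type"], r["reasons"])
```

The point of sniffing the bytes separately from the name is that each check catches a different evasion: renaming the stub to .pdf would defeat the extension check but not the MZ check, while a genuine PDF with a double extension still gets flagged for the display trick alone.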

OphionLocker Ransomware Forgets To Remove Files Thoroughly

Researchers have discovered a new ransomware variant that uses strong encryption to encrypt files, but because the original files are not thoroughly erased, victims can recover their data without having to pay the ransom.

OphionLocker Message

OphionLocker, as the ransomware is called by Trojan7Malware, spreads via hacked websites and uses known vulnerabilities that Internet users have not patched to infect their computers. Once active, the ransomware creates a unique hardware identifier based on the serial number of the first hard disk, the serial number of the motherboard and other information.

Asking For Hardware ID - Tor Link

It then creates a link to a Tor website to check whether the specific hardware ID has already been encrypted. After that OphionLocker looks for all kinds of files. However, it only looks for files whose extensions are in lowercase: a file named photo.jpg is encrypted, while the same file with an upper-case extension (such as .JPG) is skipped.

To encrypt, OphionLocker uses elliptic-curve cryptography (ECC). As far as is known, it is only the second ransomware to use this encryption method. Most ransomware uses a combination of AES and RSA encryption to encrypt victims' files. There, the server generates an RSA key pair, public and private. The private key stays on the server, while the public key is sent to the ransomware. In OphionLocker the public key is already in the malware. As a result, files can also be encrypted on computers that are not connected to the Internet.

After encryption the malware displays a message demanding 1 bitcoin, which at the current exchange rate is 290 euros. Victims, however, do not have to pay to get their files back, reports the forum Bleeping Computer. The ransomware turns out not to erase the originals of the encrypted files securely and also leaves the volume shadow copies alone. As a result, it is possible to recover the files with a program such as ShadowExplorer.

Thursday, 11 December 2014

Destover malware signed with Sony certificate

A new variant has been discovered of the dangerous malware that attackers deployed against Sony Pictures Entertainment, and it is signed with a digital certificate of the company, researchers report. It concerns the "Destover" malware, which was also used last year against South Korean banks and television companies. On infected computers the malware steals data and then deletes all files, rendering the machines unusable.

During the attack on Sony, the attackers captured and published the private keys that the company used to sign files with a digital certificate. These can, however, also be used to sign malware, which can then be used in further attacks, anti-virus firm Kaspersky Lab reports. The Destover variant they discovered was signed on 5 December. Because Sony's certificates are trusted by security software, this makes the attack effective. The digital certificate has been revoked, certificate authority DigiCert said via Twitter.

Security researcher Colin Keigher said via Twitter that this is a "joke" among security researchers. A researcher who requested anonymity had found the certificate and discovered the password of the file. This researcher then signed the Destover malware with the Sony certificate and uploaded it to VirusTotal, where it eventually ended up at Kaspersky Lab.