Quote:
Posted by 冰的啦魔王大人
Really? Please show some evidence.
The one above is even funnier. What the heck, an exe? On my platform you'd have to install wine first before it could even run; what wine is, you may have to ask Google.
https://vms.drweb.com/virus/?i=7704004&lng=en
https://labs.bitdefender.com/2015/1...encryption-key/
http://www.ithome.com.tw/news/99948
Linux ransomware has a flaw! Security vendor Bitdefender releases a decryption tool
Bitdefender found that the Linux.Encoder.1 ransomware contains a flaw that let them recover the AES key directly, without having to use RSA to unlock it. However, Bitdefender's decryption tool is not 100% effective; some files still cannot be unlocked.
By 陳曉莉 | Published 2015-11-13
Image source: Wikimedia Commons; author: Mbz1
Security vendor Doctor Web recently discovered Linux.Encoder.1, the first ransomware targeting the Linux platform; hackers use it to encrypt the files on a Linux system and demand a ransom of 1 bitcoin from the victim. However, another security vendor, Bitdefender, has released a decryption tool that can rescue most files encrypted by Linux.Encoder.1.
Bitdefender explains that Linux.Encoder.1 breaks into Linux hosts through a vulnerability in the open-source Magento content management system. Once executed, it encrypts the files on the system with AES and then encrypts the symmetric key with RSA, but it spares critical system files so that the system can still be restarted; the author then demands that the user pay a ransom to obtain the RSA private key that unlocks the AES symmetric key. However, Bitdefender found that the ransomware contains a flaw that let them recover the AES key directly, without having to use RSA.
Bitdefender therefore built a decryption tool that automatically restores all affected files; if victims can restart their system, they only need to download the tool and run it with the highest privileges.
Bitdefender says this is practically a narrow escape: one reason crypto-ransomware draws so much attention is that it ensures victims cannot decrypt their files before paying the ransom. The mistake in the Encoder ransomware is extremely lucky and extremely rare, and they still advise administrators not to run programs they do not fully trust with the highest privileges, to install a security solution, and to back up regularly.
However, Bitdefender's decryption tool is not 100% effective, mainly because some victims were infected by Encoder more than once, so different files were encrypted with different keys, some files even became unrecoverable, and in some cases even the ransom note was encrypted. (Compiled by 陳曉莉)
----------------------------------------
Linux.Encoder.1
Added to Dr.Web virus database: 2015-11-05
Virus description was added: 2015-11-06
SHA1:
Encryption ransomware for Linux written in C using the PolarSSL library.
Once launched with administrator privileges, the Trojan loads into the memory of its process files containing cybercriminals' demands:
./readme.crypto—file with demands,
./index.crypto—HTML file with demands.
As an argument, the Trojan receives the path to the file containing a public RSA key.
Once the files are read, the malicious program starts as a daemon and deletes its original files.
First, the Trojan encrypts files in the following directories:
/home
/root
/var/lib/mysql
/var/www
/etc/nginx
/etc/apache2
/var/log
After that, Linux.Encoder.1 encrypts all files in home directories. Then the Trojan recursively traverses the whole file system, first starting with the directory from which it was launched and then starting with the root directory ("/"). In this pass, the Trojan encrypts only files from directories whose names start with one of the following strings:
public_html
www
webapp
backup
.git
.svn
Of these, the Trojan encrypts only files with the following extensions:
".php", ".html", ".tar", ".gz", ".sql", ".js", ".css", ".txt", ".pdf", ".tgz", ".war", ".jar", ".java", ".class", ".ruby", ".rar", ".zip", ".db", ".7z", ".doc", ".pdf", ".xls", ".properties", ".xml", ".jpg", ".jpeg", ".png", ".gif", ".mov", ".avi", ".wmv", ".mp3", ".mp4", ".wma", ".aac", ".wav", ".pem", ".pub", ".docx", ".apk", ".exe", ".dll", ".tpl", ".psd", ".asp", ".phtml", ".aspx", ".csv"
The Trojan does not encrypt files in the following directories:
/
/root/.ssh
/usr/bin
/bin
/etc/ssh
To encrypt each file, the Trojan generates an AES key. After files are encrypted using AES-CBC-128, they are appended with the .encrypted extension. Into every directory that contains encrypted files, the Trojan plants a README_FOR_DECRYPT.txt file with a ransom demand.
If decryption is initiated, Linux.Encoder.1 uses the private RSA key to retrieve the AES keys from the encrypted files, traverses the directories in the same order as during encryption, and deletes the README_FOR_DECRYPT.txt files while trying to decrypt all files with the .encrypted extension.
Doctor Web security researchers have developed a decryption technique that may help restore files encrypted by this malicious program.
Curing recommendations
--------------------------------
Linux Ransomware Debut Fails on Predictable Encryption Key
November 9, 2015 | 6 Min Read
Bogdan BOTEZATU
No need to crack RSA when you can guess the key
—————————–
Update: There have been some developments regarding this ransomware. It was brought to our attention that the decryption tool was not working on particular cases. Upon investigation we were surprised to find out that some victims were infected more than one time (the ransomware was accidentally started more than once).
This means that some files were encrypted with one key and others with another set of keys. Worse, the race condition this created left some files irreparably damaged (their content truncated to zero). And in some cases even the ransom notes became encrypted!
We updated the decryption utility and the README. Please read it for the new instructions.
/update
File-encrypting ransomware Trojans are almost ubiquitous on Windows, and it was only a matter of time until the advent of the first piece targeting Linux. Dubbed Linux.Encoder.1, this first piece of Linux ransomware is extremely similar in behavior to CryptoWall, TorLocker and other notorious ransomware families for Windows.
How does it work?
Linux.Encoder.1 is executed on the victim's Linux box after remote attackers leverage a flaw in the popular Magento content management system app. Once executed, the Trojan looks for the /home, /root and /var/lib/mysql folders and starts encrypting their contents. Just like Windows-based ransomware, it encrypts the contents of these files using AES (a symmetric key encryption algorithm), which provides enough strength and speed while keeping system resources usage to a minimum. The symmetric key is then encrypted with an asymmetric encryption algorithm (RSA) and is prepended to the file, along with the initialization vector used by AES.
Once the files have been encrypted, the Trojan attempts to also encrypt the contents of the root (/), skipping only critical system files, so the operating system will be able to boot up again.
At this point, it would be safe to assume that users can't get their data back unless they pay the operators a fee in exchange for the RSA private key to decrypt the AES symmetric one. However, a major flaw in the way the Encoder Trojan is designed allowed Bitdefender researchers to recover the AES key without having to decrypt it with the RSA private key.
A primer on encryption
Throughout 2015, most crypto-ransomware Trojans have used mixed encryption algorithms to hold valuable information hostage. To rapidly and effectively encrypt large amounts of data, crypto-ransomware Trojans rely on the Advanced Encryption Standard (AES for short) – an encryption algorithm that uses a symmetric key (the same key for both encryption and decryption). To avoid interception of the encryption key as it is sent from the command and control server, crypto-ransomware operators usually complement AES with RSA (an asymmetric key encryption algorithm). RSA generates a pair of complementary public-private keys – the public key is used for encryption and the private one for decryption. These keys are usually generated on the hackers' server and only the public key gets sent to the victim PC. Since RSA is less resource-effective on big chunks of data, the public key is only used to encrypt a small, yet critical, piece of information: the encryption key used by the AES algorithm that is generated locally. The RSA-encrypted AES key is then prepended to the beginning of every encrypted file, along with the original file permissions and an initialization vector (IV) used by the AES algorithm.
The million-dollar flaw
We mentioned that the AES key is generated locally on the victim's computer. We looked into the way the key and initialization vector are generated by reverse-engineering the Linux.Encoder.1 sample in our lab. We realized that, rather than generating secure random keys and IVs, the sample would derive these two pieces of information from the libc rand() function seeded with the current system timestamp at the moment of encryption. This information can be easily retrieved by looking at the file's timestamp. This is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the RSA private key sold by the Trojan's operator(s).
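An added example, not code from Bitdefender, Dr.Web or the Trojan itself, showing why the per-file AES key scheme described by Dr.Web above becomes recoverable once key and IV come from a PRNG seeded with the timestamp, and what the defender-side recovery described here amounts to. Assumptions: a toy LCG stands in for libc rand() (it is not glibc's algorithm), a SHA-256 counter-mode keystream stands in for AES-CBC-128, the timestamp and the PHP sample file are constructed, and the same file encrypted with CSPRNG-generated key and IV is included to show that the mtime then gives the defender nothing.

```python
import hashlib
import secrets

def weak_prng(seed: int):
    """Toy LCG standing in for libc rand() (assumption); every byte is fixed by the seed."""
    state = seed & 0xFFFFFFFF
    while True:
        state = (1103515245 * state + 12345) & 0x7FFFFFFF
        yield (state >> 16) & 0xFF

def derive_key_iv(seed: int):
    """Derive a 16-byte key and 16-byte IV from the seed, as the Trojan did from the timestamp."""
    gen = weak_prng(seed)
    key = bytes(next(gen) for _ in range(16))
    iv = bytes(next(gen) for _ in range(16))
    return key, iv

def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream standing in for AES-CBC-128 (assumption)."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
    return out[:length]

def encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    """Stored layout mirrors the write-up: IV prepended, then ciphertext (RSA blob omitted)."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, iv, len(plaintext))))
    return iv + ct

def recover(blob: bytes, mtime: int, slack: int = 5, magic: bytes = b"<?php"):
    """Defender-side recovery: try every seed within `slack` seconds of the file's
    mtime, keep the candidate whose derived IV equals the stored IV, and confirm
    it with a known plaintext prefix (a PHP file here). Returns (seed, plaintext)."""
    stored_iv = blob[:16]
    for seed in range(mtime - slack, mtime + slack + 1):
        key, iv = derive_key_iv(seed)
        if iv != stored_iv:
            continue
        pt = bytes(a ^ b for a, b in zip(blob[16:], keystream(key, iv, len(blob) - 16)))
        if pt.startswith(magic):
            return seed, pt
    return None

# Constructed sample: a PHP file "encrypted" at a made-up timestamp.
SAMPLE_TIME = 1446940800  # constructed value, early November 2015
SAMPLE = b"<?php echo 'hello'; ?>"
WEAK_BLOB = encrypt(SAMPLE, *derive_key_iv(SAMPLE_TIME))
# The same file with key and IV from a CSPRNG: the mtime tells the defender nothing.
STRONG_BLOB = encrypt(SAMPLE, secrets.token_bytes(16), secrets.token_bytes(16))
```

Calling `recover(WEAK_BLOB, SAMPLE_TIME + 2)` yields the seed and the original file even though the recorded mtime is two seconds off, while `recover(STRONG_BLOB, SAMPLE_TIME + 2)` returns None.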
Automated decryption tool now available
Bitdefender is the first security vendor to release a decryption tool that automatically restores affected files to their original state. The tool determines the IV and the encryption key simply by analyzing the file, then performs the decryption, followed by permission fixing. If you can boot your compromised operating system, download the script and run it under the root user.
Here is a step-by-step walkthrough to get your data back:
– Download the script from the Bitdefender Labs repository [link updated to include the fix for the recent