*Suspended*
Join Date: Sep 2010 Location: between the mountains and the sea...
Posts: 58
Quote:
I really wanted to use this suite myself, but it seems to interfere badly with the environment I work in. Too bad...
Senior Member
Join Date: Apr 2017 Location: (╯-_-)╯ ~ ┻━┻
Posts: 1,374
Quote:
Really? Then show some evidence. The post above is even funnier: what is an "exe"? On my platform I would have to install wine before one would even run; what wine is, you may want to ask Google. Right now I only know .dmg and .deb. Next door it gets spooky: some idiot is still ****-ing for the virus author, saying the price is negotiable. Anyone interested in haggling can do likewise; posting adverts on someone's behalf is negotiable too. Interested parties, act fast.
Master Member
Join Date: Jan 2003
Posts: 1,591
Quote:
https://vms.drweb.com/virus/?i=7704004&lng=en
https://labs.bitdefender.com/2015/1...encryption-key/
http://www.ithome.com.tw/news/99948

Linux ransomware has a flaw! Security vendor Bitdefender releases a decryption tool

Bitdefender found that the Linux.Encoder.1 ransomware contains a flaw that let them recover the AES key directly, without needing RSA to unlock it. Bitdefender's decryption tool is not 100% effective, though; some files still cannot be decrypted.

By 陳曉莉 | Published 2015-11-13
Image source: Wikimedia Commons; author: Mbz1

Security vendor Doctor Web recently discovered Linux.Encoder.1, the first ransomware aimed at the Linux platform. Attackers use it to encrypt files on Linux systems and demand that the victim pay a ransom of 1 bitcoin. Another security vendor, Bitdefender, has now released a decryption tool that can rescue most files encrypted by Linux.Encoder.1.

According to Bitdefender, Linux.Encoder.1 breaks into Linux hosts through a vulnerability in the open-source Magento content management system. Once running, it encrypts files on the system with AES and then encrypts the symmetric key with RSA, but it spares critical system files so that the system can still boot; the author then demands a ransom in exchange for the RSA private key needed to unlock the AES symmetric key. However, Bitdefender found that the ransomware contains a flaw that lets the AES key be recovered directly, without RSA.

Bitdefender therefore built a decryption tool that automatically restores all affected files: if the victim can still boot the system, they only need to download the tool and run it as root.

Bitdefender called this a narrow escape. One reason crypto-ransomware is taken so seriously is that it makes sure victims cannot decrypt their files before paying, and the mistake in Encoder is both extremely lucky and extremely rare. They still advise administrators not to run programs they do not fully trust as root, to install a security solution, and to back up regularly.

The decryption tool is not 100% effective, though, mainly because some victims were infected with Encoder more than once, so different files were encrypted with different keys, some files were left unrecoverable, and in some cases even the ransom note was encrypted. (Translated by 陳曉莉)

----------------------------------------

Linux.Encoder.1
Added to Dr.Web virus database: 2015-11-05
Virus description was added: 2015-11-06

SHA1:
a5054babc853ec280f70a06cb090e05259ca1aa7 (x64, UPX)
98e057a4755e89fbfda043eaca1ab072674a3154 (x64, unpacked)
810806c3967e03f2fa2b9223d24ee0e3d42209d3 (x64, FreeBSD)
12df5d886d43236582b57d036f84f078c15a14b0 (x86, UPX)
5bd6b41aa29bd5ea1424a31dadd7c1cfb3e09616 (x86, unpacked)

Encryption ransomware for Linux written in C using the PolarSSL library. Once launched with administrator privileges, the Trojan loads into its process memory the files containing the criminals' demands: ./readme.crypto (a text file with the demands) and ./index.crypto (an HTML file with the demands). As its argument, the Trojan receives the path to a file containing a public RSA key. Once the files are read, the malicious program starts as a daemon and deletes its original files.

First, the Trojan encrypts files in the following directories:
/home
/root
/var/lib/mysql
/var/www
/etc/nginx
/etc/apache2
/var/log

After that, Linux.Encoder.1 encrypts all files in home directories. Then the Trojan recursively traverses the whole file system, first starting with the directory from which it was launched, and the next time starting with the root directory ("/"). During this traversal the Trojan encrypts only files in directories whose names start with one of the following strings:
public_html
www
webapp
backup
.git
.svn

and only files with the following extensions:
".php", ".html", ".tar", ".gz", ".sql", ".js", ".css", ".txt", ".pdf", ".tgz", ".war", ".jar", ".java", ".class", ".ruby", ".rar", ".zip", ".db", ".7z", ".doc", ".pdf", ".xls", ".properties", ".xml", ".jpg", ".jpeg", ".png", ".gif", ".mov", ".avi", ".wmv", ".mp3", ".mp4", ".wma", ".aac", ".wav", ".pem", ".pub", ".docx", ".apk", ".exe", ".dll", ".tpl", ".psd", ".asp", ".phtml", ".aspx", ".csv"

The Trojan does not encrypt files in the following directories:
/
/root/.ssh
/usr/bin
/bin
/etc/ssh

To encrypt each file, the Trojan generates an AES key. After a file is encrypted with AES-CBC-128, the .encrypted extension is appended to its name. Into every directory that contains encrypted files, the Trojan plants a README_FOR_DECRYPT.txt file with the ransom demand.

If decryption is initiated, Linux.Encoder.1 uses the private RSA key to retrieve the AES keys from the encrypted files, traverses the directories in the same order as during encryption, deletes the README_FOR_DECRYPT.txt files and tries to decrypt all files with the .encrypted extension.

Doctor Web security researchers have developed a decryption technique that may help restore files encrypted by this malicious program.

--------------------------------

ANTI-MALWARE RESEARCH
Linux Ransomware Debut Fails on Predictable Encryption Key
November 9, 2015, by Bogdan Botezatu
No need to crack RSA when you can guess the key

Update: There have been some developments regarding this ransomware. It was brought to our attention that the decryption tool was not working in particular cases. Upon investigation we were surprised to find out that some victims were infected more than once (the ransomware was accidentally started more than once). This means that some files were encrypted using one key and others using another set of keys. Moreover, the resulting race condition left some files irreparably damaged (their content is truncated to zero), and in some cases even the ransom notes became encrypted! We have updated the decryption utility and the README; please read it for the new instructions. /update

File-encrypting ransomware Trojans are almost ubiquitous on Windows, and it was only a matter of time until the first piece targeting Linux appeared. Dubbed Linux.Encoder.1, this first piece of Linux ransomware is extremely similar in behavior to CryptoWall, TorLocker and other notorious ransomware families for Windows.

How does it work?

Linux.Encoder.1 is executed on the victim's Linux box after remote attackers leverage a flaw in the popular Magento content management system. Once executed, the Trojan looks for the /home, /root and /var/lib/mysql folders and starts encrypting their contents. Just like Windows-based ransomware, it encrypts the contents of these files using AES (a symmetric-key encryption algorithm), which provides enough strength and speed while keeping system resource usage to a minimum. The symmetric key is then encrypted with an asymmetric encryption algorithm (RSA) and prepended to the file, along with the initialization vector used by AES. Once these files have been encrypted, the Trojan attempts to encrypt the contents of the root (/) as well, skipping only critical system files so that the operating system will still be able to boot.

At this point it would be safe to assume that users cannot get their data back unless they pay the operators a fee in exchange for the RSA private key needed to decrypt the AES symmetric one. However, a major flaw in the way the Encoder Trojan is designed allowed Bitdefender researchers to recover the AES key without having to decrypt it with the RSA private key.

A primer on encryption

Throughout 2015, most crypto-ransomware Trojans have used mixed encryption schemes to hold valuable information hostage. To rapidly and effectively encrypt large amounts of data, crypto-ransomware relies on the Advanced Encryption Standard (AES), an algorithm that uses a symmetric key (the same key for both encryption and decryption). To avoid interception of the encryption key as it is sent from the command-and-control server, crypto-ransomware operators usually complement AES with RSA (an asymmetric-key encryption algorithm). RSA generates a pair of complementary public and private keys: the public key is used for encryption and the private one for decryption. These keys are usually generated on the attackers' server, and only the public key is sent to the victim's machine. Since RSA is less resource-efficient on big chunks of data, the public key is used only to encrypt a small but critical piece of information: the locally generated key used by the AES algorithm. The RSA-encrypted AES key is then prepended to the beginning of every encrypted file, along with the original file permissions and the initialization vector (IV) used by AES.

The million-dollar flaw

We mentioned that the AES key is generated locally on the victim's computer. We looked into the way the key and initialization vector are generated by reverse-engineering the Linux.Encoder.1 sample in our lab. We realized that, rather than generating secure random keys and IVs, the sample derives both from the libc rand() function seeded with the system timestamp at the moment of encryption. That information can easily be retrieved by looking at the file's timestamp. This is a huge design flaw that allows the AES key to be recovered without decrypting it with the RSA private key sold by the Trojan's operator(s).

Automated decryption tool now available

Bitdefender is the first security vendor to release a decryption tool that automatically restores affected files to their original state. The tool determines the IV and the encryption key simply by analyzing the file, then performs the decryption, followed by permission fixing. If you can boot your compromised operating system, download the script and run it as root. Here is a step-by-step walkthrough to get your data back:
- Download the script from the Bitdefender Labs repository [link updated to include the fix for the recent
__________________
So you walk eternally through the shadow realms, standing against evil where all others falter. May your thirst for retribution never quench, may the blood on your sword never dry, And may we never need you again.
This post was edited by Luger on 2017-05-11 at 08:11 AM.
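The Bitdefender write-up quoted in the post above says the key and IV were derived from libc rand() seeded with the encryption-time timestamp, which the encrypted file's mtime betrays. The C program below is an added example written for this page; it is not code from Bitdefender, Doctor Web, or the malware. It models the flaw with an illustrative derivation (the real sample's exact rand() usage is not reproduced here) and a toy XOR cipher standing in for AES-CBC-128 so that it runs without a crypto library. The step that transfers unchanged to the real case is the recovery: walk the candidate seeds around the file's mtime and accept the one whose decryption of the header yields the expected file magic. The infection timestamp, the PHP sample and the 60-second search window are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 16
#define IV_LEN  16

/* Illustrative derivation modelled on the flaw Bitdefender describes, NOT the
 * malware's actual code: key and IV both come out of libc rand() seeded with a
 * Unix timestamp, so the whole "secret" is 32 bits that the file's mtime reveals. */
static void derive_key_iv(uint32_t seed, unsigned char key[KEY_LEN], unsigned char iv[IV_LEN])
{
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++) key[i] = (unsigned char)(rand() & 0xff);
    for (int i = 0; i < IV_LEN; i++)  iv[i]  = (unsigned char)(rand() & 0xff);
}

/* Toy symmetric cipher standing in for AES-CBC-128 so the example needs no crypto
 * library: an XOR stream keyed by (key, iv). The weakness shown below lives in the
 * key derivation, not in the cipher, and applies unchanged to real AES. */
static void toy_crypt(const unsigned char key[KEY_LEN], const unsigned char iv[IV_LEN],
                      const unsigned char *in, unsigned char *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ key[i % KEY_LEN] ^ (unsigned char)(iv[i % IV_LEN] + (i / IV_LEN));
}

/* Encrypt the way the flawed ransomware does: seed from the clock, nothing else. */
static void ransom_encrypt(uint32_t now, const unsigned char *plain, unsigned char *cipher, size_t n)
{
    unsigned char key[KEY_LEN], iv[IV_LEN];
    derive_key_iv(now, key, iv);
    toy_crypt(key, iv, plain, cipher, n);
}

/* Recovery: the encrypted file's mtime is within seconds of the seed, so try every
 * candidate in [mtime - window, mtime + window] and accept the one whose decryption
 * of the header yields the expected magic (e.g. "<?php" for a PHP file).
 * Returns 1 and sets *seed_out on success, 0 if no candidate matches. */
static int recover_seed(const unsigned char *cipher, size_t n,
                        const unsigned char *magic, size_t magic_len,
                        uint32_t mtime, uint32_t window, uint32_t *seed_out)
{
    unsigned char key[KEY_LEN], iv[IV_LEN], head[64];
    if (magic_len > n || magic_len > sizeof head) return 0;
    uint32_t lo = mtime > window ? mtime - window : 0;
    for (uint32_t s = lo; s <= mtime + window; s++) {
        derive_key_iv(s, key, iv);
        toy_crypt(key, iv, cipher, head, magic_len);   /* decrypt only the header */
        if (memcmp(head, magic, magic_len) == 0) { *seed_out = s; return 1; }
    }
    return 0;
}

/* End to end: encrypt a constructed PHP file at an assumed timestamp, then recover
 * the key from nothing but the ciphertext and an approximate mtime.
 * Returns 1 if the recovered seed and plaintext match the originals. */
int demo_recover(void)
{
    static const unsigned char plain[] = "<?php echo 'index.php of a Magento shop'; ?>\n"; /* constructed */
    static const unsigned char magic[] = "<?php";
    size_t n = sizeof plain - 1;
    unsigned char cipher[sizeof plain], back[sizeof plain];
    unsigned char key[KEY_LEN], iv[IV_LEN];
    uint32_t seed  = 1446768000u;   /* assumed infection time: 2015-11-06 00:00:00 UTC */
    uint32_t mtime = seed + 2;      /* file written two seconds after the seed was taken */
    uint32_t found = 0;

    ransom_encrypt(seed, plain, cipher, n);
    if (!recover_seed(cipher, n, magic, sizeof magic - 1, mtime, 60, &found)) return 0;
    derive_key_iv(found, key, iv);
    toy_crypt(key, iv, cipher, back, n);
    return found == seed && memcmp(back, plain, n) == 0;
}

int main(void)
{
    printf("%s\n", demo_recover() ? "key recovered from timestamp" : "recovery failed");
    return 0;
}
```

The search space is the point: a real decryptor for this bug needs only the file's mtime, a small window around it, and a plausibility check on the decrypted header (or the stored file permissions that the write-up says are prepended to each file) to tell the right seed from the wrong ones. A properly generated key read from /dev/urandom has no such shortcut.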
Senior Member
Join Date: Apr 2017 Location: (╯-_-)╯ ~ ┻━┻
Posts: 1,374
Quote:
Can you stop making a fool of yourself? I even suspect this virus was written by a security vendor. They even wrote their own sponsored article...
This post was edited by 冰的啦魔王大人 on 2017-05-11 at 08:43 AM.
Elite Member
Join Date: Aug 2003
Posts: 10,508
Bitdefender probably doesn't have that much spare time, or that much manpower.
Not long ago they were knocked off their pedestal by ransomware. They were always the type that is slow to add signatures, figuring proactive defense would block most things and leave ample time to analyze slowly; then a certain ransomware family broke through them repeatedly.... With this sample, one vendor that licenses the BD engine even added the signature before they did, xd
This post was edited by cys070 on 2017-05-11 at 08:54 AM.
Elite Member
Join Date: Aug 2003
Posts: 10,508
Quote:
Although I use Comodo too, honestly it is not easy to pick up for people who don't understand it; most people would rather have smart or idiot-proof protection, it is less work. And look at the OP's thread: plenty of people still think you need AV scan-and-kill to block ransomware, and changing that mindset is not easy......
Take the YouTuber in the video you posted: some of her settings aren't there to block ransomware. The firewall, for example, is set to deny connections by default with no pop-up notification; she said it's because she is an advanced user...... A beginner, or anyone who doesn't understand it, might find that a program they use can't connect because it is blocked, get no pop-up, not know where the problem is, and then not know where to go to manually add a trust rule..... If they copied all her settings they would probably turn around and blame Comodo for being hard to use........ She also said that because it was a ransomware-blocking demo she turned HIPS off ..... because the pop-ups were too annoying.
This post was edited by cys070 on 2017-05-11 at 09:06 AM.
Senior Member
Join Date: Apr 2017 Location: (╯-_-)╯ ~ ┻━┻
Posts: 1,374
Quote:
Whether they have spare time isn't for anyone here to say. But who, running a non-Windows system, has actually been hit without the user downloading and running a trojan themselves? My view is that so far I haven't seen one. If there is a case, please present it. I'm not interested in the other odd adverts. (I did find a post where someone on OSX got infected by running a Photoshop crack; that obviously doesn't count, no system can defend against that.)
This post was edited by 冰的啦魔王大人 on 2017-05-11 at 09:02 AM.
Elite Member
Join Date: Mar 2001 Location: Rivia
Posts: 7,020
Quote:
It's you who should stop making a fool of yourself. Not a shred of basic sense, and still going on about security vendors writing their own viruses? Anyone who says that is a complete amateur. The last few years on PCDVD have been strange: the people who understand security the least talk the loudest.
__________________
Folding@home with GPGPU consolidated discussion thread
Unix Review: ArchLinux · Sabayon · OpenSolaris 2008.5 · Ubuntu 8.10
AVs Review: GDTC · AntiVir SS · ESS · KIS 09 · NIS 09 · Norton 360 V3
I Always Get What I Want.
Senior Member
Join Date: Apr 2017 Location: (╯-_-)╯ ~ ┻━┻
Posts: 1,374
This picture is well drawn.
If you agree, just add me to your ignore list; there is really no need to waste each other's precious time.
Elite Member
Join Date: Mar 2001 Location: Rivia
Posts: 7,020
Quote:
HIPS has been around for more than 20 years, soon 30; if you count Unix file permissions in the narrow sense, more than 40. Frankly, vendors have not done enough education here, especially with Taiwanese users: once infected, or believing they are infected, they scan and scan again, when a lot of them have a rootkit; what is the scanning supposed to achieve? You cannot use HIPS well without understanding the concepts. Even the most idiot-proof design cannot stop an APT attack; even experts get hit, let alone ordinary people without the relevant knowledge. The reliably good HIPS products of the last few years are the same few. COMODO could still be friendlier, but in some respects it is already quite friendly; raising friendliness does lower security somewhat, but it is still better than using nothing at all. I have said this I don't know how many times, and I'll stress it again: the problem is backups, not whether you can block it.