copy on write – Jupiter Broadcasting https://www.jupiterbroadcasting.com Open Source Entertainment, on Demand. Fri, 29 Jul 2022 07:51:51 +0000

Linux Action News 251 https://original.jupiterbroadcasting.net/149382/linux-action-news-251/ Fri, 29 Jul 2022 00:00:00 +0000 https://original.jupiterbroadcasting.net/?p=149382 Show Notes: linuxactionnews.com/251

The post Linux Action News 251 first appeared on Jupiter Broadcasting.

Linux Action News 242 https://original.jupiterbroadcasting.net/148722/linux-action-news-242/ Thu, 26 May 2022 05:30:00 +0000 https://original.jupiterbroadcasting.net/?p=148722 Show Notes: linuxactionnews.com/242

The post Linux Action News 242 first appeared on Jupiter Broadcasting.

Linux Action News 228 https://original.jupiterbroadcasting.net/147687/linux-action-news-228/ Thu, 17 Feb 2022 07:00:00 +0000 https://original.jupiterbroadcasting.net/?p=147687 Show Notes: linuxactionnews.com/228

The post Linux Action News 228 first appeared on Jupiter Broadcasting.

Planet Incinerating Technology | LINUX Unplugged 441 https://original.jupiterbroadcasting.net/147382/planet-incinerating-technology-linux-unplugged-441/ Sun, 16 Jan 2022 19:45:00 +0000 https://original.jupiterbroadcasting.net/?p=147382 Show Notes: linuxunplugged.com/441

The post Planet Incinerating Technology | LINUX Unplugged 441 first appeared on Jupiter Broadcasting.

Double Server Jeopardy | LINUX Unplugged 439 https://original.jupiterbroadcasting.net/147172/double-server-jeopardy-linux-unplugged-439/ Sun, 02 Jan 2022 15:00:00 +0000 https://original.jupiterbroadcasting.net/?p=147172 Show Notes: linuxunplugged.com/439

The post Double Server Jeopardy | LINUX Unplugged 439 first appeared on Jupiter Broadcasting.

Your New Tools | LINUX Unplugged 373 https://original.jupiterbroadcasting.net/142932/your-new-tools-linux-unplugged-373/ Tue, 29 Sep 2020 22:30:00 +0000 https://original.jupiterbroadcasting.net/?p=142932 Show Notes: linuxunplugged.com/373

The post Your New Tools | LINUX Unplugged 373 first appeared on Jupiter Broadcasting.

Our Fragmented Favorite | LINUX Unplugged 358 https://original.jupiterbroadcasting.net/141887/our-fragmented-favorite-linux-unplugged-358/ Tue, 16 Jun 2020 21:00:00 +0000 https://original.jupiterbroadcasting.net/?p=141887 Show Notes: linuxunplugged.com/358

The post Our Fragmented Favorite | LINUX Unplugged 358 first appeared on Jupiter Broadcasting.

All Good Things | TechSNAP 430 https://original.jupiterbroadcasting.net/141732/all-good-things-techsnap-430/ Fri, 29 May 2020 00:15:00 +0000 https://original.jupiterbroadcasting.net/?p=141732 Show Notes: techsnap.systems/430

The post All Good Things | TechSNAP 430 first appeared on Jupiter Broadcasting.

apt install arch-linux | LINUX Unplugged 331 https://original.jupiterbroadcasting.net/137692/apt-install-arch-linux-linux-unplugged-331/ Tue, 10 Dec 2019 18:51:34 +0000 https://original.jupiterbroadcasting.net/?p=137692 Show Notes: linuxunplugged.com/331

The post apt install arch-linux | LINUX Unplugged 331 first appeared on Jupiter Broadcasting.

Rooting for ZFS | TechSNAP 414 https://original.jupiterbroadcasting.net/136002/rooting-for-zfs-techsnap-414/ Fri, 18 Oct 2019 03:30:20 +0000 https://original.jupiterbroadcasting.net/?p=136002 Show Notes: techsnap.systems/414

The post Rooting for ZFS | TechSNAP 414 first appeared on Jupiter Broadcasting.

Snapshot Sanity | TechSNAP 402 https://original.jupiterbroadcasting.net/130786/snapshot-sanity-techsnap-402/ Thu, 25 Apr 2019 16:01:50 +0000 https://original.jupiterbroadcasting.net/?p=130786 Show Notes: techsnap.systems/402

The post Snapshot Sanity | TechSNAP 402 first appeared on Jupiter Broadcasting.

Everyday ZFS | TechSNAP 401 https://original.jupiterbroadcasting.net/130511/everyday-zfs-techsnap-401/ Fri, 12 Apr 2019 06:44:08 +0000 https://original.jupiterbroadcasting.net/?p=130511 Show Notes: techsnap.systems/401

The post Everyday ZFS | TechSNAP 401 first appeared on Jupiter Broadcasting.

Pay to Boot | TechSNAP 260 https://original.jupiterbroadcasting.net/98336/pay-to-boot-techsnap-260/ Thu, 31 Mar 2016 15:02:17 +0000 https://original.jupiterbroadcasting.net/?p=98336

The post Pay to Boot | TechSNAP 260 first appeared on Jupiter Broadcasting.


New Ransomware locks your bootloader & makes you pay to boot. Malware with built in DRM? We’ll share the story of this clever hack.

Plus some great questions, our answers, a packed round up & more!

Thanks to: DigitalOcean, Ting, iXsystems


Show Notes:

New Petya malware encrypts the Master Boot Record then BSoDs your machine

  • “Malware experts from German security firm G DATA have found a new type of lock-ransomware that uses a DOS-level lock screen to prevent users from accessing their files”
  • Unlike with some other malware, the researchers did not come up with the name; the malware has its own website and logo, where you pay the ransom
  • I am not sure “DOS-level” makes sense as a term, but ok
  • “Lock-ransomware, also known as lockers, is the first type of ransomware that existed before the rise of crypto-ransomware. This type of ransomware doesn’t encrypt files, but merely blocks the user’s access to his data”
  • “The latest lock-ransomware discovered by security researchers is the Petya ransomware, which was seen spread via spear-phishing campaigns aimed at human resource departments. HR employees are sent an email with a link to a file stored on Dropbox, where an applicant’s CV can be downloaded. This file is an EXE file named portfolio-packed.exe, which if executed, immediately crashes the system into a standard Windows blue screen of death.”
  • “As soon as the user restarts the PC after the blue screen, the computer will enter a fake check disk (CHKDSK) process that, after it finishes, will load Petya’s lock screen. Restarting the computer over and over will always enter this screen”
  • “This screen provides a link to the ransomware’s payment site, hosted on Tor. After the user purchases a decryption key, he can enter it at the bottom of the DOS lock screen. Petya claims to encrypt the user’s files, but G DATA says they can’t verify its claims, and that this is presumably a lie.”
  • “UPDATE: Trend Micro’s researchers also took a look at Petya and they confirm that the ransomware does encrypt files, while also revealing it alters the MBR, preventing users from entering in Safe Mode, and it asks for a 0.99 Bitcoin (~$400) ransom”
  • The encryption of the boot sector is very simple: the data is just XOR’d with the value 0x37 (the ASCII code for the number 7)
  • Additional Coverage: Threat Post
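
A recovery-side sketch of the single-byte XOR described above, added here as an example (it is not code from the show notes or from the researchers cited). Given a 512-byte sector image, it derives the key from the known 0x55AA boot signature and checks that the result parses as an MBR, which generalizes the page's 0x37 to any single-byte key; the function names and the sample sector are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xaa"   # last two bytes of every valid MBR
PART_TABLE = 446         # offset of the four 16-byte partition entries


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def looks_like_mbr(sector: bytes) -> bool:
    """Structural sanity check: boot signature plus a plausible partition table."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIG:
        return False
    entries = [sector[PART_TABLE + 16 * i:PART_TABLE + 16 * (i + 1)] for i in range(4)]
    # The status byte is 0x00 (inactive) or 0x80 (bootable); anything else is junk.
    if any(e[0] not in (0x00, 0x80) for e in entries):
        return False
    # Require at least one entry with a non-zero partition type.
    return any(e[4] != 0 for e in entries)


def recover_key(sector: bytes):
    """Return the single-byte XOR key that restores a valid MBR, or None.

    Known-plaintext recovery: byte 510 of a real MBR is always 0x55, so
    key = obscured[510] ^ 0x55. A result of 0 means the sector was never obscured.
    """
    if len(sector) != SECTOR_SIZE:
        return None
    key = sector[510] ^ BOOT_SIG[0]
    if sector[511] ^ key != BOOT_SIG[1]:
        return None  # the two signature bytes disagree: not a single-byte XOR
    return key if looks_like_mbr(xor_bytes(sector, key)) else None


def build_sample_mbr() -> bytes:
    """Constructed sample: stub boot code and one bootable NTFS-type (0x07) entry."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    return b"\xfa\x33\xc0".ljust(PART_TABLE, b"\x00") + entry + bytes(48) + BOOT_SIG


if __name__ == "__main__":
    obscured = xor_bytes(build_sample_mbr(), 0x37)  # value given in the notes
    key = recover_key(obscured)
    print(f"recovered key: {key:#04x}")
    print("restored sector valid:", looks_like_mbr(xor_bytes(obscured, key)))
```
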

New USB Thief trojan found in the wild

  • Researchers at ESET have identified a new trojan being spread on USB sticks, called “USB Thief”
  • What makes this malware so unique is how it protects itself from analysis by researchers
  • “Each instance of this trojan relies on the particular USB device on which it is installed and it leaves no evidence on the compromised system. Moreover, it uses a very special mechanism to protect itself from being reproduced or copied, which makes it even harder to detect.”
  • “It depends on the increasingly common practice of storing portable versions of popular applications such as Firefox, NotePad++ and TrueCrypt on USB drives. The malware takes advantage of this trend by inserting itself into the command chain of such applications, in the form of a plugin or a dynamically linked library (DLL). And therefore, whenever such an application is executed, the malware will also be run in the background.”
  • “The malware consists of six files. Four of them are executables and the other two contain configuration data. To protect itself from copying or reverse engineering, the malware uses two techniques. Firstly, some of the individual files are AES128-encrypted; secondly, their filenames are generated from cryptographic elements. The AES encryption key is computed from the unique USB device ID, and certain disk properties of the USB drive hosting the malware. Hence, the malware can only run successfully from that particular USB device.”
  • So when researchers copied the malware to a VM to try to dissect it, it stopped working, as it could no longer decrypt its payload
  • “It was quite challenging to analyze this malware because we had no access to any malicious USB device. Moreover, we had no dropper, so we could not create a suitably afflicted USB drive under controlled conditions for further analysis.”
  • “Only the submitted files can be analyzed, so the unique device ID had to be brute-forced and combined with common USB disk properties. Moreover, after successful decryption of the malware files, we had to find out the right order of the executables and configuration files, because the file copying process to get the samples to us had changed the file creation timestamp on the samples.”
  • “Finally, the payload implements the actual data-stealing functionality. The executable is injected into a newly created “%windir%\system32\svchost.exe -k netsvcs” process. Configuration data includes information on what data should be gathered, how they should be encrypted, and where they should be stored. The output destination must always be on the same removable device. In the case we analyzed, it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called “WinAudit”. It encrypts the stolen data using elliptic curve cryptography.”
  • “In addition to the interesting concept of self-protecting multi-stage malware, the (relatively simple) data-stealing payload is very powerful, especially since it does not leave any evidence on the affected computer. After the USB is removed, nobody can find out that data was stolen. Also, it would not be difficult to redesign the malware to change from a data-stealing payload to any other malicious payload.”

Six people charged in hacked lottery terminal scam

  • “Connecticut prosecutors say the group conspired to manipulate automated ticket dispensers to run off “5 Card Cash” tickets that granted on-the-spot payouts in the US state.”
  • “According to the Hartford Courant, a group of shop owners and employees set up the machines to process a flood of tickets at once, which caused a temporary display freeze. This allowed operators to see which of the tickets about to be dispensed would be winning ones, cancel the duff ones, and print the good ones.”
  • “While those reports were being processed, the operator could enter sales for 5 Card Cash tickets,” the newspaper reports. “Before the tickets would print, however, the operator could see on a screen if the tickets were instant winners.”
  • “The Courant says that the lottery commission wised up to the scheme back in November when it heard that people were winning the 5 Card Cash game at a higher-than-expected rate. The game was temporarily halted. The paper notes that more arrests are expected in the case.”
  • In Ontario, there are special provisions for when an employee of the store wants to buy a lottery ticket, specifically to deal with crimes of this nature
  • The other common lottery crime was replacing a customer’s large-payout winning ticket with a smaller one. The employee would buy a number of tickets, keep the small winners ($10), and swap them for the larger winning tickets of unsuspecting customers when they came in to cash them
  • It is now commonplace for there to be an automated lottery checking machine that is used directly by the customer.
  • The ticket machines in Ontario also play an audible tune when a winning ticket is scanned, much to the annoyance of people who have to work there all day, but it ensures that customers are not ripped off
