lottery – Jupiter Broadcasting (https://www.jupiterbroadcasting.com): Open Source Entertainment, on Demand. Wed, 31 Jul 2019 04:16:16 +0000

Duvets Are Not Tech | User Error 71
https://original.jupiterbroadcasting.net/133242/duvets-are-not-tech-user-error-71/
Fri, 02 Aug 2019 00:15:53 +0000

Show Notes: error.show/71

The post Duvets Are Not Tech | User Error 71 first appeared on Jupiter Broadcasting.

Pay to Boot | TechSNAP 260
https://original.jupiterbroadcasting.net/98336/pay-to-boot-techsnap-260/
Thu, 31 Mar 2016 15:02:17 +0000

The post Pay to Boot | TechSNAP 260 first appeared on Jupiter Broadcasting.


New Ransomware locks your bootloader & makes you pay to boot. Malware with built in DRM? We’ll share the story of this clever hack.

Plus some great questions, our answers, a packed round up & more!


Show Notes:

New Petya malware encrypts the Master Boot Record then BSoDs your machine

  • “Malware experts from German security firm G DATA have found a new type of lock-ransomware that uses a DOS-level lock screen to prevent users from accessing their files”
  • Unlike with some other malware, the researchers did not come up with the name; the malware has its own website and logo, where you pay the ransom
  • I am not sure “DOS-level” makes sense as a term, but ok
  • “Lock-ransomware, also known as lockers, is the first type of ransomware that existed before the rise of crypto-ransomware. This type of ransomware doesn’t encrypt files, but merely blocks the user’s access to his data”
  • “The latest lock-ransomware discovered by security researchers is the Petya ransomware, which was seen spread via spear-phishing campaigns aimed at human resource departments. HR employees are sent an email with a link to a file stored on Dropbox, where an applicant’s CV can be downloaded. This file is an EXE file named portfolio-packed.exe, which if executed, immediately crashes the system into a standard Windows blue screen of death.”
  • “As soon as the user restarts the PC after the blue screen, the computer will enter a fake check disk (CHKDSK) process that, after it finishes, will load Petya’s lock screen. Restarting the computer over and over will always enter this screen”
  • “This screen provides a link to the ransomware’s payment site, hosted on Tor. After the user purchases a decryption key, he can enter it at the bottom of the DOS lock screen. Petya claims to encrypt the user’s files, but G DATA says they can’t verify its claims, and that this is presumably a lie.”
  • “UPDATE: Trend Micro’s researchers also took a look at Petya and they confirm that the ransomware does encrypt files, while also revealing it alters the MBR, preventing users from entering in Safe Mode, and it asks for a 0.99 Bitcoin (~$400) ransom”
  • The encryption of the boot sector is very simple: the data is just XOR’d with the value 0x37 (the ASCII code for the number 7)
  • Additional Coverage: Threat Post

New USB Thief trojan found in the wild

  • Researchers at ESET have identified a new trojan being spread on USB sticks, called “USB Thief”
  • What makes this malware so unique is how it protects itself from analysis by researchers
  • “Each instance of this trojan relies on the particular USB device on which it is installed and it leaves no evidence on the compromised system. Moreover, it uses a very special mechanism to protect itself from being reproduced or copied, which makes it even harder to detect.”
  • “It depends on the increasingly common practice of storing portable versions of popular applications such as Firefox, NotePad++ and TrueCrypt on USB drives. The malware takes advantage of this trend by inserting itself into the command chain of such applications, in the form of a plugin or a dynamically linked library (DLL). And therefore, whenever such an application is executed, the malware will also be run in the background.”
  • “The malware consists of six files. Four of them are executables and the other two contain configuration data. To protect itself from copying or reverse engineering, the malware uses two techniques. Firstly, some of the individual files are AES128-encrypted; secondly, their filenames are generated from cryptographic elements. The AES encryption key is computed from the unique USB device ID, and certain disk properties of the USB drive hosting the malware. Hence, the malware can only run successfully from that particular USB device.”
  • So when researchers copied the malware to a VM to try to dissect it, it stopped working, as it could no longer decrypt its payload
  • “It was quite challenging to analyze this malware because we had no access to any malicious USB device. Moreover, we had no dropper, so we could not create a suitably afflicted USB drive under controlled conditions for further analysis.”
  • “Only the submitted files can be analyzed, so the unique device ID had to be brute-forced and combined with common USB disk properties. Moreover, after successful decryption of the malware files, we had to find out the right order of the executables and configuration files, because the file copying process to get the samples to us had changed the file creation timestamp on the samples.”
  • “Finally, the payload implements the actual data-stealing functionality. The executable is injected into a newly created “%windir%\system32\svchost.exe -k netsvcs” process. Configuration data includes information on what data should be gathered, how they should be encrypted, and where they should be stored. The output destination must always be on the same removable device. In the case we analyzed, it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called “WinAudit”. It encrypts the stolen data using elliptic curve cryptography.”
  • “In addition to the interesting concept of self-protecting multi-stage malware, the (relatively simple) data-stealing payload is very powerful, especially since it does not leave any evidence on the affected computer. After the USB is removed, nobody can find out that data was stolen. Also, it would not be difficult to redesign the malware to change from a data-stealing payload to any other malicious payload.”

Six people charged in hacked lottery terminal scam

  • “Connecticut prosecutors say the group conspired to manipulate automated ticket dispensers to run off “5 Card Cash” tickets that granted on-the-spot payouts in the US state.”
  • “According to the Hartford Courant, a group of shop owners and employees set up the machines to process a flood of tickets at once, which caused a temporary display freeze. This allowed operators to see which of the tickets about to be dispensed would be winning ones, cancel the duff ones, and print the good ones.”
  • “While those reports were being processed, the operator could enter sales for 5 Card Cash tickets,” the newspaper reports. “Before the tickets would print, however, the operator could see on a screen if the tickets were instant winners.”
  • “The Courant says that the lottery commission wised up to the scheme back in November when it heard that people were winning the 5 Card Cash game at a higher-than-expected rate. The game was temporarily halted. The paper notes that more arrests are expected in the case.”
  • In Ontario, there are special provisions for when an employee of the store wants to buy a lottery ticket, specifically to deal with crimes of this nature
  • The other common lottery crime was replacing a customer’s large-payout winning ticket with a smaller one. The employee would buy a number of tickets, keep the small winners ($10), and swap them for the larger winning tickets of unsuspecting customers when they came in to cash them
  • It is now commonplace for there to be an automated lottery checking machine that is used directly by the customer.
  • The ticket machines in Ontario also play an audible tune when a winning ticket is scanned, much to the annoyance of people who have to work there all day, but it ensures that customers are not ripped off

Google Server Secrets | TechSNAP 17
https://original.jupiterbroadcasting.net/10923/google-server-secrets-techsnap-17/
Thu, 04 Aug 2011 22:13:35 +0000

The post Google Server Secrets | TechSNAP 17 first appeared on Jupiter Broadcasting.


Find out what consumer storage device is shipping with an encryption backdoor, and we share details about Google’s super secret million servers strong infrastructure.

AND – How Chris lost $1k in bitcoins!


Show Notes:

Verbatim’s Crypto NAS has unexplained second key

  • As we have talked about before, the only ‘secure’ way to ensure that encrypted data is recoverable if the encryption key is lost is to encrypt it to a second key, a ‘recovery agent’
  • The important fact here is that Verbatim does this without your consent, and there is no way to turn it off
  • This means that if you lose your key, you can call Verbatim and they will decrypt your files for you. Nice feature…
  • A rogue employee at Verbatim could also decrypt your data
  • An attacker could steal or guess the Verbatim key, giving them access to EVERY Verbatim crypto NAS device
  • The government could have Verbatim decrypt your data against your will, or without your knowledge

Study estimates Google has around 900,000 servers

  • Based on Google’s energy use, compared to all other data centers in the world, and factoring in that Google uses custom-built, highly efficient servers, it is estimated they have as many as 1 million servers
  • Google’s newly designed management system is built to be able to manage up to 10 million machines

Chris loves this book: In The Plex: How Google Thinks, Works, and Shapes Our Lives


The Massachusetts lottery can be gamed for a guaranteed payout

  • The way the rules are structured, if the lottery jackpot builds up to over $2 million, then they commence what are known as ‘rolldown weeks’. These weeks increase the payouts of minor jackpots, meaning that if you buy enough tickets to increase your odds of winning, you can be assured a profit
  • It is estimated that if you buy 200,000 of the $2 tickets, during 4 rolldown weeks a year, your payout would be between 1.8 and 4 million dollars, without ever winning the actual jackpot (which has only ever been won once)
  • The state lottery commission has known about this flaw for years, but has only recently started to enforce new rules after the stories started to get press

Pakistan passes new Internet monitoring law, bans encryption and VPNs

  • How will this affect Pakistani users of services like Gmail, which require SSL encryption for authentication?
  • Will this cause the creation of more tools designed to mask encryption, for example with steganography or by masking data transfer as DNS requests?
  • A copy of the proposed law

What are the requirements for true Freedom in the Cloud

  • Right to restrict Access – The user must be able to prevent the provider from reading their data
  • Freedom to leave, but not lose – Users must be able to export all of their data and move it to a different service
  • Open Standards – In order to be able to interact with your data, as well as import and export data, there must be open standards for interacting and transferring data
  • Transparent Privacy Policies – Most users will never read a 20 page privacy policy, there must be a legible and easily understood list of what the provider is and is not allowed to do with your data
  • No change of policy without explicit consent – If the provider can just change the policy, and it is up to you to notice this change, you can never be safe from the whim of the provider
  • We have seen many of these problems with services such as Dropbox, which does not comply with most of these requirements. You cannot stop Dropbox from accessing your data; they encrypt it only with their own key. There are no open standards for Dropbox; when an open source project started an alternate client, it was promptly sent a DMCA notice. And Dropbox has on numerous occasions changed its privacy policy and terms of service without informing its users, requesting the users’ consent, or explicitly stating what was changing in the policy.

TOSBack | The Terms-Of-Service Tracker

