Viruses and Worms

Virus (cough, cough, Petya) goes postal at FedEx, shares halted

The Register - Anti-Virus - 42 min 22 sec ago
TNT Express systems blown up by, er, yeah, you get the idea

FedEx has suspended trading of its shares on the New York stock exchange after admitting that its subsidiary TNT Express has been hit by "an information system virus."…

‘Little Hope’ to Recover Data Lost to Petya Ransomware

VirusList.com - 1 hour 35 min ago
Researchers at Kaspersky Lab have discovered an error in the ExPetr ransomware code that prevents recovery of lost data.

Microsoft Issues ‘Important’ Security Fix for Azure AD Connect

VirusList.com - 1 hour 48 min ago
Microsoft is warning customers of an “important” update to its Azure AD Connect service that could allow for an elevation of privilege attack against affected systems.

New Petya ransomware: everything you wanted to know (but were afraid to ask)

Sophos Naked Security - 3 hours 54 min ago
Your questions about the new Petya ransomware answered - and your chance to ask us more.

From floppy disks to deep freeze: what’s the best way to store data?

Sophos Naked Security - 3 hours 54 min ago
Still got a Zip drive? What about a CD? Are you sure you'll be able to access the data stored on those? We take a look at what's being done to keep information safe for future generations

New Petya Distribution Vectors Bubbling to Surface

VirusList.com - 4 hours 15 min ago
Microsoft has made a definitive link between MEDoc and initial distribution of the Petya ransomware. Kaspersky Lab, meanwhile, has identified a Ukrainian government website used in a watering hole attack.

Beer + bitter former field engineer = hacked smart water meters

Sophos Naked Security - 4 hours 23 min ago
The story of Adam Flanagan, who's been jailed for hacking, is a reminder to companies to revoke access to networks when they sack a disgruntled employee

Average Bug Bounty Payments Growing

VirusList.com - 4 hours 26 min ago
HackerOne released its first report on its bug bounty program, and reveals an industry shift toward enlisting hackers for better cybersecurity.

123-reg resolves secure database access snafu

The Register - Anti-Virus - 7 hours 34 min ago
Catches up with https everywhere memo

UK-based hosting and domains provider firm 123-reg has fixed an issue that meant access to some customers' databases ran over an unsecured link, creating a privacy risk in the process.…

Deconstructing Petya: how it spreads and how to fight back

Sophos Naked Security - 7 hours 1 min ago
It's been 24 hours since the outbreak first hit: here's what we know now about how Petya behaves

Anthem to pay record $115m to settle lawsuits over massive breach

Sophos Naked Security - 9 hours 22 min ago
Attackers grabbed data including names, birthdates, taxpayer IDs and more from Anthem patients - a toolkit for identity theft

VB2017 Early Bird discount to expire this week

Virus Bulletin News - 9 hours 36 min ago
This week, the Early Bird discount for VB2017 comes to an end - so, for a 10% saving on the cost of full price registration, make sure you register now!

Ride-snare: Lyft ruse helps cops cuff suspect in tech CEO murder case

The Register - Anti-Virus - 15 hours 14 min ago
'How would you rate your ride?'

A police officer in Fayette County, Georgia, has nabbed a murder suspect by appropriating the Lyft vehicle he figured the perp hoped to use as a getaway car.…

Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide

The Register - Anti-Virus - 17 hours 22 min ago
This isn't ransomware – it's merry chaos

Analysis: It is now increasingly clear that the global outbreak of a file-scrambling software nasty targeting Microsoft Windows PCs was designed not to line the pockets of criminals, but spread merry mayhem.…

Another major ransomware offensive!

VIRY.CZ - 22 hours 10 min ago

A number of security companies and media outlets are beginning to report another massive attack by malware that falls into the ransomware category… Ukraine is reporting the biggest problems. Banking institutions, energy companies and others were hit there. According to ESET, it all started in Ukraine, where the attackers managed to compromise a widely used local accounting software package. Current reports indicate that an infected update of this software was downloaded and run in some companies. That is what carried the ransomware into the companies' internal networks, where it started wreaking havoc and spreading further.

Like the WannaCry ransomware, this one does not primarily spread by e-mail either, but through security flaws in the operating system (SMB exploit – EternalBlue), or alternatively via PsExec and WMIC. A corporate network may be protected from the outside as well as you like, but if someone attacks from the inside, there can be a big problem. It is enough for the malware to hit a single unpatched computer, which then becomes the springboard for infecting other machines (via PsExec / WMIC), even patched ones!

And since this is ransomware, the problem is encrypted data on the hard disk. Moreover, this one primarily tries to encrypt the hard disk's boot loader (MBR), so Windows does not boot at all and the instructions for paying the ransom are shown in text mode right after the PC is switched on. Paying the $300 ransom definitely makes no sense, since the relevant provider has shut down the mailbox through which the attacker communicated with victims. Nevertheless, the attacker's bitcoin wallet already holds more than 3 bitcoins (~150 thousand CZK).

Individual antivirus programs detect the malware as follows.

I will keep updating the article. I am adding this sentence at 0:30, so good night

See you in 2023 – Bitcoin exchange Coin.mx bigwig gets 66 months in the slammer

The Register - Anti-Virus - 27 June 2017 - 22:54
Murgio gets off easy in money laundering case

A kingpin of the ill-fated Coin.mx Bitcoin exchange was today handed a 66-month prison sentence for conspiracy, fraud, and money laundering.…

Complex Petya-Like Ransomware Outbreak Worse than WannaCry

VirusList.com - 27 June 2017 - 22:06
Today's global ransomware attack is spreading via EternalBlue and through local networks using PSEXEC and WMIC.

Google Hit With $2.7 Billion Antitrust Fine

VirusList.com - 27 June 2017 - 21:50
Claiming the company abused its dominance as a search engine to push its shopping service, search giant Google was hit with a hefty $2.7 billion fine this week.

Schroedinger’s Pet(ya)

Kaspersky Securelist - 27 June 2017 - 20:57

Earlier today (June 27th), we received reports about a new wave of ransomware attacks (referred to in the media by several names, including Petya, Petrwrap, NotPetya and exPetr) spreading around the world, primarily targeting businesses in Ukraine, Russia and Western Europe. If you were one of the unfortunate victims, this screen might look familiar:

Kaspersky Lab solutions successfully stop the attack through the System Watcher component. This technology protects against ransomware attacks by monitoring system changes and rolling back any potentially destructive actions.

At this time, our telemetry indicates more than 2,000 attacks:

Our investigation is ongoing and our findings are far from final at this time. Despite rampant public speculation, the following is what we can confirm from our independent analysis:

How does the ransomware spread?

To capture credentials for spreading, the ransomware uses custom tools, à la Mimikatz, which extract credentials from the lsass.exe process. After extraction, the credentials are passed to PsExec or WMIC for distribution inside the network.

Other observed infection vectors include:

  • A modified EternalBlue exploit, also used by WannaCry.
  • The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010).
  • An attack against the update mechanism of a third-party Ukrainian software product called MeDoc.

IMPORTANT: A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC.

What does the ransomware do?

The malware waits for 10-60 minutes after the infection before rebooting the system. The reboot is scheduled using system facilities, namely the "at" or "schtasks" and "shutdown.exe" tools.

Once it reboots, it starts to encrypt the MFT (Master File Table) of NTFS partitions, overwriting the MBR with a customized loader that carries a ransom note. More details on the ransom note below.
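The spreading and reboot behaviour described above (credentials handed to PsExec or WMIC, a reboot scheduled through "at"/"schtasks" and "shutdown.exe", and the perfc.dat file the recommendations below say to block) can be turned into host-side detection logic. This added example is not Kaspersky's code; the event format, host names and command lines are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (not real telemetry). Fields:
# host|image|command_line, one event per line.
SAMPLE_EVENTS = """\
WS01|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt
WS01|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic /node:10.0.0.17 /user:corp\\admin process call create "rundll32 C:\\Windows\\perfc.dat"
WS01|C:\\Windows\\System32\\schtasks.exe|schtasks /Create /SC once /TN reboot /TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 14:35
WS02|C:\\Tools\\PsExec.exe|PsExec.exe \\\\10.0.0.22 -accepteula rundll32 C:\\Windows\\perfc.dat
WS03|C:\\Windows\\System32\\schtasks.exe|schtasks /Query /TN backup
"""

# Each rule: (name, predicate over (exe basename, lowercased command line)).
RULES = [
    # WMIC starting a process on another host: /node:<target> ... process call create
    ("wmic_remote_process_create",
     lambda exe, cmd: exe == "wmic.exe" and "/node:" in cmd and "process call create" in cmd),
    # PsExec invoked with a \\target argument
    ("psexec_remote_exec",
     lambda exe, cmd: exe.startswith("psexec") and re.search(r"\\\\[\w.-]+", cmd) is not None),
    # Reboot scheduled through schtasks/at wrapping shutdown.exe (the 10-60 minute delay)
    ("scheduled_reboot",
     lambda exe, cmd: exe in ("schtasks.exe", "at.exe") and "shutdown" in cmd),
    # Any reference to the perfc.dat payload file the advisory says to block
    ("perfc_dat_reference",
     lambda exe, cmd: "perfc.dat" in cmd),
]


def detect(events_text: str) -> List[Dict[str, str]]:
    """Return one finding per (event, matching rule), in input order."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        host, image, cmd = line.split("|", 2)
        exe = image.rsplit("\\", 1)[-1].lower()
        low = cmd.lower()
        for name, pred in RULES:
            if pred(exe, low):
                findings.append({"host": host, "rule": name, "cmd": cmd})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']}  <-  {f['cmd']}")
```

A host that triggers both a remote-execution rule and the scheduled-reboot rule within minutes is the pivot the IMPORTANT note warns about and deserves isolation before the reboot fires.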

Network survey

The malware enumerates all network adapters, all known server names via NetBIOS and also retrieves the list of current DHCP leases, if available. Each and every IP on the local network and each server found is checked for open TCP ports 445 and 139. Those machines that have these ports open are then attacked with one of the methods described above.
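The port 445/139 survey described above also leaves a network-side trace: one workstation fanning out to many local peers on SMB ports within a short window. This added example (not Kaspersky's code) flags such sources from flow records; the record format, the 60-second window and the five-target threshold are assumptions for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample flow records (not real telemetry): "ts_seconds src dst dport"
SAMPLE_FLOWS = """\
1000 10.0.0.5 10.0.0.17 445
1001 10.0.0.5 10.0.0.18 445
1001 10.0.0.5 10.0.0.19 139
1002 10.0.0.5 10.0.0.20 445
1002 10.0.0.5 10.0.0.21 445
1003 10.0.0.5 10.0.0.22 445
1003 10.0.0.5 10.0.0.23 139
1004 10.0.0.5 10.0.0.24 445
1500 10.0.0.9 10.0.0.2 445
1501 10.0.0.9 10.0.0.2 445
1600 10.0.0.9 10.0.0.3 443
"""

SMB_PORTS = {445, 139}  # the two ports the worm probes on every local address


def parse_flows(text: str) -> List[Tuple[int, str, str, int]]:
    """Parse the whitespace-separated records into (ts, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            flows.append((int(ts), src, dst, int(port)))
    return flows


def smb_sweepers(flows, window: int = 60, min_targets: int = 5) -> Dict[str, int]:
    """Map each source reaching >= min_targets distinct hosts on 445/139 inside some
    `window`-second sliding window to the largest such count. Repeated connections
    to the same file server do not count; fan-out to many peers does."""
    per_src: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in SMB_PORTS:
            per_src[src].append((ts, dst))
    result = {}
    for src, hits in per_src.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in hits[start:end + 1]}))
        if best >= min_targets:
            result[src] = best
    return result
```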

Password extraction

Resources 1 and 2 of the malware binary contain two versions of a standalone tool (32-bit and 64-bit) that tries to extract the logins and passwords of logged-on users. The tool is run by the main binary. All extracted data is passed back to the main module via a named pipe with a random GUID-like name.

File Decryption

Is there any hope of decrypting files for victims who are already infected? Unfortunately, the ransomware uses a standard, solid encryption scheme, so this appears unlikely unless a subtle implementation mistake has been made. The following specifics apply to the encryption mechanism:

  • For all files, one AES-128 key is generated.
  • This AES key is encrypted with threat actors’ public RSA-2048 key.
  • Encrypted AES keys are saved to a README file.
  • Keys are securely generated.

The criminals behind this attack are asking for $300 in Bitcoin to deliver the key that decrypts the ransomed data, payable to a single Bitcoin account. Unlike WannaCry, this technique would work because the attackers ask victims to send their wallet numbers by e-mail to “wowsmith123456@posteo.net”, thus confirming the transactions. We have seen reports that this e-mail account has already been shut down, effectively making full-chain decryption impossible for existing victims at this time.

At the time of writing, the Bitcoin wallet has accrued 24 transactions totalling 2.54 BTC or just under $6,000 USD.

Here’s our shortlist of recommendations on how to survive ransomware attacks:

  • Run a robust anti-malware suite with embedded anti-ransomware protection such as System Watcher from Kaspersky Internet Security.
  • Make sure you update Microsoft Windows and all third party software. It’s crucial to apply the MS17-010 bulletin immediately.
  • Do not open or run attachments from untrusted sources.
  • Backup sensitive data to external storage and keep it offline.

Kaspersky Lab corporate customers are also advised to:

  • Check that all protection mechanisms are activated as recommended; and that KSN and System Watcher components (which are enabled by default) are not disabled.
  • As an additional measure, corporate customers can use Application Privilege Control to deny any access (and thus any possibility of interaction or execution) for all application groups to the file named “perfc.dat” and to the PsExec utility (part of the Sysinternals Suite).
  • You can alternatively use the Application Startup Control component of Kaspersky Endpoint Security to block execution of the PsExec utility (part of the Sysinternals Suite), but please use Application Privilege Control to block “perfc.dat”.
  • Configure and enable the Default Deny mode of the Application Startup Control component of Kaspersky Endpoint Security to enforce proactive defense against this and other attacks.

For sysadmins, our products detect the samples used in the attack with these verdicts:

  • UDS:DangerousObject.Multi.Generic
  • Trojan-Ransom.Win32.ExPetr.a
  • HEUR:Trojan-Ransom.Win32.ExPetr.gen

Our behavior detection engine, System Watcher, detects the threat as:

  • PDM:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic

IOCs

  • 0df7179693755b810403a972f4466afb
  • 42b2ff216d14c2c8387c8eabfb1ab7d0
  • 71b6a493388e7d0b40c83ce903bc6b04
  • e285b6ce047015943e685e6638bd837e
  • e595c02185d8e12be347915865270cca

Yara rules

Download Yara rule expetr.yara as a ZIP archive.

rule ransomware_exPetr {
    meta:
        copyright = "Kaspersky Lab"
        description = "Rule to detect PetrWrap ransomware samples"
        last_modified = "2017-06-27"
        author = "Kaspersky Lab"
        hash = "71B6A493388E7D0B40C83CE903BC6B04"
        version = "1.0"

    strings:
        $a1 = "MIIBCgKCAQEAxP/VqKc0yLe9JhVqFMQGwUITO6WpXWnKSNQAYT0O65Cr8PjIQInTeHkXEjfO2n2JmURWV/uHB0ZrlQ/wcYJBwLhQ9EqJ3iDqmN19Oo7NtyEUmbYmopcq+YLIBZzQ2ZTK0A2DtX4GRKxEEFLCy7vP12EYOPXknVy/+mf0JFWixz29QiTf5oLu15wVLONCuEibGaNNpgq+CXsPwfITDbDDmdrRIiUEUw6o3pt5pNOskfOJbMan2TZu" fullword wide
        $a2 = ".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls" fullword wide
        $a3 = "DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED" fullword ascii
        $a4 = "1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX" fullword ascii
        $a5 = "wowsmith123456@posteo.net." fullword wide

    condition:
        (uint16(0) == 0x5A4D) and
        (filesize < 1000000) and
        (any of them)
}