EduCrypt ransomware teaches you a lesson about computer security

June 30, 2016 – 5:40 AM

Ransomware has been infamously known to be nasty pieces of malware that takes a computer’s files hostage, and then demands a ransom, which can vary in cost. Countless variants have been discovered, which differ in how they are programmed, but all demand money in the end.

However, a new variant recently discovered called ‘EduCrypt’ encrypts a victim’s files, but instead of demanding a ransom, it actually provides the decryption key for free. Along the way, it teaches the victim a lesson about avoiding downloading sketchy items on the internet.

Discovered by Jakob Kroustek of AVG, the malware is based on the Hidden Tear ransomware. Unlike other ransomware variants, which encrypts a large number of file extensions, EduCrypt targets only a limited amount, and does not connect to a Command and Control (C&C) server. The list of files affected are:

.txt, .exe, .doc, .docx, .xls, .index, .pdf, .zip, .rar, .css, .lnk, .xlsx, .ppt, .pptx, .odt, .jpg, .bmp, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .bk, .bat, .mp3, .mp4, .wav, .wma, .avi, .divx, .mkv, .mpeg, .wmv, .mov, .ogg

It will lock up files found in the desktop, Downloads, Documents, Pictures, Music, and Videos folder. Once the ransomware finishes the encrypting process, it will append an extension of “.isis” on every file it touches.

A file called “README.txt” will be made available to the user. Inside the file, it will inform the user that their system is infected with a virus. Generously enough, it also provides a link to the decryptor, which the victim can download for free without paying any ransom. “Don’t download random **** on the Internet,” the Readme file states, hoping to teach the victim a lesson.

Source:
http://www.neowin.net/news/educrypt-ransomware-teaches-you-a-lesson-about-computer-security

Ransomware that’s 100% pure JavaScript, no download required

June 20, 2016 – 4:22 PM

SophosLabs just alerted us to an intriguing new ransomware sample dubbed RAA.

This one is blocked by Sophos as JS/Ransom-DDL, and even though it’s not widespread, it’s an interesting development in the ransomware scene.

Here’s why.

Ransomware, like any sort of malware, can get into your organisation in many different ways: buried inside email attachments, via poisoned websites, through exploit kits, on infected USB devices and occasionally even as part of a self-spreading network worm.

But email attachments seem to work best for the cybercrooks, with fake invoices and made-up court cases amongst the topics used by the criminals to make you think you’d better open the attachment, just in case.

Source:
https://nakedsecurity.sophos.com/2016/06/20/ransomware-thats-100-pure-javascript-no-download-required/

0patch Open Beta is Launched

June 7, 2016 – 7:28 PM

After a long period of internal development and testing, our mighty little patching machine finally got wings and flew out of the nest.

This is BIG for us. We’ve invested a significant part of our last three years into building a technology and a business model that we believe can make a big difference in how vulnerabilities are getting fixed, and consequently make attacks considerably harder and more expensive. It is our sincere hope that the concept of vulnerability micropatching will some day become a “goes without saying” feature in all computers, from large data-processing machines and employee workstations, to car computers, mobile phones and the tiniest Internet-of-Things gadgets.

0patch does not claim to be a silver bullet, and it only aims to solve a very specific problem of patching vulnerabilities, but we believe it’s the most efficient possible way to bridge the security update gap that makes it so unforgivably easy to break into any network today.

We’re very excited about new users testing our technology, as well as security researchers getting a tool for fixing the vulnerabilities they find. However, as with any new technology, we’re expecting that the wheels will sometimes get stuck, and things might crack or break in unexpected ways – that’s the point of testing. So please remember that our technology is in beta, don’t use it in production yet!

Source:
https://0patch.blogspot.com/2016/06/0patch-open-beta-is-launched.html

Website:
https://0patch.com/

TeamViewer denies hack after PCs hijacked, PayPal accounts drained

June 2, 2016 – 7:33 PM

Updated TeamViewer users say their computers were hijacked and bank accounts emptied all while the software company’s systems mysteriously fell offline. TeamViewer denies it has been hacked.

In the past 24 hours, we’ve seen a spike in complaints from people who say their PCs, Macs and servers were taken over via the widely used remote-control tool on their machines. Even users with strong passwords and two-factor authentication enabled on their TeamViewer accounts say they were hit.

It appears miscreants gained control of victims’ TeamViewer web accounts, and used those to connect into computers, where they seized web browsers to empty PayPal accounts, access webmail, and order stuff from Amazon and eBay.

“Hackers got everything from me,” Doug, an Idaho-based Twitch streamer who was looking forward to celebrating his birthday today with his wife and two kids, told The Register.

“They remote connected in at 5AM MT, went into my Chrome and used my PayPal to buy about $3k worth of gift cards. And yes, I had two-factor authentication.”

Over on Reddit, people were lining up with tales of their systems being compromised via TeamViewer, sparking fears the platform had been hacked. TeamViewer makes remote-control clients for Windows, OS X, Linux, Chrome OS, iOS and Android.

“I never expected this to happen, but it did,” wrote Redditor Eric1084.

“When I sat down on my chair, I saw my mouse is moving across the screen. Of course, I immediately revoked remote control, and asked who [the hacker] is. At that point, he disconnected, and attempted to connect to my Ubuntu server, which has all my backups. Good thing I connected to [the server] right after he remote’d into my workstation. I revoked his permission before he tried to open Firefox. Immediately after, I started panicking, and thought he just stole all my passwords.”

Source:
http://www.theregister.co.uk/2016/06/01/teamviewer_mass_breach_report/

MitM Attack against KeePass 2’s Update Check

June 1, 2016 – 5:21 PM

This post is about a Man in the Middle (MitM) vulnerability in KeePass 2’s automatic update check. KeePass – the free and open source password manager – uses, in all versions up to the current 2.33, unencrypted HTTP requests to check for new software versions. An attacker can abuse this automatic update check – if enabled – to “release” a new version and redirect the user to a malicious download page. Update: At the first start the users is asked if he wishes to enable the recommended update checks.

During a recent traffic analysis I stumbled upon an interesting request to http://keepass.info/update/version2x.txt.gz. As I had a few hours spare over the last weekend I took a closer look.

It turned out that KeePass 2’s automatic update check uses HTTP to request the current version information. For that purpose it downloads the following text file from http://keepass.info/update/version2x.txt.gz

Source:
https://bogner.sh/2016/03/mitm-attack-against-keepass-2s-update-check/