Wednesday, June 25, 2008
Sunday, June 15, 2008
GPCode.ak solution in another way ...
Currently it is not possible to decrypt files encrypted by Gpcode.ak without the private key. However, there is a way in which encrypted files can be restored to their original condition. When encrypting files, Gpcode.ak creates a new file next to the file that it intends to encrypt. Gpcode writes the encrypted data derived from the original file to this new file, and then deletes the original file. It is known that a deleted file can be restored as long as the data on disk has not been significantly modified. This is why, right from the beginning, we recommended that users not reboot their computers but contact us instead. We told users who contacted us to use a range of utilities to restore deleted files from disk. Unfortunately, nearly all the available utilities are shareware – we wanted to offer an effective, accessible utility that could help restore files that had been deleted by Gpcode. Please have a look at the posting from my colleague Vitaly on Kaspersky's Viruslist Blog from 13 June 2008.
Kaspersky got a lot of comments and criticism, even from respected and well-known security people like Bruce Schneier, Vesselin Bontchev and others, but none of them were looking at the easy solution: just try to recover the files from before they were encrypted. I fully agree with them that searching for the decryption key using brute-force computing power would be very unrealistic, but still, I at least like the idea of international cooperation between a lot of security companies ... maybe it's 'insecure' thinking on my part, if you know what I mean. ;-)
Typosquatting in Belgium on the rise.
Typosquatting, also called URL hijacking, is a form of cybersquatting which relies on mistakes such as typographical errors made by Internet users when inputting a website address into a web browser. Should a user accidentally enter an incorrect website address, they may be led to an alternative website owned by a cybersquatter.
It seems that typosquatting has been more or less on the rise over the last few years here in Belgium. I was interviewed yesterday and made it into the 13:00 and 19:00 news at VTM, a well-known Belgian TV station. You can have a look at the recorded broadcast on my press page or via my direct link.
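Typosquatting, as the definition above says, lives off single-keystroke mistakes. The following added example (my own illustration, not code from the post or from any vendor) generates the one-keystroke variants of a domain you own and checks them against a constructed list of observed registrations, which is how a brand owner monitors for lookalike domains; the domain names and the observed list are invented for the demo.

```python
import string

# Constructed "observed registrations" list for the demo (not real data).
OBSERVED_REGISTRATIONS = {
    "exmaple.be", "exampel.be", "exanple.be", "examplee.be",
    "example.com", "other.be",
}


def typo_variants(domain):
    """All single-keystroke typos of the domain label, keeping the TLD.

    Covers the four classic slips: a dropped character, a doubled character,
    a wrong character, and two adjacent characters transposed.
    """
    label, _, tld = domain.rpartition(".")
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                   # omission
        out.add(label[:i] + label[i] + label[i:])            # doubled char
        for c in string.ascii_lowercase:                     # wrong char
            if c != label[i]:
                out.add(label[:i] + c + label[i + 1:])
        if i + 1 < len(label):                               # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    out.discard(label)   # the genuine name is not a lookalike
    out.discard("")
    return {v + "." + tld for v in out}


def registered_lookalikes(domain, observed):
    """Typo variants of `domain` that already appear in `observed`."""
    return sorted(typo_variants(domain) & set(observed))


if __name__ == "__main__":
    for name in registered_lookalikes("example.be", OBSERVED_REGISTRATIONS):
        print("lookalike registered:", name)
```

Note that "example.com" is not flagged: a different TLD is a separate monitoring question, not a keystroke slip in the label.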
Thursday, June 12, 2008
China hacking into US computers more realistic than China attacking Belgium!
You could read the following on the net just a few hours ago: Multiple congressional computers have been hacked by people working from inside China, lawmakers said Wednesday, suggesting the Chinese were seeking lists of dissidents. You can find more at
http://news.yahoo.com/s/ap/20080611/ap_on_go_co/china_hacking
As a targeted attack, this one is much more realistic and backed by much more evidence than what our government was saying a month ago. I blogged about it on the 2nd of May at:
http://www.anti-malware.info/weblog/archive/2008_05_01_wavci_archive.html
I'm nearly 100% sure that the Belgian version was not orchestrated and that everything was just a coincidence: a lot of spammed malware reaching some governmental computers. I'm still not happy with what some of the members of our government told the public at the time.
Tuesday, June 10, 2008
Assistance needed for cracking GPCode.ak ...
Our office just launched the following press release following the recent problems with a new GPCode variant. See more at www.viruslist.com .
"Kaspersky Lab announces Stop Gpcode, an international initiative against the blackmailing virus Gpcode, which emerged last week.
The objective of the initiative is to factor (‘crack’) the RSA-1024 key used in Virus.Win32.Gpcode.ak – the latest version of the dangerous Gpcode blackmailer virus. The signature for Virus.Win32.Gpcode.ak was added to Kaspersky Lab antivirus databases on June 4, 2008.
Kaspersky Lab invites all cryptography experts, as well as governmental and research institutions, other antivirus vendors and independent researchers to join the efforts to solve this problem. The company is prepared to provide any additional information at its disposal and is open to dialog with all experts wishing to participate in the Stop Gpcode initiative.
To coordinate the activity of all participants of the initiative, a special Stop Gpcode forum has been created. "This is the first time in the security history that such an initiative is appearing. Let us hope that this could become a good example of perfect international cooperation. However we must not overestimate this possible solution: a backup in combination with optimal security and good malware protection is still the best solution for a lot of problems, also in the future." says Eddy Willems, Security Evangelist at Kaspersky Lab Benelux.
Virus.Win32.Gpcode.ak
Gpcode.ak encrypts files with various extensions using the RSA encryption algorithm with a 1024-bit key. After encrypting, the virus changes the extension of these files to ._CRYPT and places a text file named !_READ_ME_!.txt in the same folder. In the text file the criminal tells the victims that the file has been encrypted and offers to sell them a decryptor.
The author of Gpcode has taken two years to improve the virus: the previous errors have been fixed and the key has been lengthened to 1024 bits instead of 660. The task of ‘cracking’ the RSA-1024 key is an extremely complicated cryptographic problem. Eddy Willems confirms this: “To crack the key at least 15 million computers have to be running for one year.”"
Of course it's clear that this is just an interesting initiative, and I really hope it could become realistic in the near future, but of course it's not as easy as it seems.
Nevertheless, such initiatives haven't been seen in the past, and I think it's time that vendors worked together in a better way than before, but isn't that another, harder question? Could this be even more unrealistic? What do you think?
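The two Gpcode posts above describe a recognisable on-disk pattern: a ._CRYPT twin is created beside each original, the original is then deleted, and a !_READ_ME_!.txt note lands in the folder. The added example below (my own illustration, not a Kaspersky tool) runs that pattern as detection logic over a constructed file-event log and lists the deleted originals that are candidates for undeletion, which is exactly the recovery route the first post recommends. The log format and paths are invented for the demo.

```python
from collections import defaultdict

# Constructed file-system event log (not real telemetry). One event per line:
# "<CREATE|DELETE> <path>", in the order Gpcode.ak produces them.
SAMPLE_EVENTS = """\
CREATE C:\\Users\\alice\\Documents\\report.doc._CRYPT
DELETE C:\\Users\\alice\\Documents\\report.doc
CREATE C:\\Users\\alice\\Documents\\budget.xls._CRYPT
DELETE C:\\Users\\alice\\Documents\\budget.xls
CREATE C:\\Users\\alice\\Documents\\!_READ_ME_!.txt
CREATE C:\\Users\\alice\\Pictures\\holiday.jpg._CRYPT
DELETE C:\\Users\\alice\\Pictures\\holiday.jpg
CREATE C:\\Users\\alice\\Downloads\\setup.exe
DELETE C:\\Users\\alice\\Downloads\\old.tmp
"""

CRYPT_EXT = "._CRYPT"            # extension appended by Gpcode.ak (from the post)
NOTE_NAME = "!_READ_ME_!.txt"    # ransom note name (from the post)


def split_path(path):
    """Split a Windows path into (folder, file name)."""
    folder, _, name = path.rpartition("\\")
    return folder, name


def analyse(events_text):
    """Map each suspicious folder to its encrypted originals and note status."""
    created = defaultdict(set)
    deleted = defaultdict(set)
    for line in events_text.splitlines():
        if not line.strip():
            continue
        event, path = line.split(" ", 1)
        folder, name = split_path(path)
        (created if event == "CREATE" else deleted)[folder].add(name)

    findings = {}
    for folder in set(created) | set(deleted):
        # An original counts as encrypted only when its ._CRYPT twin was
        # created AND the original itself was deleted in the same folder;
        # an unrelated CREATE/DELETE pair (Downloads below) does not match.
        encrypted = sorted(
            n for n in deleted[folder] if n + CRYPT_EXT in created[folder]
        )
        note = NOTE_NAME in created[folder]
        if encrypted or note:
            findings[folder] = {"encrypted": encrypted, "ransom_note": note}
    return findings


def recoverable_originals(findings):
    """Full paths of deleted originals worth handing to an undelete tool."""
    return sorted(
        folder + "\\" + name
        for folder, info in findings.items()
        for name in info["encrypted"]
    )


if __name__ == "__main__":
    for path in recoverable_originals(analyse(SAMPLE_EVENTS)):
        print("try to undelete:", path)
```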
Sunday, June 01, 2008
May 2008: Web site compromises record month!
Here are the highlights of the notable Web site compromises I have seen in the past month:
May 2 - One Year Later, Italian Job Still Working Overtime
It’s been a year since the infamous Italian Job attack of 2007. And in an apparent observance of its anniversary, a similar attack was seen compromising about 90 varied Italian Web sites, all hosted in Italy by a single hosting provider—the same one that hosted the thousands in last year’s large-scale.
May 7 - A Very Convoluted Chinese Gaming-Info-Stealing Campaign
Web sites numbering approximately 9,000 were compromised via SQL injection with embedded malicious JavaScript redirecting users to two major malicious URLs. Among these Web sites were legitimate medical, educational, government, and entertainment sites from around the world.
A survey of the site locations includes India, UK, Canada, France, and China. This observation suggests the attack was the work of an automated Chinese hacktool programmed to search through Web sites for vulnerabilities, creating the same .HTML file that has been used to launch various exploits.
May 10 - More of The Same: Another Half Million Web Sites Compromised
Meanwhile, a malicious script was injected into half a million Web sites believed to be either using poorly implemented or older exploitable versions of phpBB. This event involved a ZLOB Trojan, among others, that changes an affected system’s local DNS and Internet browser settings.
May 19 - Chinese Weekend Compromise
Chinese-language Web sites were targeted in an attack that was meant specifically against China, Taiwan, Singapore, and Hong Kong. Google search results at the time of the attack showed 327,000 pages containing the malicious script tag.
May 19 - More Weekend Compromises Reach Other Shores
Another string of Web site compromises was discovered the following week, involving at least four (4) Web sites of various affiliations and different countries. These were injected with a malicious JavaScript that redirects to two sites. Both eventually lead to their own series of redirections, and finally the download and execution of malware: a backdoor and Trojan, respectively.
May 21 - It’s Not Over: Asian Sites Injected with Nasty Code
Two days later, hundreds of thousands of Web sites were again found compromised and inserted with malicious JavaScript code, some of which are sites from the APAC region. Hackers have apparently conducted another massive SQL injection attack. A Google search for the malicious URL turned up 197,000 results.
May 22 - Malicious Domains Found in Compromised Japanese Sites
The next day, several Web sites in Japan — including a popular music download site and a music company site — have been found injected with malicious code.
These are the hard facts, and these developments tell us that there could indeed be a trend that cyber criminals seem to favor this type of attack over other methods. For what it’s worth, our engineers also think that mass compromises are common (or at least not as uncommon as we think), it’s just that they are either found soon enough, or they remain unnoticed and consequently unreported.
And I'm not even talking about the thousands of other websites which were defaced in nearly every country of the world, even in Belgium (e.g. the VTM broadcast site) ... it's definitely not a good sign or trend.
A lot of XSS methods seem to have been used as well in these and many other compromises.
XSS has been around for a long time; it has neither become less attractive as an attack method, nor has a fool-proof solution against it been properly formulated.
XSS vulnerabilities can cause a variety of problems for the casual web surfer. These problems range in severity from mere annoyance to complete credential compromise. Some XSS attacks incorporate disclosure of the user’s session cookies, allowing the perpetrator to have complete control over the victim’s session and, in effect, to take over the account and hijack the HTTP session.
XSS attacks may also include redirecting the user to some other page or website, and modifying the content of a HTTP session. Other damaging risks include the exposure of the victim’s files, and subsequently the installation of Trojans and other damaging malware — and to what purpose? One can only guess because once the compromise is successful, the criminal’s next actions are open to unlimited possibility.
An XSS attacker utilizes varying methods to encode the malicious script in order to be less conspicuous to users and administrators alike. There are an unaccounted number of variations for these types of attacks, and XSS attacks can come in the form of embedded JavaScript — one of the more common implementations. But be forewarned — any embedded active content is also a potential source of danger, including: ActiveX (OLE), VBscript, Flash, and more.
XSS issues can and do exist in the underlying Web and application servers too. Most Web and application servers use error mechanisms to display content access error pages, such as “404 page not found” and “500 internal server error”. If these pages reflect back any information from the user’s request, such as the URL they were trying to access, there is an even greater chance that they are vulnerable to an XSS attack.
The possibility that a website contains XSS vulnerabilities is extremely high. There are countless ways to mislead Web applications into relaying maliciously injected scripts. Developers and website administrators seem to have a knack for missing these vulnerable application areas in their web implementations, but finding these configuration errors seems to be a walk in the park for attackers, since all they need is a browser and time (time which most of us don’t have).
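The error-page case described above is the easiest one to get wrong and the easiest one to check. The added example below (my own illustration, not code from the post or from any server product) shows a 404 handler that reflects the requested path verbatim next to the hardened form that HTML-escapes it first, plus a small check a reviewer can run against either response to see whether markup from the request came back untouched. The request path is a constructed, harmless test string.

```python
import re
from html import escape

# Constructed request path containing a harmless tag; any markup in the
# path is enough to show whether the error page reflects it unescaped.
SAMPLE_PATH = "/missing/<b>page</b>"

TEMPLATE = ("<html><body><h1>404 Not Found</h1>"
            "<p>The page {path} does not exist on this server.</p>"
            "</body></html>")


def render_404_vulnerable(requested_path):
    """Reflects the request path as-is: a classic reflected-XSS sink."""
    return TEMPLATE.format(path=requested_path)


def render_404_safe(requested_path):
    """Escapes <, >, &, quotes before reflecting, so markup renders as text.

    quote=True also escapes " and ', which matters if the value is ever
    placed inside an HTML attribute rather than element text.
    """
    return TEMPLATE.format(path=escape(requested_path, quote=True))


TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def reflects_markup(response_html, requested_path):
    """True if any tag present in the request appears verbatim in the response.

    This is the check to run against error pages (404, 500) with a test
    path that carries a tag: a hit means the page is a reflection point.
    """
    for tag in TAG_RE.findall(requested_path):
        if tag in response_html:
            return True
    return False


if __name__ == "__main__":
    for render in (render_404_vulnerable, render_404_safe):
        out = render(SAMPLE_PATH)
        print(render.__name__, "reflects markup:", reflects_markup(out, SAMPLE_PATH))
```

Escaping at the output point is the fix for this sink; a Content-Type header with an explicit charset keeps the browser from second-guessing the encoding, but it is no substitute for escaping.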