From: Polytropon <freebsd@edvax.de>
To: Matthias Apitz
Cc: freebsd-questions@freebsd.org
Subject: Re: ransomware virus on Linux
Date: Thu, 19 Nov 2015 08:04:07 +0100
Message-Id: <20151119080407.dd7c00af.freebsd@edvax.de>
In-Reply-To: <20151119064434.GB1925@c720-r276659.oa.oclc.org>

On Thu, 19 Nov 2015 07:44:34 +0100, Matthias Apitz wrote:
>
> Hello,
>
> I've read in the German computer magazine "iX 12/2015" about a threat
> against Linux: Some ransomware malware encrypts your disk and the bad
> guys are asking for your money to get it decrypted again.

The FBI recommends you simply pay:

https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom/

Things can be so easy if you listen to the authorities and then
hand the costs over to your loyal customers who believe in your
expertness and professionalism. ;-)

> All details about this story and how to get it decrypted again
> w/o spending money are here:
>
> http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/

In addition:

http://krebsonsecurity.com/2015/11/ransomware-now-gunning-for-your-web-sites/
https://github.com/eugenekolo/linux-ransomware-decrypter

> Two questions remain:
>
> The structure of the attack makes me think that it would work the
> same way on FreeBSD too.

As far as I understand: Yes, that would be possible (given that the
FreeBSD installation is much like the Linux installations affected,
in terms of the software versions in use).

> Do we have already known attacks like this?

Maybe those running a significant attack surface (i.e., an old and
unpatched version of Magento, as the article you pointed to states)
could provide more information:

	Linux.Encoder.1 is executed on the victim's Linux box after
	remote attackers leverage a flaw in the popular Magento
	content management system app.

Proper settings of (write) privileges, account separation and the
use of jails will probably make this harder to spread across a
whole system. The article mentions a few things to pay attention to.

> If we had a known attack and test data from it (i.e., an encrypted
> file system tree), I think it would be worth checking whether the
> software described by Bitdefender could be ported to FreeBSD too.

It would be interesting to see if the Linux version would work on
FreeBSD (via the Linux ABI), because the file system access at this
point is still "abstracted" to the running program.

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
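The Bitdefender write-up linked in the thread is titled after a predictable encryption key, and the decrypter Polytropon links to exists because such a key can be recovered. The following is an added example, not code from the post, from Bitdefender or from the eugenekolo decrypter, and it does not claim to reproduce Linux.Encoder.1's actual algorithm (the thread does not describe it). It is a toy model of the weakness class: a key taken from the system clock via srand()/rand(), and a recovery routine that brute-forces the seed from the encrypted file's mtime with a known-plaintext check. The cipher is a plain XOR keystream, the plaintext, seed and timestamps are constructed, and the assumption that the seed was drawn within one hour before the file's mtime is the example's own.

```c
/* Toy model of a timestamp-seeded key and its recovery from the file's
 * mtime. Added example, not code from the post or any linked project;
 * XOR keystream stands in for a real cipher so it runs stand-alone. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Keystream byte i is the i-th rand() output after srand(seed).
 * Encryption and decryption are the same operation. */
static void xor_stream(const uint8_t *in, uint8_t *out, size_t n, time_t seed)
{
    srand((unsigned)seed);
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ (uint8_t)(rand() & 0xff);
}

/* Given the ciphertext, the mtime the file carried after encryption and a
 * prefix the plaintext is known to start with, try every seed in
 * [mtime - window, mtime] and return the one that reproduces the prefix,
 * or (time_t)-1 if none does. The bound rests on the assumption that the
 * seed was read from the clock shortly before the file was written. */
static time_t recover_seed(const uint8_t *ct, size_t n, time_t mtime,
                           unsigned window, const char *known_prefix)
{
    uint8_t probe[64];
    size_t plen = strlen(known_prefix);
    if (plen == 0 || plen > n)
        return (time_t)-1;
    if (plen > sizeof probe)
        plen = sizeof probe;
    for (unsigned back = 0; back <= window; back++) {
        time_t cand = mtime - (time_t)back;
        xor_stream(ct, probe, plen, cand);
        if (memcmp(probe, known_prefix, plen) == 0)
            return cand;
    }
    return (time_t)-1;
}

/* Constructed scenario: a web-app file, a seed taken from the clock and an
 * mtime three seconds later. Returns 1 if the seed and the plaintext are
 * recovered and a wrong known-prefix is correctly rejected, else 0. */
int demo(void)
{
    static const char plaintext[] = "<?php\n// constructed sample, not real data\n";
    const size_t n = sizeof plaintext - 1;
    const time_t seed = 1447920000;   /* constructed: an instant in Nov 2015 */
    const time_t mtime = seed + 3;    /* encryption finished 3 s after seeding */
    uint8_t ct[sizeof plaintext], pt[sizeof plaintext];

    xor_stream((const uint8_t *)plaintext, ct, n, seed);

    /* search one hour back from the mtime, checking for the PHP opening tag */
    time_t found = recover_seed(ct, n, mtime, 3600, "<?php");
    if (found != seed)
        return 0;
    xor_stream(ct, pt, n, found);
    if (memcmp(pt, plaintext, n) != 0)
        return 0;

    /* a prefix the file does not start with must not yield a false hit */
    return recover_seed(ct, n, mtime, 3600, "#!/bin/sh") == (time_t)-1;
}

int main(void)
{
    printf("seed recovered from mtime: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

The point a practitioner should take from this is the search space: a seed chosen from the clock is bounded by the file's own timestamp, so the "key" is a few thousand candidates checked against a few bytes of predictable file header, not a 128-bit secret. Any port of the Linux decrypter to FreeBSD would hinge on the same two inputs surviving intact: the file's mtime and a plaintext prefix to test against.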