From owner-freebsd-questions@freebsd.org Thu Nov 19 08:03:24 2015
Delivered-To: freebsd-questions@mailman.ysv.freebsd.org
Date: Thu, 19 Nov 2015 15:03:20 +0700
From: Olivier Nicole
Sender: olivier2553@gmail.com
Cc: "freebsd-questions@freebsd.org"
Subject: Re: ransomware virus on Linux
In-Reply-To: <20151119080407.dd7c00af.freebsd@edvax.de>
References: <20151119064434.GB1925@c720-r276659.oa.oclc.org> <20151119080407.dd7c00af.freebsd@edvax.de>
Content-Type: text/plain; charset=UTF-8
List-Id: User questions

Hi,

>> The structure of the attack makes me think that it would work the same way on
>> FreeBSD too.
>
> As far as I understand: Yes, that would be possible (given that
> the FreeBSD installation is much like the Linux installations
> affected in terms of software versions in use).

I tend to think that by the time it comes to FreeBSD, the flaw in
generating the key will have been corrected (I am pretty sure it has
already been corrected for Linux). So the decryption script will not
work anymore.

Regards,

Olivier

>> Do we already have known attacks like this?
>
> Maybe those running a significant attack surface (i.e., old and
> unpatched version of Magento, as the article you pointed to states),
> could provide more information:
>
>     Linux.Encoder.1 is executed on the victim's Linux box
>     after remote attackers leverage a flaw in the popular
>     Magento content management system app.
>
> Proper settings of (write) privilege, account separation, the use
> of jails will probably make this harder to spread across a whole
> system. The article mentions a few things to pay attention to.
>
>
>> If we had a known attack and test data from it (i.e. an
>> encrypted file system tree), I think it would be worth checking whether the
>> software described by Bitdefender could be ported to FreeBSD too.
>
> It would be interesting to see if the Linux version would work
> on FreeBSD (via Linux ABI), because the file system access at
> this point is still "abstracted" to the running program.
>
>
> --
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
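Polytropon's point that proper write privilege is what limits how far an encrypter running under a compromised web application can spread is something that can be audited rather than assumed. The script below is an added example, not code from this thread, from Bitdefender, or from the FreeBSD project: it lists every path under a directory tree that any user on the system may write to (the "other" write bit, octal 002), returns non-zero when it finds one, and demonstrates the check on a constructed web-application tree in a temporary directory. The directory layout, file names and permission modes are made up for the demonstration.

```sh
#!/bin/sh
# Added example, not from the thread: audit a directory tree for paths that
# any user on the system may write to. A process compromised through a web
# application can only encrypt what its own account may write, so keeping
# code and configuration read-only for that account limits the damage.

# Print every path under $1 whose "other" write bit (octal 002) is set.
# Symbolic links are skipped: their own mode bits are meaningless on most systems.
# Returns 0 when nothing is world-writable, 1 otherwise.
audit_world_writable() {
    hits=$(find "$1" ! -type l -perm -002 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Same check, but only report the number of offending paths (handy in scripts).
count_world_writable() {
    find "$1" ! -type l -perm -002 2>/dev/null | wc -l | tr -d ' '
}

# Demonstration on a constructed tree (layout, names and modes are made up).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/htdocs/app" "$root/htdocs/uploads"
    chmod 755 "$root/htdocs" "$root/htdocs/app"
    printf '<?php\n' > "$root/htdocs/app/index.php"
    printf 'db_password=example\n' > "$root/htdocs/app/config.ini"
    chmod 644 "$root/htdocs/app/index.php"
    chmod 666 "$root/htdocs/app/config.ini"   # deliberately too loose
    chmod 1777 "$root/htdocs/uploads"         # deliberately too loose

    echo "Before hardening:"
    audit_world_writable "$root/htdocs" || echo "(world-writable paths found)"

    # Hardening: configuration readable only by owner and group, uploads
    # writable by owner and group only. Nothing under htdocs stays o+w.
    chmod 640 "$root/htdocs/app/config.ini"
    chmod 770 "$root/htdocs/uploads"

    echo "After hardening:"
    audit_world_writable "$root/htdocs" && echo "(no world-writable paths)"

    rm -rf "$root"
}

demo
```

Run it as `sh audit_write_privilege.sh` to see the before/after listing, or source the file and call `audit_world_writable` on a real document root. The check covers only the world-writable bit; what a particular service account may write also depends on ownership, which is the "account separation" part of the reply, and can be inspected with `find -user` or `find -group` combined with `-perm -200` or `-perm -020` respectively.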