Most Wanted Linkedin Hacker gets Extradition from Czech Court

By

-

May 31, 2017

Most Wanted Linkedin Hacker gets Extradition from Czech Court, the court didn’t define to which country it is.

AleksandrovichNikulin was captured while on vacation in Prague in October 2016, in view of a global warrant issued by the US. The FBI blamed Nikulin for hacking LinkedIn, Dropbox, and Formspring in the traverse of five months in 2012.

Some of this information wound up on the web, by means of sites like LeakedSource. Nevertheless, he has over and over denied all allegations.

Through his legal advisors and Russian authorities, Nikulin asserted to have no PC skills.They say Nikulin was not a hacker and that his life spun around purchasing and offering luxury cars.

Nikulin’s Russian legal advisor, Vladimir Makeyev, said Nikulin was “useless with computers” and, a long way from being a super-programmer was equipped for checking his email and no more.

Nikulin Claims FBI demanded to admit hacks

FBI Special Agent Jeffrey Miller, proof depends on “witness interviews including secret sources, ISP records, court-approved electronic interceptions, and different sources”.

A portion of the electronic captures were messages from the Gmail record of Alexei Belan who is Top 10 FBI’s most wanted list.

Nikulin wrote in a letter from jail that Miller requested him to concede hacking the DNC servers and guaranteed him good treatment on the off chance that he acknowledged competing.

But he dismisses the offer. His legal counselor showed that Nikulin was not a programmer, but rather only a victim of an FBI plot.

Mark Galeotti, a senior security specialist at the Institute of International
Relations Prague says "An FBI agent traveling from the US to a third country as
part of an extradition request is extremely unusual and highlights that the case
is seen as significant," Galeotti said to Guardian.

As indicated by US authorities, these hacks have channeled cash into Nikulin’s lavish life. Russian media has archived Nikulin’s way of life in articles, exhibiting his cars and friendship with different offspring of the Russian political elite.

Then again, Nikulin contended that he profited as a mechanic, by buying and selling cars, and not from hacking.

Nikulin has stopped an interest against the relocation choice, and his case will go to the Czech High Court for another arrangement of hearings.

Also Read

6 Critical RCE and Buffer Overflow Vulnerabilities in IBM Informix Dynamic Server and Informix Open Admin Tool

By

Balaji

-

May 31, 2017

6 Critical RCE and Buffer Overflow Vulnerabilities in IBM Informix Dynamic Server and Informix Open Admin Tool

IBM Informix Dynamic Server and Informix Open Admin Tool contains 6 Critical Vulnerabilities including RCE and a Buffer overflow in HEAP.

IBM Informix Dynamic Server for high-volume online Data server for transaction processing (OLTP), integrated applications, and now breathtakingly fast data warehouse/analytical workloads.

IDS is well known for its hands-free administration. To make server administration even easier, a new open source, a platform-independent tool called OpenAdmin Tool (OAT) is now available to IDS users.

6 Vulnerabilities are identified as Very Critical which leads to attackers execute the code Remotely and take over the full control of the IBM Informix Tools and Unauthenticated heap buffer overflow.

IBM Informix (OLTP) and (OAT) Vulnerabilities:

Unauthentication static PHP code injection that leads to remote code execution
Heap buffer overflow
Remote DLL Injection that leads to remote code execution (1)
Remote DLL Injection that leads to remote code execution (2)
Remote DLL Injection that leads to remote code execution (3)
Remote DLL Injection that leads to remote code execution (4)

Unauthentication static PHP code injection

Unauthentication static PHP code injection Vulnerability offers a SOAP interface by invoking welcomeService.php.

Static PHP code injection used into the “saveHomePage” method. By this Method, ‘config.php‘ can be accepting the Arbitrary Code Execution Which is leads to access remotely by an attacker. Visit for Full Technical Details.

Vulnerable code – C:\Program Files (x86)\IBM Informix Software Bundle\OAT\Apache_2.2.22\htdocs\openadmin\services\welcome\welcomeService.php

Buffer overflow in Heap

According to Securiteam, IBM Informix Dynamic Server Developer is defenseless against Unauthentication heap buffer overflow.

By submitting association parameters to index.php, through the “server” property, it is conceivable to trigger a heap buffer overflow weakness into the fundamental PHP Informix augmentation (php_pdo_informix.dll).

Remote DLL Injection leads to remote code execution

Vulnerability Discovered in IBM Informix Dynamic Server Developer submitting connection parameters to index.php, setting the ‘act‘ parameter to ‘login‘ and the ‘do‘ one to ‘testconn‘, it is possible to inject arbitrary statements into a connection string for the underlying Informix database.Visit for POC.

Remote code execution (2)

According to Securiteam ,”By submitting a SOAP request to oliteService.php, specifying ex. the ‘canConnectToIDS‘ method, it is possible to inject arbitrary parameters into adatabase connection string for the underlying Informix database.”

“It is possible to inject ex. the ‘TRANSLATIONDLL‘ parameter and, if this parameter points to a dll into an existing remote network share, the dll will be injected into the remote Apache process.If malicious code is contained into the dll entry point, this will be executed instantly.”

Remote code execution (3)

There are 2 Specific methods of flows Discovered in IBM Informix Dynamic Server Developer

MACH11Server.php allows to insert a row into the underlying SQLite Database without prior authentication, by sending a specific SOAP request to MACH11Service.php and specifying the ‘addServerToCache‘ method.
pinger.php construct a connection string for the underlying Informix database, based on the row previously inserted. Given this it is possible to inject the ‘TRANSLATIONDLL‘ property into this connection string and to cause the Apache process to load the pointed dll from a remote network share controlled by the attacker.

Remote code execution (4)

securiteam Explined ,By contact the ‘adminapiService.php‘ SOAP interface and constructing a proper request to this endpoint, with the ‘createSBSpace‘ method specified, it possible to inject parameters into a connection string for the underlying Informix database.

According to tro IBM, all the Vulnerabilities has been Patched.

You can visit here for Full technical analysis and POC

Also Read

Serious Threat: A multi-component Trojan from Linux.LuaBot family infecting Linux devices

By

Priya James

-

May 29, 2017

Serious Threat: A multi-component Trojan from Linux.LuaBot family infecting Linux devices

Security Experts from Doctor Web have analyzed a complex multi-part Trojan that taints Linux devices having different hardware architectures.

The Trojan contaminates devices having the accompanying models: Intel x86 (and Intel x86_64), MIPS, MIPSEL, Power PC, ARM, SPARC, SH4, and M68k—as such, PCs, as well as a wide exhibit of switches, set-beat boxes, organize stockpiles, IP cameras and other Appliances.

Analysts effectively denoted the primary assaults of this Trojan from Linux.LuaBot family in December 2016 these Trojans are written in the scripting language Lua.

From December 2016 it expand constantly and has 31Lua scripts(like async.lua, bencode.lua, bfssh.lua)

Attacking Mechanism

Each script involved into Linux.LuaBot is interconnected, these trojan have a pool of IP address to launch a brute force attack utilizing an exceptional wordlist.

These scripts can determine network architecture and furthermore able to detect honeypots. Moreover, the attacks are performed through Telnet and SSH protocols, a different Lua script is in charge of the operation of these protocols.

If attacked through Telnet it will install a piece of software first, which then downloads the original trojan.
When attacked via SSH the Trojan will be loaded immediately.

You can refer to Detailed Technical Analysis from Dr.Web. Security Experts collected IP address of the device Infected, here you see the graphical representation.

multi-component Trojan Linux.LuaBot — **Geographic Distribution** Source: Dr.Web

C&C Communication process

One of the Linux.LuaBot modules is a completely functional web server that works by means of the HTTP protocol. The server can save an application on the contaminated device and execute it.

At that point Linux.LuaBot will communicate with C&C server through HTTP protocol. All the data it transmits are encrypted, a P2P network through BitTorrent DHT protocol is utilized to scan for configuration files and modules, this function handled by a different script.

More than that, a digital signature is utilized to confirm the authenticity of sent and received the message.

In the event that if the P2P system is inaccessible a different script utilizes other infected hubs to update Linux.LuaBot by downloading its files to infected devices.

Once the Trojan Linux.LuaBot activated, it will execute the commands issued by attackers.

Also read

Beware: Malicious Payload “Hworm” Dropped Through Embedded Youtube Video’s

By

Balaji

-

May 27, 2017

Beware: Malicious Payload “Hworm” Dropped Through Embedded Youtube Video’s

A Malware called Hworm Performing multiple Attacks including steal passwords from Firefox, Opera, and Chrome browsers, ability to log keystrokes, kill running process, capture a Screen by making use of the backdoor.

This Malware initially identified June 2016 and keep observed by researchers and finally find it as it Emerged day by day.

According to Research by Paloalto, The group of samples has common delivery mechanisms, lures and decoy file themes, payloads (Hworm), as well as control infrastructure.

This Hworn identified Payload file as SFX file format and original filenames of these delivery files are related to political figures and groups in the Middle East and the Mediterranean.

File samples:

Mohamed Dahlan Abu Dhabi Meeting.exe
فضيحة من العيار الثقيل اردوغان يشرب الخمر.exe
صراعات داخلية في صفوف الاخوان المسلمين.exe
عملية اغتيال الدكتور محمد كمال.scr
الملك عبد الله يهدد دول الخليج ويتوعد دحلان.exe
بالفيديو امير سعودي يهين مواطنين على الهواء.scr

Payload Embedded with Youtube Videos

Once SFX file Executed it opens a decoy document, video, or URL, and eventually executes an Hworm payload in the background.

According to the finding, its very similar as Above Mentioned URL’s.

One of the that Samples Displays a youtube video which is having embedded payload.

According to Paloalto, When the .url file is opened, the above YouTube video is displayed as a decoy. It is unclear at this time if the uploader of this video has any relation to this particular attack.

A particular Version of Hworm states that ,Some previous versions would embed AutoIT scripts in resource sections of PE files while others would execute obfuscated VBS scripts. Some previous versions of the Hworm implant would embed data in the headers of HTTP requests or POST bodies as a method of command and control. Beacons of that HTTP protocol example are easily recognized by the use of ‘<|>’ as a delimiter and the URI of the request. This new version of Hworm uses a mixed binary and ASCII protocol over TCP

Payload Indicate VBS file “The VBS file is used to load and inject the implant. It appears that the operators behind the above attack either chose to not use the VBS loader or the newer versions of the builder no longer produce a VBS script.“

Detailed Technical Analysis from Paloalto Explained about VBS Here.

The following modules provide features of this malware

These are the important Futures that Hworm

•Screenshot: Provides the ability to capture screenshots in JPEG/BMP formats

•Keylogger: Provides the ability to log key strokes

•Internet IO: Provides the ability to download and execute files from the Internet. It also provides the ability to load the executables via the RunPE technique

•File Manager: Provides the ability to list files and directories, delete, rename, and execute files, and upload or download files via TCP or HTTP

•Password: Provides the ability to steal passwords from Firefox, Opera, and Chrome browsers

•Misc: Provides the ability to list processes or modules and kill running processes

•USB Notifier: Provides the ability to notify the controller when a USB device is attached

•Houdini Client: Provides the main client, which contains the server’s configuration.

Also Read:

WordPress AffiliateWP Plugin Vulnerable for Cross-Site Scripting

By

Gurubaran

-

May 27, 2017

WordPress AffiliateWP Plugin Vulnerable for Cross-Site Scripting

Amid the security review of AffiliateWP plugin for WordPress CMS, Security Vulnerabilities was found utilizing DefenseCode ThunderScan by Neven Biruski in application source code security testing phase.

Vulnerability Description

XSS is a very commonly exploited vulnerability type which is very widely spread and easily detectable.

An attacker can inject untrusted snippets of JavaScript into your application without validation. This JavaScript is then executed by the victim who is visiting the target site.
Read More about XSS.

In the event that the administrator of the site makes a request to such a URL, the attacker’s code will be executed, with unlimited access to the WordPress site being referred to. The attacker can attract the administrator to visit the URL in different ways, including sending the URL by email, posting it as a piece of the comment on the vulnerable site or another way.

For More information Refer DefenseCode Advisories.

Application Overview

As per the plugin creators, AffiliateWP is a simple to-utilize, solid WordPress module that gives you the affiliate marketing tools that used to develop your business and profit. In 2016 it outperformed $500,000 in yearly income.

Solution

The bug has been reported to Vendor by Defense code and they released a fix on 2017/05/17. So the solution is simple, you need to update to the latest available version of AffiliateWP plugin.

Beware: New Google Play Store Android Malware called “Judy” Infected Around 8.5 to 36.5 Million Users

By

Balaji

-

May 26, 2017

Beware: New Google Play Store Android Malware called “Judy” Infected Around 8.5 to 36.5 Million Users

A New Android Malware Called “Judy” found in google play store infected 41 Apps which all are created by a Korean company. This “Judy” Malware is an auto-clicking adware which leads to forcing the users to Click the ads.

This Malware performing plenty of fraudulent clicks on advertisements Generated by infected applications for increasing the revenue for Malware Authors.

As per the Estimation is done by Checkpoint, “Judy” Malware Reached Around 8.5 and 36.5 million users around the world.its makes a big issue for users who all are affected by this infection since it has done a huge amount of reach.

This Malware was found on 41 apps developed by a Korean company. Playstore Malware like HummingBad, FalseGude, Dridex is threatening in a similar way of infection and especially Android users.

“Judy” Malware Downloads Estimated between 4.5 million and 18.5 million Android Users and Few apps are surviving in play store in many years.

Judy Malware in Playstore (Source: checkpoint)

How does Judy work?

A bridgehead app use for establishing a connection into victims Device which has been Bypassed the Play store Protection and inserted into app store.

The C&C server connection will Establish once user a user Downloads a Malicious App.

According to Checkpoint ,The server replies with the actual malicious payload, which includes JavaScript code, a user-agent string and URLs controlled by the malware author. The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website.

JavaScript code is used to locate and click on banners from the Google ads infrastructure.so once click the ads then malware authors will receive a payment from the Website Developers.

“Judy” Infected Apps and counts

According to Checkpiont Estimated Downloads of Judy Malware,

Package name	App name	Date	Min	Max
air.com.eni.FashionJudy061	Fashion Judy: Snow Queen style	24.3.17	100,000	500,000
air.com.eni.AnimalJudy013	Animal Judy: Persian cat care	14.4.17	100,000	500,000
air.com.eni.FashionJudy056	Fashion Judy: Pretty rapper	24.3.17	50,000	100,000
air.com.eni.FashionJudy057	Fashion Judy: Teacher style	24.3.17	50,000	100,000
air.com.eni.AnimalJudy009	Animal Judy: Dragon care	14.4.17	100,000	500,000
air.com.eni.ChefJudy058	Chef Judy: Halloween Cookies	10.4.17	100,000	500,000
air.com.eni.FashionJudy074	Fashion Judy: Wedding Party	7.4.17	50,000	100,000
air.com.eni.AnimalJudy036	Animal Judy: Teddy Bear care	16.4.17	5,000	10,000
air.com.eni.FashionJudy062	Fashion Judy: Bunny Girl Style	24.3.17	50,000	100,000
air.com.eni.FashionJudy009	Fashion Judy: Frozen Princess	7.4.17	50,000	100,000
air.com.eni.ChefJudy055	Chef Judy: Triangular Kimbap	10.4.17	50,000	100,000
air.com.eni.ChefJudy062	Chef Judy: Udong Maker – Cook	10.4.17	10,000	50,000
air.com.eni.FashionJudy067	Fashion Judy: Uniform style	24.3.17	10,000	50,000
air.com.eni.AnimalJudy006	Animal Judy: Rabbit care	14.4.17	100,000	500,000
air.com.eni.FashionJudy052	Fashion Judy: Vampire style	24.3.17	100,000	500,000
air.com.eni.AnimalJudy033	Animal Judy: Nine-Tailed Fox	18.4.17	100,000	500,000
air.com.eni.ChefJudy059	Chef Judy: Jelly Maker – Cook	10.4.17	50,000	100,000
air.com.eni.ChefJudy056	Chef Judy: Chicken Maker	10.4.17	50,000	100,000
air.com.eni.AnimalJudy018	Animal Judy: Sea otter care	14.4.17	100,000	500,000
air.com.eni.AnimalJudy035	Animal Judy: Elephant care	16.4.17	5,000	10,000
air.com.eni.JudyHappyHouse	Judy’s Happy House	10.4.17	100,000	500,000
air.com.eni.ChefJudy036	Chef Judy: Hotdog Maker – Cook	29.3.17	50,000	100,000
air.com.eni.ChefJudy063	Chef Judy: Birthday Food Maker	10.4.17	50,000	100,000
air.com.eni.FashionJudy051	Fashion Judy: Wedding day	20.4.17	100,000	500,000
air.com.eni.FashionJudy058	Fashion Judy: Waitress style	24.3.17	10,000	50,000
air.com.eni.ChefJudy057	Chef Judy: Character Lunch	10.4.17	100,000	500,000
air.com.eni.ChefJudy030	Chef Judy: Picnic Lunch Maker	10.4.17	500000	1000000
air.com.eni.AnimalJudy005	Animal Judy: Rudolph care	14.4.17	100,000	500,000
air.com.eni.JudyHospitalBaby	Judy’s Hospital:pediatrics	10.4.17	100,000	500,000
air.com.eni.FashionJudy068	Fashion Judy: Country style	24.3.17	10,000	50,000
air.com.eni.AnimalJudy034	Animal Judy: Feral Cat care	16.4.17	10,000	50,000
air.com.eni.FashionJudy076	Fashion Judy: Twice Style	20.4.17	100,000	500,000
air.com.eni.FashionJudy072	Fashion Judy: Myth Style	20.4.17	50,000	100,000
air.com.eni.AnimalJudy022	Animal Judy: Fennec Fox care	14.4.17	100,000	500,000
air.com.eni.AnimalJudy002	Animal Judy: Dog care	14.4.17	100,000	500,000
air.com.eni.FashionJudy049	Fashion Judy: Couple Style	24.3.17	100,000	500,000
air.com.eni.AnimalJudy001	Animal Judy: Cat care	14.4.17	100,000	500,000
air.com.eni.FashionJudy053	Fashion Judy: Halloween style	7.4.17	100,000	500,000
air.com.eni.FashionJudy075	Fashion Judy: EXO Style	7.4.17	50,000	100,000
air.com.eni.ChefJudy038	Chef Judy: Dalgona Maker	28.3.17	100,000	500,000
air.com.eni.ChefJudy064	Chef Judy: ServiceStation Food	10.4.17	10000	50000
air.eni.JudySpaSalon	Judy’s Spa Salon	10.4.17	1,000,000	5,000,000
Total			4,620,000	18,420,000

Also Read:

Millions of Android Phones including latest Versions Vulnerable to Cloak & Dagger attack

By

Gurubaran

-

May 26, 2017

Millions of Android Phones including latest Versions Vulnerable to Cloak & Dagger attack

Cloak & Dagger attack discovered by security experts from Georgia Institute of Technology, which allows attackers to get complete control over your device.

These attack just require two permission that, in the event that the application is installed from the Play Store, the client does not require to grant permission and even the users are not notified.

Users don’t get notified about this malicious activity, and it will affect all the versions of Android including (including the latest version, Android 7.1.2).

Permissions for Takeaway

Permission abused by Cloak and Dagger attacks

SYSTEM_ALERT_WINDOW (“draw on top”).
BIND_ACCESSIBILITY_SERVICE (“a11y”).

If the user installed the malicious app from Google play store, the user’s not required to give any permission to get succeed with this attack, and it doesn’t show any indication to the user.

In this situation “draw on top” is simply possible, and this authorization is sufficient to bait the client into unconsciously enabling a11y (through clickjacking).

The conceivable attacks incorporate progressed clickjacking, unconstrained keystroke recording, stealthy phishing, the quiet establishment of a God-mode application (with all authorizations permissions), and silent phone crack + arbitrary activities (while keeping the screen off).

Possible attacks due to Permission Issue

Security experts from Cloak & Dagger highlighted various possible attacks due to this permission issues:

“draw on top” permission

Context-aware clickjacking & Context hiding (Enabling accessibility).
Invisible Grid Attack (keyboard Sniffer).

“accessibility service” permission

Keystroke recording.
Web exploration.
Ad hijacking.
Device unlocks through PIN Injection.
Hijacking two-factor Auth Tokens.

With Both permissions

Silent installation.
Stealthy phishing.

Video PoC of the attacks by security experts at Cloak and Dagger.

Infected version

Android 5.1.1 (32.0%*)
Android 6.0.1 (31.2%)
Android 7.1.2 (7.1%)

Recommended for users

Security specialists from Cloak and Dagger recommend users to check which applications approach the “draw on top” and the a11y authorizations.

To moderate the issue and cripple the Cloak and Dagger assaults in Android 7.1.2 it is conceivable to disable the “draw on top” permission:

Android 7.1.2   Settings → Apps → "Gear symbol" → Draw over Other Apps.

Also Read

A Malvertiser called “RoughTed” Bypass Ad-blocker and Get Half a Billion visits in 3 Months

By

Balaji

-

May 25, 2017

A Malvertiser called “RoughTed” Bypass Ad-blocker and Get Half a Billion visits in 3 Months

A Malvertiser called “RoughTed” Successfully Bypass the Ad-Blockers and Delivery Malicious Payloads into the visitors Operating Systems and Browsers which is used to visit the “RoughTed” Malvertiser Contain websites.

RoughTed used to Generate a huge amount of traffic by Bypass the Ad-Blockers and it contains many malicious Payloads to inject into visitors host.

RoughTed related domains used to generate half a billion hits and many successful Compromises has been identified within 3 months and Traffic comes from thousands of publishers, some ranked in Alexa’s top 500 websites by Malwarebytes Research Team.

Malvertiser Using Content Delivery Network (CDN)(Distributed network of proxy servers) to Bypass the tracking and multiple ad redirections from several ad exchanges which makes more difficult to identify the source of their malvertising activity.

This malvertising campaign traffic generated by displaying ads in more than 1000 of Websites and it redirect into a Malicious site that contains Malicious Payloads to distribute across the visitors Operating Systems and Browsers.

Redirection Chain Process

According to Malwarebytes Researchers, a Domain Called roughted[.]com performing a redirection chain by using “Magnitude exploit kit via its pre-filtering gate”.

               roughted.com/?&tid=645131&red=1&abt=0&v=1.10.59.18

The majority of the Malicious Domain which is used by Malvertiser has been created via the EvoPlus registrar.

These domains are used by Malvertiser as a gateway used to bypass ad-blockers.

Afer few Days research was done by malwarebytes team, they find few more same URL structure which is same as roughted[.]com structure which I Mentioned above.

Image source: Malwarebytes

RoughTed Spreading to Publishers

Publisher providers of content (news, media files, etc.) which drive people to visit them regularly and paid to the Registered user who all are willing to advertise the ads in their Website.

There are top some top Ranking Publishers are being used for the RoughTed battle originates from gushing video or record sharing locales intently entwined with URL shorteners.

Visitors to these sites are targeted with ads and in some cases, some that belong to the RoughTed campaign. Malwarebytes said

These Domains are ranking in below 1000 in Alexa Record.

Important Highlights by Malwarebytes

Traffic comes from thousands of publishers, some ranked in Alexa’s top 500 websites.
RoughTed domains accumulated over half a billion visits in the past 3 months alone.
Threat actors are leveraging fingerprinting and ad-blocker bypassing techniques upstream.
RoughTed can deliver a variety of payloads for each platform: scams, exploit kits, and malware.

you can Visit Malwarebytes for full Technical Writeup.

Also Read

Trend Micro ServerProtect Contains Multiple Critical Arbitrary Code Execution Vulnerabilities including XSS and CSRF

Android Application Penetration Testing Part – 4

200 Million Downloaded video players including VLC Player are vulnerable to Malicious subtitles Attack -A Complete Takeover Attack

Decryptor tool for BTC ransomware released – Avast

By

Gurubaran

-

May 25, 2017

Decryptor tool for BTC ransomware released – Avast

BTC ransomware was distributed using traditional methods embedding the malicious file in the body of the email or sending them directly as an attachment.

It doesn’t use any well-known vulnerabilities to replicate as like we saw with WannaCry and EternalRocks.

This ransomware was distributed through well know file extensions like (.doc,.jpg,.jpeg,.mp4,.PSD,.pfx,.pdf) and so on. Once it infected it will rename the file in following format FileName.Extension.[Email].Ext2.

Once entered into the system it will generate a random password(unique per machine) and with the password, an encryption key will be generated.

It will then encrypted with a public key(hardcoded in the binary) and dispense a user ID in ransom files.

The encrypted symmetric key is kept as a base64-encoded string %USERPROFILE%\Desktop\key.dat.The ransomware uses MS CryptoAPI for encrypting files.

Once the encryption process completed it will set a wallpaper on your desktop like this.

BTC Decryptor tool from Avast

Security Expert Ladislav Zezula from Avast comes up with the decryptor tool for BTC ransomware. Click here to Download BTC Decrypter.

You can use it to decrypt files from Local drives, Network drives, and Folders, we also need to upload original along with the decrypted file, both of them should match.

On could sixteenth, 2017, the master private key was revealed by BleepingComputer. But the master key was not used in the Decrypter tool.

Instead, they used brute force Methods to retrieve the passwords that used by ransomware to Encrypt the files.

Also Read

Trend Micro ServerProtect Contains Multiple Critical Arbitrary Code Execution Vunerabilities including XSS and CSRF

By

Balaji

-

May 24, 2017

Trend Micro ServerProtect Contains Multiple Critical Arbitrary Code Execution Vunerabilities including XSS and CSRF

A Trend Micro product ServerProtect for Linux 3.0 Contain 6 Major and very critical vulnerabilities Discovered. ServerProtect Protecting against viruses, rootkits, and data-stealing malware while simplifying and automating security operations on servers and storage systems.

This 6 vulnerabilities allowing remote code execution as root in the Victims Machine by via Man-in-the-Middle Attack and exploiting vulnerabilities in the Web-based Management Console.

Trend Micro’s ServerProtect uses insecure update mechanism which leads to override the Sensitive information including binaries, and achieve remote code execution as root.

According to Coresecurity Release,

Core issues of this vulnerabilities Discovered in ServerProtect sections 7.1 and 7.2 which has allow an attacker in a man-in-the-middle position to gain root access.
Exploiting vulnerabilities 7.3, 7.4, or 7.5, an attacker would be able to set an arbitrary download source and trigger the vulnerable update mechanism.
privilege escalation vulnerability is presented in section 7.6 that allows a local user to run commands as root.

Insecure Update via HTTP (CVE-2017-9035)

Update servers of ServerProtect communicate by unencrypted HTTP Channel By Default which leads to Bypass and temper the updating data’s while on HTTP Communication with the ServerProtect .

GET /activeupdate/ini_xml.zip HTTP/1.1
Host: splx3-p.activeupdate.trendmicro.com:80
User-Agent: Mozilla/4.0 (compatible;MSIE 5.0; Windows 98)
Accept: */*
Pragma: No-Cache
Cache-Control: no-store, no-cache
Connection: close
X-Trend-ActiveUpdate: 2.85.0.1097

This Vunerability Placed on this Product by lack of certificate validation.

Unvalidated Software Updates (CVE-2017-9034)

Except the size described in the server.ini file none of Update package are signed in any other form.

This Vulnerability leads to Attackers overwrite sensitive files in the ServerProtect’s directory.

Proof of Concepts done by the coresecurity Researchers ,malicious shared object file would result in command execution as root .

Lack of CSRF Prtection (CVE-2017-9033)

This would allow an attacker to submit authenticated requests when an authenticated user browses an attack-controlled domain.

Lacking of Anti-CSRF tokens in any forms on the web interface which leads to Exicute the CSRF in authenticated user browser.

XSS in notification.cgi(CVE-2017-9037)

According to coresecurity Proof of Concept, A script notification.cgi existing in the ServerProtect are vulnerable to XSS.

https://<server IP>:14943/SProtectLinux/notification.cgi?Scan_config3=ON&textfield5=100&D1=60&
T114=[SPLX]+Security+risk+outbreak+subject&textarea=A+security+risk+outbreak+was+detected&
Scan_config=ON&T115=[SPLX]+Security+risk+infection+subject&S2=Security+risk+infection(s)+detected&
Scan_config4=ON&T116=[SPLX]+Real-time+scan+configuration+modified&S3=The+real-time+scan+configuration+
was+modified&Scan_config5=ON&T117=[SPLX]+ServerProtect+was+started&S4=ServerProtect+was+started&
Scan_config55=ON&T117117=[SPLX]+ServerProtect+was+stopped&S44=ServerProtect+was+stopped&
Scan_config2=ON&T113=7&T118=[SPLX]+Pattern+file+is+outdated&S5=Pattern+file+is+outdated&
CHK_ptn_update=ON&T_ptn_update=[SPLX]+Pattern+update+unsuccessful&S_ptn_update=Pattern+update+
unsuccessful&CHK_action_fail=ON&T_action_fail=[SPLX]+Action+performed+on+malware+unsuccessful&
S_action_fail=Action%20performed%20on%20malware%20unsuccessful%3C%2fscript%3E%3Cimg%20src%3da%20onerror%3d
alert(1)%3E&B22=Save&page=Alerts.htm&action=save&tmLastConfigFileModifiedDate=123

XSS in log_management.cgi (CVE-2017-9032)

A parameters of the log_management.cgi script are vulnerable to cross-site scripting.

https://<server IP>:14943/SProtectLinux/log_management.cgi?T1=%2fvar%2flog%2fTrendMicro%2fSProtectLinux%3c%2f
script%3e%3cimg%20src%3da%20onerror%3dalert(1)%3et&B2=Save&Type=9&sCreateDirectoryIfNotExist=&
goBackDoNotAsk=0&tmLastConfigFileModifiedDate=123

Privilege escalation in Unrestricted quarantine directory (CVE-2017-9036)

By exploiting the earlier mentioned vulnerabilities of both XSS and CSRF leads to change Quarantine directory unauthenticated user .

Quarantine directory set in file system location by Web-based Management Console.

According to coresecurity Quarantine files are owned by root and its permissions are changed to 0600. This effectively allows a local user to write the file that is put in quarantine to an arbitrary location with root permissions, which could lead to privilege escalation.

This 6 Major vulnerabilities discover by Leandro Barragan and Maximiliano Vidal from Core Security Consulting Services.

According to Trend Micro all the vulnerabilities are Patched and updates has been released .