Jump to content

Linux hit by crypto-ransomware - but attackers botch private key


Recommended Posts



"Attackers are demanding one Bitcoin from web admins to unlock files infected by a new ransomware variant for Linux machines.


Admins are facing a variant of Linux malware that encrypts files on infected web servers. But the good news for now is the private key that locks down those files is predictable.


The crypto-ransomware is aimed at Linux system administrators and demands exactly one Bitcoin to restore access to key files. One Bitcoin was worth about $420 last week but is currently $375.


According to Russian antivirus firm Dr Web, which labeled the ransomware Linux.Encode.1, the files it encrypts suggests the main target is website administrators whose machines have web servers deployed on them.


The malware first encrypts directories for home, root, MySQL, ngnix, and Apache and then moves on to encrypt files for web apps, backups, Git projects and numerous other files with specific extensions, such as .exe, .apk and .dll.

The company said previous attacks on web servers have exploited a flaw in the Magento content-management system, so that could be how Linux machines are being infected.


At the end October, Magento warned users to install a bundle of patches, which included a fix for a remotely-exploitable bug that gave access to system files in some server configurations.


The company said it expected automated attacks on Magento installations following the publication of the issue by the security researcher who reported the bug.


Security vendor BitDefender has also analysed the Linux.Encoder.1 malware and said it was extremely similar to more widespread ransomware for Windows machines, such as CryptoLocker and TorLocker, which have reportedly made tens of millions of dollars for their operators.


However, the makers of this sample made a "million-dollar flaw", namely a predictable RSA key, which allowed the company to create an automated decryption tool available here: http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/


The company's researchers reverse-engineered the sample and discovered it was not generating secure random keys and IVs.


"This is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the RSA public key sold by the Trojan's operator(s)."


Although Linux users are lucky they don't need to pay up to reclaim their files, the ransomware adds to the list of recent attacks on Linux machines, albeit poorly configured ones, whose connectivity is harvested for use in distributed denial of service attacks or spreading malware for Windows."


The whole article is here: http://www.zdnet.com/article/crypto-ransomware-strikes-linux-but-attackers-botch-private-key/?tag=nl.e539&s_cid=e539&ttag=e539&ftag=TRE17cfd61

Link to comment
Share on other sites

Sorry Pieere, Just another Linux scare article from a Windows publication...


Step one in the infection here is to gain root access, step two is to install the software. The problem is gaining the root access which as far as I can see this software package has no method of doing.


Gaining root access on a properly set up Linux box is difficult, if it was easy folks like the NYSE, Google, Amazon and other big players wouldn't use it. Once root access is gained the user has permission to do anything, they could install this or any other piece of software they wanted to. If I had root access to a Linux server with mayhem in mind I'd pick one of the hundreds of better attack programs already out there. But I'm not going to get root access and neither are most other folks unless someone does something really dumb when setting up their server.


Good scary story though, just make sure to hold your flashlight under your chin as you tell it around the campfire so you have a matching scary face. :-)

Link to comment
Share on other sites


Linux still has a lot of security by obscurity. A large part of the Linux crowd are folks running servers and in IT. The rest are folks who are either young kids inheriting or resurrecting older systems for lack of cash, the feeling of accomplishment that they did it themselves, or both.


Linux servers get the most attacks, individual home systems rarely ever get attacked. Windows gets the bulk of the Desktop and laptop attacks. Android gets most of the phone and tablet attacks with iOS right behind, and my Windows phone is getting security by obscurity as it has about the same market share as OSX has in conventional computers. And the vast majority of Windows security vulnerabilities are avoidable just by keeping Windows systems updated and Flash updated with Windows 7 and Vista. It gets updated with the monthly Windows Updates in Win 8/8.1/10.


I too prefer Windows and others don't.

Link to comment
Share on other sites


Your source? Since when is ZDNET a Windows publication?


You miss this above?


"The company said previous attacks on web servers have exploited a flaw in the Magento content-management system, so that could be how Linux machines are being infected.


At the end October, Magento warned users to install a bundle of patches, which included a fix for a remotely-exploitable bug that gave access to system files in some server configurations."


This a Windows pub too? http://magento.com/security/patches/supee-6788---addresses-vulnerability-zend-framework


I may have missed something. Your source?



Link to comment
Share on other sites

Linux and other *nix operating systems are far from perfect. The recently discovered bash security exploit (aka ShellShock) was an example of a massive hole that has been in place for years. Large companies with massive *nix implementations spend plenty of money watching for attacks, maintaining patches and dealing with compromises. Since I started working with computers before Microsoft or Unix existed I got to watch security flaws exploited on machines with magnetic core memory. I have also watched APT attacks in progress.


Security is managing risk against reward. Most hackers today are monetizing their successes. I have been doing this long enough to not want to make blanket statements. If you ask me my first choice on an OS that needs to be secure it would not be Linux or Windows (in most cases).

Link to comment
Share on other sites

Hi Al, welcome to the forums!


I'm primarily Windows environment for personal use. I try to pass along current threats and reminders that practices and keeping the systems used patched and updated whether writing those patches yourself as an engineer/open source contributor, or just a user like me. User online behavior, and having a fully up to date system are security one and two. Antimalware programs are third tier of security IMO, and still fail when the user overrides a warning thinking it was a false positive.


As an Industrial Engineer I am also familiar with needs analysis. Cost/benefit models always depend on who worked up the math, the IT guys or the executive officers at their golden parachute dart board. ^_^;)


I look forward to your posts here.

Link to comment
Share on other sites

BREAK .........BREAK.........FOLKS


You think Crypto-Spyware Hacke-Geeks are BAD........Take heed of the problems that many folks face.........


Wife 1.0 Software

Dear Tech Support:
Last year I upgraded from Girlfriend 7.0 to Wife 1.0. I soon noticed that the new program began unexpected child processing that took up a lot of space and valuable resources.
In addition, Wife 1.0 installed itself into all other programs and now monitors all other system activity.
Applications such as Poker Night 10.3, Football 5.0, Hunting and Fishing 7.5, and Racing 3.6 no longer run, crashing the system whenever selected. I can't seem to keep Wife 1.0 in the background while attempting to run my favourite applications. I'm thinking about going back to Girlfriend 7.0, but the uninstall doesn't work on Wife 1.0.
Please help!


A Troubled User.

Dear Troubled User:
This is a very common problem that men complain about.
Many people upgrade from Girlfriend 7.0 to Wife 1.0, thinking that it is just a Utilities and Entertainment program.
Wife 1.0 is an OPERATING SYSTEM and is designed by its Creator to run EVERYTHING!!! It is also impossible to delete Wife 1.0 and to return to Girlfriend 7.0. It is impossible to uninstall, or purge the program files from the system once installed.
You cannot go back to Girlfriend 7.0 because Wife 1.0 is designed to not allow this.
Look in your Wife 1.0 manual under Warnings-Alimony/Child Support." I recommend that you keep Wife1.0 and work on improving the situation. I suggest installing the background application "Yes Dear" to alleviate software augmentation.
The best course of action is to enter the command C: .. APOLOGIZE. Because ultimately you will have to give the APOLOGIZE command before the system will return to normal anyway.
Wife 1.0 is a great program, but it tends to be very high maintenance. Wife 1.0 comes with several support programs, such as Clean and Sweep 3.0, Cook It 1.5 and Do Bills 4.2.
However, be very careful how you use these programs. Improper use will cause the system to launch the program Nag Nag 9.5. Once this happens, the only way to improve the performance of Wife 1.0 is to purchase additional software. I recommend Flowers 2.1 and Diamonds 5.0 !
DO NOT, under any circumstances, install Secretary With Short Skirt 3.3. This application is not supported by Wife 1.0 and will cause irreversible damage to the operating system.
Best of luck,

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

This topic is now closed to further replies.
RVers Online University


Our program provides accurate individual wheel weights for your RV, toad, and tow vehicle, and will help you trim the pounds if you need to.

Dish For My RV.

RV Cable Grip

RV Cable Grip

All the water you need...No matter where you go

Rv Share

RV Air.

Find out more or sign up for Escapees RV'ers Bootcamp.

Advertise your product or service here.

The Rvers- Now Streaming

RVTravel.com Logo

  • Create New...