
Wednesday, 19 November 2014

decode@india.com ransomware


If you get something like this:

Attention! Your computer was attacked by virus-encoder.

All your files are encrypted cryptographically strong, without the original key recovery is impossible!
To get the decoder and the original key, you need to to write us at the email decode@india.com with the subject "encryption" stating your id.
Write in the case, do not waste your and our time on empty threats. 

Responses to letters only appropriate people are not adequate ignore.

You probably already know that you are infected with the decode@india.com ransomware, and you will most probably search all the blogs and install all the tools they advertise, which do not remove anything, because as far as I can tell this ransomware deletes itself after the encryption.


Some antivirus vendors already detect the ransomware; you can have a look here (sample hash 5fab6fbdff1a72cd5eafdd27b5ee11a9):


What else can we say about this ransomware? First, about the infection and how it happens. A registry entry that exploits a vulnerability:

HKEY_CURRENT_USER\CONTROL PANEL\DESKTOP\TILEWALLPAPER = 48
HKEY_CURRENT_USER\CONTROL PANEL\DESKTOP\WALLPAPER = %APPDATA%\bytor.bmp

Here I noticed different locations for the files:

C:\Documents and Settings\<User>\Start Menu\Programs\Startup\Autostart\bytor.bmp
but also:
C:\Users\<User>\AppData\Roaming\bytor.bmp
C:\Documents and Settings\<User>\Start Menu\Programs\Startup\msiexec.exe 
or something like this
C:\Users\<User>\appdata\local\temp\vup.exe
C:\Windows\system32\isobwdev.exe
C:\Windows\SysWOW64\cleen.bat
C:\Users\rado\AppData\Local\Temp\oQ3jKRk.exe

The following files were temporarily written to disk then later removed:
C:\cleen.bat
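If you have a file listing or a registry export from a suspect machine, the paths above can be matched as indicators. The script below is an added example, not part of the original post or any AVZ script: it turns the paths listed above into case-insensitive patterns (the post lists the same folders in different casing, and NTFS does not care), lets the <User> placeholder match any profile name, and checks the Wallpaper value for the bytor.bmp ransom note. The file listing and registry values it runs on are constructed sample data, and a legitimate msiexec.exe under System32 is included to show that only the full path in the Startup folder is flagged.

```python
import re

# Path indicators taken from the post; <User> stands for the profile name.
IOC_PATHS = [
    r"C:\Documents and Settings\<User>\Start Menu\Programs\Startup\Autostart\bytor.bmp",
    r"C:\Users\<User>\AppData\Roaming\bytor.bmp",
    r"C:\Documents and Settings\<User>\Start Menu\Programs\Startup\msiexec.exe",
    r"C:\Users\<User>\appdata\local\temp\vup.exe",
    r"C:\Windows\system32\isobwdev.exe",
    r"C:\Windows\SysWOW64\cleen.bat",
    r"C:\Users\<User>\AppData\Local\Temp\oQ3jKRk.exe",
    r"C:\cleen.bat",
]


def ioc_to_regex(ioc):
    """Escape the literal path, let <User> match exactly one path component,
    and compare case-insensitively (NTFS is case-insensitive and the post
    itself spells the same folders differently)."""
    parts = [re.escape(p) for p in ioc.split("<User>")]
    return re.compile("^" + r"[^\\]+".join(parts) + "$", re.IGNORECASE)


IOC_REGEXES = [(ioc, ioc_to_regex(ioc)) for ioc in IOC_PATHS]


def match_paths(paths):
    """Return (observed path, matching indicator) for every hit, in input order."""
    hits = []
    for p in paths:
        for ioc, rx in IOC_REGEXES:
            if rx.match(p):
                hits.append((p, ioc))
                break
    return hits


def wallpaper_is_ransom_note(desktop_values):
    """desktop_values: value name -> data under HKCU\\Control Panel\\Desktop.
    True when the wallpaper points at the bytor.bmp ransom note."""
    lowered = {k.lower(): v for k, v in desktop_values.items()}
    return lowered.get("wallpaper", "").lower().endswith(r"\bytor.bmp")


# Constructed file listing from a hypothetical infected profile "alice".
SAMPLE_LISTING = [
    r"C:\Users\alice\AppData\Roaming\bytor.bmp",
    r"C:\Users\alice\AppData\Local\Temp\vup.exe",
    r"C:\Windows\System32\isobwdev.exe",
    r"C:\Windows\System32\msiexec.exe",          # legitimate, must not match
    r"C:\Users\alice\AppData\Local\Temp\setup.log",
    r"C:\Users\alice\Documents\report.docx",
]

# Constructed registry values, shaped like the post's Control Panel\Desktop entry.
SAMPLE_DESKTOP = {"TileWallpaper": "48", "Wallpaper": r"%APPDATA%\bytor.bmp"}

if __name__ == "__main__":
    for path, ioc in match_paths(SAMPLE_LISTING):
        print("HIT", path, "<-", ioc)
    print("ransom wallpaper:", wallpaper_is_ransom_note(SAMPLE_DESKTOP))
```

Matching on the full path rather than the file name is deliberate: msiexec.exe is a normal Windows binary, and it is only its presence in a Startup folder that the post treats as an indicator.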


Anything else we can say is that it pretty much resembles the functions of Cryptolocker, so if you would like to restore the files from shadow copies (Shadow Explorer), it is pointless. Read the following I found about Cryptolocker:


In addition to encrypting the files, the malware also executes several commands to make recovery of files even more difficult. The following command is executed to delete the volume's shadow copies, which removes Windows automatic volume backups:

vssadmin.exe Delete Shadows /All /Quiet
The following commands are also executed to disable the Windows Error Recovery screen at startup:
bcdedit /set {default} recoveryenabled No
bcdedit /set {default} bootstatuspolicy ignoreallfailures

The malware also attempts to disable the following services to reduce security, disable Windows updates, and disable error reporting in order to avoid detection:
wscsvc
WinDefend
wuauserv
BITS
ERSvc
WerSvc
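The commands and service names in the quoted Cryptolocker description are exactly the kind of thing a process-creation log (Sysmon event 1, or 4688 with command-line auditing) can be searched for after the fact. The following is an added example, not from the post or from any vendor: it classifies command lines for shadow copy deletion, the two bcdedit changes, and stop/disable attempts against the six listed services, and rates an alert higher when the parent process lives in a user-writable folder such as AppData or Temp. The events it runs on are constructed, the "net stop" and "sc config ... start= disabled" forms are my assumption about how a stop attempt would look (the quoted text does not say how the services are disabled), and the severity rule is a simple heuristic, since administrators also run vssadmin legitimately.

```python
import re

# Services the quoted text says the malware tries to disable.
SERVICES = {"wscsvc", "windefend", "wuauserv", "bits", "ersvc", "wersvc"}

# Command-line patterns from the quoted text.
RULES = [
    ("shadow copy deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("boot recovery disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("boot failure policy ignored",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
]

# Assumed forms of a service stop/disable: "net stop X", "sc stop X", "sc config X start= disabled".
SERVICE_STOP = re.compile(
    r"\b(?:net(?:\.exe)?\s+stop|sc(?:\.exe)?\s+(?:stop|config))\s+(\S+)", re.I)

# Parent images under these folders are a stronger signal than cmd.exe run by an admin.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Users\\[^\\]+\\Downloads)\\", re.I)


def classify(cmdline):
    """Return a short verdict for a suspicious command line, or None."""
    for name, rx in RULES:
        if rx.search(cmdline):
            return name
    m = SERVICE_STOP.search(cmdline)
    if m and m.group(1).lower() in SERVICES:
        return "security service tampering: " + m.group(1)
    return None


def scan(events):
    """events: (parent image path, command line). Returns
    (parent, command line, verdict, severity) for each suspicious event."""
    alerts = []
    for parent, cmd in events:
        verdict = classify(cmd)
        if verdict:
            severity = "high" if USER_WRITABLE.search(parent) else "medium"
            alerts.append((parent, cmd, verdict, severity))
    return alerts


# Constructed process-creation events (not real log data).
SAMPLE_EVENTS = [
    (r"C:\Users\alice\AppData\Local\Temp\vup.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    (r"C:\Users\alice\AppData\Local\Temp\vup.exe", "bcdedit /set {default} recoveryenabled No"),
    (r"C:\Users\alice\AppData\Local\Temp\vup.exe", "net stop WinDefend"),
    (r"C:\Windows\System32\cmd.exe", "net stop Spooler"),          # unrelated service
    (r"C:\Windows\explorer.exe", r"notepad.exe C:\notes.txt"),     # benign
]

if __name__ == "__main__":
    for parent, cmd, verdict, severity in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {verdict}: {cmd}  (parent: {parent})")
```

Stopping the Spooler service is not flagged because only the six listed services count; widening that set to every service stop would drown the signal in routine administration.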

What happens if you write to decode@india.com:
Hello. The cost of obtaining a decoder and a unique key is 1 Bitcoin.
_________________________________________________________________________________

Send us an example of an encrypted file, upload the file to sendspace.com and send us the link, we decrypt it and send it,

After payment we will send  decoder and unique password for your id. 
_______________________________________________________________________________

Payment can be made by exchanging e-currency you comfortable in your country on Bitcoin,
In exchange, you must specify our Bitcoin wallet, our Bitcoin Wallet is _____________________  repeat our Bitcoin Wallet is ________________________
After payment email us quoting the number Bitcoin wallet on which the payment was made and your id.

What can be done?
- Make regular backups.
- Patch your Windows.
- If you think an e-mail has a strange attachment, don't open it. If it is from someone you know, first verify that they really sent it.

Disinfecting (based on the information we have), supposing anything is left at all:

You will need AVZ4 (get it from http://www.z-oleg.com/secur/avz/download.php) and load a custom script (File > Custom scripts). Before loading, replace <User> with the profile name you use. This script might or might not work - use at your own risk!

begin
ExecuteAVUpdate;
ShowMessage('AVZ automatically will close all network connections.'+#13#10+'After restarting networks will be up.');
ExecuteFile('net.exe', 'stop tcpip /y', 0, 15000, true);
if not IsWOW64
  then
   begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(true);
   end;
ClearQuarantine;

// Stop the dropped binaries first so the files can be quarantined and deleted
TerminateProcessByName('C:\Documents and Settings\<User>\Start Menu\Programs\Startup\msiexec.exe');
TerminateProcessByName('C:\Users\<User>\appdata\local\temp\vup.exe');
TerminateProcessByName('C:\Windows\system32\isobwdev.exe');
TerminateProcessByName('C:\Windows\SysWOW64\cleen.bat');
TerminateProcessByName('C:\Users\<User>\AppData\Local\Temp\oQ3jKRk.exe');
// Copy every file into the AVZ quarantine before deleting it, so a sample is kept for analysis
QuarantineFile('C:\Documents and Settings\<User>\Start Menu\Programs\Startup\msiexec.exe', '');
QuarantineFile('C:\Users\<User>\appdata\local\temp\vup.exe', '');
QuarantineFile('C:\Windows\system32\isobwdev.exe', '');
QuarantineFile('C:\Windows\SysWOW64\cleen.bat', '');
QuarantineFile('C:\Users\<User>\AppData\Local\Temp\oQ3jKRk.exe', '');
QuarantineFile('C:\Users\<User>\AppData\Roaming\bytor.bmp', '');
DeleteFile('C:\Documents and Settings\<User>\Start Menu\Programs\Startup\msiexec.exe');
DeleteFile('C:\Users\<User>\appdata\local\temp\vup.exe');
DeleteFile('C:\Windows\system32\isobwdev.exe');
DeleteFile('C:\Windows\SysWOW64\cleen.bat');
DeleteFile('C:\Users\<User>\AppData\Local\Temp\oQ3jKRk.exe');
DeleteFile('C:\Users\<User>\AppData\Roaming\bytor.bmp');
// Remove the autostart entries and the ransom-note wallpaper
// (the value set by the malware is Control Panel\Desktop\Wallpaper = %APPDATA%\bytor.bmp)
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','vup');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','isobwdev');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','cleen');
RegKeyParamDel('HKEY_CURRENT_USER','Software\Microsoft\Windows\CurrentVersion\Run','oQ3jKRk');
RegKeyParamDel('HKEY_CURRENT_USER','Control Panel\Desktop','Wallpaper');
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
RebootWindows(false);
end.

After the restart you can collect a sample that you can send:
begin
CreateQurantineArchive(GetAVZDirectory+'sample.zip'); 
end.


Thursday, 6 November 2014

Dell Inspiron 1545 Goes into Sleep mode randomly

I had a case recently where a Dell Inspiron 1545 went into sleep mode randomly for no apparent reason, so I had to isolate the problem:

- I checked the Power settings
- Tested the memory
- Tested the hard drive

In the end it turned out to be the wristband on our colleague's hand, which had a magnet. We also found a spot where, if you hold the magnet close enough, it will put the laptop into sleep. It also seems that this is not an exception for any Dell Inspiron 1545.

References:
http://en.community.dell.com/support-forums/laptop/f/3518/t/19506101

PHP Project - system information on linux

This is a project I wrote a while ago, in 2012. The system is written in PHP and C++ and has a login and several sections: summary (overall summary), graphs (network graphs), log search, routes and traffic information, disk usage, etc. The C++ part contains a wrapper that collects all logs. The project is intended to be used as a console for Linux server monitoring. If you find this product interesting or would like to purchase it, please contact me here and we will discuss it further.

Screenshots (images not included): Login, Summary, Graphs, Search, Network Status, Process Tree, Disk Usage, Processes, Routes.

Thursday, 9 October 2014

.htaccess on UbuntuServer 14.04

I had to set up a web server pretty quickly. Unfortunately I lost time typing those commands rather than just copy-pasting them into the SSH session.

sudo apt-get update

sudo apt-get install apache2 mysql-server php5 php-pear php5-mysql

With this we are done with Apache. Now let us configure .htaccess:

In /etc/apache2
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>

Now let's generate an htpasswd file:
sudo htpasswd -c /var/.htpasswd-all <username>

Create the .htaccess file. Here we filter which files require authentication, but you can also match on part of the file name.

<FilesMatch "^(file1|file2|something3|something5|some7).*$">
AuthName "<username>"
AuthUserFile /var/.htpasswd-all
AuthType basic
Require valid-user
</FilesMatch>

Reload apache:
sudo /etc/init.d/apache2 reload
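Because the FilesMatch pattern above ends in ".*$", it protects every file whose name starts with one of the listed prefixes, not just the five files you had in mind, and it is case-sensitive on Linux. Before reloading it is worth checking which names in the directory end up protected. The script below is an added example (not from the post or from Apache): it applies the post's pattern to a constructed list of file names the way Apache does (a regex search against the base name), lists what stays unprotected, and builds an anchored pattern that matches exactly the intended files. One caveat that the post does not mention: AuthType basic only base64-encodes the password on the wire, so this setup belongs behind HTTPS.

```python
import re

# FilesMatch pattern from the post. Apache runs it as a search against the
# file's base name, so an unanchored pattern would match anywhere in the name.
FILES_MATCH = r"^(file1|file2|something3|something5|some7).*$"

# Constructed directory listing used for the check (not from the original post).
SAMPLE_FILES = [
    "file1.php",        # intended
    "file10.php",       # shares the prefix, protected by accident
    "File1.php",        # different case, NOT protected on Linux
    "old-file1.php",    # prefix not at the start, NOT protected
    "something5.bak",   # protected; a stray backup copy would be too
    "some7",
    "index.php",
]


def protected_files(names, pattern=FILES_MATCH):
    """File names Apache would require a valid user for under `pattern`."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


def unprotected_files(names, pattern=FILES_MATCH):
    """File names served without authentication; review before going live."""
    rx = re.compile(pattern)
    return [n for n in names if not rx.search(n)]


def exact_pattern(names):
    """A FilesMatch regex that protects exactly the given names: anchored at
    both ends, with re.escape keeping dots and other metacharacters literal."""
    return "^(" + "|".join(re.escape(n) for n in sorted(names)) + ")$"


if __name__ == "__main__":
    print("protected:  ", protected_files(SAMPLE_FILES))
    print("unprotected:", unprotected_files(SAMPLE_FILES))
    tight = exact_pattern(["file1.php", "file2.php"])
    print("tight pattern:", tight)
    print("protected with tight pattern:", protected_files(SAMPLE_FILES, tight))
```

Whether the prefix match is a problem depends on what else sits in the directory; the point of the check is to see the actual list rather than guess.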

References:
http://www.askapache.com/htaccess/htaccess.html#Password_Protect_wp-login-php
https://help.ubuntu.com/community/EnablingUseOfApacheHtaccessFiles
http://httpd.apache.org/docs/2.2/programs/htpasswd.html

Tuesday, 30 September 2014

iPad mini and iOS 8.0.2

Yesterday I tried upgrading the iOS version to 8.0.2 through iTunes. After this my device was bricked. However, the good thing is that recovering the device was quite simple. You can read the full instructions in the references, or read my short version here:

1. Get the firmware for the specific device. If in doubt, and if you still have the box, have a look there; I retrieved the exact model from it. Otherwise there is a Device ID you can probably look up.

2. Press the "home" and "power" buttons together for 10 seconds at which point you must release "power" but continue to hold "home". After about 15 seconds, the device will enter recovery mode.

If anything else is showing on the screen, such as the "connect to iTunes" logo, you got it wrong.

If I have to compare, it is much easier than flashing any Android device.

3. Stop all other services running that you won't need - virtualization software etc.

4. Hold down the shift key (on Windows) or the option key (on OSX) on your keyboard whilst clicking the "Restore" button in iTunes with your mouse. If you do this correctly, an Explorer or Finder window will pop up and allow you to navigate to the firmware 

References:
http://www.ipadforums.net/threads/official-apple-ios-firmware-download-links-for-ipad.24939/
http://www.ipadforums.net/threads/tutorial-failsafe-method-to-restore-the-current-version-of-ios.52863/
http://www.ipadforums.net/threads/ipad-4-update-error-4005.121699/

Monday, 8 September 2014

Backing up to FreeNAS with SSH, CIFS share

I wanted to have a backup of some files in our infrastructure on a CIFS share that can be both accessible on Windows and Linux. 

However, I had some issues: "cannot chmod target file", because I used mc on my mounted share. So I used SSH for my first copy, where I had another issue on FreeNAS: the service did not start from the web GUI, and I started investigating:

[root@itsoft ~]# /usr/sbin/sshd
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_dsa_key
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.

Well, that's not that bad; let's generate the keys and then turn on the service. sshd looks for the host keys at the exact paths it complained about, so they are written there with -f, and with an empty passphrase (-N '') because sshd cannot prompt for one:

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ''
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ''
ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''

On the host you want to copy from you can execute something similar:

scp -r /some/local/path user1@destination:/some/remote/path


And that's it about the SSH.

Now back to the share on FreeNAS. I had my share configured as shown (screenshot not included):
On the host you want to copy from (in my case an Ubuntu server) you will need this:
sudo apt-get install cifs-utils

In fstab add:
//<ip>/directory /mount/point cifs defaults,user=,password= 0 0

Notice the user and password here: I have left them blank so it writes as nobody. So where did the problem with mc come from? It is quite simple actually: when you press F5, untick the option "Preserve attributes".
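The blank user= and password= in the fstab line mean the mount is authenticated as nobody, so whoever can reach the share can do what the share's guest permissions allow; the other common shortcut, an inline password, puts the secret in a file every local user can read. The script below is an added example, not from the post or from FreeNAS: it parses an fstab excerpt and reports cifs entries that fall into either case, skipping entries that use a credentials= file, and separately checks that such a file is owner-only. The fstab text is constructed, with the post's own blank-credentials line as the first cifs entry.

```python
import stat

# Constructed /etc/fstab excerpt (not from the original post). The first cifs
# entry is the post's blank-credentials form; the others are for comparison.
SAMPLE_FSTAB = """\
/dev/sda1 / ext4 errors=remount-ro 0 1
//192.0.2.10/backup /mnt/backup-guest cifs defaults,user=,password= 0 0
//192.0.2.10/backup /mnt/backup cifs username=backup,password=S3cret 0 0
//192.0.2.10/backup /mnt/backup-cred cifs credentials=/root/.smbcred,uid=1000 0 0
"""


def parse_fstab(text):
    """Yield (device, mountpoint, fstype, options dict) for each real entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        opts = {}
        for opt in fields[3].split(","):
            key, _, value = opt.partition("=")   # "defaults" -> ("defaults", "")
            opts[key] = value
        yield fields[0], fields[1], fields[2], opts


def audit_cifs_mounts(text):
    """Return (mountpoint, problem) for cifs entries that authenticate as guest
    or embed a password in the world-readable fstab."""
    findings = []
    for _dev, mnt, fstype, opts in parse_fstab(text):
        if fstype != "cifs":
            continue
        if "credentials" in opts:
            continue  # secret kept in its own file; check it with credentials_mode_ok
        user = opts.get("username", opts.get("user"))   # cifs accepts both spellings
        if "guest" in opts or user == "":
            findings.append((mnt, "guest/anonymous mount: acts as nobody, so the "
                                  "share's guest rights decide who can read or alter the backup"))
        elif opts.get("password"):
            findings.append((mnt, "plaintext password in /etc/fstab; move it to a "
                                  "credentials= file with mode 0600"))
    return findings


def credentials_mode_ok(mode):
    """True when a credentials file has no group/other permission bits."""
    return stat.S_IMODE(mode) & 0o077 == 0


if __name__ == "__main__":
    for mnt, problem in audit_cifs_mounts(SAMPLE_FSTAB):
        print(f"{mnt}: {problem}")
    print("0600 ok:", credentials_mode_ok(0o600), " 0644 ok:", credentials_mode_ok(0o644))
```

For a backup target the guest mount is the finding that matters most: a read-only backup copy that any host on the LAN can overwrite or delete defeats the purpose of taking it.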

References:

http://technology.mattrude.com/2010/01/enable-ssh-no-password-authorization-with-freenas/
http://knowledgelayer.softlayer.com/procedure/mount-nas-storage-linux
http://stackoverflow.com/questions/13451974/how-to-execute-a-scp-command-with-the-user-name-and-password-in-one-line
http://askubuntu.com/questions/313093/how-do-i-mount-a-cifs-share-via-fstab-and-give-full-rw-to-guest

Friday, 29 August 2014

Vili's Blog

I just want to take my time to congratulate a friend of mine - Velislav Krastev on his new blog: http://vkrastev1blog.com/

He is working on a Bitcoin program; you can find his project here:

And as far as I can see, he has started to cover some pretty interesting subjects about Java in general :). Let us wish him luck with his new beginning.