BreachExchange mailing list archives
PHP ransomware attacks blogs, websites, content managers and more…
From: inga () riskbasedsecurity com (Inga Goddijn)
Date: Wed, 2 Mar 2016 19:07:01 -0600
https://nakedsecurity.sophos.com/2016/03/02/php-ransomware-attacks-blogs-websites-content-managers-and-more/

Most file-scrambling ransomware <https://nakedsecurity.sophos.com/?s=ransomware> is written for Windows computers <https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/>, although it can encrypt files anywhere they're writable, including Macs, file servers and cloud storage sites.

We've seen a few attempts at both Android <https://nakedsecurity.sophos.com/2014/07/25/android-fbi-lock-malware-how-to-avoid-paying-the-ransom/> and Linux <https://nakedsecurity.sophos.com/2015/11/11/ransomware-meets-linux-on-the-command-line/> ransomware.

And, if you cast your mind back, you may remember that the very first ransomware, more than 25 years ago, was the AIDS Information Trojan <https://nakedsecurity.sophos.com/2012/09/25/ransomware-would-you-pay-up/>, that ran on good old MS-DOS.

Now, sadly, we've got a whole new sort of ransomware, written in PHP.

What is PHP?

PHP is a programming language intended to help you produce dynamically-generated content on your web server, typically by embedding PHP commands inside your HTML pages.

Before the page is sent out by the server, the PHP script parts are executed, and replaced in the final page with the output from the script.

In the input file below, for example, the part between <?php and ?> is run by the PHP processor…

…and converted into output that looks something like this:

Many, if not most, web servers make use of PHP, automatically processing files with a .php extension before they are served up.

PHP is sort-of like JavaScript, except that the script processing is done on the server before the page goes out. JavaScript, in contrast, is sent to your browser and the script processing is done inside the browser after the page is received but before it is displayed.

PHP malware

Notably, most content management systems, such as WordPress, Joomla and Drupal, use PHP.
In other words, if a crook has your blog password and can upload files to your server, or if you have an unpatched server plugin that allows him to modify files that are supposed to be write-protected, and he can alter one or more of your PHP files…

…then he can install a payload on your website that will trigger whenever anyone happens to visit the booby-trapped page.

Indeed, he can activate the payload himself at will by accessing the page himself in what appears to be an entirely innocent web request.

That's how the malware known as *Troj/PHPRansm-B* works.

It infects your server by means of a file called index.php that contains:

- File encrypting and decrypting code using PHP.
- Style-sheet information using CSS, plus inline images.
- A "pay page" using HTML and JavaScript.

The file encryption doesn't happen every time the page is viewed, only when the crook himself submits a specially-formatted upload request in which he specifies two passwords, a "test" password and a "full" password.

Once the encryption is kicked off, two randomly-chosen files are encrypted with the test password, and the rest with the full password. (The encryption uses the AES cipher in CBC mode.)

Anyone else visiting the page — embarrassingly, this may very well include your prospects and customers — will see a warning page like this:

*Troj/PHPRansm-B "pay page" from 2016*

Simply put, you need to fork over BTC 0.4 (0.4 bitcoins, currently about $170) to get the full password back from the crooks.

You may recognise the name "CTB-Locker" from the pay page: that name was also used by the crooks behind a widespread Windows ransomware campaign <https://blogs.sophos.com/2015/12/31/the-current-state-of-ransomware-ctb-locker/> back in 2014.
(You can read about the Windows version of CTB-Locker and other ransomware variants in the SophosLabs paper *The Current State of Ransomware* <https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-current-state-of-ransomware.pdf?la=en>, published in December 2015.)

If you need convincing that paying up is likely to work, you can click on the [Free decrypt] button to upload the "test" files that were encrypted with the test password.

Even if you use a web debugger to intercept the free decryption function, and successfully extract the test password from memory, it won't help you to unscramble any of your other files.

And there's even a [Chat] window where you can communicate with the crooks:

    Chat room
    If you have any questions or suggestions, please leave a english message below.
    To prove that you are an administrator, you must specify the name of the secret file that is in same directory with index.php.
    We will reply to you within 24 hours.

What to do?

- *Pick a proper password for your web server, content management system or blog.* We shouldn't have to say this, but don't choose the same password that you have used anywhere else.
- *Consider using two-factor authentication.* This usually works by sending you an SMS, or requiring you to run a special code-generating app on your phone, with a one-time code to complete your login. This means your password alone is not enough.
- *Review all your server access permissions.* Make sure that guest users, for example, can't modify files they aren't supposed to.
- *Make sure your server is patched against security holes.* This means updating the operating system, your blogging or web server software, the PHP application, your site's themes and plugins, and much more.
- *Run a real-time anti-virus on your server.* Yes, even if it's Linux. Especially if it's Linux.
By the way, Sophos Anti-Virus for Linux <https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx> is 100% free for desktops and servers, at work and at home.
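The article describes a compromise that leaves exactly three traces on the server: a rewritten index.php, a writable PHP file the dropper could reach, and content that now calls AES encryption routines. The script below is an added example (mine, not code from the Naked Security article, from Sophos, or from the malware) of the defender-side check that catches all three: a SHA-256 baseline of the web root diffed against the current tree, a scan for PHP files writable by group or others (the "review all your server access permissions" item), and a grep for the PHP crypto calls a file-encrypting payload would need. The web root, the sample plugin, the upload, and the inert lookalike index.php are all constructed inside the script so it runs offline; the indicator list is my assumption about what to look for, not a published signature.

```python
"""Baseline-and-diff integrity check for a PHP web root (added illustration).

Three checks a web admin can run after reading about a dropped index.php:
  1. hash every file and diff against a stored baseline,
  2. list PHP files that group or others may write,
  3. flag PHP files that call AES/mcrypt encryption or eval a decoded blob.
Everything under the web root is constructed below for the demonstration.
"""
import hashlib
import json
import re
import stat
import tempfile
from pathlib import Path

# Assumed indicators (not a vendor signature): calls a file-encrypting PHP
# payload would need, plus the common eval-of-obfuscated-blob wrapper.
# A hit is a reason to read the file, not proof of infection.
INDICATORS = [
    ("openssl_encrypt", re.compile(rb"\bopenssl_encrypt\s*\(")),
    ("mcrypt_encrypt", re.compile(rb"\bmcrypt_encrypt\s*\(")),
    ("eval of decoded blob",
     re.compile(rb"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(")),
]

# Constructed, deliberately incomplete stand-in for a dropped index.php:
# it only has the shape the article describes (two POSTed passwords, AES-CBC).
CONSTRUCTED_PAYLOAD_SHAPE = (
    b"<?php\n"
    b"// constructed lookalike for the demo; not functional\n"
    b"$test = $_POST['test']; $full = $_POST['full'];\n"
    b"$out = openssl_encrypt($data, 'aes-256-cbc', $full, OPENSSL_RAW_DATA, $iv);\n"
)


def hash_tree(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 hex digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Files added, removed, or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def writable_php(root: Path) -> list:
    """PHP files writable by group or others: one such file is all a dropper needs."""
    return [p.relative_to(root).as_posix() for p in sorted(root.rglob("*.php"))
            if p.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH)]


def suspicious_php(root: Path) -> dict:
    """PHP files matching any indicator, with the names of the indicators hit."""
    hits = {}
    for p in sorted(root.rglob("*.php")):
        data = p.read_bytes()
        names = [name for name, rx in INDICATORS if rx.search(data)]
        if names:
            hits[p.relative_to(root).as_posix()] = names
    return hits


def _write(path: Path, data: bytes, mode: int = 0o644) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    path.chmod(mode)


def run_demo() -> dict:
    """Construct a web root, baseline it, simulate the compromise, report findings."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    _write(root / "index.php", b'<?php echo "Hello, world"; ?>\n')
    _write(root / "wp-content/plugins/demo/demo.php",
           b"<?php function demo_hook() { return 1; }\n")
    _write(root / "uploads/photo.jpg", b"\xff\xd8\xff not really a jpeg\n")
    baseline = hash_tree(root)  # in practice: stored off-box, read-only

    # Simulated compromise: index.php replaced and left world-writable by a
    # careless plugin, one upload scrambled and renamed.
    _write(root / "index.php", CONSTRUCTED_PAYLOAD_SHAPE, mode=0o666)
    (root / "uploads/photo.jpg").unlink()
    _write(root / "uploads/photo.jpg.enc", b"\x00\x01 ciphertext placeholder\n")

    return {
        "diff": diff_baseline(baseline, hash_tree(root)),
        "writable_php": writable_php(root),
        "suspicious_php": suspicious_php(root),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On a real site the baseline belongs somewhere the web server user cannot write (a separate host, or a read-only volume), otherwise the same foothold that rewrites index.php can rewrite the baseline to match. Cache and upload directories churn constantly and will need an allow-list; the PHP files themselves should change only when you deploy, which is why the diff is so high-signal for them.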