Easter Egg locations remain safe, says Bunny spokesperson

Reports surfaced late today that the Easter Bunny had a minor incident while hiding the last of his eggs during his traditional Easter mission.

Every year the Easter Bunny travels the world hiding brightly colored eggs and baskets with goodies for children to discover on Easter morning.

“It would be a tragedy if the locations of all the eggs and baskets were disclosed,” said an anonymous parent representing a children’s rights group.

Unfortunately it appears that the Easter Bunny had stored all of his data and maps of where his eggs were placed in one basket.

Fortunately Naked Security was able to reach a spokesperson for the Easter Bunny, who assured us that the locations of the treats were fully encrypted on Mr. Bunny’s netbook.

“The Easter Bunny takes the joy of children seriously, and despite the loss of his maps, Easter will proceed normally,” said the spokesperson.

Creative Commons image of Polish pisanki (eggs) courtesy of Jarosław Pocztarski’s Flickr photostream.

Amazon.com Security Flaw Accepts Passwords That Are Close, But Not Exact

An Amazon.com security flaw allows some customers to log in with variations of their actual password that are close to, but not exactly, their real password.

The flaw lets Amazon accept as valid some passwords that have extra characters added on after the 8th character, and also makes the password case-insensitive.

For example, if your password is “Password,” Amazon.com will also let you log in with “PASSWORD,” “password,” “passwordpassword,” and “password12345.”

Wired has been able to confirm the flaw, which was first reported on Reddit. It appears to affect only older Amazon.com accounts, which have not had their passwords changed in the past several years.

Amazon did not respond to a request for comment.

Observers on Reddit speculate that Amazon was using the Unix crypt() function to encrypt older passwords, in addition to converting them to uppercase, before storing them in its servers. While encrypting stored passwords is a wise idea, crypt() truncates longer passwords, discarding anything after the 8th character. (It’s also relatively easy to crack, as Gawker Media recently found out when its crypt()-encrypted database of user passwords was published by hackers.) [1]

Since newer passwords are not affected by the flaw, Amazon appears to have corrected the problem for new passwords — but without updating the older, stored passwords.

The fix is straightforward for those with older passwords: Simply log on to Amazon.com, and change your password. You can even then change your new password back to your old password, and you’ll magically be safer than you were before.
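The behaviour described above, modelled as an added example: this is not Amazon's code, the uppercase-and-truncate scheme is the one the Reddit observers speculated about, and SHA-256 stands in for DES crypt() so the block runs on any platform. It shows which of the article's variants a legacy record accepts, and that re-setting the same password under a full-length, case-sensitive scheme rejects them.

```python
import hashlib
import hmac
import os

LEGACY_MAX = 8  # traditional DES crypt() only uses the first 8 characters


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Model of the speculated legacy scheme: uppercase, truncate, then hash.

    SHA-256 is a stand-in for DES crypt(); only the normalisation matters here.
    """
    normalised = password.upper()[:LEGACY_MAX].encode()
    return hashlib.sha256(salt + normalised).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """Full-length, case-sensitive hash using a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Hypothetical scheme registry used only by this example.
SCHEMES = {"legacy": legacy_hash, "modern": modern_hash}


def make_record(password: str, scheme: str) -> dict:
    """Create a stored credential record with a fresh random salt."""
    salt = os.urandom(16)
    return {"scheme": scheme, "salt": salt, "hash": SCHEMES[scheme](password, salt)}


def verify(record: dict, attempt: str) -> bool:
    """Re-hash the attempt under the record's scheme; constant-time compare."""
    candidate = SCHEMES[record["scheme"]](attempt, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


def accepted(record: dict, attempts: list[str]) -> list[str]:
    """Return the attempts that the stored record would let through."""
    return [a for a in attempts if verify(record, a)]


# Constructed inputs: the article's own variants plus two that should fail.
ATTEMPTS = ["Password", "PASSWORD", "password", "passwordpassword",
            "password12345", "passwor", "Passw0rd"]

if __name__ == "__main__":
    old = make_record("Password", "legacy")   # account whose password was never changed
    print("legacy accepts:", accepted(old, ATTEMPTS))
    new = make_record("Password", "modern")   # same password, re-set by the user
    print("modern accepts:", accepted(new, ATTEMPTS))
```

A legacy record cannot tell which accepted variant is the real password, which is why the stored value only improves once the user sets the password again.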

[1] This story originally misstated Gawker’s password security scheme. In fact, its passwords were stored using the same crypt() function mentioned in this story, and were only published after being decrypted by hackers.

Photo: An Amazon.com employee grabs boxes off the conveyor belt to load in a truck at their Fernley, NV warehouse. Scott Sady/AP.

Rampant Ransomware

Contemporary viruses are written to make money. They achieve this through extortion, information theft, and fraud. Threats that use extortion can be some of the most aggressive and, in some cases, offensive viruses encountered. These viruses are generally referred to as ransomware. This blog discusses some of the nastiest variants that have been encountered so far.

In your face!
Whilst by its nature ransomware is not subtle, certain variants are very obvious in their approach. They use a combination of shock and embarrassment in order to extort money from people. The most recent example of this is Trojan.Ransomlock.F. The Trojan.Ransomlock family is a particular type of ransomware, which locks a user’s desktop. Once the desktop has been locked, it is then no longer possible to use the computer as normal. To restore access to the desktop, one typically has to send a text message to a premium rate number. A message containing the unlock code is then – hopefully – sent back to the user. (Trusting someone who has just compromised your computer and is holding you to ransom is generally not very reliable.)

In the case of the Trojan.Ransomlock.F variant, not only does it lock the desktop, but it also changes the desktop background to an explicit pornographic image as in Figure 1 (censored!). This additional trick has been included by the authors of the threat in order to play on the user’s insecurities. Having a graphic pornographic image emblazoned across a monitor is guaranteed to give anyone a red face. They are less likely to seek technical help from another person to solve the problem in an effort to avoid embarrassment.

Figure 1 Censored Trojan.Ransomlock.F image (see translation of the message in Figure 2)


You surfed gay porn videos for three hours.
The free viewing time has expired.

To pay for the service, you need to make an online payment through the Beeline system to XXXXXXX for the amount of $400 USD.

Upon receipt of the payment you will be given an activation code.
Enter it in the box below and press Enter.

Figure 2 Translated Trojan.Ransomlock.F

A similar tactic is used by Infostealer.Kenzero. This threat masquerades as an adult game. When the Trojan is first executed, the user is asked to enter some personal information. It then monitors any pornographic Internet pages visited by the user and uploads the list of pages to a certain website. The user is then threatened with exposure of this list, in association with their personal information, if a sum of money is not paid. Again, the threat plays on a person’s embarrassment in order to extort money.

Another approach that ransomware threats typically employ is holding a user to ransom for files on their computer. This is a relatively common tactic, but has evolved over the years, utilizing encryption in smarter ways. The general approach is to search for files on the compromised computer. When user-specific files such as .doc, .xls, .jpg, etc. are found, they are then encrypted by the threat. The encryption renders the files inaccessible. Only by obtaining the correct key can the files be decrypted and accessed. Of course, to get the key, the owner of the compromised computer has to pay out.

A classic implementation of this can be seen in Trojan.GPCoder.E. This Trojan generates an encryption key specific to the compromised computer. It then checks to see if the system date is after July 10th, 2007. If so, a comprehensive list of files is searched for and encrypted using the generated key. Furthermore, a message (Figure 3) is left in each folder where a file has been encrypted.

Hello,    your   files   are   encrypted   with   RSA-4096   algorithm  (http://en.wikipedia.org/wiki/RSA).
  You  will  need  at least few years to decrypt these files without our software.  
  All  your  private  information  for  last  3  months  were collected and sent to us.
  To decrypt your files you need to buy our software. The price is $300.
  To  buy  our software please contact us at: [MAIL_ADDRESS] and provide us your  personal code [PERSONAL_CODE].
  After successful purchase we will send your  decrypting  tool, and your private information
  will be deleted from our system.
  If  you  will not contact us until 07/15/2007 your private information will be shared and you will lost all your data.
                Glamorous team

Figure 3 Ransom message

Luckily, this threat did not use RSA, as it claimed (or a grammar-checker for that matter), and stored the generated encryption key in the registry. Therefore, it was possible for the user to retrieve the key from the registry and the files could then be successfully decrypted.

Unfortunately, a more recent implementation has proven to be much smarter and uses a more advanced encryption technique. Trojan.GPCoder.G uses the public key algorithm, RSA. The local files are initially encrypted using a symmetric encryption algorithm with a random key. This random key is then in turn encrypted by the public key of an RSA key pair. Without the private key from this key pair, it is not possible to obtain the symmetric key in order to decrypt the files. The owner of the compromised computer must send the encrypted symmetric key, along with the ransom, to the malware authors. They decrypt the symmetric key and return it. This process is illustrated in Figure 4. The user can then decrypt their files. There is no way to bypass this technique. Unfortunately, unless the ransom money is sent to the malware authors (which has no guarantee of success), the only way to retrieve the encrypted files is from backup. Always back up!

Figure 4 Trojan.GPCoder.G process

Boot blocking
The most basic computer resource that an attacker can attempt to obtain a ransom for is access to the operating system itself. No operating system means no antivirus and no assistance from the Internet. Trojan.Bootlock achieves this by overwriting the master boot record (MBR) with custom code. The MBR is responsible for starting a computer’s operating system. By overwriting it with custom code, the malware authors deny a user access to the operating system. Instead the user is greeted with the message in Figure 5.

Figure 5 Trojan.Bootlock

The web page that is referenced in the message demands payment of $100 to obtain the password. Contrary to what the attackers claim, however, the hard drive is not encrypted and can still be accessed offline. The MBR can be repaired and the threat removed using the Norton Bootable Recovery Tool.

As always, the best way to defend against such threats is up-to-date antivirus and a regular backup routine. Thanks to the various engineers whose analysis made up this article, including Paul Mangan, Yousef Hazimee, Karthik Selvaraj, Fergal Ladley, and Elia Florio.