Friday, 19 May 2017

WannaCry Decryption Tool Released - Unlock Data Without Paying Ransom









Although, some file format issue happened with the exported key that didn’t make it compatible with other tools such as wanadecrypt from Benjamin Delpy (@gentilkiwi) on Windows XP, as the Windows Crypt APIs on Windows XP are expecting a very strict input to work unlike Windows 10.

This method relies on finding prime numbers in memory if the memory hasn’t be reused — this means that after a certain period of time memory may get reused and those prime numbers may be erased. Also, this means the infected machine should not have been rebooted.

After reading all the above paragraphs, you might still be wondering - What is this..! So, let me make you understand this using how this tool works. It would be easier for to understand.

How the WannaCry Decryptor works?

First of all, to understand how to decrypt a file, one should know how the file was encrypted... The same was done by security expert "Guinet".
The WannaCry's encryption scheme works by generating a pair of keys on the victim's computer that rely on prime numbers, a "public" key and a "private" key for encrypting and decrypting the system’s files respectively.
To prevent the victim from accessing the private key and decrypting locked files himself, WannaCry erases the key from the system, leaving no choice for the victims to retrieve the decryption key except paying the ransom to the attacker.

Click to view full size image
The above image contains the source code of the file which starts the encryption process inside a system.

But here's the kick: WannaCry "does not erase the prime numbers from memory before freeing the associated memory," says Guinet.

Based on this finding, Guinet released a WannaCry ransomware decryption tool, named WannaKey, that basically tries to retrieve the two prime numbers, used in the formula to generate encryption keys from memory.
Hence, the basic idea of this tool is to fetch the prime numbers -which were used to form the private key- from the memory space. Hence, this would only be possible if the numbers in memory are not lost.


  • The affected computer has not been rebooted after being infected.
  • The associated memory has not been allocated and erased by some other process.








  1. Download wanakiwi here
  2. wanakiwi.exe needs to be in the same folder as your .pky file when you launch it
  3. Have luck so that your prime numbers haven’t been overwritten from the process address space.

Wednesday, 17 May 2017

WannaCry 2.0 - It's not over yet..!






hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
The above-mentioned domain is responsible for keeping WannaCry propagating and spreading like a worm, as I previously explained that if the connection to this domain fails, the SMB worm proceeds to infect the system.

Fortunately, MalwareTech registered this domain in question and created a sinkhole – tactic researchers use to redirect traffic from the infected machines to a self-controlled system. (read his latest blog post for more details.)





  • If you receive WannaCry via an email, a malicious torrent, or other vectors (instead of SMB protocol).
  • If by chance your ISP or antivirus or firewall blocks access to the sinkhole domain.
  • If the targeted system requires a proxy to access the Internet, which is a common practice in the majority of corporate networks.
  • If someone makes the sinkhole domain inaccessible for all, such as by using a large-scale DDoS attack.
MalwareTech also confirmed that "Mirai botnet skids tried to DDoS the [sinkhole] server for lulz," in order to make it unavailable for WannaCry SMB exploit, which triggers infection if the connection fails. But "it failed hardcore," at least for now.

In short, we just need to know that if the sinkhole server becomes inaccessible, then none can stop the power of WannaCry. Though one can be safe using the prevention measures mentioned in this article.

WannaCry 2.0 - The Ransomware with no kill-switch




"The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host," Microsoft says.

WannaCry's Success Rate..!


Sunday, 14 May 2017

Protect against WannaCry Ransomware: Microsoft issues Patch for Unsupported Windows (XP, Vista, 8,...)








Fortunately, Windows 10 customers were not targeted in Friday’s attack. In March, Microsoft patched the vulnerability that the ransomware exploits—but only for newer Windows systems. That’s left older Windows machines, or those users who failed to patch newer machines, vulnerable to Friday’s attack. Hence if your are running on newer Windows version like Windows 10, then you are safe..!


Now to see how to prevent from getting your PC affected with WannaCry, first we should know how it works. So let us see it first.

How WannaCry works?

Such ransomware infection typically leverages social engineering or spam emails as a primary attack vector, tricking users into downloading and executing a malicious attachment.

WannaCry is also leveraging one such social engineering trick, as FoxIT researchers uncovered one variant of the ransomware that is initially distributed via an email containing a link or a PDF file with payload, which if clicked, installs WannaCry on the targeted system.

Once executed, the self-spreading WannaCry ransomware does not infect the targeted computers immediately, as malware reverse engineers found that the dropper first tries to connect the following domain, which was initially unregistered:
hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

If the connection to the above-mentioned unregistered domain fails (which is obvious), the dropper proceeds to infect the system with the ransomware that would start encrypting files.

But if the connection is successful, the dropper does not infect the system with the WannaCry ransomware module.

How to prevent getting affected by WannaCry Ransomware?

"In other words, blocking the domain with firewall either at ISP or enterprise network level will cause the ransomware to continue spreading and encrypting files," Microsoft warned.
If infected, the malware scans the entire internal network and spread like a worm into all unpatched Windows computers with the help of SMB vulnerability.

The SMB vulnerability has been identified as EternalBlue, a collection of hacking tools allegedly created by the NSA and then subsequently dumped by a hacking group calling itself "The Shadow Brokers" over a month ago.


Top 7 Steps that can protect you from WannaCry Ransomware

Currently, there is no WannaCry decryption tool or any other solution available, so users are strongly advised to follow prevention measures in order to protect themselves.
  • Keep your system Up-to-date: First of all, if you are using supported, but older versions of Windows operating system, keep your system up to date, or simply upgrade your system to Windows 10.
  • Using Unsupported Windows OS? If you are using unsupported versions of Windows, including Windows XP, Vista, Server 2003 or 2008, apply the emergency patch released by Microsoft today.
  • Enable Firewall: Enable firewall, and if it is already there, modify your firewall configurations to block access to SMB ports over the network or the Internet. The protocol operates on TCP ports 137, 139, and 445, and over UDP ports 137 and 138.
  • Disable SMB: Follow steps described by Microsoft to disable Server Message Block (SMB). (Click here to get easy steps..)
  • Keep your Antivirus software up-to-date: Virus definitions have already been updated to protect against this latest threat.
  • Backup Regularly: To always have a tight grip on all your important files and documents, keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.
  • Beware of Phishing: Always be suspicious of uninvited documents sent an email and never click on links inside those documents unless verifying the source.

Important Update:

WannaCry Ransomware spreads all over the world..! - Everything you need to know


Organizations in dozens of countries have all been hit with the same ransomware program, a variant of "WannaCrypt," spouting the same ransom note and demanding $300 for the encryption key, with the demand escalating as time passes.

What has happened?

On May 12, 2017 a new variant of the Ransom.CryptXXX family (Detected as Ransom.Wannacry) of ransomware began spreading widely impacting a large number of organizations, particularly in Europe.

England's healthcare system came under a withering cyberattack Friday morning, with "at least 25" hospitals across the country falling prey to ransomware that locked doctors and employees out of critical systems and networks. It's now clear that this is not a (relatively) isolated attack but rather a single front in a massive digital assault.

A few hours ago, Spain’s Computer Emergency Response Team CCN-CERT, posted an alert on their site about a massive ransomware attack affecting several Spanish organizations. The alert recommends the installation of updates in the Microsoft March 2017 Security Bulletin as a means of stopping the spread of the attack.

So now as we have seen what has really happened in past few days, let us see the complete details of this ransomware and steps we should perform to protect ourselves from this attack.

What is WannaCry?

WannaCry encrypts data files and ask users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted.

Click to view full size image
 It also drops a file named !Please Read Me!.txt which contains the ransom note.

Click to view full size image
The tool was designed to address users of multiple countries, with translated messages in different languages.

Click to view full size image

Note that the “payment will be raised” after a specific countdown, along with another display raising urgency to pay up, threatening that the user will completely lose their files after the set timeout. Not all ransomware provides this timer countdown.

To make sure that the user doesn’t miss the warning, the tool changes the user’s wallpaper with instructions on how to find the decryptor tool dropped by the malware.

Click to view full size image
For command and control, the malware extracts and uses Tor service executable with all necessary dependencies to access the Tor network. Hence, the IP address is hard to trace. Also, the malware is not spread through a single PC. Instead, they attackers used botnets to spread it and that makes it hard to be traced back.

The file extensions that the malware is targeting contain certain clusters of formats including:
  1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  2. Less common and nation-specific office formats (.sxw, .odt, .hwp).
  3. Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
  4. Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  6. Developers’ sourcecode and project files (.php, .java, .cpp, .pas, .asm).
  7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  8. Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
  9. Virtual machine files (.vmx, .vmdk, .vdi).
WannaCry encrypts files with the following extensions, appending .WCRY to the end of the file name.

Countries infected with WannaCry

Currently, more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world are recorded. Most of them happened in Russia. It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher.

Click to view full size image

How does it work?

The infection vector appears to work through a known vulnerability, originally exploited as "ETERNALBLUE" and developed by the National Security Agency. That information was subsequently leaked by the hacking group known as The Shadow Brokers which has been dumping its cache of purloined NSA hacking tools onto the internet since last year.

The virus appears to have originally spread via email as compressed file attachment so, like last week's Google Docs issue, make sure you confirm that you email's attachments are legit before clicking on them. Once it's on one system, it can easily spread across private networks using a flaw in the Windows SMB Server. (To know more about Windows SMB Zero-day Attack, click here.)

Once a vulnerable PC becomes infected, the computer will attempt to spread to other machines over the local network as well as over the internet. The ransomware will specifically scan for unpatched machines that have the Server Message Block vulnerability exposed.

Windows SMB Server flaw allows unauthorized remote access to PCs in the network, using the infected PCs as Botnets. Hence, this vulnerability is exploited and ransomware is spread.

Also, make sure your computers are using software that's still receiving security updates, and that you've installed the latest updates available. Microsoft released a fix for the exploit used as a part of its March "Patch Tuesday" release, but unpatched Windows systems remain vulnerable.

As this article is too long, I will post the steps to prevent yourself from this attack in my next article. So stay tunned..!

If you have any extra information that you would like to share, or if you want to make discussion on a topic, just post comments in the comment box provided below and I will surely help you out.!

Update: Wrote an article on how to prevent yourself from being encrypted via WannaCry Ransomware. To read the article, click here...!

Monday, 8 May 2017

Wiklileaks Claimed CIA's MitM Tool Used To Attack Computers On LAN..!


Wikileaks has published a new batch of the Vault 7 leak, detailing a man-in-the-middle (MitM) attack tool allegedly created by the United States Central Intelligence Agency (CIA) to target local networks.

Wikileaks has done this before too..! A month ago, they leaked the Vault 7 of CIA's Hacking Tools. And here they are again with a new tool of Vault 7. Since March, WikiLeaks has published thousands of documents and other secret tools that the whistleblower group claims came from the CIA. (Click here.. to read more about the tools in vault 7.)

This latest batch is the 7th release in the whistleblowing organization's 'Vault 7' series.

Dubbed Archimedes, the newly released CIA tool, dumped on Friday, purportedly used to attack computers inside a Local Area Network (LAN).

According to the leaked documents, this MitM tool was previously named 'Fulcrum' but later was renamed to 'Archimedes' with several improvements on the previous version, like providing a way to "gracefully shutting down the tool on demand," and adding "support for a new HTTP injection method based on using a hidden iFrame."

The leaked documents describe Archimedes as a tool that lets users redirect LAN traffic from a targeted computer through a malware-infected computer controlled by the CIA before the traffic is passed on to the gateway, which is known as man-in-the-middle (MitM) attack.
 
The manual itself explains how Archimedes works: "Archimedes is used to redirect LAN traffic from a target’s computer through an attacker controlled computer before it is passed to the gateway. This enables the tool to inject a forged web server response that will redirect the target’s web browser to an arbitrary location. This technique is typically used to redirect the target to an exploitation server while providing the appearance of a normal browsing session."
 
The tool in itself is very simple without any extraordinary capabilities, as there are many MitM tools available on the Internet that anyone can be download and use it to target users on the local network.

Rendition Infosec founder Jake Williams also pointed out that the tool is not even originally developed by the CIA, rather appears to be a repackaged version of Ettercap – an open source toolkit for MitM attacks.

Williams also noted that the potential CIA targets could even use the leaked information to see whether their computers had been targeted by the agency.
 
Announcing the latest batch of documents -- a series of guides to using Archimedes -- WikiLeaks says:
Today, May 5th 2017, WikiLeaks publishes "Archimedes", a tool used by the CIA to attack a computer inside a Local Area Network (LAN), usually used in offices. It allows the re-directing of traffic from the target computer inside the LAN through a computer infected with this malware and controlled by the CIA. This technique is used by the CIA to redirect the target's computers web browser to an exploitation server while appearing as a normal browsing session.
The document illustrates a type of attack within a "protected environment" as the tool is deployed into an existing local network abusing existing machines to bring targeted computers under control and allowing further exploitation and abuse.
 
Last week, WikiLeaks dumped source code for a more interesting CIA tool known as "Scribbles," a piece of software allegedly designed to embed 'web beacons' into confidential documents, allowing the spying agency to track insiders and whistleblowers.

Since March the Whistleblowing website has published 7 batches of "Vault 7" series, which includes the latest and last week leaks, along with the following batches:
  • "Year Zero" – dumped CIA hacking exploits for popular hardware and software.
  • "Weeping Angel" – spying tool used by the agency to infiltrate smart TV's, transforming them into covert microphones.
  • "Dark Matter" – focused on hacking exploits the agency designed to target iPhones and Macs.
  • "Marble" – revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
  • "Grasshopper" – reveal a framework which allowed the agency to easily create custom malware for breaking into Microsoft's Windows and bypassing antivirus protection.

You can check out the documentation for yourself over on the WikiLeaks website.

Saturday, 6 May 2017

Top 10 Reasons to Root your Android Phone - Unleash the Real Power of Android..!



In my previous article, we learned about rooting in brief - What rooting is? and Where the concept of rooting came from in Android? But as I mentioned, rooting without complete knowledge is harmful and so, many of you might be afraid of rooting your Android. But don't worry as I will post articles which will give you the complete knowledge on rooting. And as a starter, here I have mentioned the most interesting and the most powerful advantages of rooting, so that you can feel motivated. So let's start...

Android is one of the most open, versatile, and customizable mobile operating systems out there. You may think you don't need to root your phone, but you'd be surprised at how much more you can accomplish with a little work. Here are 10 reasons for rooting your phone.

10. Unlock Hidden Features and Install "Incompatible" Apps

 


Sometimes, even Android isn't open enough to give you some of the features you want. Either an app is blocked by carriers, hacks into Android's system files, or otherwise isn't available. Luckily, rooting can help with that: you can install carrier-blocked apps, get features from the latest version of Android, make incompatible apps compatible, power up your hardware, get features like Beats Audio from other phones, or emulate exclusive features like those on the Moto X. Whatever you want, rooting gives you the power to do a lot more.

9. Automate Everything (Make your Android AI)



Ever wondered if your phone contained Artificial Intelligence..! What if the mobile data automatically turns OFF after 1:00 A.M. Also you can set triggers in your phone like - Whenever we turn WiFi to ON, the mobile data automatically goes OFF. We can completely automate our Android.

You might have probably heard of Tasker, the awesome app that automates just about anything on your phone. You don't need to root your phone to use it, but if you're rooted, it can do a whole lot more. Certain tasks, like toggling 3G, GPS, changing CPU speed, turning the screen on, and others require root access. So, if you want to get the full benefit of an app like Tasker, you'll definitely want to root your phone.

8. Block Ads in Any App



Look, we of all people understand the need for occasional ads—it's how we make money. But ads can also get in the way and use up data. If you want to block ads in certain apps or on certain devices, rooting is by far the best way to do so. AdFree, AdBlock Plus, and Ad Away are all great options. Of course, if you aren't rooted, going into airplane mode works in a fine.

7. Speed Up you Phone and Boost the Battery Life



You can do a lot of things to speed up your phone and boost its battery life without rooting, but with root, you have even more power. For example, with an app like SetCPU you can overclock your phone for better performance, or underclock it for better battery life. You can also use an app like Greenify to automatically hibernate apps you aren't using - perfect for those apps that always want to run in the background when you're not looking.

6. Back Up Your Phone for Zero Data Loss



When you move to a new Android device—or restore your device to stock for any reason—you can make your life a lot easier by backing up your apps and settings first. That way, you can get your entire setup back in just a few taps. If you aren't rooted, you can back up a few things like apps and data, but you won't necessarily be able to backup system apps and their data, or automate the entire process as good as Titanium Backup can.

5. Remove Preinstalled Apps


 
Many a times we face problems like phone hangs and eats a lot of memory and storage. So we start removing applications that we have installed - which might be useful for us. But we can't remove the in-built system apps - some on which are of no use. Here, rooting your phones comes to help.

Titanium Backup is good for more than just backups, too. It can also uninstall that annoying, battery-draining, space-wasting crapware that comes preinstalled on so many phones these days—and, sadly, this feature is root-only. Freeze them first to make sure your phone operates normally without them, then delete them completely to free up that space.

4. Tweak the Dark Corners of Android



If you're the kind of person that likes to fiddle with every little feature—both on the surface and under the hood—rooting is for you. Whether you want to customize your keyboard layout with something like Keyboard Manager or give yourself faster scrolling, improved multitasking, and extra themes with Pimp My ROM, rooting gives you the power to tweak just about any corner you can think of. If you want to do it, chances are someone over on a forum like XDA has created a mini-app or tweak that will help.

3. Flash a Custom Kernel



Some of Android's most deep tweaks require a custom kernel, which you can only flash with a rooted device. The kernel is responsible for helping your apps communicate with the hardware of your phone, which means a custom kernel can give you better performance, battery life, and even extra features like Wi-Fi tethering (on unsupported phones), faster battery charging, OTG connectivity (if supported by hardware but ROMs does not support) and lots more. You can flash kernels manually or simplify the process with something like Kernel Manager

2. Flash a Custom ROM



You probably already know about this one—but it's one of the best benefits of rooting. A custom ROM is basically a custom version of Android, and it truly changes how you use your phone. Some merely bring a stock version of Android to non-stock phones, or later versions of Android to phones that don't have it yet. Note: As some of you have noted, you don't actually need root access to flash a custom ROM—though you will need to unlock your bootloader (a process that sometimes comes bundled with root access). Still, it requires freeing your device from manufacturer lockdowns, so we've kept it in the list.

1. Truly Own Your Device

In the end, all of this gets combined to one thing: you own your device, and you should be able to do all the things with it of your wish. Certain manufacturers and carriers try to keep that from happening, But with root access, you truly own your device and open yourself up to all the possibilities other parties try to block.

Popular Posts