Thursday, 29 June 2017

The Newer Version of Petya is Not a Ransomware, It's a Destructive Data Wiper


Short Summary:

Till now, we were thinking of Petya being a Ransomware. But this new version is beyond the limits. A ransomware is generally a malware that encrypts your files and provides you a decryption key after you pay the ransom to attacker(s). But Petya works somewhat different. It encrypts the MBR and MFT in windows and replaces it with a malicious code. Also, it doesn't take a backup of encrypted data. Hence, even if you pay the ransom, you will not get you data back.

Now let us see the working of this malware in detail and the research work carried out on it. Also, many security researchers found that this malware was spread as a Ransomware because the attackers wanted to divert society from WannaCry to this malware. Let us see all these in detail.

Petya is not a Ransomware

Yes, the Petya ransomware attacks that began infecting computers in several countries, including Russia, Ukraine, France, India and the United States on Tuesday and demands $300 ransom was not designed with the intention of restoring the computers at all.

According to a new analysis, the virus was designed to look like ransomware but was wiper malware that wipes computers outright, destroying all records from the targeted systems.

Comae Technologies Founder Matt Suiche, who closely looked the operation of the malware, said after analyzing the virus, known as Petya, his team found that it was a "Wiper malware," not ransomware.

Security experts even believe the real attack has been disguised to divert world's attention from a state-sponsored attack on Ukraine to a malware outbreak.

"We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker," Suiche writes.
Yes, the Petya ransomware attacks that began infecting computers in several countries, including Russia, Ukraine, France, India and the United States on Tuesday and demands $300 ransom was not designed with the intention of restoring the computers at all.

According to a new analysis, the virus was designed to look like ransomware but was wiper malware that wipes computers outright, destroying all records from the targeted systems. 

Comae Technologies Founder Matt Suiche, who closely looked the operation of the malware, said after analyzingthe virus, known as Petya, his team found that it was a "Wiper malware" not ransomware.

Security experts even believe the real attack has been disguised to divert world's attention from a state-sponsored attack on Ukraine to a  malware outbreak.

"We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state  attacker," Suiche writes

What's new in Petya! Is is Powerful?

Petya is a nasty piece of malware that, unlike other traditional ransomware, does not encrypt files on a targeted system one by one. Instead, Petya reboots victims computers and encrypts the hard drive's Master File Table (MFT) and renders the Master Boot Record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.

Then Petya ransomware takes an encrypted copy of MBR and replaces it with its own malicious code that displays a ransom note, leaving computers unable to boot. However, this new variant of Petya does not keep a copy of replaced MBR, mistakenly or purposely, leaving infected computers unbootable even if victims get the decryption keys.

Also, after infecting one machine, the Petya ransomware scans the local network and quickly infects all other machines (even fully-patched) on the same network, using EternalBlue SMB exploit, WMIC and PSEXEC tools.

Does Paying Ransom Get Your Files Back?

So far, nearly 45 victims have already paid total $10,500 in Bitcoins in hope to get their locked files back, but unfortunately, they would not. It's because the email address, which was being set-up by the attackers to communicate with victims and send decryption keys, was suspended by the German provider shortly after the outbreak. As the email address is suspended, there is no way of contact or communication. Meaning, even if victims do pay the ransom, they will never recover their files. Kaspersky researchers also said same.

"Our analysis indicates there is little hope for victims to recover their data. We have analyzed the high-level code of the encryption routine, and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks," the security firm said.
"To decrypt a victim’s disk threat actors need the installation ID. In previous versions of 'similar' ransomware like Petya/Mischa/GoldenEye this installation ID contained the information necessary for key recovery."
If claims made by the researcher is correct that the new variant of Petya is a destructive malware designed to shut down and disrupt services around the world, the malware has successfully done its job.

List of Countries affected by Petya till now..!

The virus primarily and massively targeted multiple entities in Ukraine, including the country's local metro, Kiev's Boryspil airport, electricity supplier, the central bank, and the state telecom.

Other countries infected by the Petya virus included:
  • Russia
  • France
  • Spain
  • India
  • China
  • The United States
  • Brazil
  • Chile
  • Argentina
  • Turkey
  • And South Korea.
Finally, Petya proves to be very harmful Data Wiper malware and we should take measures to prevent this malware affecting our computers. Till now, the exact preventive measures are not know but one can try the steps taken when WannaCry was affected. Its because both malware uses SMB Windows exploit to spread across world. Hence, we can slow it down. Click here to read the preventive measures.

Support us with your views on this malware and any update if necessary. Comment you views and Stay Connected..!
Yes, the Petya ransomware attacks that began infecting computers in several countries, including Russia, Ukraine, France, India and the United States on Tuesday and demands $300 ransom was not designed with the intention of restoring the computers at all.

According to a new analysis, the virus was designed to look like ransomware but was wiper malware that wipes computers outright, destroying all records from the targeted systems.

Comae Technologies Founder Matt Suiche, who closely looked the operation of the malware, said after analyzing the virus, known as Petya, his team found that it was a "Wiper malware," not ransomware.

Security experts even believe the real attack has been disguised to divert world's attention from a state-sponsored attack on Ukraine to a malware outbreak.

"We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker," Suiche writes.
Yes, the Petya ransomware attacks that began infecting computers in several countries, including Russia, Ukraine, France, India and the United States on Tuesday and demands $300 ransom was not designed with the intention of restoring the computers at all.

According to a new analysis, the virus was designed to look like ransomware but was wiper malware that wipes computers outright, destroying all records from the targeted systems.

Comae Technologies Founder Matt Suiche, who closely looked the operation of the malware, said after analyzing the virus, known as Petya, his team found that it was a "Wiper malware," not ransomware.

Security experts even believe the real attack has been disguised to divert world's attention from a state-sponsored attack on Ukraine to a malware outbreak.

"We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker," Suiche writes.
Yes, the Petya ransomware attacks that began infecting computers in several countries, including Russia, Ukraine, France, India and the United States on Tuesday and demands $300 ransom was not designed with the intention of restoring the computers at all.

According to a new analysis, the virus was designed to look like ransomware but was wiper malware that wipes computers outright, destroying all records from the targeted systems.

Comae Technologies Founder Matt Suiche, who closely looked the operation of the malware, said after analyzing the virus, known as Petya, his team found that it was a "Wiper malware," not ransomware.

Security experts even believe the real attack has been disguised to divert world's attention from a state-sponsored attack on Ukraine to a malware outbreak.

"We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract the attention on some mysterious hacker group rather than a national state attacker," Suiche writes.

Saturday, 24 June 2017

Email Footprinting - Trace an Email and Collect Information from it..!


In the previous article, I wrote on Website Scraping, Website Monitoring and Website Mirroring. It contained the methodology of gathering information from a website. Similarly, this article refers to gathering information from an Email.

An Email can give us access to a lot of sensitive information. Information such as:
  • Sender's Email
  • Sender's Name
  • Sender's Physical Location
  • The Path through which Email travelled - The transfer agents in between
  • Sender's IP Address
  • Active Ports of Sender
and much more information about the sender can be known

These sensitive information can lead a Hacker to access many of the data about the target. So, in this article we are going to study about how to collect information from Emails.

There are in general, two methods of gathering information from emails.
  • Tracing Email
  • Tracking Email
And here we are going to study tracing an email. Tracking email is not the part of Email Footprinting but still we will study it later. For now, let us not go into deep about email tracking and just study only the difference between Email Tracing and Email Tracking.

Email Tracing vs. Email Tracking

Tracing generally refers to movement in backward direction while tracking refers to movement in forward direction. A common example is, when you order an item on amazon, they let you to track the delivery of that item. Hence you can track where your object is right now. That is referred to as tracking. Object is yours and you are spying on your object. While in tracing, object belong to someone else and you are spying on other's object.

When you send a mail and you start spying on it (if receiver clicked a link in your mail or if receiver opened your mail or any other activity), then it is called Email Tracking. Similarly, when you get an email in your inbox and you spy on the that email (move backwards and get information about from where the mail was sent and information of every sender), it is called Email Tracing.

Now that we know about Email Tracing and what type of information can be obtained, let us see the topic in brief.

Email Header

We know that we can obtain information about sender from Email. Think somewhat deeper.. There might be a source from which we get all these information. Yes, that source is the Email Header.

In an e-mail, the body (content text) is always preceded by header lines that identify particular routing information of the message, including the sender, recipient, date and subject. Some headers are mandatory, such as the FROM, TO and DATE headers. Others are optional, but very commonly used, such as SUBJECT and CC. Other headers include the sending time stamps and the receiving time stamps of all mail transfer agents that have received and sent the message.

Mail Transfer Agents (MTA) are the intermediate routers, computers or servers that help in transfer of email from a sender to the receiver. Generally, sender and receiver are not connected by a direct connection. Hence, we use MTAs to create a path between sender's mail box (on sender's mail server) and receiver's mail box (on receiver's mail server). To know more about How Email system works, click here..

In other words, any time a message is transferred from one user to another (i.e. when it is sent or forwarded), the message is date/time stamped by a mail transfer agent (MTA) - a computer program or software agent that facilitates the transfer of email message from one computer to another. This date/time stamp, like FROM, TO, and SUBJECT, becomes one of the many headers that precede the body of an email. Hence, there might be multiple sub-headers in an email header providing information about each MTA unit associated in the transfer.

Headers Provide Routing Information

Besides the most common identifications (from, to, date, subject), email headers also provide information on the route an email takes as it is transferred from one computer to another. As mentioned earlier, mail transfer agents (MTA) facilitate email transfers. When an email is sent from one computer to another it travels through a MTA. Each time an email is sent or forwarded by the MTA, it is stamped with a date, time and recipient. This is why some emails, if they have had several destinations, may have several RECEIVED headers: there have been multiple recipients since the origination of the email. In a way it is much like the same way the post office would route a letter: every time the letter passes through a post office on its route, or if it is forwarded on, it will receive a stamp. In this case the stamp is an email header.

An example of simple email header with only one sender an receiver tag is shown below:

Click to view full size image
The above example is the simplest header of all. But still it might look complicated to you. Hence, is proves that tracing the email manually is complex. But we need to know the manual method too, because only using automated tools doesn't provide perfection.

Manual method to trace an Email

To find the information from a received email you're curious about, open the email and look for the header details. How you find that email's header depends on the email program you use. Do you use Gmail or Yahoo? Hotmail or Outlook? 

For example, if you're a Gmail user, here are the steps you'd take:
  1. Open the message you want to view
  2. Click the down arrow next to the "Reply" link
  3. Select "Show Original" to open a new window with the full headers
Similarly, you can find a method from Google for other Email Programs. If I write methods for all of them, article would become lengthy.

Automated Tools for Email Tracing

Here is a small list of some of the best tools for Email Tracing..
You can easily search Google for other tools.

As I told, email tracking and email tracing are different. I will teach you about Email Tracking in my next article. So, stay connected..

Sunday, 18 June 2017

Website Footprinting - Website Scraping, Website Mirroring and Website Monitoring


While Footprinting refers to gathering the needed information and getting knowledge of how things work, website footprinting refers to extracting data from a website and knowing how the site works. Basically, working of a website is known on the basis of the javascript files or the js code which executes on an activity. There are many other things which determine the methodology of working od a site and this may be helpful to the attacker. So, let us explore more on the terms and methods.

Website Footprinting is the first step towards hacking a website. To hack a site, we need information such as:
  • How the site works?
  • How frequent are new article posted on site?
  • Is the admin of website active/inactive?
  • What type of data is available on the site?
  • And much more...
These can be achieved by footprinting a website. Following all the steps in website footprinting leads us to get confidential information from the site and know how the site works in reality. Let us explore more about this.

Website Scraping

The best way to extract information from a webpage is to open the page in browser and then examine it's source code and cookies used by the site. But examining the source code doesn't provide all the needed information and looking at cookies manually is tiresome. So, the concept of extracting data from a website came into existence.

Web Scraping (also termed Screen Scraping, Web Data Extraction, Web Harvesting etc.) is a technique employed to extract large amounts of data from websites whereby the data is extracted and saved to a local file in your computer or to a database in table (spreadsheet) format.

Data displayed by most websites can only be viewed using a web browser. They do not offer the functionality to save a copy of this data for personal use. The only option then is to manually copy and paste the data - a very tedious job which can take many hours or sometimes days to complete. Web Scraping is the technique of automating this process, so that instead of manually copying the data from websites, the Web Scraping software will perform the same task within a fraction of the time.

A web scraping software will automatically load and extract data from multiple pages of websites based on your requirement. It is either custom built for a specific website or is one which can be configured to work with any website. With the click of a button you can easily save the data available in the website to a file in your computer.

One of the useful Web Scraping Software is listed below: 
You can also use any other software/plugin/script for the same job. These are easily available on internet. The main concern is that, the tool must be easy to use.

Website Mirroring

Mirroring refers to downloading the entire website offline on your harddisk for browsing it offline.

Mirroring an entire website onto local machine enables an attacker to browse website offline; it can also assist in finding directory structure and other valuable information from mirrored copy without multiple requests to web server. Sending multiple requests to a web server may be dangerous as the admin when looking to log files, can identify that you were trying to collect sensitive information from the site and it can help the admin to traceback you.

Some well-known web mirroring tools are:
There are many other tools which are easily available on Google but these are the best.

Website Monitoring

Monitoring a website refers to getting information such as:
  • How frequently the admin posts on the site?
  • Which posts are deleted?
  • When was an article posted?
  • Get alerted when a new article is posted on the site.
There are two methods used for different purposes. The first three purpose listed above are satisfied by Internet Archives. You can refer to its complete guide in this article.

The second method is easy to use and satisfies the fourth (last) purpose of website monitoring. It works the same way when you subscribe to a website. When a new post is posted, you are informed about it through mail service. But the major difference is that, in subscription, the alert mail is controlled by the admin i.e. we are alerted of the new article when the admin wants; while in monitoring, we are the controller. That is, we check regularly if a site has posted a new article or has made any changes.

But doing this task manually is tiresome as said before. So automated tools and services are used with a view to reduce the work. Some of the tools used for this purpose are:
The above are some of the best services while you can search google for more such services if you want.

Popular Posts