[BreachExchange] PHP ransomware attacks blogs, websites, content managers and more…

Inga Goddijn inga at riskbasedsecurity.com
Wed Mar 2 20:07:01 EST 2016


https://nakedsecurity.sophos.com/2016/03/02/php-ransomware-attacks-blogs-websites-content-managers-and-more/

Most file-scrambling ransomware
<https://nakedsecurity.sophos.com/?s=ransomware> is written for Windows
computers
<https://nakedsecurity.sophos.com/2016/02/17/locky-ransomware-what-you-need-to-know/>,
although it can encrypt files anywhere they’re writable, including Macs,
file servers and cloud storage sites.

We’ve seen a few attempts at both Android
<https://nakedsecurity.sophos.com/2014/07/25/android-fbi-lock-malware-how-to-avoid-paying-the-ransom/>
and Linux
<https://nakedsecurity.sophos.com/2015/11/11/ransomware-meets-linux-on-the-command-line/>
ransomware.

And, if you cast your mind back, you may remember that the very first
ransomware, more than 25 years ago, was the AIDS Information Trojan
<https://nakedsecurity.sophos.com/2012/09/25/ransomware-would-you-pay-up/>,
that ran on good old MS-DOS.

Now, sadly, we’ve got a whole new sort of ransomware, written in PHP.

What is PHP?

PHP is a programming language intended to help you produce
dynamically-generated content on your web server, typically by embedding
PHP commands inside your HTML pages.

Before the page is sent out by the server, the PHP script parts are
executed, and replaced in the final page with the output from the script.

In the input file below, for example, the part between <?php and ?> is run
by the PHP processor…

…and converted into output that looks something like this:

Many, if not most, web servers make use of PHP, automatically processing
files with a .php extension before they are served up.

PHP is sort-of like JavaScript, except that the script processing is done
on the server before the page goes out. JavaScript, in contrast, is sent to
your browser and the script processing is done inside the browser after the
page is received but before it is displayed.

PHP malware

Notably, most content management systems, such as WordPress, Joomla and
Drupal, use PHP.

In other words, if a crook has your blog password and can upload files to
your server, or if you have an unpatched server plugin that allows him to
modify files that are supposed to be write-protected, and he can alter one
or more of your PHP files…

…then he can install a payload on your website that will trigger whenever
anyone happens to visit the booby-trapped page.

Indeed, he can activate the payload himself at will by accessing the page
himself in what appears to be an entirely innocent web request.

That’s how the malware known as *Troj/PHPRansm-B* works.

It infects your server by means of a file called index.php that contains:

   - File encrypting and decrypting code using PHP.
   - Style-sheet information using CSS, plus inline images.
   - A “pay page” using HTML and JavaScript.

The file encryption doesn’t happen every time the page is viewed, only when
the crook himself submits a specially-formatted upload request in which he
specifies two passwords, a “test” password and a “full” password.

Once the encryption is kicked off, two randomly-chosen files are encrypted
with the test password, and the rest with the full password. (The encryption
uses the AES cipher in CBC mode.)

Anyone else visiting the page – embarrassingly, this may very well include
your prospects and customers – will see a warning page like this:

*Troj/PHPRansm-B “pay page” from 2016*

Simply put, you need to fork over BTC 0.4 (0.4 bitcoins, currently about
$170) to get the full password back from the crooks.

You may recognise the name “CTB-Locker” from the pay page: that name was
also used by the crooks behind a widespread Windows ransomware campaign
<https://blogs.sophos.com/2015/12/31/the-current-state-of-ransomware-ctb-locker/>
back in 2014.

(You can read about the Windows version of CTB-Locker and other ransomware
variants in the SophosLabs paper *The Current State of Ransomware*
<https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-current-state-of-ransomware.pdf?la=en>,
published in December 2015.)

If you need convincing that paying up is likely to work, you can click on
the [Free decrypt] button to upload the “test” files that were encrypted
with the test password.

Even if you use a web debugger to intercept the free decryption function,
and successfully extract the test password from memory, it won’t help you
to unscramble any of your other files.

And there’s even a [Chat] window where you can communicate with the crooks:

Chat room

If you have any questions or suggestions, please leave a
english message below. To prove that you are an administrator,
you must specify the name of the secret file that is in same
directory with index.php. We will reply to you within 24 hours.

What to do?

   - *Pick a proper password for your web server, content management system
   or blog.* We shouldn’t have to say this, but don’t choose the same
   password that you have used anywhere else.
   - *Consider using two-factor authentication.* This usually works by
   sending you an SMS, or requiring you to run a special code-generating app
   on your phone, with a one-time code to complete your login. This means your
   password alone is not enough.
   - *Review all your server access permissions.* Make sure that guest
   users, for example, can’t modify files they aren’t supposed to.
   - *Make sure your server is patched against security holes.* This means
   updating the operating system, your blogging or web server software, the
   PHP application, your site’s themes and plugins, and much more.
   - *Run a real-time anti-virus on your server.* Yes, even if it’s Linux.
   Especially if it’s Linux. By the way, Sophos Anti-Virus for Linux
   <https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx>
   is 100% free for desktops and servers, at work and at home.
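The permissions advice above, turned into a concrete check. This is an added example, not code from the article or from Sophos: a POSIX shell audit that lists the PHP files under a web root that group or other users can write to (the files a crook with a weak foothold could alter), and separately the PHP files changed within the last few days, for comparison against your own deployment record. The function names and the web-root argument are my own.

```shell
#!/bin/sh
# Added example (not from the article). Audit a web root for PHP files that
# should be write-protected but are not, and list recently changed PHP files.
# Assumes a POSIX shell and a find(1) that accepts octal -perm masks.

# Print every *.php under $1 whose mode grants write to group (020) or
# others (002). A healthy deployment normally yields no output here.
writable_php_files() {
    webroot="$1"
    find "$webroot" -type f -name '*.php' \
        \( -perm -020 -o -perm -002 \) -print | sort
}

# Print every *.php under $1 modified less than $2 days ago. Compare the
# list with your change log: anything you did not deploy deserves a look.
recently_modified_php() {
    webroot="$1"
    days="$2"
    find "$webroot" -type f -name '*.php' -mtime "-$days" -print | sort
}

# Summarise the permission check; return non-zero when loose files exist,
# so the function can gate a cron job or deployment pipeline.
audit_webroot() {
    webroot="$1"
    count=$(writable_php_files "$webroot" | wc -l | tr -d ' ')
    if [ "$count" -gt 0 ]; then
        echo "WARN: $count PHP file(s) writable by group/other under $webroot"
        return 1
    fi
    echo "OK: no group/other-writable PHP files under $webroot"
    return 0
}
```

Run it as `audit_webroot /var/www/html` (path is an assumption) from a cron job and alert on a non-zero exit; `recently_modified_php /var/www/html 7` gives the review list for the past week.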
