Anonymous Security Guide 2.0


After releasing the first Anonymous Security Guide last fall, and taking on board public feedback, updated tools, downloads and popular requests, we bring you version 2.0.

At the very least, if you are going to interact with Anonymous you need to have a VPN. This should literally be STEP 1:

What is a VPN?

A Virtual Private Network (VPN) is a network technology that creates a secure network connection over a public network such as the Internet or a private network owned by a service provider.

So what does this mean? Put simply: if someone tries to log your IP address, they will see the address of your VPN provider's exit server rather than the address your ISP assigned to you. (The provider itself still sees your real address, so you are trusting it instead of your ISP.) A good VPN service costs money, and in this industry you do get what you pay for, but even at the lower end of the price range most VPN services do an adequate job.

Below are some of the most trusted VPN services; there are of course many others if you do the research. We recommend the following because they give users the most options and control over settings, and they are among the most highly rated VPN services on several leading review sites.

– Buy IPVanish:https://www.ipvanish.com/?a_aid=anonymous&a_bid=48f95966

– Buy Nord VPN:https://nordvpn.com/

– Buy Perfect Privacy VPN:https://www.perfect-privacy.com/?gclid=Cj0KEQiAg7ayBRD8qqSGt-fj6uYBEiQAucjOwYQqT0ho9VC8S9rjMgNJzBtuSux96TjpYkgA8NwkxcwaApBF8P8HAQ

– Buy HideMyAss VPN:https://www.hidemyass.com/?ecid=ad:go:se:US-EN-VPN-Brand-Search&gclid=CjwKEAjwtqe8BRCs-9DdpMOilBoSJAAyqWz_pFbMiSbosSabHsaR_FukURXOIFEI6Nayg15yJ0wZUhoCd1Dw_wcB

– Buy MullVad VPN:https://mullvad.net/en/

Free VPNs do exist, but use them at your own risk. The most trusted free VPNs appear to be RiseUP VPN and BetterNet VPN. I have recommended these to countless users over the last year and have not heard one negative thing about either.

– Download RiseUp VPN:https://help.riseup.net/en/vpn

– Download BetterNet VPN:https://www.betternet.co/

For those of you who are more advanced, or complete computer nerds, here is a tutorial on how to set up your own VPN server by hand. Done properly, this keeps your traffic away from any VPN company and off your local network's radar, which is better protection for your personal files than a paid service. Be aware of the trade-off, though: a server you rent is tied to your account and payment details, so it hides your traffic from the local network but does not hide your identity from anyone who can obtain records from the hosting provider: http://anonhq.com/how-to-manually-setup-vpn-on-pc-anondos/

CyberGhost offers a free and paid VPN service, however, I have heard from multiple Anonymous sources that not only is CyberGhost the easiest VPN to hack through, but it also regularly coordinates with the FBI.

This leads us to our next piece of advice: when selecting a VPN service, DO NOT SELECT ANY VPN BASED OUT OF THE UNITED STATES!

The reason is simple. It is not that these companies are evil or sell an inferior product; it is that the reach of the US government cannot be contained from within the United States. In the US, a subpoena, which in many cases does not have to be reviewed by a court or judge before it is issued, is enough to compel a company to turn over data and records to the federal government under penalty of law. Federal search-warrant rules were also amended in 2016 (the Rule 41 change, in effect from December 2016) to let a judge authorize remote searches of a computer whose location has been concealed through "technological means" such as a VPN or Tor. This does not criminalize security software, as is sometimes claimed, but it does mean that using it can itself be cited as grounds for such a warrant.

On the other hand, on July 14th 2016 a US federal appeals court (the Second Circuit, in Microsoft's challenge to a warrant for email stored in Ireland) ruled that a US warrant under the Stored Communications Act could not compel a company to hand over data held on servers abroad. Note that this ruling was later overtaken by the CLOUD Act of 2018, which lets US warrants reach data held overseas by US-based providers, so the location of the company matters more than the location of its servers. So stay safe, protect your data and use a VPN based outside the US.

Outside of the federal government, a VPN alone should be enough to protect you from the average person on the Internet, including most "white hat hackers". Once you have one, you are ready for STEP 2: setting up some sort of proxy protection.

What is a Proxy?

A proxy server is a computer that offers a network service allowing clients to make indirect connections to other network services. A client connects to the proxy server and then requests a connection, file or other resource available on a different server. The proxy provides the resource either by connecting to the specified server or by serving it from a cache. In some cases the proxy may alter the client's request or the server's response for various purposes.

There are different ways to set up a proxy. The simplest is to use a browser with built-in proxying; many people have traditionally used the Tor Browser for this. (Tor is a network of relays rather than a single proxy, but from the website's point of view the effect is the same: it sees the last relay, not you.)

A proxy browser is helpful because it conceals your computer's IP address from whatever website you are using. If someone tries to log your IP on a site, or the site itself logs it, what they record is the Tor exit node your circuit happens to be using at that moment, not your own address. If an adversary does manage to see past Tor, which few outside government agencies can do, they still only reach your VPN, because you connected to the VPN first and built the Tor circuit through it: the Tor entry guard sees the VPN server's address, not your home connection. Signing into the VPN first and the proxy second therefore gives you dual-layer protection. The trade-off is that your VPN provider can see that you use Tor, so this only helps if you trust the provider more than your ISP.

Previously, the FBI was able to exploit the Tor Browser through a hole in the Firefox code it is built on (the 2013 Freedom Hosting attack used a JavaScript vulnerability; the Tor Browser does not ship Flash Player, so that is not where the hole was). That bug has long been patched, and the latest version of the browser was released in June 2016.

Download Here:http://news.softpedia.com/news/tor-browser-integrates-tool-to-fend-off-deanonymization-exploits-505418.shtml?utm_content=buffer2791f&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer

Tor has been struggling a bit in recent times. Earlier this year the FBI launched a war on encryption, using the federal courts to try to force tech companies to build back-doors into their encryption, and promised to keep using the court system to defeat encryption rights. In response to these developments, the Tor Project announced that if it were ever forced by the courts to hand over its keys or weaken its protocol, it would shut down the network altogether rather than comply. A scary thought for privacy advocates.

This June, the Tor Project got a new board of directors after a sexual misconduct scandal, and less than a week later it announced that one of the core contributors was leaving and shutting down the servers he ran, including long-trusted exit nodes and a bridge authority. Then in July researchers reported that well over 100 Tor relays acting as hidden-service directories had been set up for the sole purpose of snooping on the .onion addresses passing through them, i.e. monitoring dark-web users.

These events came on the heels of MIT announcing an anonymity network that it describes as safer and faster than Tor (for now a research prototype rather than something you can install). Needless to say, it may be time to start looking at alternatives to Tor, and many already have.

One of these recent alternatives can be found in the Opera browser. Opera has lost popularity over recent years, but it was redesigned in 2016 and now offers a built-in "VPN". Note that this is really a browser proxy: it hides the address of traffic from Opera itself, not from other applications on your computer. Opera now also offers a private browsing mode, similar to Firefox's, which does not keep cookies or browsing history once turned on. More and more Internet users are switching to Opera, mainly because of the new VPN.

Download Here:http://www.softpedia.com/get/Internet/Browsers/Opera-for-Windows-without-Java.shtml

Find Other Free Browser’s With Built In Proxy Protection Here:http://www.omgtop5.com/proxy-browsers-for-windows/

So, now that you have your VPN and proxy browser, with STEP 3 you can add a proxy chain.

The longer the chain, the longer and harder it is for anyone trying to trace you. Every proxy an adversary gets past leads only to the next proxy address, and so on. If they somehow get through all of them, they end up at your browser proxy and then your VPN; this is how a proxy chain adds a third layer of protection. Keep in mind that each proxy in the chain sees the address of the hop before it, and a chain is only as trustworthy as its least trustworthy member, so do not feed anything sensitive through random free proxy lists.

Proxy chains are rarely used by ordinary users, and an adversary who is not expecting one has far more work to do than with a standalone VPN. Note that, much like with paid VPN services, if you pay for a proxy chain you get what you pay for. If you are interested, here are some links to teach you how to set up your own proxies for free:

– How To Proxy Chain Using Internet Explorer and Tor:http://resources.infosecinstitute.com/proxy-chaining/

– Add Proxy’s With FoxyProxy for Mozilla:https://www.youtube.com/watch?v=mM-soqYrdVg

– Alternative Tutorial: Creating Proxy Chains:http://tech-blog10.blogspot.com/2011/09/proxy-chaininguse-multiple-proxies-to.html

Now that you have all the outside protections in place, you are going to want some internal protection. Believe it or not, even with a VPN and proxy your computer may still leak your real IP address to websites. This happens through WebRTC, the browser feature that sets up real-time audio, video and data connections between browsers. To set one up, the browser gathers its own candidate addresses (your local addresses and, by asking a STUN server, the public address it appears to come from) and hands them to the page's JavaScript. Depending on the site and on how your protection is configured (a browser-level proxy such as Opera's, split tunnelling, or IPv6 traffic outside the tunnel), one of those candidates can be the address your ISP gave you, which undermines your VPN and makes it useless.

STEP 4: install something to disable WebRTC. This is free and easy. (In Firefox you can also do it by hand: open about:config and set media.peerconnection.enabled to false.)

Disable WebRTC for Firefox:https://addons.mozilla.org/en-us/firefox/addon/happy-bonobo-disable-webrtc/

Internet Explorer, the Tor Browser and Safari did not enable WebRTC at the time of writing.

**WARNING: There was an extension to block WebRTC in Google Chrome, but Google removed it, so you remain vulnerable on that browser. Ditch Chrome and Gmail altogether if you care at all about protecting your privacy. See the list of alternative email services further down the article.**

To Test If Your Browser Is Leaking Your IP through WebRTC Test Here:https://www.browserleaks.com/webrtc
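What a page's JavaScript actually receives from the browser is a list of ICE candidate lines, and the check a WebRTC leak test performs is to look for a public address among them that is not the VPN or proxy exit. The Go program below is an added example written for this guide, not code from browserleaks.com or any other site linked here; it runs that check over a constructed set of candidate lines, and the addresses in it (203.0.113.45 as the ISP-assigned address, 198.51.100.7 as the VPN exit, 192.168.1.23 on the LAN) are made up.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Candidate is one ICE candidate as a page's JavaScript sees it in
// RTCPeerConnection.onicecandidate: the "candidate:" SDP attribute.
type Candidate struct {
	Type string // host (local interface), srflx (public address learned via STUN), relay (TURN server)
	IP   net.IP // nil when the browser substituted an mDNS name for the host address
}

// ParseCandidate parses
//   candidate:<foundation> <component> <proto> <priority> <address> <port> typ <type> ...
// Modern browsers may emit an mDNS name (xxxx.local) instead of a LAN IP for host
// candidates; that hides the LAN address and is therefore not a leak.
func ParseCandidate(line string) (Candidate, error) {
	f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "a="))
	if len(f) < 8 || !strings.HasPrefix(f[0], "candidate:") || f[6] != "typ" {
		return Candidate{}, fmt.Errorf("not an ICE candidate line: %q", line)
	}
	return Candidate{Type: f[7], IP: net.ParseIP(f[4])}, nil
}

// Leaks returns every public address the candidates would hand to the site that is
// not the address the site is supposed to see (the VPN or proxy exit). Private,
// loopback and link-local addresses are skipped because they say nothing about who
// you are, and TURN relay candidates carry the relay's address, not yours.
func Leaks(candidateLines []string, expectedExit net.IP) ([]net.IP, error) {
	var leaked []net.IP
	for _, line := range candidateLines {
		c, err := ParseCandidate(line)
		if err != nil {
			return nil, err
		}
		if c.IP == nil || c.Type == "relay" {
			continue
		}
		if c.IP.IsPrivate() || c.IP.IsLoopback() || c.IP.IsLinkLocalUnicast() || c.IP.IsUnspecified() {
			continue
		}
		if !c.IP.Equal(expectedExit) {
			leaked = append(leaked, c.IP)
		}
	}
	return leaked, nil
}

// SampleCandidates is a constructed set of lines, not captured from a real browser:
// a LAN host candidate, an mDNS-obfuscated host candidate, and a server-reflexive
// candidate carrying the ISP-assigned address because the STUN request bypassed the tunnel.
var SampleCandidates = []string{
	"candidate:1 1 udp 2122260223 192.168.1.23 51113 typ host generation 0",
	"candidate:2 1 udp 2122260223 6f3c2a1e-9b7d-4a0c-8e5f-1d2c3b4a5f60.local 51114 typ host generation 0",
	"candidate:3 1 udp 1686052607 203.0.113.45 51113 typ srflx raddr 192.168.1.23 rport 51113 generation 0",
}

func main() {
	vpnExit := net.ParseIP("198.51.100.7") // the address the WebRTC test page should report for the tunnel
	leaked, err := Leaks(SampleCandidates, vpnExit)
	if err != nil {
		panic(err)
	}
	if len(leaked) == 0 {
		fmt.Println("no WebRTC leak: every public candidate matches the VPN exit")
		return
	}
	fmt.Println("WebRTC leak: the page can read", leaked)
}
```

The leak shows up as the srflx (server-reflexive) candidate: the browser asked a STUN server "what address do you see me from?", and because that request left outside the tunnel the answer is the ISP address. A host candidate carrying a public IPv6 address would be flagged the same way, which is the other common way a tunnel gets bypassed.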

STEP 5: This next bit may not be strictly necessary and may make browsing annoying until you get used to it, but it does serve as a last line of defence. If you want lock-tight security, you are going to want a JavaScript blocker. NoScript is a free, open-source JavaScript blocker that lets you peel back the scripts on a website layer by layer, and you can customise the settings for every website you visit with the click of a button. (Note that JavaScript, not Java, is what runs inside web pages; the two are unrelated languages.)

Install No Script:https://noscript.net/

Additionally, to get rid of all those pesky advertisements, install AdBlock Plus:https://adblockplus.org/

Safer Alternatives To Gmail

Ghostmail. This service lets you sign up to an encrypted email service. The servers are located in Switzerland and it offers free end-to-end encryption on all emails. It also has a built-in "self-destruct mode" which, when turned on, automatically deletes a message after it has been read, Mission Impossible style. At no point in signing up are you asked to confirm anything or give away any personal information. Sign Up Here: www.ghostmail.com

ProtonMail. Another service offering free end-to-end encryption, with servers located in Switzerland, outside US jurisdiction (it is still subject to Swiss law and does answer Swiss court orders). Like Ghostmail, at no point are you asked for any personal information. If you are a fan of the television show "Mr. Robot", this is Elliot's email of choice. Sign Up Here: https://protonmail.com/

Tutanota. This is another free encrypted email service that has become quite popular recently. Earlier this year Tutanota surpassed 1 million accounts, becoming the largest encrypted email service on the Internet. Tutanota publishes its client's encryption code as open source so that security experts can confirm the level of security users receive. Sign up Here: https://tutanota.com/

** WARNING: Never open an email from a sender you do not know. It might seem harmless, but the simple act of opening an email can send your computer's IP address to the sender: the message loads a remote image or tracking pixel from the sender's server, and that request reveals your address. It is extremely simple for a hacker or phisher to set this up, so also configure your mail client not to load remote content automatically. **

Always use caution when clicking on links in an email, online chat, social networking posts, even from someone you may know, but particularly by sources you do not. Clicking on a link that appears to be benign in nature may in fact contain embedded malware or IP loggers that can compromise your computer. Once compromised, the data on your computer can be exploited and even your computer can be remotely operated as a surrogate in online attacks against others.

– Test Hyperlink URL’s Before You Click for Malicious/Hidden Content:http://onlinelinkscan.com/

– Test Recent Downloads for Malicious Content:https://virscan.org/

**If you find that you have downloaded something malicious and own a Windows computer, go to Start / System Restore and select a restore point from before the download. This rolls system files and the registry back to that point, but it is not a reliable clean-up: it does not remove everything malware can leave behind, and it does not touch your personal files. Treat it as a first step and, if you cannot verify that the machine is clean, reinstall the operating system.**

Always make sure that your firewall is turned on, your anti-virus software is up to date, and remote access to your computer (Remote Desktop, Remote Assistance) is disabled.

Use CCleaner on a (fairly) regular basis. This is a free disk-cleaner tool "on steroids". It works by searching for and deleting useless files on your computer, freeing up your hard drive. As explained by How-To Geek, “it will also erase your browser history, cookies, and cache files for any browsers you have installed — Internet Explorer, Firefox, Chrome, even Opera. It will even erase the cookie data stored by your Flash Player. It will even wipe out other potentially privacy-risking data, such as the list of recently opened file names in Microsoft Word, Adobe Reader, Windows Media Player, VLC media player, and other common Windows applications.”

Please note, if you use CCleaner, you should save or write down all the passwords to your online accounts before using. You would be surprised how much information the internet and your computer remembers about you – until every bit of it is deleted.

Download CCleaner: http://www.softpedia.com/get/Security/Secure-cleaning/CCleaner.shtml (prefer the vendor's own site and check the installer's digital signature before running it; in 2017 a CCleaner release was trojanized on the vendor's own download servers, so this matters even for a well-known tool)

How To Keep an Anonymous Identity On The Internet

Invent an alias, a pseudonym of your choice, and register it with one of the email services listed above. Use this new email to register any new Twitter, Facebook, Instagram and similar accounts. Be sure to clear all browser cookies before using this alias, or better yet, use a different web browser for your anonymous identity than for your everyday Internet activity. If you cannot remember the passwords or account details, store them in an encrypted file (encryption tutorials are located further down the article).

Hide your profile from search engines. On Facebook, for example, this is done under Account / Privacy Settings / Search by unchecking the "Public Search Results" box, which removes your public preview from Google, Bing and Yahoo search results.

How To Kick Someone From Your Computer

If you ever sense that someone is on your computer, the following sequence drops your current network session, which at best kicks them off temporarily. Be clear about what it does: the first four commands are cosmetic, and the ipconfig commands only flush the DNS cache and release and renew your DHCP lease, which briefly interrupts your Internet connection and does nothing to remove malware. Anything with a foothold on the machine will simply reconnect, so treat this as a stop-gap while you investigate. The ipconfig commands are safe to run on a regular basis.

  • Open a cmd window
  • title Hacker (press Enter)
  • color a (Enter)
  • echo off (Enter)
  • cls (Enter)
  • ipconfig /flushdns (Enter)
  • ipconfig /release (Enter)
  • ipconfig /renew (Enter)

If you want to try to find the IP address of that person, open cmd and use netstat -n, netstat -an, or, on Windows, netstat -ano, which adds the process ID of each connection so you can match it to a program (netstat -anp on Linux shows the program name directly). Look for ESTABLISHED connections to addresses you do not recognise.
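Reading netstat output by eye gets hard on a busy machine, and the question you actually want answered is "which public hosts is this computer talking to right now, and which process owns each connection?". The Go program below is an added example written for this guide, not part of the original; it parses the netstat -ano format and keeps only established connections to public addresses. The sample output is constructed, and the remote addresses in it come from the documentation ranges rather than real hosts.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Conn is one TCP row of "netstat -ano" output on Windows; -o adds the owning PID,
// which is what turns an address into a process you can inspect or kill.
type Conn struct {
	LocalAddr  string
	RemoteIP   net.IP
	RemotePort int
	State      string
	PID        string
}

// ParseNetstat keeps the TCP rows and drops the banner, the header and UDP rows
// (UDP has no state and only four columns). Windows prints IPv6 endpoints as
// [addr]:port, which net.SplitHostPort understands.
func ParseNetstat(output string) ([]Conn, error) {
	var conns []Conn
	for _, line := range strings.Split(output, "\n") {
		f := strings.Fields(line)
		if len(f) != 5 || f[0] != "TCP" {
			continue
		}
		host, port, err := net.SplitHostPort(f[2])
		if err != nil {
			return nil, fmt.Errorf("bad remote endpoint %q: %w", f[2], err)
		}
		p, err := strconv.Atoi(port)
		if err != nil {
			return nil, fmt.Errorf("bad remote port %q: %w", port, err)
		}
		conns = append(conns, Conn{LocalAddr: f[1], RemoteIP: net.ParseIP(host), RemotePort: p, State: f[3], PID: f[4]})
	}
	return conns, nil
}

// Suspicious returns the ESTABLISHED connections whose far end is a public
// address: every host on the Internet this machine is talking to right now.
// A reverse shell shows up here as an outbound connection (no open port needed),
// typically to an address and port nothing on the machine should be using.
func Suspicious(conns []Conn) []Conn {
	var out []Conn
	for _, c := range conns {
		if c.State != "ESTABLISHED" || c.RemoteIP == nil {
			continue
		}
		if c.RemoteIP.IsPrivate() || c.RemoteIP.IsLoopback() || c.RemoteIP.IsUnspecified() {
			continue
		}
		out = append(out, c)
	}
	return out
}

// SampleNetstat is constructed output, not captured from a real machine; the
// documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for public hosts.
const SampleNetstat = `
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    192.168.1.23:51002     198.51.100.20:443      ESTABLISHED     6012
  TCP    192.168.1.23:51117     203.0.113.45:4444      ESTABLISHED     4120
  TCP    192.168.1.23:51120     192.168.1.50:445       ESTABLISHED     4
  TCP    [::1]:49670            [::1]:49671            ESTABLISHED     5508
  UDP    0.0.0.0:5353           *:*                                    3340
`

func main() {
	conns, err := ParseNetstat(SampleNetstat)
	if err != nil {
		panic(err)
	}
	for _, c := range Suspicious(conns) {
		fmt.Printf("%s -> %s:%d  PID %s   (check with: tasklist /FI \"PID eq %s\")\n",
			c.LocalAddr, c.RemoteIP, c.RemotePort, c.PID, c.PID)
	}
}
```

On the sample the two hits are a connection to port 443, which could be anything from a browser to a mail client, and one to port 4444, which nothing legitimate on a home machine normally uses; the PID is what lets you tell the two apart, so resolve it with tasklist before deciding anything.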

– cmd Commands Encyclopedia for Windows:https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/ntcmds.mspx?mfr=true

– Linux Bash Commands Encyclopedia:http://ss64.com/bash/

– Terminal Commands Encyclopedia for Mac:http://ss64.com/osx/

– DOS Commands Encyclopedia:http://www.computerhope.com/msdos.htm#02

Additional Safety Tips/Advice

How To Make Your PC Safe | By: Anon.Dos:http://anonhq.com/make-pc-safe/

How To Encrypt Your Hard Drive:http://www.pcworld.com/article/153826/data_encryption_tools.html

Learn To Encrypt Your Files on Windows, Linux & Mac:http://www.howtogeek.com/195124/how-to-easily-encrypt-files-on-windows-linux-and-mac-os-x/

Enable BIOS Protection For Added Security:http://www.pcworld.com/article/158292/Enable_BIOS_Passwords_for_Extra_Security.html

Learn To Create Un-Hackable Passwords:http://www.inscribd.com/how-to-create-an-unhackable-password-youll-remember/

How To Secure Your Windows Phone:https://ghostbin.com/paste/vromn

How To Secure Your Android Phone:https://ghostbin.com/paste/oehzj

Iphone Encryption Advice From Edward Snowden:https://theintercept.com/2016/02/18/passcodes-that-can-defeat-fbi-ios-backdoor/

If you care about privacy and protection, here is why you may want to learn to make a switch from Windows to run a Linux OS:http://www.pcworld.com/article/202452/why_linux_is_more_secure_than_windows.html

For stronger anonymity, use the Linux-based Tails live OS, which routes all traffic through Tor and leaves no trace on the computer it is booted from: http://news.softpedia.com/news/tails-2-4-edward-snowden-s-favorite-anonymous-live-cd-brings-tor-browser-6-0-504942.shtml?utm_content=buffere4b90&utm_medium=social&utm_source=facebook.com&utm_campaign=buffer

Installing The Anonymous Operating System:https://anonguide.cyberguerrilla.org/

Anonymous Just Took Down 1/5 Of Dark Web's Child Pornography

Anonymous

The Dark Web consists of the hidden (.onion) services that exist between Tor servers and their clients: cyber criminals, activists and many others who want encrypted, anonymous communication. The Tor network, which hides a user's identity and does not log their Internet activity, helps users retain their privacy online, especially when they are being watched by third parties.

Because much of the Dark Web is a haven for drug markets, pedophiles and sex traffickers, who use Tor or set up anonymous .onion websites to hide their location and ply their illegal trade, it is difficult for law enforcement to unmask the criminals seeking refuge in the shadows.

In their attempt to uncover the creators, possessors and subscribers of child pornography, a group of anonymous hackers breached Freedom Hosting II, the largest host of Dark Web sites accessible only through Tor, downloaded gigabytes of data, and took down and defaced some 10,613 .onion websites.

The anonymous hacktivists claimed that over 50% of the data stored on the Freedom Hosting II servers was child pornography. International Business Times reported that the hackers stole 75 GB of files and 2.6 GB of databases, which they offered to return for 0.1 bitcoin, around $100.

According to Sarah Jamie Lewis, an independent anonymity and privacy researcher who spotted the mass hack during her regular scans of the Onion space (Dark Web sites running on the Tor network), Freedom Hosting II hosted an estimated 15% to 20% of all websites on the Dark Web.

This means the hack took down nearly a fifth of the Dark Web. Lewis told The Verge: “This is a major blow considering many were personal or political blogs and forums. In the short term, a lot of diversity has disappeared from the Dark Web.”

Security researcher Chris Monteiro claimed the Freedom Hosting II hack may have disrupted a substantial number of botnets, which are increasingly used by cyber criminals to launch large-scale DDoS attacks.

Monteiro also found that the .onion websites were not only hosting botnets but also fraud sites, sites peddling hacked data, weird fetish portals, and child abuse sites targeting both English- and Russian-speaking buyers. Websites defaced in the Freedom Hosting II hack include:

 

In an interview with VICE, the hackers explained why and how they took down the Dark Web hosting provider:

“Initially we didn’t want to take down FHII. But then we found several large child pornography sites which were using more than Freedom Hosting II’s stated allowance. Usually, Freedom Hosting II has a quota of 256MB per site, but these illegal sites comprised gigabytes of material. This suggests they paid for hosting and the admin knew of those sites. That’s when I decided to take it down instead.”

In 2011, as part of Operation Darknet, Anonymous also hacked and DDoSed the first Freedom Hosting for hosting child pornography websites. In 2013, when the first Freedom Hosting was hosting half of all Dark Web sites, the FBI exploited a vulnerability in the Firefox version underlying the Tor Browser to identify visitors to such websites, took down the service, and arrested its owner Eric Eoin Marques in Ireland. Marques was charged with facilitating the distribution of online child pornography.

Encryption by other malware and encryption by ransomware come from the same playbook, so how do we counter it? [A summary report shared by China Hacker Cloud]

1. Introduction

1.1 Ransomware

Ransomware is a type of malicious software that holds a user's files hostage, making them inaccessible, and demands a ransom to restore them. Its targets are usually the user's personal data, including documents, databases, source code, pictures, videos and so on, and the ransom is usually demanded in bitcoin.

Ransomware first appeared in 1989, but large-scale outbreaks began in 2012. Since then millions of people have become victims, which has only made ransomware more rampant.

1.2 What this article covers

Because ransomware now seriously affects our lives, we decided to write something for both non-technical and technical readers. We have summarised our work on ransomware and selected ten representative families for discussion here.

From this article, readers can understand the basic way ransomware works and the exact algorithms used to encrypt victims' files. We also sincerely hope it helps those who want to analyse ransomware further.

Note that we focus here on the encryption and decryption methods. Other topics, such as packing, anti-sandbox tricks, privilege escalation and DLL injection, are not covered.

Finally, the authors' knowledge is limited; if anything in this article is inaccurate, we welcome your comments.

1.3 Structure of this article

This article has the following parts. In the first part we introduce ransomware and the scope of the article. In the second we discuss the encryption process of each ransomware family. In the third we discuss the weaknesses found in ransomware, which can be used to break it, although a large number of families remain unbroken. In the last part we summarise the trends in ransomware and offer some advice on how to protect yourself.

2. Sample analysis

In this part we take ten representative ransomware families and study the encryption methods each of them uses.

To make the encryption methods understandable to everyone, we use descriptions that are easier to follow but perhaps less rigorous. This means that what we describe may differ slightly from what the ransomware actually does, but the core idea is the same. We also ignore all hash algorithms, since they would add an extra burden for readers trying to understand the ransomware.

2.1 Apocalypse (embedded key + custom encryption algorithm)

The Apocalypse ransomware was discovered in June 2016, and it was fully contained before it could spread widely. We discuss it anyway because it represents a class of ransomware that does not use a standard encryption algorithm but a purpose-built one.

After a victim is infected with Apocalypse, their personal files are encrypted and look like this:

http://p3.qhimg.com/t0124588199c3d702c1.png

As the picture shows, all personal files are encrypted with the ".encrypted" suffix added, and a ransom note is generated for each encrypted file.

Unlike the other ransomware discussed below, Apocalypse uses a purpose-built encryption algorithm and stores the key in the ransomware's own code.

http://p2.qhimg.com/t0166946f0c4ad3fbfb.png

As shown, the algorithm's key is held in the DL register and CL is used as a counter; when encryption finishes, the ciphertext overwrites the plaintext and the ".encrypted" suffix is added.

Since this custom algorithm is a symmetric cipher, finding its decryption routine is not hard, and with the key taken from the code we can decrypt infected files.

More about symmetric-key algorithms can be found on Wikipedia:

https://en.wikipedia.org/wiki/Symmetric-key_algorithm

2.2 Cerber (generated RSA key + RSA + RC4)

The Cerber ransomware was released in March 2016, and a second version was detected in September 2016. Here we discuss the original version. Encrypted files receive the ".cerber" suffix.

The picture below shows a victim's encrypted personal data:

http://p8.qhimg.com/t01ba8e3b616437f74c.png

Cerber uses the RSA and RC4 algorithms. Details of both can be found on Wikipedia:

RSA: https://en.wikipedia.org/wiki/RSA_(cryptosystem)

RC4: https://en.wikipedia.org/wiki/RC4

Compared with Apocalypse, Cerber is more complex and carefully designed. To make it easier to understand, we discuss only the main idea of the Cerber encryption process, in a simplified form.

Cerber's encryption has three levels. Step one: an RSA public key embedded in the program is used to RSA-encrypt a randomly generated RSA key. Step two: that randomly generated RSA key is used to RSA-encrypt a randomly generated RC4 key. Step three: the random RC4 key is used to RC4-encrypt the victim's personal files.

Every Cerber sample carries an encrypted configuration file stored in the program's resource section. Decrypting it reveals the embedded, base64-encoded RSA public key.

http://p9.qhimg.com/t0156fa70227ae43192.png

A unique RC4 key is generated for each of the victim's files, and the file is then RC4-encrypted with that key. Below is the RC4 routine:

http://p4.qhimg.com/t0129664a6ff6cb5332.png

Also note that Cerber encrypts only part of each file rather than the whole file, and some information needed for decryption is stored inside the encrypted file.

If you have followed the encryption process above, Cerber's decryption process is not hard to understand. The difficulty is that the full RSA private key cannot be obtained unless Cerber's author chooses to release it. To decrypt, therefore, one first needs to obtain the randomly generated RSA private key from Cerber's C&C server, then use it to decrypt the random RC4 key, and finally use that key to decrypt the file.

2.3 CryptoWall (RSA public key requested from the server + RSA + AES)

The CryptoWall ransomware was discovered in 2014 and has since gone through four versions; we discuss the third version here.

After infection with CryptoWall, the victim's files are encrypted as shown below:

As shown above, encrypted files get three random characters as their extension, and three ransom notes are produced: "HELP_DECRYPT.HTML", "HELP_DECRYPT.PNG" and "HELP_DECRYPT.TXT".

CryptoWall uses the RSA and AES algorithms; more about AES can be found on Wikipedia. The implementation uses Microsoft's CryptoAPI library.

CryptoWall has to request an RSA public key from its C&C server before encrypting, so if the connection to the C&C server fails it does not encrypt any files. If the connection succeeds, it retrieves the RSA public key, generates a random AES key and encrypts that key with RSA.

http://p4.qhimg.com/t01969118911e34039c.png

It then encrypts the victim's files with the AES key.

http://p7.qhimg.com/t01126eef40e6a4a2c6.png

Finally, the ciphertext overwrites the plaintext file.

CryptoWall's decryption mirrors its encryption: first retrieve the RSA private key from the C&C server, then use it to decrypt the random AES key, and finally use the AES key to decrypt the victim's files.

2.4 CTB_Locker (generated ECDH key + ECDH + AES)

CTB_Locker is a veteran ransomware family that spread in 2014, but it replaced RSA with a more complex algorithm. After a victim's files are encrypted, seven random characters are generated as the file extension.

http://p2.qhimg.com/t01ed073f9b30dae476.png

In the picture above, the first two files are the ransom notes produced by the ransomware.

CTB_Locker is also complex and carefully designed. It uses the AES algorithm and the ECDH algorithm; the elliptic curve used in ECDH is curve25519. More about ECDH and curve25519 can be found on Wikipedia.

ECDH: https://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman

Curve25519: https://en.wikipedia.org/wiki/Curve25519

CTB_Locker's encryption has three layers. First, a random ECDH key is generated and "encoded" with the ECDH public key embedded in the program via the ECDH algorithm (we say "encoded" here because ECDH is a key-exchange protocol, not an encryption algorithm).

http://p4.qhimg.com/t01b019dc6189403b36.png

As shown above, "Pblkey" produces a random ECDH key. The second step is to generate an AES key and encode it with the ECDH key just generated.

http://p4.qhimg.com/t013a81795c1fa17616.png

The third step encrypts the victim's files with the AES key and the AES algorithm.

http://p6.qhimg.com/t0199303f67420195b7.png

Finally, the resulting ciphertext, together with the information needed for decryption, overwrites the original plaintext file.

When decrypting, we cannot obtain the ECDH private key corresponding to the embedded ECDH public key, so CTB_Locker's decryption takes two steps: first retrieve the ECDH private key from the remote C&C server and use it to decode the AES key, then use the AES key to decrypt the files.

2.5 Jigsaw (embedded key + AES)

The Jigsaw ransomware was first released in April 2016, and a second version was found in September 2016. Jigsaw runs on the .NET framework; here we focus on the original version. After a victim's files are encrypted, the ".fun" suffix is added:

http://p9.qhimg.com/t0150bacfa815113cff.png

Jigsaw was defeated by the security community shortly after its release, after which an updated version appeared.

Jigsaw uses AES to encrypt files, and the key can be found directly in the Jigsaw sample.

http://p6.qhimg.com/t01cca08c3331cc8904.png

Moreover, the encryption process is very clear (no wonder it was defeated):

http://p7.qhimg.com/t013baeaa7312033fba.png

After encryption completes, the ".fun" extension is added and the process ends.

To decrypt the files, we only need to use the same key and IV; the decryption routine can also be found in the Jigsaw sample.

2.6 Locky (RSA public key requested from the server + RSA + AES + Intel AES instructions)

Locky is another ransomware that needs to request a public key from its C&C server. The first version of Locky was discovered in February 2016; if Locky cannot connect to its C&C server, no files are encrypted.

After Locky encrypts a file it adds the ".locky" extension.

http://p3.qhimg.com/t01a5e9119c43dd5b5c.png

As shown above, _HELP_instructions.bmp and _HELP_instructions.html are the ransom notes produced by Locky.

Locky uses RSA and AES during encryption, but the implementation differs between Locky versions.

In the Locky sample we discuss, RSA is implemented through CryptoAPI, as in CryptoWall.

http://p0.qhimg.com/t01baffcd01f4c60e9b.png

RSA is used to encrypt a randomly generated AES key, and the RSA public key is obtained from the remote C&C server. The random AES key is used to encrypt the victim's files. The AES implementation uses Intel's AES instruction set (AES-NI), including the "aesenc" instruction.

http://p2.qhimg.com/t01db71e85d1dfcf1f4.png

After encryption finishes, the original plaintext file is overwritten with the ciphertext and some required information.

Decryption is very similar to CryptoWall's: first retrieve the private key from the C&C server, then decrypt the AES key, and then use the AES key together with the extra information stored in the encrypted file to decrypt the victim's files.

2.7 Petya (ECDH + Salsa20)

Petya, discovered in March 2016, is a special case and completely different from the other ransomware here. On one hand, Petya overwrites the boot code in the master boot record (MBR) and stops Windows from starting normally. On the other hand, it encrypts the NTFS master file table (MFT) rather than the victim's individual files.

Details of the MBR and the NTFS MFT can be found on Wikipedia.

After infection by Petya, the computer halts during boot and displays the following:

http://p3.qhimg.com/t01dbdfc1e998e5ae48.png

In the picture above, the ransom notes are written in white characters on a blood-red background.

Petya's encryption is not complicated: it uses ECDH and Salsa20. The elliptic curve used in ECDH is secp192k1. More about secp192k1 and Salsa20 can be found on Wikipedia.

First, a randomly generated Salsa20 key is encoded with ECDH:

http://p6.qhimg.com/t01f22bf5c6a8177bc0.png

Then Salsa20 runs in a 16-bit environment (the code runs from the boot sector, before the operating system loads).

http://p4.qhimg.com/t01b7522370e776123e.png

http://p1.qhimg.com/t01b6b7072b7fb5bd1f.png

Decryption requires first retrieving the Salsa20 key from the remote C&C server, then decrypting the MBR and MFT.

2.8 TeslaCrypt (generated ECDH key + ECDH + AES)

The TeslaCrypt ransomware was detected in February 2015 and has gone through four major versions; the different versions use different extensions for encrypted files, such as ".ecc", ".ezz", ".zzz", ".vvv" and ".abc". Here we discuss only the fourth version, which does not change the extension, as shown below:

http://p9.qhimg.com/t01420cf5a9049a391f.png

Different versions of TeslaCrypt use different algorithms. The sample we discuss uses ECDH and AES, with the secp192k1 curve for ECDH.

The full encryption process is very similar to CTB_Locker's and has three layers. First a random ECDH key is generated and encoded, via ECDH, with an ECDH key embedded in the program. Second, an AES key is generated and encoded, via ECDH, with the random ECDH key just generated.

http://p8.qhimg.com/t01fae624bd7edc5408.png

Third, the victim's files are encrypted with the AES key and the AES algorithm.

http://p3.qhimg.com/t010dc0455702e577b4.png

Finally, the ciphertext and some required information, such as the encoded ECDH public key, overwrite the original plaintext file.

Decryption is somewhat similar to CTB_Locker's: since we cannot obtain the ECDH private key, it takes two steps. First retrieve the ECDH private key from the C&C server and use ECDH to decode the AES key, then decrypt the victim's files with AES.
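The three layers described for CTB_Locker in 2.4 and again for TeslaCrypt in this section are easiest to see in code. The Go program below is an added example written for this article, not code from either family; it uses X25519 (the curve25519 key exchange CTB_Locker uses; TeslaCrypt's secp192k1 is not in the Go standard library) and AES-GCM, which is this example's choice since the article does not name the AES mode. The sample document is constructed. It shows why the public key embedded in the sample is useless for recovery, and why publishing the master private key, as happened with TeslaCrypt, unlocks every victim's files at once.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// LockedFile is what gets written back over the victim's file: the per-victim
// ECDH public key (so the operator can redo the key agreement later), the
// wrapped AES file key and the AES ciphertext. The file carries everything
// needed for decryption except the operator's private key.
type LockedFile struct {
	VictimPub  []byte // layer 1: ephemeral public key, kept so the agreement can be recomputed
	WrappedKey []byte // layer 2: AES file key sealed under the agreed key (nonce prepended)
	Ciphertext []byte // layer 3: file body sealed under the AES file key (nonce prepended)
}

// randBytes panics if the OS CSPRNG fails; that is not a recoverable condition here.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds an AES-256-GCM instance; every key handed to it is 32 bytes, so
// the constructors cannot fail.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil) // output is nonce || ciphertext || tag
}

func unseal(key, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// agreedKey is the "encoding" step of the article: ECDH yields a shared secret,
// not a ciphertext, and the secret is hashed into an AES-256 key (the article
// leaves the hash out for simplicity).
func agreedKey(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) ([]byte, error) {
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:], nil
}

// Lock is the victim-side process; operatorPub is the key embedded in the sample.
func Lock(operatorPub *ecdh.PublicKey, plaintext []byte) (*LockedFile, error) {
	// Layer 1: a fresh per-victim key pair. Its private half is used once and
	// discarded, so the embedded public key alone can never reverse this step.
	victim, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	wrapKey, err := agreedKey(victim, operatorPub)
	if err != nil {
		return nil, err
	}
	fileKey := randBytes(32) // layer 2: exists on disk only in sealed form
	return &LockedFile{
		VictimPub:  victim.PublicKey().Bytes(),
		WrappedKey: seal(wrapKey, fileKey),
		Ciphertext: seal(fileKey, plaintext), // layer 3: the file body itself
	}, nil
}

// Unlock is the operator-side process, or the public decryptor once the master
// private key has leaked: the same shared secret is reached from the other side
// of the agreement, using the victim's public key stored in the file.
func Unlock(operatorPriv *ecdh.PrivateKey, f *LockedFile) ([]byte, error) {
	victimPub, err := ecdh.X25519().NewPublicKey(f.VictimPub)
	if err != nil {
		return nil, err
	}
	wrapKey, err := agreedKey(operatorPriv, victimPub)
	if err != nil {
		return nil, err
	}
	fileKey, err := unseal(wrapKey, f.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("not the matching master key: %w", err)
	}
	return unseal(fileKey, f.Ciphertext)
}

func main() {
	operator, _ := ecdh.X25519().GenerateKey(rand.Reader) // private half stays on the C&C server
	locked, err := Lock(operator.PublicKey(), []byte("constructed sample document"))
	if err != nil {
		panic(err)
	}
	got, err := Unlock(operator, locked)
	fmt.Printf("%q %v\n", got, err)
}
```

Nothing the victim's machine ever held (the embedded public key, the per-victim public key written into the file, the wrapped key) is sufficient on its own; only the operator's private key closes the loop. That is also why the TeslaCrypt master-key release mentioned in part 3 was decisive: with it, Unlock works for every file of every victim.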

2.9 TorrentLocker (RSA + AES)

TorrentLocker is another notorious ransomware, discovered in 2014. Most TorrentLocker variants add the ".encrypted" extension to encrypted files, and most versions pose as CryptoLocker. Here we focus on an early version, which does not change the file size after encryption.

http://p7.qhimg.com/t012ff8f7c92e20a855.png

In the picture above, the "PLEASE_READ.txt" file is the ransom note.

TorrentLocker uses RSA and AES: RSA encrypts a randomly generated AES key, and that AES key is used to encrypt the victim's files. In fact, most of the ransomware not covered in this article uses this same RSA-AES pattern.

What is different is that this ransomware uses the Yarrow algorithm to generate the random AES key.

Yarrow's entropy sources include the return values of the following functions:

http://p9.qhimg.com/t0195872a6348d6c691.png

Note: the picture above is not the complete list of functions. Next, the victim's personal files are split into 16-byte blocks and AES-encrypted.

After encryption, the original file is overwritten with the encrypted data, with no additional data appended.

When decrypting, the AES key was encrypted with RSA and we cannot obtain the RSA private key. To decrypt the files, we need to retrieve the AES key from the C&C server and then use it to decrypt the files.
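Cerber (2.2), CryptoWall (2.3), Locky (2.6) and TorrentLocker (this section) all share one structure: a per-file symmetric key wrapped with an RSA public key that the sample either embeds or fetches from the C&C server, with the wrapped key and any nonce stored alongside the ciphertext. The Go program below is an added example written for this article, not code from any of these families. It uses RSA-OAEP for the wrapping and AES-CTR for the body, encrypts only the first 0x300 bytes of each file as Unlock92 does (Cerber likewise encrypts only part of each file), and stores a small header in front of the body. The header layout and the OAEP label are this example's own choices, and Cerber's extra RSA layer and RC4 are left out. The sample document is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// EncryptedPrefix is how much of each file gets encrypted. Unlock92 stops after
// 0x300 bytes and Cerber also encrypts only part of each file: enough to make the
// file unusable, and much faster than encrypting whole videos or databases.
const EncryptedPrefix = 0x300

var oaepLabel = []byte("file-key") // example's own label; it binds the blob to this purpose

// Lock is the victim side. serverPub is the RSA public key that CryptoWall and
// Locky fetch from the C&C server before touching any file (no key, no encryption)
// and that Cerber and TorrentLocker carry embedded in the sample.
// Output layout: 2-byte wrapped-key length | RSA-OAEP(file key) | 16-byte CTR nonce |
// file body with its first EncryptedPrefix bytes replaced by AES-CTR output.
// CTR keeps the body the same size, which is why TorrentLocker files did not change length.
func Lock(serverPub *rsa.PublicKey, file []byte) ([]byte, error) {
	fileKey := make([]byte, 32)
	nonce := make([]byte, aes.BlockSize)
	if _, err := rand.Read(fileKey); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, fileKey, oaepLabel)
	if err != nil {
		return nil, err
	}
	body := append([]byte(nil), file...)
	if err := ctrPrefix(fileKey, nonce, body); err != nil {
		return nil, err
	}
	hdr := make([]byte, 2)
	binary.BigEndian.PutUint16(hdr, uint16(len(wrapped)))
	out := append(hdr, wrapped...)
	out = append(out, nonce...)
	return append(out, body...), nil
}

// ctrPrefix XORs the keystream over the first EncryptedPrefix bytes in place;
// because CTR is symmetric the same call both encrypts and decrypts.
func ctrPrefix(key, nonce, body []byte) error {
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	n := len(body)
	if n > EncryptedPrefix {
		n = EncryptedPrefix
	}
	cipher.NewCTR(block, nonce).XORKeyStream(body[:n], body[:n])
	return nil
}

// Unlock is the operator side (or a decryptor built from a recovered private key).
// Holding the public key, the sample and the file is not enough: OAEP decryption
// needs the private exponent that never left the server.
func Unlock(serverPriv *rsa.PrivateKey, locked []byte) ([]byte, error) {
	if len(locked) < 2 {
		return nil, errors.New("truncated header")
	}
	wl := int(binary.BigEndian.Uint16(locked))
	if len(locked) < 2+wl+aes.BlockSize {
		return nil, errors.New("truncated header")
	}
	wrapped := locked[2 : 2+wl]
	nonce := locked[2+wl : 2+wl+aes.BlockSize]
	fileKey, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, wrapped, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("wrong private key: %w", err)
	}
	body := append([]byte(nil), locked[2+wl+aes.BlockSize:]...)
	if err := ctrPrefix(fileKey, nonce, body); err != nil {
		return nil, err
	}
	return body, nil
}

func main() {
	server, err := rsa.GenerateKey(rand.Reader, 2048) // lives on the C&C server
	if err != nil {
		panic(err)
	}
	doc := bytes.Repeat([]byte("constructed sample document\n"), 40) // longer than EncryptedPrefix
	locked, err := Lock(&server.PublicKey, doc)
	if err != nil {
		panic(err)
	}
	got, err := Unlock(server, locked)
	fmt.Println(bytes.Equal(got, doc), err) // true <nil>
}
```

Two things follow directly from the layout. First, everything after the encrypted prefix is still plaintext, which is why partial encryption sometimes leaves recoverable data in large files even when the key is unreachable. Second, the wrapped file key in the header is only as strong as the RSA key that wrapped it, which is the weakness exploited in part 3 when a family ships a modulus small enough to factor.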

2.10 Unlock92 (generated RSA key + RSA + RSA)

Unlock92 is the last ransomware we discuss. It was first discovered in June 2016, and a second version has since been found. Unlock92 runs on the .NET framework. The second version is somewhat more complex than the first, so we discuss the second version here.

http://p9.qhimg.com/t0115fd2ac02fdd012a.png

In the picture above, FBDX.jpg is the ransom note.

Unlock92 uses RSA twice during encryption. Every Unlock92 sample contains an embedded, base64-encoded RSA public key whose purpose is to encrypt another, randomly generated RSA key:

http://p4.qhimg.com/t01f809c2fa0dc77b37.png

That randomly generated RSA key is then used to encrypt the victim's files.

http://p2.qhimg.com/t011d7946cd637cf567.png

To maximise the efficiency of encryption, Unlock92 encrypts only the first 0x300 bytes of each file rather than the whole file.

To decrypt, one first needs to retrieve the randomly generated RSA private key from the remote C&C server and then use it to decrypt the files.

3. Weaknesses of ransomware

3.1 Summary of encryption methods

In part two we described the encryption methods of ten ransomware families; each represents one kind of encryption process, and other ransomware not listed here probably falls into one of these classes.

We now summarise the encryption methods used by ransomware as follows:

1) A custom encryption algorithm, as in Apocalypse.

2) One layer of encryption, as in Jigsaw.

3) Two layers of encryption, such as the RSA-AES model; examples are CryptoWall, Locky, Petya and Unlock92.

4) Three layers of encryption, such as the ECDH+ECDH+AES model; examples are Cerber, CTB_Locker and TeslaCrypt.

5) Borrowing the encryption module of legitimate software. For example, the CryptoHost ransomware uses WinRAR's encryption to encrypt victims' files, and the Vault ransomware uses GnuPG.

As we can see, ransomware relies heavily on standard encryption algorithms. Apart from Apocalypse, which uses a custom algorithm, AES is used most often, followed by RSA, and some families also use ECDH. These standard algorithms are considered unbreakable, so the main reason some ransomware can be broken is that the standard algorithms are used incorrectly.

3.2 Summary of decryption methods

If all ransomware were carefully designed, in other words if none of it could be broken, the ways to decrypt a victim's files (the "normal" routes) could be summarised as follows:

1) For a custom encryption algorithm, we need both the decryption key and the decryption algorithm (for standard algorithms the decryption algorithm is known).

2) For one layer of encryption, we need the decryption key and use it to decrypt the victim's files.

3) For two layers (where the second-layer key is the real file-encryption key), we need either the first-layer key or the second-layer key. With the first-layer key we can recover the second-layer key and then decrypt the files.

4) For three layers (where the third-layer key is the real file-encryption key), we need the key of any one layer: with the first-layer key we recover the second-layer key, with that the third-layer key, and with that we decrypt the files.

5) When the encryption borrows another program's module, we need the decryption key and then use it with the matching decryption module to decrypt the files.

From the ransomware author's point of view, these are the only correct ways to decrypt the victim's files. However, some ransomware families have weaknesses of one kind or another, which make it possible to break them without going through the normal routes above.

3.3 Summary of ransomware weaknesses

In practice, a minority of ransomware can be broken because it does not use the standard algorithms correctly. Based on our experience, the reasons are:

1) A custom encryption algorithm. Such algorithms are usually much weaker than standard ones and contain flaws.

2) Incorrect key storage. Some ransomware embeds the key (the same key for encryption and decryption) directly in the program code.

3) Keys that are too small. Some ransomware uses RSA with a key too small to be secure, so the modulus can be factored and the encryption broken.

4) A poor pseudo-random number generator. If the PRNG is not really random, the generated key may be predictable; early versions of Unlock92 had this problem.

5) Vulnerable C&C servers. Some ransomware C&C servers have vulnerabilities that make it possible to retrieve keys from them, as with early versions of Cerber.

6) Other reasons, such as the arrest of the CoinVault authors, or the TeslaCrypt author voluntarily releasing the ECDH private key.

There are other reasons we have not summarised here.
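Two of the weaknesses listed above can be demonstrated directly. The Go program below is an added example written for this article; it is a hypothetical reconstruction of the flaws, not code from Unlock92 or any other family. The first part models weakness 4: a file key drawn from a clock-seeded math/rand generator is recovered by brute-forcing seeds in a window before the file's modification time and checking which candidate decrypts the first AES-CBC block to the expected file magic. The second part models weakness 3: a toy RSA modulus is factored by trial division and the private exponent reconstructed. The sample block, IV, seed and modulus are all constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"fmt"
	"math/big"
	"math/rand"
	"time"
)

// weakFileKey reproduces weakness 4: the file key comes from a non-cryptographic
// PRNG seeded with the clock. math/rand seeded with a Unix time is the classic
// mistake; this is a reconstruction of the flaw, not Unlock92's code.
func weakFileKey(seed int64) []byte {
	r := rand.New(rand.NewSource(seed))
	key := make([]byte, 16)
	for i := range key {
		key[i] = byte(r.Intn(256))
	}
	return key
}

// cbcEncryptBlock encrypts one 16-byte block in CBC mode under key and iv. It is
// used only to construct the sample; Jigsaw-style samples use AES-CBC with a stored IV.
func cbcEncryptBlock(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	x := make([]byte, aes.BlockSize)
	for i := range x {
		x[i] = plaintext[i] ^ iv[i]
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, x)
	return out
}

// RecoverKeyBySeed tries every seed in the window before the file's modification
// time and returns the key under which the first ciphertext block decrypts to the
// expected file magic (for example "%PDF-" for a PDF). One block is enough to test
// a candidate, so the search costs one AES block operation per second of window.
func RecoverKeyBySeed(firstBlock, iv, magic []byte, modTime time.Time, window time.Duration) (key []byte, seed int64, ok bool) {
	out := make([]byte, aes.BlockSize)
	for s := modTime.Add(-window).Unix(); s <= modTime.Unix(); s++ {
		candidate := weakFileKey(s)
		block, _ := aes.NewCipher(candidate) // 16-byte key, cannot fail
		block.Decrypt(out, firstBlock)
		for i := range out {
			out[i] ^= iv[i]
		}
		if bytes.HasPrefix(out, magic) {
			return candidate, s, true
		}
	}
	return nil, 0, false
}

// FactorSmallModulus attacks weakness 3: an RSA modulus small enough to factor.
// Trial division suffices for the toy size used here; weak real-world moduli are
// attacked with Fermat's method, ECM or a sieve, but the outcome is the same.
func FactorSmallModulus(n *big.Int) (p, q *big.Int, ok bool) {
	p, q = big.NewInt(3), new(big.Int)
	two, rem, sq := big.NewInt(2), new(big.Int), new(big.Int)
	for sq.Mul(p, p).Cmp(n) <= 0 {
		if q.QuoRem(n, p, rem); rem.Sign() == 0 {
			return p, q, true
		}
		p.Add(p, two)
	}
	return nil, nil, false
}

// PrivateExponent is d = e^-1 mod (p-1)(q-1): with p and q known, the operator's
// private key is reconstructed without ever contacting the C&C server.
func PrivateExponent(e, p, q *big.Int) *big.Int {
	one := big.NewInt(1)
	phi := new(big.Int).Mul(new(big.Int).Sub(p, one), new(big.Int).Sub(q, one))
	return new(big.Int).ModInverse(e, phi)
}

func main() {
	// Constructed sample: the first encrypted block of a PDF, its IV and the file's
	// modification time are all a decryptor would have to work with.
	const trueSeed = int64(1700000000)
	iv := bytes.Repeat([]byte{0x5a}, aes.BlockSize)
	first := cbcEncryptBlock(weakFileKey(trueSeed), iv, []byte("%PDF-1.7 sample!"))
	key, seed, ok := RecoverKeyBySeed(first, iv, []byte("%PDF-"), time.Unix(trueSeed+7, 0), time.Minute)
	fmt.Printf("recovered=%v seed=%d key=%x\n", ok, seed, key)

	n := new(big.Int).Mul(big.NewInt(65521), big.NewInt(65539)) // toy 32-bit modulus
	p, q, _ := FactorSmallModulus(n)
	fmt.Println("p =", p, "q =", q, "d =", PrivateExponent(big.NewInt(65537), p, q))
}
```

The seed search is cheap because the window is tiny: a file's modification time pins the moment the key was generated to within seconds, and math/rand's output for a given seed is fully determined, so a few thousand AES block decryptions settle it. Trial division is hopeless beyond a few dozen bits, but the point stands for any modulus a laptop can factor by whatever method: once p and q are known, d follows and every file key wrapped under that modulus can be unwrapped.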

3.4 Summary of samples

The picture below summarises all the samples discussed above:

http://p1.qhimg.com/t01fb702317dbe24853.png

In addition, early versions of Unlock92 have been broken because their PRNG was flawed, so a two-layer scheme with a weakness can still be cracked.

4. Trends and advice

In our experience the number and variety of ransomware families are growing. Ransomware source code and builder kits are sold on dark-web markets, which makes creating new ransomware much easier; without effective countermeasures it is hard to say how bad the outcome we face will be.

The good news is that the anti-ransomware camp has grown strong. Many anti-virus companies have released anti-ransomware products to help users stay away from ransomware, and we believe more victims will benefit from them.

So far there are still flaws, to a greater or lesser degree, in how ransomware uses standard encryption algorithms, but as ransomware develops these problems will become rarer. Once ransomware authors use standard algorithms correctly, recovering victims' data will be genuinely hard. We therefore recommend putting defence first: users should back up their personal files regularly, and anti-virus companies need to design algorithms that recognise ransomware by its characteristic behaviour and stop its encryption process proactively. Also, do not give in to ransomware; even if you have been infected, consulting experts may well be a good way to handle the situation.