Web version of the CTB-Locker ransomware: PHP source on GitHub

Source: Internet
Author: User
The CTB-Locker ransomware has appeared in a web variant that infects websites. According to analysis, the code is written in PHP, and its source code is now hosted on GitHub.

First appearance of the web version of CTB-Locker

On the eve of this year's Valentine's Day, a British webmaster made an unpleasant discovery: the administration page of his site had been tampered with. The tampered page looked much like the screen shown on a computer infected by ransomware; its main message told the site administrator to pay bitcoins in exchange for decryption of the files in the affected directories, so that the site could be restored. The tampered page looked like this:

Once confirmed as the first ransomware incident targeting web pages, the event attracted a great deal of attention. As a server administrator, though, one could at first only hope that this was a one-off event rather than the premeditated start of an attacker's campaign.

In the initial phase no other infections were found, but the situation changed dramatically over the past week, during which the page-ransom infections described above occurred frequently. Reportedly, more than 100 similar incidents have been found so far. In the tampered page, the operator behind the attack asks the victim to pay 0.4 bitcoin; if payment is not completed within two days, the amount rises to 0.8 bitcoin. Below is the source code of the page demanding the bitcoin payment:

In its ransom notice the program follows the same model as CTB-Locker. Technically, however, it is not the notorious CTB-Locker ransomware, which runs only in a Windows desktop environment and does not run on a Linux web server.

The web version of CTB-Locker is written in PHP

Benkow, a security analyst at Stormshield, managed to analyze the operating mode of the ransomware and extract its source code from an infected host. Benkow then uploaded the source of the web version of CTB-Locker to the KernelMode forum for analysis and research by other security researchers. The "visibility" of the web version of CTB-Locker rose quickly, and its source code is now also hosted on GitHub.

Source code address: GitHub

Given that the source code of the Hidden Tear ransomware was also hosted on GitHub, things did not turn out in users' favor. Combined with the current situation, it can be predicted that large-scale attacks on websites will follow in the next few months.

According to Benkow's analysis, the web version of CTB-Locker is written in PHP and uses the strong AES-256 encryption algorithm. Refer to the source code on GitHub for details.

The infection vector is still unknown

How the ransomware infects the server host has not yet been discovered. It is worth noting that, statistically, the infected hosts include both Linux and Windows systems, and most of them (73%) have the Exim service (an SMTP server) enabled. Benkow also added:

Most of the hosts are running a webshell that can be accessed through the 'logout.php' dynamic page.

In addition, many infected sites were found to still have the Shellshock vulnerability, even though a patch for it was released more than a year ago. Statistically, the big problem is that most sites tend to ignore their own vulnerabilities and fail to fix them, allowing those vulnerabilities to be exploited by attackers.

Ransomware has infected web servers before

In December 2015, security researchers found that the Linux.Encoder ransomware family already had functionality targeting web servers. According to research, Linux.Encoder was written in C and C++ and is not related to the web version of CTB-Locker.

Conclusion

In an increasingly severe security situation, site administrators should update their site software to the latest version. At the same time, where possible, they should use a variety of scanning tools to cross-check the sites they manage for vulnerabilities, so that vulnerabilities are found, fixed and hardened.

* Reference sources: Soft, GitHub, Ker; FB small Troy compilation. When reproducing, please credit FreeBuf hackers and geeks (freebuf.com).
