Author Topic: Linux.Encoder.1  (Read 1065 times)

Offline ardouronerous

  • Newbie
  • *
  • Posts: 12
Linux.Encoder.1
« on: November 15, 2015, 12:37:09 AM »
Not sure if this is the right place to ask this.

Does the COMODO Anti-Malware Database have Linux.Encoder.1 on record and detect this if I do a full system scan?

Linux.Encoder.1 is an encryption ransomware that infects Linux systems.

From Dr.Web virus library (https://vms.drweb.com/virus/?i=7704004&lng=en)

Quote
Linux.Encoder.1

Added to Dr.Web virus database:   2015-11-05
Virus description was added:   2015-11-06
SHA1:

    a5054babc853ec280f70a06cb090e05259ca1aa7 (x64, UPX)
    98e057a4755e89fbfda043eaca1ab072674a3154 (x64, unpacked)
    810806c3967e03f2fa2b9223d24ee0e3d42209d3 (x64, FreeBSD)
    12df5d886d43236582b57d036f84f078c15a14b0 (x86, UPX)
    5bd6b41aa29bd5ea1424a31dadd7c1cfb3e09616 (x86, unpacked)

Encryption ransomware for Linux written in C using the PolarSSL library.

Once launched with administrator privileges, the Trojan loads into the memory of its process files containing cybercriminals' demands:

    ./readme.crypto—file with demands,
    ./index.crypto—HTML file with demands.

As an argument, the Trojan receives the path to the file containing a public RSA key.

Once the files are read, the malicious program starts as a daemon and deletes its original files.

First, the Trojan encrypts files in the following directories:

/home
/root
/var/lib/mysql
/var/www
/etc/nginx
/etc/apache2
/var/log

After that, Linux.Encoder.1 encrypts all files in home directories. Then the Trojan recursively traverses the whole file system starting with the directory from which it is launched; next time, starting with a root directory (“/”). At that, the Trojan encrypts only files from directories whose names start with one of the following strings:

public_html
www
webapp
backup
.git
.svn

At that, the Trojan encrypts only files with the following extensions:

".php", ".html", ".tar", ".gz", ".sql", ".js", ".css", ".txt", ".pdf", ".tgz", ".war", ".jar", ".java", ".class", ".ruby", ".rar", ".zip", ".db", ".7z", ".doc", ".pdf", ".xls", ".properties", ".xml", ".jpg", ".jpeg", ".png", ".gif", ".mov", ".avi", ".wmv", ".mp3", ".mp4", ".wma", ".aac", ".wav", ".pem", ".pub", ".docx", ".apk", ".exe", ".dll", ".tpl", ".psd", ".asp", ".phtml", ".aspx", ".csv"

The Trojan does not encrypt files in the following directories:

/
/root/.ssh
/usr/bin
/bin
/etc/ssh

To encrypt each file, the Trojan generates an AES key. After files are encrypted using AES-CBC-128, they are appended with the .encrypted extension. Into every directory that contains encrypted files, the Trojan plants a README_FOR_DECRYPT.txt file with a ransom demand.

If decryption is initiated, Linux.Encoder.1 will use a private RSA key to retrieve AES keys from encrypted files, traverse directories in the same order as when they were encrypted, and delete README_FOR_DECRYPT.txt files trying to decrypt all files with the .encrypted extension.

Doctor Web security researchers have developed a decryption technique that may help restore files encrypted by this malicious program.
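A triage script for the file-system indicators the Dr.Web entry describes (the `.encrypted` suffix, the target extension list, and a README_FOR_DECRYPT.txt note in every directory holding encrypted files). This is an added example, not code from Dr.Web or from this thread; it assumes Linux paths and runs against a constructed sample tree rather than a real infection.

```python
import os
import tempfile

RANSOM_NOTE = "README_FOR_DECRYPT.txt"
ENCRYPTED_SUFFIX = ".encrypted"
# Extensions the Dr.Web entry lists as targets (".pdf" appears twice there).
TARGET_EXTS = {
    ".php", ".html", ".tar", ".gz", ".sql", ".js", ".css", ".txt", ".pdf", ".tgz",
    ".war", ".jar", ".java", ".class", ".ruby", ".rar", ".zip", ".db", ".7z", ".doc",
    ".xls", ".properties", ".xml", ".jpg", ".jpeg", ".png", ".gif", ".mov", ".avi",
    ".wmv", ".mp3", ".mp4", ".wma", ".aac", ".wav", ".pem", ".pub", ".docx", ".apk",
    ".exe", ".dll", ".tpl", ".psd", ".asp", ".phtml", ".aspx", ".csv",
}


def triage(root):
    """Walk `root`; return {relative_dir: summary} for each directory showing an indicator.
    `matches` are .encrypted files whose original extension is on the Dr.Web list, `other`
    those with an unlisted extension; `note_missing` means encrypted files but no note."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        has_note = RANSOM_NOTE in filenames
        matches, other = [], []
        for name in filenames:
            if not name.endswith(ENCRYPTED_SUFFIX):
                continue
            ext = os.path.splitext(name[: -len(ENCRYPTED_SUFFIX)])[1].lower()
            (matches if ext in TARGET_EXTS else other).append(name)
        if has_note or matches or other:
            findings[os.path.relpath(dirpath, root)] = {
                "note": has_note,
                "matches": sorted(matches),
                "other": sorted(other),
                "note_missing": bool(matches or other) and not has_note,
            }
    return findings


def build_demo_tree():
    """Constructed sample layout (not a real infection) so triage() can run offline."""
    root = tempfile.mkdtemp(prefix="encoder_triage_")
    site = os.path.join(root, "www", "public_html")
    home = os.path.join(root, "home", "alice")
    for d in (site, home):
        os.makedirs(d)
    for name in ("index.php.encrypted", "app.js.encrypted", "dump.sql.encrypted", RANSOM_NOTE, "logo.svg"):
        open(os.path.join(site, name), "w").close()
    open(os.path.join(home, "notes.md.encrypted"), "w").close()  # unlisted extension, no note
    return root
```

Run `triage("/")` on a suspect host (or `triage(build_demo_tree())` to see the sample output); directories flagged `other` or `note_missing` do not match the behaviour Dr.Web describes and deserve a closer look before assuming this family.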

Offline yigido

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 5180
  • COMODO Rocks!
    • Free Comodo Products!
Re: Linux.Encoder.1
« Reply #1 on: November 15, 2015, 03:46:14 AM »
Hello,

Please report these SHA-1 values to Comodo experts without the quote.

5bd6b41aa29bd5ea1424a31dadd7c1cfb3e09616
98e057a4755e89fbfda043eaca1ab072674a3154


Other samples are detected by Comodo database.

Just SHA-1 values are enough. They can harvest them from VT, here.
https://forums.comodo.com/av-false-positivenegative-detection-reporting/submit-malware-here-to-be-blacklisted-2015-no-live-malware-t108999.0.html;msg823175#new

Thanks
« Last Edit: November 15, 2015, 03:48:08 AM by yigido »
Encrypt the web! Use HTTPS Everywhere..
Block spying ads and invisible trackers! Use Privacy Badger..

Offline Silwncer

  • Board moderator
  • Comodo Family Member
  • ***
  • Posts: 92
  • Malware Removal Expert
    • TechForums
Re: Linux.Encoder.1
« Reply #2 on: November 15, 2015, 07:20:06 AM »
If you're not infected, then you should post it in General Security.

Offline ardouronerous

  • Newbie
  • *
  • Posts: 12
Re: Linux.Encoder.1
« Reply #3 on: November 15, 2015, 07:33:01 AM »
Quote
Hello,

Please report these SHA-1 values to Comodo experts without the quote.

5bd6b41aa29bd5ea1424a31dadd7c1cfb3e09616
98e057a4755e89fbfda043eaca1ab072674a3154


Other samples are detected by Comodo database.

Just SHA-1 values are enough. They can harvest them from VT, here.
https://forums.comodo.com/av-false-positivenegative-detection-reporting/submit-malware-here-to-be-blacklisted-2015-no-live-malware-t108999.0.html;msg823175#new

Thanks

Thanks for the reply. How do I go about reporting these SHA-1 values to Comodo experts?

Quote
If you're not infected, then you should post it in General Security.

Thanks for the heads up, as I said, I didn't know where to post, now I know, thanks.

EDIT: Okay, do I submit these SHA-1 values on the Submit Malware Here To Be Blacklisted page?

Okay, I submitted the SHA-1 values to the Blacklisted page, thanks.
« Last Edit: November 15, 2015, 07:48:19 AM by ardouronerous »

Offline yigido

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 5180
  • COMODO Rocks!
    • Free Comodo Products!
Re: Linux.Encoder.1
« Reply #4 on: November 15, 2015, 07:48:03 AM »
You did not need to post the "whole" post there.
Just the SHA-1 values, as I said. Anyway, they will look into this.

Offline ardouronerous

  • Newbie
  • *
  • Posts: 12
Re: Linux.Encoder.1
« Reply #5 on: November 15, 2015, 07:49:53 AM »
Oops, sorry.

Offline yigido

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 5180
  • COMODO Rocks!
    • Free Comodo Products!
Re: Linux.Encoder.1
« Reply #6 on: November 15, 2015, 07:54:13 AM »
Quote
Oops, sorry.
There are 5 samples and 3 of them are detected by Comodo. Only two of them are undetected.
You can edit your submission post. It will make their work easier.
Thank you for your understanding.

Offline ardouronerous

  • Newbie
  • *
  • Posts: 12
Re: Linux.Encoder.1
« Reply #7 on: November 15, 2015, 07:59:58 AM »
Thanks, I edited my post.

They're asking me for a sample, I don't have any, is that okay?

Offline yigido

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 5180
  • COMODO Rocks!
    • Free Comodo Products!
Re: Linux.Encoder.1
« Reply #8 on: November 15, 2015, 08:04:01 AM »
Quote
Thanks, I edited my post.

They're asking me for a sample, I don't have any, is that okay?
They should harvest the undetected samples from Virustotal. There is no problem.
Thank you for your reports.

Offline ardouronerous

  • Newbie
  • *
  • Posts: 12
Re: Linux.Encoder.1
« Reply #9 on: November 15, 2015, 08:06:16 AM »
Thanks, you've been very helpful :)

Offline yigido

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 5180
  • COMODO Rocks!
    • Free Comodo Products!
Re: Linux.Encoder.1
« Reply #10 on: November 15, 2015, 08:08:56 AM »
Quote
Thanks, you've been very helpful :)
Anytime :) Stay safe :-TU

Offline ardouronerous

  • Newbie
  • *
  • Posts: 12
Re: Linux.Encoder.1
« Reply #11 on: November 15, 2015, 08:32:15 AM »
I checked out the SHA1s on VirusTotal, and it seems that only 1 out of 5 is detected by COMODO, unless VT's database is outdated?

a5054babc853ec280f70a06cb090e05259ca1aa7 - detected (https://www.virustotal.com/en/file/fd042b14ae659e420a15c3b7db25649d3b21d92c586fe8594f88c21ae6770956/analysis/)

98e057a4755e89fbfda043eaca1ab072674a3154 - not detected (https://www.virustotal.com/en/file/18884936d002839833a537921eb7ebdb073fa8a153bfeba587457b07b74fb3b2/analysis/)

810806c3967e03f2fa2b9223d24ee0e3d42209d3 - not detected (https://www.virustotal.com/en/file/ee21378abf78e31d79f9170e76d01ffb74aa65ce885937fb5bc1e71dff68627d/analysis/)

12df5d886d43236582b57d036f84f078c15a14b0 - not detected (https://www.virustotal.com/en/file/f5ca1277b7fde07880a691f7f3794a11980a408c510442fde486793ee56ad291/analysis/)

5bd6b41aa29bd5ea1424a31dadd7c1cfb3e09616 - not detected (https://www.virustotal.com/en/file/cfca38c408c95e45cdf797723dc5cdb0d6dadb1b8338a5fda6808ce9a04e6486/analysis/)

EDIT: I've added the 4 SHA1s that are undetected by COMODO according to VT to the blacklist page.
Thanks again :)
« Last Edit: November 15, 2015, 08:38:19 AM by ardouronerous »

Offline yigido

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 5180
  • COMODO Rocks!
    • Free Comodo Products!
Re: Linux.Encoder.1
« Reply #12 on: November 15, 2015, 11:54:34 AM »
You should use Comodo File Intelligence to check them. As you can see these VT reports are old!
https://file-intelligence.comodo.com

Offline ardouronerous

  • Newbie
  • *
  • Posts: 12
Re: Linux.Encoder.1
« Reply #13 on: November 15, 2015, 11:30:11 PM »
Thanks for the heads up, I checked it out, and yeah, 3 out of 5 of the SHA1s are detected, and VT just updated their database to reflect this. Once again, thanks for the heads up and thanks for your help :)  :-TU
