{"id":2382,"date":"2014-08-14T14:55:43","date_gmt":"2014-08-14T14:55:43","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=2382"},"modified":"2020-02-26T10:54:38","modified_gmt":"2020-02-26T15:54:38","slug":"a-few-thoughts-on-tor-augmented-malware","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/a-few-thoughts-on-tor-augmented-malware\/2382\/","title":{"rendered":"A few thoughts on Tor-augmented malware"},"content":{"rendered":"<p>Back in July, Kaspersky Lab reported on a new strain of ransomware that used the anonymous network Tor (\u201cThe Onion Router\u201d) to conceal its infrastructure and make it hard to track the actors behind this ongoing malware campaign.<\/p>\n<p>This is actually not the first time our researchers have observed malware that uses Tor \u2013 and it certainly won\u2019t be the last.<\/p>\n<p>Until recently, it wasn\u2019t too widespread: only a few banking malware families, such as the 64-bit ZeuS Trojans, used Tor connections.<\/p>\n<p>To what end? Does using Tor make the malware more dangerous than it already is?<\/p>\n<p>Well, the answer is somewhat ambiguous. Both the 64-bit ZeuS Trojans and the new ransomware, which Kaspersky Lab has called \u201cOnion\u201d, use Tor to conceal their C&amp;C servers in order to complicate the search for the malware operators. In a nutshell, this works. Tor\u2019s architecture makes it next to impossible to de-anonymize its users, even when it is used for illegitimate purposes. 
And while it was devised to battle censorship, cybercriminals unsurprisingly employ it.<\/p>\n<p style=\"text-align: center\"><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/08\/06020100\/wide-21-1.png\"><img decoding=\"async\" class=\"alignnone size-full wp-image-2384\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2014\/08\/06020100\/wide-21-1.png\" alt=\"wide-2\" width=\"1000\" height=\"668\"><\/a><\/p>\n<p>At the same time, Onion doesn\u2019t become more dangerous just because its C&amp;C infrastructure is now well hidden. That is a problem for IT security experts, not for the businesses that are the primary target of the malware itself.<\/p>\n<p>Even without any Tor beef-ups, Onion is dangerous as hell. A direct \u201cheir\u201d to the dreaded CryptoLocker, CryptoDefence\/CryptoWall, ACCDFISA and GpCode, it is yet another ransomware that encrypts all the files it can reach, then demands a ransom.<\/p>\n<p>The cybercriminals claim there is a strict 72-hour deadline to pay up, or all the files will be lost forever, which is likely true: Onion uses the asymmetric cryptographic protocol known as ECDH \u2013 Elliptic Curve Diffie\u2013Hellman (for the technical details, follow <a href=\"https:\/\/securelist.com\/analysis\/publications\/64608\/a-new-generation-of-ransomware\/\" target=\"_blank\" rel=\"noopener\">this link to Securelist<\/a>).<\/p>\n<p>In short, the encrypted files cannot be decrypted without the master private key held by the criminals. And if that key is stored for just 72 hours, as the attackers claim, there is absolutely no way to recover the encrypted files after the deadline.<\/p>\n<p>Onion\u2019s creators take no chances in their game. There\u2019s next to no way to trace the C&amp;C servers and no way to decrypt the files without the master private key. Furthermore, the propagation method is also very unorthodox. 
Kaspersky Lab\u2019s researchers established that the Andromeda bot (detected as Backdoor.Win32.Androm by Kaspersky Lab products) receives a command to download and run another malicious program from the Email-Worm.Win32.Joleee family on the victim computer. The latter is primarily a malicious tool for sending spam emails, but it can also execute a number of commands from the cybercriminals, including a command to download and launch an executable file. So it is actually Joleee that downloads the encryptor to the infected computer and launches it.<\/p>\n<p>Why so complex? That is a matter for speculation.<\/p>\n<p>What is certain is that this threat must be dealt with at a local level. If the critical data is backed up and stored safely, an encryptor is a mere nuisance that may cost a business a few hours at worst.<\/p>\n<p>But backups should be performed regularly and, moreover, copies need to be created on a storage device that is accessible only during the backup process (e.g., a removable storage device that is disconnected immediately after the backup). Failure to follow these recommendations will result in the backed-up files being attacked and encrypted by the ransomware in the same way as the original file versions.<\/p>\n<p>The security solution used should be turned on at all times and all its components should be active. The solution\u2019s databases should also be up to date.<\/p>\n<p>Kaspersky Lab products detect Onion based on its signature with the verdict Trojan-Ransom.Win32.Onion. 
All possible unknown modifications are detected heuristically with the verdict HEUR:Trojan.Win32.Generic, or proactively with the verdict PDM:Trojan.Win32.Generic.<\/p>\n<p>In addition, Kaspersky Lab solutions incorporate the\u00a0<a href=\"http:\/\/media.kaspersky.com\/pdf\/Kaspersky_Lab_Whitepaper_Cryptoprotection_final_ENG.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Cryptomalware Countermeasures technology<\/a>,\u00a0which is capable of protecting user data even from yet-unknown encryptors for which there are still no signatures or cloud-based data available. This technology is based on the principle of creating protected backup copies of personal files as soon as a suspicious program attempts to access them.<\/p>\n<p>The technology will automatically restore the file even if it is encrypted by malware. For this technology to operate, the System Watcher component must be enabled in the Kaspersky Lab product settings.<\/p>\n<p>Using Tor may become commonplace for criminals, especially those who operate botnets or encryptors \u2013 i.e. anything that needs command and control servers.<\/p>\n<p>If your house is infested by domestic ants, the only way to exterminate them is to kill the queen, which resides in a deep-hidden nest; sometimes it is almost unreachable directly, so poisons must be used to destroy the colony.<\/p>\n<p>The only sure way to dismantle a botnet is to \u201cdestroy the nest\u201d by bringing down its C&amp;C servers (and \u2013 preferably \u2013 apprehend the \u201cant queens\u201d, i.e. 
the botnet\u2019s owners).<\/p>\n<p>But if (or when) the criminals take their botnet\u2019s C&amp;C infrastructure to Tor, it will be immensely difficult to uproot such a malicious network with a \u201csingle blow\u201d such as <a href=\"https:\/\/business.kaspersky.com\/hunting-the-hydra-why-gameover-zeus-botnet-is-here-to-stay\/\" target=\"_blank\" rel=\"noopener nofollow\">Operation Tovar<\/a> and similar botnet-busting efforts. And this, in turn, means that the only way to battle such a botnet is to have rock-solid local protection that won\u2019t allow any malware through.<\/p>\n<p>In other words, if\/when controlling malware via Tor becomes mainstream, ensuring cybersecurity becomes \u201ceverybody\u2019s own business\u201d more than ever before.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Malware using Tor for communication with C&amp;C servers is a novelty; it may not make the malware itself more dangerous, but eradicating it becomes a much more serious problem.<\/p>\n","protected":false},"author":209,"featured_media":15869,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[282,189,36,760,420,558],"class_list":{"0":"post-2382","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-cybersecurity","10":"tag-data-security","11":"tag-malware-2","12":"tag-onion","13":"tag-ransomware","14":"tag-tor"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/a-few-thoughts-on-tor-augmented-malware\/2382\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/a-few-thoughts-on-tor-augmented-malware\/2382\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/a-few-thoughts-on-tor-augmented-malware\/2382\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/cybersecurity\/
","name":"Cybersecurity"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2382","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=2382"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2382\/revisions"}],"predecessor-version":[{"id":33283,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/2382\/revisions\/33283"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15869"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=2382"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=2382"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=2382"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}